From: Benjamin Barenblat Subject: Support tofu+pgp trust model in GnuPG Bug-Debian: https://bugs.debian.org/955271 Forwarded: no GnuPG supports a trust-on-first-use layer that sits on top of the standard PGP trust model. If this is enabled, 'gpg --list-keys' needs write and lock permissions on the TOFU database to return any useful data. Allow this access through AppArmor. --- libreoffice-7.1.2.2/sysui/desktop/apparmor/program.soffice.bin +++ libreoffice-7.1.2.2/sysui/desktop/apparmor/program.soffice.bin @@ -2,6 +2,7 @@ # # Copyright (C) 2016 Canonical Ltd. # Copyright (C) 2018 Software in the Public Interest, Inc. +# Copyright (C) 2021 Google LLC # # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this @@ -215,6 +216,7 @@ profile gpg { owner @{HOME}/.gnupg/* r, owner @{HOME}/.gnupg/random_seed rk, + owner @{HOME}/.gnupg/tofu.db rwk, } # probably should become a subprofile like gpg above, but then it doesn't