From: Benjamin Barenblat <bbaren@google.com>
Subject: Support tofu+pgp trust model in GnuPG
Bug-Debian: https://bugs.debian.org/955271
Forwarded: no

GnuPG supports a trust-on-first-use layer that sits on top of the
standard PGP trust model. If this is enabled, 'gpg --list-keys' needs
write and lock permissions on the TOFU database to return any useful
data. Allow this access through AppArmor.

--- libreoffice-7.1.2.2/sysui/desktop/apparmor/program.soffice.bin
+++ libreoffice-7.1.2.2/sysui/desktop/apparmor/program.soffice.bin
@@ -2,6 +2,7 @@
 #
 #    Copyright (C) 2016 Canonical Ltd.
 #    Copyright (C) 2018 Software in the Public Interest, Inc.
+#    Copyright (C) 2021 Google LLC
 #
 #    This Source Code Form is subject to the terms of the Mozilla Public
 #    License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -215,6 +216,7 @@   profile gpg {
 
     owner @{HOME}/.gnupg/* r,
     owner @{HOME}/.gnupg/random_seed rk,
+    owner @{HOME}/.gnupg/tofu.db rwk,
   }
 
   # probably should become a subprofile like gpg above, but then it doesn't