apparmor: fix @{HOME}/.mozilla/firefox access for XML signing

the #include <abstractions/private-files-strict> bringing
"audit deny @{HOME}/.mozilla/** mrwkl," in actually denies everything here.
Use just <abstractions/private-files> and allow profiles.ini, secmod.db
and cert8.db.

At least opening the Digital Signatures dialog doesn't log apparmor DENIED
now...

Change-Id: Id557626fc26745841f0cca005d483fd1e6ac922d
Reviewed-on: https://gerrit.libreoffice.org/48264
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Michael Stahl <mstahl@redhat.com>
Reviewed-on: https://gerrit.libreoffice.org/49253
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>

1 files changed, 4 insertions, 1 deletions

diff --git a/sysui/desktop/apparmor/program.soffice.bin b/sysui/desktop/apparmor/program.soffice.bin
index 84c4d543c48d..74320a6ff5ee 100644
--- a/sysui/desktop/apparmor/program.soffice.bin
+++ b/sysui/desktop/apparmor/program.soffice.bin
@@ -63,7 +63,7 @@
 #include <tunables/global>
 
 profile libreoffice-soffice INSTDIR-program/soffice.bin {
-  #include <abstractions/private-files-strict>
+  #include <abstractions/private-files>
 
   #include <abstractions/audio>
   #include <abstractions/bash>
@@ -165,6 +165,9 @@ profile libreoffice-soffice INSTDIR-program/soffice.bin {
   /usr/share/*-fonts/conf.avail/*.conf  r,
   /usr/share/fonts-config/conf.avail/*.conf r,
 
+  owner @{HOME}/.mozilla/firefox/profiles.ini r,
+  owner @{HOME}/.mozilla/firefox/*/secmod.db r,
+  owner @{HOME}/.mozilla/firefox/*/cert8.db r,
   # there is abstractions/gnupg but that's just for gpg1...
   profile gpg {
     #include <abstractions/base>