AppArmor Profile

Hi there, I’d like to create an AppArmor profile for Collabora, but it seems a lot harder than I thought. I installed the Debian package for Collabora and set up the reverse proxy, and everything works great, but every time I try to enforce AppArmor, coolforkit doesn’t start and everything stops working. This is what I did, just using Collabora in complain mode and automatically creating the profile with aa-logprof. The profile refers to /usr/bin/coolwsd


# Last Modified: Thu Aug 18 19:51:52 2022
#include <tunables/global>

/usr/bin/coolwsd flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/openssl>
  #include <abstractions/postfix-common>
  #include <abstractions/totem>

  capability mknod,
  capability sys_admin,

  signal peer=/usr/bin/coolforkit,
  signal peer=/usr/bin/coolwsd/,
  signal send peer=/usr/bin/coolforkit,
  signal send set=kill peer=/usr/bin/coolwsd//null-/usr/bin/coolforkit,

  /etc/timezone r,
  /opt/collaboraoffice/program/* mr,
  /opt/collaboraoffice/program/libcairo.so.* mr,
  /opt/collaboraoffice/program/libcurl.so.* mr,
  /opt/collaboraoffice/program/libexslt.so.* mr,
  /opt/collaboraoffice/program/libicui18n.so.* mr,
  /opt/collaboraoffice/program/libicuuc.so.* mr,
  /opt/collaboraoffice/program/liblcms2.so.* mr,
  /opt/collaboraoffice/program/libnspr*.so mr,
  /opt/collaboraoffice/program/libnss*.so mr,
  /opt/collaboraoffice/program/liborcus-0.17.so.* mr,
  /opt/collaboraoffice/program/liborcus-parser-0.17.so.* mr,
  /opt/collaboraoffice/program/libpixman-1.so.* mr,
  /opt/collaboraoffice/program/libplc*.so mr,
  /opt/collaboraoffice/program/libraptor2-lo.so.* mr,
  /opt/collaboraoffice/program/librasqal-lo.so.* mr,
  /opt/collaboraoffice/program/librdf-lo.so.* mr,
  /opt/collaboraoffice/program/libsmime*.so mr,
  /opt/collaboraoffice/program/libuno_cppu.so.* mr,
  /opt/collaboraoffice/program/libuno_cppuhelpergcc3.so.* mr,
  /opt/collaboraoffice/program/libuno_sal.so.* mr,
  /opt/collaboraoffice/program/libuno_salhelpergcc3.so.* mr,
  /opt/collaboraoffice/program/libxml2.so.* mr,
  /opt/collaboraoffice/program/libxslt.so.* mr,
  /opt/cool/child-roots/** mr,
  /proc/*/comm r,
  /proc/*/smaps r,
  /proc/*/stat r,
  /usr/bin/coolforkit mrCx,
  /usr/bin/coolmount mrCx,
  /usr/bin/coolwsd mrix,
  /usr/bin/dash mrix,
  owner /etc/coolwsd/coolwsd.xml r,
  owner /etc/coolwsd/proof_key r,
  owner /opt/cool/child-roots/ rw,
  owner /opt/cool/child-roots/** rw,

}

Using aa-logprof doesn’t show anything else, but coolforkit still doesn’t start when I launch coolwsd (I tried to set a profile for coolforkit too, with signal receive peer=/usr/bin/coolforkit and something else, but nothing changed). Does anyone have any idea what I should do?
Of course, thanks in advance for any answer, and thanks to the devs for their amazing work 🙂
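
One way to see what the kernel logged for each profile, including the `//null-` learning profiles that show up in the profile above. This is an added example, not part of the original post; the log lines are constructed samples in the kernel's AppArmor audit format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the post): three from complain mode, two from enforce mode.
SAMPLE_LOG = """\
audit: type=1400 audit(1660845112.101:410): apparmor="ALLOWED" operation="open" profile="/usr/bin/coolwsd" name="/etc/timezone" pid=900 comm="coolwsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1660845112.300:411): apparmor="ALLOWED" operation="capable" profile="/usr/bin/coolwsd//null-/usr/bin/coolforkit" pid=902 comm="coolforkit" capability=21  capname="sys_admin"
audit: type=1400 audit(1660845112.355:412): apparmor="ALLOWED" operation="signal" profile="/usr/bin/coolwsd" pid=900 comm="coolwsd" requested_mask="send" denied_mask="send" signal=kill peer="/usr/bin/coolwsd//null-/usr/bin/coolforkit"
audit: type=1400 audit(1660846001.207:520): apparmor="DENIED" operation="exec" profile="/usr/bin/coolwsd" name="/usr/bin/coolforkit" pid=951 comm="coolwsd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1660846001.290:521): apparmor="DENIED" operation="open" profile="/usr/bin/coolwsd" name="/etc/coolwsd/coolwsd.xml" pid=950 comm="coolwsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=110
kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_line(line):
    """Return the key/value fields of an AppArmor audit line, or None for other lines."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def target(ev):
    """What a rule would have to name: a capability, a signal peer or a path with its mask."""
    if ev.get("operation") == "capable":
        return "capability " + ev.get("capname", "?")
    if ev.get("operation") == "signal":
        return "signal %s peer=%s" % (ev.get("signal", "?"), ev.get("peer", "?"))
    return "%s (%s)" % (ev.get("name", "?"), ev.get("denied_mask", "?"))

def events_by_profile(text, verdicts=("DENIED",)):
    """Group events with the given verdicts by the profile that confined the process."""
    out = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev.get("apparmor") in verdicts and "profile" in ev:
            out[ev["profile"]].append(target(ev))
    return dict(out)

def learning_profiles(text):
    """Names of the form parent//null-child seen as a confining profile or a signal peer."""
    names = set()
    for line in text.splitlines():
        ev = parse_line(line) or {}
        names.update(v for k, v in ev.items() if k in ("profile", "peer") and "//null-" in v)
    return sorted(names)

if __name__ == "__main__":
    for profile, items in events_by_profile(SAMPLE_LOG, ("DENIED", "ALLOWED")).items():
        print(profile, *items, sep="\n    ")
    print("learning profiles:", learning_profiles(SAMPLE_LOG))
```

On a real system the input would be the kernel or audit log text instead of `SAMPLE_LOG`; comparing the `ALLOWED` groups from a complain-mode run with the `DENIED` groups from an enforce-mode run shows which accesses the loaded profile still does not cover.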