[GH-ISSUE #1703] Couldn't start 'libreoffice' in Debian Testing #1151

Closed
opened 2026-05-05 07:32:34 -06:00 by gitea-mirror · 29 comments

Originally created by @bitfreak25 on GitHub (Dec 30, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1703

With the current state of Debian Testing (with firejail 0.9.52) I couldn't start the program "libreoffice".

The output for "firejail libreoffice" is the following:

```
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1131, child pid 1132
Blacklist violations are logged to syslog
Child process initialized in 118.68 ms
Warning: an existing sandbox was detected. /usr/bin/libreoffice will run without any additional sandboxing features
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...
```

gitea-mirror 2026-05-05 07:32:34 -06:00
  • closed this issue
  • added the bug label

@SkewedZeppelin commented on GitHub (Jan 1, 2018):

Can you edit /etc/firejail/libreoffice.profile, disable all the options, and re-enable them one by one until it crashes? Thanks.


@bitfreak25 commented on GitHub (Jan 1, 2018):

It crashed until I re-enable one of the following lines:

```
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
```

All others could be re-enabled without problems.

The thrown errors look the same as above, except when re-enabling the line "noroot", which gives the following output:

```
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 3634, child pid 3635
Blacklist violations are logged to syslog
Child process initialized in 54.45 ms
No protocol specified
Failed to open display
[Java framework] Error in function createSettingsDocument (elements.cxx).
javaldx failed!
Warning: failed to read path from javaldx
No protocol specified

(process:19): dconf-CRITICAL **: unable to create directory '/run/user/1000/dconf': Not a directory. dconf will not work properly.

Parent is shutting down, bye...
```

PS:
I could start libreoffice with re-enabling line "noroot" but only with calling "firejail libreoffice", not with "libreoffice" alone when "firecfg" is called before.


@SkewedZeppelin commented on GitHub (Jan 1, 2018):

I'm unable to reproduce under Arch or under Debian Buster both with LibreOffice 5.4.4.2.

After running `firecfg`, running `firejail [program enabled by firecfg]` is equivalent to running `firejail --profile=/etc/firejail/[program].profile firejail [program]` unless you use the full path, e.g. `firejail /usr/bin/libreoffice`.


@netblue30 commented on GitHub (Jan 2, 2018):

I'll start tracking Debian testing here, let's mark it as a bug for now.

> It crashed until I re-enable one of the following lines:
> nonewprivs, noroot, protocol unix,inet,inet6, seccomp

This looks like some SUID executable in java package or in the graphic card stack. @bitfreak25 what graphic card drivers are you using?


@bitfreak25 commented on GitHub (Jan 2, 2018):

I'm using the non-free nvidia-driver from Debian: nvidia-legacy-340xx-driver

I also found the following private commit from ParrotSec which could be related to this bug:
https://github.com/ParrotSec/firejail/commit/ee2c6777a363ddc5cf61444987f34a74fb8624c3


@chiraag-nataraj commented on GitHub (Jan 7, 2018):

@bitfreak25 Which version of libreoffice are you running?


@bitfreak25 commented on GitHub (Jan 7, 2018):

@chiraag-nataraj As the title says: 'libreoffice' in Debian Testing. This is currently version 5.4.4 .


@chiraag-nataraj commented on GitHub (Jan 7, 2018):

Shit, I should learn to read more carefully 😜 The exact same version is in sid. Can you try this profile?
libreoffice.txt: https://github.com/netblue30/firejail/files/1610176/libreoffice.txt


@Fred-Barclay commented on GitHub (Jan 7, 2018):

I can see it in Debian Testing, firejail 0.9.52 from the Debian repos, and LibreOffice 5.4.4.2 as well. I did not run `firecfg` previously and the system is using Virtual Box's guest additions drivers.
Just like @bitfreak25 noted in https://github.com/netblue30/firejail/issues/1703#issuecomment-354651436, the important lines seem to be

```
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
```

With either `nonewprivs`, `protocol unix,inet,inet6`, or `seccomp` uncommented,

```
$ firejail libreoffice
Reading profile /home/user1/.config/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 14185, child pid 14186
Blacklist violations are logged to syslog
Child process initialized in 54.54 ms
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...
```

With `noroot` uncommented,

```
$ firejail libreoffice
Reading profile /home/user1/.config/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 14205, child pid 14206
Blacklist violations are logged to syslog
Child process initialized in 20.41 ms
No protocol specified
Failed to open display
[Java framework] Error in function createSettingsDocument (elements.cxx).
javaldx failed!
Warning: failed to read path from javaldx
No protocol specified

(process:19): dconf-CRITICAL **: unable to create directory '/run/user/1000/dconf': Not a directory.  dconf will not work properly.

Parent is shutting down, bye...
```

@bitfreak25 commented on GitHub (Jan 7, 2018):

@chiraag-nataraj I tested your libreoffice.txt file by using its content in /etc/firejail/libreoffice.profile. But it gives the same error message.


@chiraag-nataraj commented on GitHub (Jan 8, 2018):

Hmm, that's weird. I have the exact same versions of both libreoffice and firejail, yet the profile I attached works for me. So this means the protocol problem is just an incidental thing (I use `net none` in my profile, so I don't bother filtering the protocols).

What happens if you use `--trace` or `--debug`? Does it give any more information?


@chrsmrtnx commented on GitHub (Jan 21, 2018):

I have a likely related issue on Debian testing.

If I run "firejail libreoffice example.ods" (or try to load any other document) I get a little pop-up telling me "Write Error. The file could not be written." and then libreoffice exits. To be clear, I can run "firejail libreoffice" and it starts normally. But it fails with "Write Error. The file could not be written." when I then select a document to open.

I can work-around the problem by commenting out "private-tmp" from libreoffice.profile .


@ghost commented on GitHub (Mar 26, 2018):

Same problem here, need to disable the following

nonewprivs
noroot
protocol unix,inet,inet6
seccomp

Any news on when this is getting fixed?


@netblue30 commented on GitHub (Mar 27, 2018):

Still fighting with it. I put a fix in to allow Java, it was crashing it on some distros. Go in /etc/firejail/libreoffice.profile and comment out (add a #) this line:

```
#include /etc/firejail/disable-devel.inc
```

Try to see if this works. Also some questions:

Does it work if you start lowriter directly (type "lowriter" in a terminal)?
What video card are you using and what video drivers?


@ghost commented on GitHub (Mar 27, 2018):

Hmm, actually it doesn't work. I made a mistake and didn't start LibreOffice with firejail.

Commenting that line doesn't work for me.


@ghost commented on GitHub (Apr 7, 2018):

I have the same issue here on Kubuntu 17.10 with libreoffice 6.0.2.1 from the ppa (firejail version 0.9.50).

```
XXX@XXX:~$ firejail libreoffice
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 19569, child pid 19570
Blacklist violations are logged to syslog
Child process initialized in 110.89 ms
Warning: an existing sandbox was detected. /usr/bin/libreoffice will run without any additional sandboxing features
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...
```

I tried amarildojr's temp' fix and it works, although I do not need to disable noroot for it to work. Only disabling nonewprivs, protocol unix,inet,inet6 and seccomp makes it work for me. Commenting out disable-devel.inc does not fix it.


@smitsohu commented on GitHub (Apr 7, 2018):

Could also be symptoms of an AppArmor policy with profile transition. Can someone please try if `firejail --apparmor libreoffice` helps? Or, alternatively, run `sudo aa-disable <profilename>`, in case there are enforced libreoffice profiles. I'm on a different system at the moment and can't try myself.


@ghost commented on GitHub (Apr 7, 2018):

I reverted libreoffice.profile to original state and tested:

```
XXX@XXX:~$ firejail --apparmor libreoffice
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 6438, child pid 6439
Blacklist violations are logged to syslog
Child process initialized in 101.95 ms
Warning: an existing sandbox was detected. /usr/bin/libreoffice will run without any additional sandboxing features
LibreOffice(20)/kdeui (kdelibs): Session bus not found
To circumvent this problem try the following command (with Linux and bash)
export $(dbus-launch)

Parent is shutting down, bye...
```

Adding `export $(dbus-launch)` to .bashrc does not change the message nor allows LO to start.


@smitsohu commented on GitHub (Apr 8, 2018):

@amartos Thanks. While it doesn't provide insight regarding the original issue, this is interesting because we were planning to enable `apparmor` and the new `nodbus` option by default for LibreOffice. I guess we might need to reconsider it :)

Would you please try it with temporarily disabling apparmor for libreoffice? Or else, could someone on Debian testing give it a try?


@ghost commented on GitHub (Apr 8, 2018):

(Not a power user here, so playing with apparmor is something I barely understand, sorry)

```
root@XXX:~# aa-disable usr.lib.libreoffice.program.soffice.bin
Disabling /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin.
root@XXX:~# exit
exit
XXX@XXX:~$ firejail libreoffice
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 22670, child pid 22671
Blacklist violations are logged to syslog
Child process initialized in 343.57 ms
Warning: an existing sandbox was detected. /usr/bin/libreoffice will run without any additional sandboxing features
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...
```

Does nothing. :/ There were multiple profiles for libreoffice, but `aa-disable libreoffice` wouldn't work, so I did it only for the executable. Hope it helps anyway.


@Panzerfather commented on GitHub (Apr 16, 2018):

We ran into the same problem on Fedora-Systems where apparmor isn't even installed. So we tried some different options and after only commenting this line libreoffice successfully starts like in V0.9.50.

```
#include /etc/firejail/whitelist-var-common.inc
```

So it seems that libreoffice needs at least one more directory to be whitelisted to function correctly.


@HotelBellaMuerte commented on GitHub (Apr 17, 2018):

@smitsohu @Panzerfather
it happens here too (manjaro KDE, linux416)


@Panzerfather commented on GitHub (Apr 19, 2018):

@bn0785ac
Pull https://github.com/netblue30/firejail/pull/1894 doesn't fix the problem on Fedora 27 for us. Tested on various PCs. Only commenting the whitelist-var-common include lets libreoffice start.

So that it looks like this:

```
#include /etc/firejail/whitelist-var-common.inc
```

All other fixes aren't needed for Fedora 27 to run libreoffice successfully. It seems like libreoffice is missing a whitelist path for javaldx.


@smitsohu commented on GitHub (Apr 20, 2018):

@bn0785ac Does the solution of @Panzerfather work for you?


@Panzerfather commented on GitHub (May 6, 2018):

After updating to the latest profile, the problem still exists on Fedora 27+28 for us. So we did some more tracing to get this problem fixed.

All we have to comment in the profile to let libreoffice run just like in 0.9.50 are the following lines:

-> fixes the "javaldx failed!" error, because it doesn't blacklist the other directories:
`#include /etc/firejail/whitelist-var-common.inc`

-> fixes the menu bar which isn't shown when active:
`#nodbus`

All other options which have to be commented for Ubuntu/Debian can be uncommented and libreoffice works in Fedora.

So we ran firejail with debug and trace to get a deeper look at where it's failing and we found the following error:

```
/usr/lib64/libreoffice/program/soffice: line 52: cd: $'10:dirname:exec /usr/bin/dirname:0\n/usr/lib64/libreoffice/program': No such file or directory
```

The file exists, but firejail seems to lock the access for libreoffice. We tried some solutions to noblacklist|whitelist the path, but either firejail ignores it (noblacklist) or returns an invalid whitelist path error (whitelist). Also solutions like read-only don't seem to work.

So we took a quick review of the source code and it seems that firejail is rejecting whitelisting paths like /usr/lib{,32,64}.

Is there a special command to let the program have access to these paths?


@smitsohu commented on GitHub (May 7, 2018):

@panzerfather In case you have strace installed, could you try something like `strace -y /usr/bin/libreoffice 2>&1 | grep /var`? The question is then if this yields paths that are not covered in /etc/firejail/whitelist-var-common.inc. You can also attach the output here if you want.
(command edited)
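
The comparison suggested in the comment above (which `/var` paths in the `strace -y` output are not covered by the `whitelist` lines of the include file), as an added example that is not part of the original thread or of firejail's code. The trace lines and the include contents are constructed samples; the sketch assumes a path is covered when it equals or lies beneath a whitelisted entry, and it does not resolve symlinks or follow nested includes.

```python
import posixpath
import re

# A quoted syscall argument that is /var or a path beneath it.
QUOTED_ARG = re.compile(r'"(/var(?:/[^"]*)?)"')
# With `strace -y`, file descriptors are annotated as fd</path>.
FD_ANNOTATION = re.compile(r'\d+<(/var(?:/[^>]*)?)>')

# Constructed sample of `strace -y` output (not taken from the thread).
SAMPLE_STRACE = r'''
openat(AT_FDCWD, "/var/cache/fontconfig/a1b2.cache-7", O_RDONLY|O_CLOEXEC) = 5</var/cache/fontconfig/a1b2.cache-7>
stat("/var/lib/example-jvm/jvm.cfg", 0x7ffc0a1b2c30) = -1 ENOENT (No such file or directory)
read(7</var/tmp/example.tmp/state>, "", 4096) = 0
access("/variable/unrelated", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/libreoffice/program/soffice", O_RDONLY) = 6</usr/lib64/libreoffice/program/soffice>
'''.splitlines()

# Constructed stand-in for /etc/firejail/whitelist-var-common.inc.
SAMPLE_INCLUDE = '''
# constructed sample, not the real include file
whitelist /var/cache/fontconfig
whitelist /var/tmp
'''.splitlines()


def var_paths_from_strace(lines):
    """Collect every normalized path strictly below /var that the trace mentions."""
    found = set()
    for line in lines:
        for raw in QUOTED_ARG.findall(line) + FD_ANNOTATION.findall(line):
            path = posixpath.normpath(raw)
            if path.startswith("/var/"):
                found.add(path)
    return found


def whitelist_entries(profile_lines):
    """Return the absolute paths named by `whitelist` lines of a profile."""
    entries = []
    for raw in profile_lines:
        line = raw.strip()
        if line.startswith("#"):
            continue  # comment, e.g. a disabled "#include ..." line
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "whitelist" and parts[1].startswith("/"):
            entries.append(posixpath.normpath(parts[1]))
    return entries


def is_covered(path, entries):
    """A path is covered if it equals a whitelisted entry or lies beneath one."""
    return any(path == e or path.startswith(e.rstrip("/") + "/") for e in entries)


def uncovered_var_paths(strace_lines, profile_lines):
    """Sorted /var paths from the trace that no whitelist entry covers."""
    entries = whitelist_entries(profile_lines)
    return sorted(p for p in var_paths_from_strace(strace_lines)
                  if not is_covered(p, entries))


if __name__ == "__main__":
    for path in uncovered_var_paths(SAMPLE_STRACE, SAMPLE_INCLUDE):
        print("not whitelisted:", path)
```

To run it on real data, pass the lines of a saved trace and of the include file to `uncovered_var_paths` in place of the two samples.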


@Panzerfather commented on GitHub (May 7, 2018):

@smitsohu Thanks for the hint, which pointed us in the right direction for a fix in Fedora 27/28. Currently undergoing tests and soon be available as a pull request. 😄


@chiraag-nataraj commented on GitHub (Jul 22, 2018):

Is this fixed now?


@chiraag-nataraj commented on GitHub (Jul 24, 2018):

Closing for now. Please feel free to re-open if the issue is not fixed.
