[GH-ISSUE #1917] LibreOffice won't start on Ubuntu 18.04 #1283

Closed
opened 2026-05-05 07:47:18 -06:00 by gitea-mirror · 13 comments

Originally created by @derba on GitHub (Apr 29, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1917

```
$ libreoffice
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 21258, child pid 21259
Blacklist violations are logged to syslog
Child process initialized in 77.09 ms
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...
```

```
$ journalctl | tail
ápr 29 19:33:20 Lapi audit[20977]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/firejail/mnt/fslogger" pid=20977 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ápr 29 19:33:20 Lapi kernel: audit: type=1400 audit(1525023200.547:90): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/firejail/mnt/fslogger" pid=20977 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ápr 29 19:33:20 Lapi audit[20991]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/javaldx" pid=20991 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
ápr 29 19:33:20 Lapi audit[20993]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=20993 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"
ápr 29 19:33:20 Lapi kernel: audit: type=1400 audit(1525023200.563:91): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/javaldx" pid=20991 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
ápr 29 19:33:20 Lapi kernel: audit: type=1400 audit(1525023200.563:92): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=20993 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"
```

```
$ /usr/bin/libreoffice --version
LibreOffice 6.0.3.2 00m0(Build:2)

$ firejail --version
firejail version 0.9.52

Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- bind support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- git install support is disabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
```

Could you help me resolve the issue?

@Vincent43 commented on GitHub (Apr 29, 2018):

Those logs indicate that libreoffice is contained in an AppArmor profile, but in complain state, which can still interfere with firejail. Can you try running `firejail --apparmor libreoffice`, which should force using the firejail-default AppArmor profile instead of the libreoffice one?

Also if you don't use java with libreoffice you can start it unsandboxed and disable java.

@Fred-Barclay commented on GitHub (Apr 29, 2018):

@Vincent43 I've just tested and `firejail --apparmor libreoffice` does work for my Ubuntu 18.04 vm. Funny thing was, so did 00b91bf1cb when building firejail from source (and w/o apparmor support). It'd sure be nice if we can fix this with just `apparmor`.

@smitsohu commented on GitHub (Apr 30, 2018):

This leaves us with an interesting choice. Since libreoffice-kde has been ported away from old kdelibs4 particularly late (afaik only coming LibreOffice 6.1), `apparmor` breaks it currently on Kubuntu (due to missing D-Bus).

@netblue30 commented on GitHub (Apr 30, 2018):

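They are bringing in their own apparmor profile for libreoffice, so we need to disable ours. With this fix [a6c97ef348](https://github.com/netblue30/firejail/commit/a6c97ef348046929a7d8528d10c0949fd64c9b62) and the previous one [00b91bf1cb](https://github.com/netblue30/firejail/commit/00b91bf1cb1e04d405990ae7b2395386c7fde3fe) from @Fred-Barclay we should be all set.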

@derba can you grab the version from mainline git and give it a try? All you have to do is the following:

```
$ sudo apt-get install build-essential git
$ git clone https://github.com/netblue30/firejail
$ cd firejail
$ ./configure && make && sudo make install
$ sudo firecfg
```

Thanks.

@derba commented on GitHub (May 1, 2018):

It works fine.

@derba commented on GitHub (May 1, 2018):

I played with the profile a bit. It seems that commenting out `nonewprivs` solved the actual issue. When I put back `apparmor` LO works fine.
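
The journal lines from this thread can be triaged as follows, as an added example that is not part of the original issue: it parses AppArmor audit records and lists exec events that carry `info="no new privs"` with a non-zero `error`, as seen here under a complain-mode profile (`apparmor="ALLOWED"`). The function names are hypothetical; the sample records are copied from the issue's journal output, plus one constructed non-AppArmor line.

```python
import re

# Sample input: four records copied from the issue, one constructed unrelated line.
SAMPLE = '''\
ápr 29 19:33:20 Lapi audit[20977]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/firejail/mnt/fslogger" pid=20977 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
ápr 29 19:33:20 Lapi audit[20991]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/javaldx" pid=20991 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
ápr 29 19:33:20 Lapi audit[20993]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=20993 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"
ápr 29 19:33:20 Lapi kernel: audit: type=1400 audit(1525023200.563:91): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/javaldx" pid=20991 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
ápr 29 19:33:21 Lapi example[1]: constructed line without an audit record
'''

# key=value pairs; values are either double-quoted or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_avc(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def nnp_exec_events(lines):
    """Unique exec records flagged 'no new privs' with a non-zero error.

    The journal carries each event twice (audit[...] and kernel: audit:),
    so results are de-duplicated and sorted.
    """
    hits = set()
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec.get("operation") == "exec"
                and rec.get("info") == "no new privs"
                and rec.get("error", "0") != "0"):
            hits.add((rec["apparmor"], rec["profile"], rec["name"], rec.get("target")))
    return sorted(hits)

if __name__ == "__main__":
    for mode, profile, binary, target in nnp_exec_events(SAMPLE.splitlines()):
        print(f"{mode}: {profile} -> {target} on exec of {binary}")
```
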

@Vincent43 commented on GitHub (May 1, 2018):

@netblue30 keep in mind that libreoffice AppArmor profile is in complain mode by default so it doesn't do anything except printing logs and breaking firejail. I doubt it will be force enabled in ubuntu bionic lifetime. I wonder if we should enable dbus in firejail apparmor profile and control it with `nodbus` option instead which can be used per profile instead of globally.

@netblue30 commented on GitHub (May 2, 2018):

I'll do a release in the next two/three weeks with what we have now. After that we move to enable dbus in firejail apparmor profile as you suggested.

@smitsohu commented on GitHub (May 12, 2018):

Since AppArmor allows pretty fine-grained control of D-Bus, maybe we can try to blacklist some interfaces? Thinking of stuff like NetworkManager and WPASupplicant on system bus, or terminals and scriptable window managers on the session bus. We won't be able to blacklist everything that's dangerous, but limiting an attacker's toolkit to some extent should be still possible.

@smitsohu commented on GitHub (Aug 21, 2018):

Now that we don't restrict D-Bus anymore in our Apparmor profile, shouldn't it be possible to enable everything back in the Libreoffice profile?

@Vincent43 commented on GitHub (Aug 21, 2018):

Yeah, we may try 😄

@smitsohu commented on GitHub (Aug 22, 2018):

You convinced me 😄 Let's see if we find the courage during the next development cycle...

@smitsohu commented on GitHub (Aug 22, 2018):

Sending the issue back to sleep
