[GH-ISSUE #379] Could you add Profiles for Libreoffice and wps-office?

gitea-mirror commented

2026-05-05 05:28:41 -06:00

Owner

Originally created by @HighIO on GitHub (Mar 23, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/379

Hi There, I run:

$ strace -qcf wps   [et,wpp,libreoffice]
$ firejail --noprofile --shell=none --seccomp.keep=pool,wait4,futex,restart_syscall,poll,ftruncate,stat,recvmsg,lstat,read,mmap,[...]

Warning: syscall pool not found
Error: cannot establish communication with the parent, exiting...

How can I get it work? Or anyone use firejail to jail an Office Suite, please share it.
THX

Originally created by @HighIO on GitHub (Mar 23, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/379 Hi There, I run: ``` $ strace -qcf wps [et,wpp,libreoffice] $ firejail --noprofile --shell=none --seccomp.keep=pool,wait4,futex,restart_syscall,poll,ftruncate,stat,recvmsg,lstat,read,mmap,[...] ``` > Warning: syscall pool not found > Error: cannot establish communication with the parent, exiting... How can I get it work? Or anyone use firejail to jail an Office Suite, please share it. THX

gitea-mirror

2026-05-05 05:28:41 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 05:28:48 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Mar 24, 2016):

So I haven't tried to restrict it quite so heavily because I found a much easier solution - blacklist internet access. Here's my libreoffice profile:

whitelist ${HOME}/Documents
whitelist ${HOME}/.config/libreoffice
whitelist ${HOME}/.config/gtk-3.0
whitelist ${HOME}/.gtkrc-2.0
whitelist ${HOME}/.gtkrc.mine
blacklist /opt
blacklist /boot
blacklist /media
blacklist /mnt
private-dev
private-bin sh,libreoffice,dirname,grep,uname,ls,sed,pwd,basename
private-etc libreoffice,fonts,passwd,alternatives,X11
caps.drop all
noroot
nogroups
shell none
net none
seccomp

Note that if you're using firejail stable, you'll have to make /usr/bin/libreoffice into a shell script (or make a new one in /usr/local/bin) that runs /usr/lib/libreoffice/program/soffice.bin.

@chiraag-nataraj commented on GitHub (Mar 24, 2016): So I haven't tried to restrict it quite so heavily because I found a much easier solution - blacklist internet access. Here's my libreoffice profile: ``` whitelist ${HOME}/Documents whitelist ${HOME}/.config/libreoffice whitelist ${HOME}/.config/gtk-3.0 whitelist ${HOME}/.gtkrc-2.0 whitelist ${HOME}/.gtkrc.mine blacklist /opt blacklist /boot blacklist /media blacklist /mnt private-dev private-bin sh,libreoffice,dirname,grep,uname,ls,sed,pwd,basename private-etc libreoffice,fonts,passwd,alternatives,X11 caps.drop all noroot nogroups shell none net none seccomp ``` Note that if you're using firejail stable, you'll have to make `/usr/bin/libreoffice` into a shell script (or make a new one in `/usr/local/bin`) that runs `/usr/lib/libreoffice/program/soffice.bin`.

gitea-mirror commented

2026-05-05 05:28:50 -06:00

Author

Owner

@curiosity-seeker commented on GitHub (Mar 24, 2016):

@chiraag-nataraj : I think blacklisting internet access is a bit problematic as you won't be able to install/update extensions. My profile on Manjaro with Plasma 5 is:

include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-terminals.inc
whitelist ~/.config/libreoffice
whitelist ~/.kde4/share/config/LibreOfficerc
whitelist ~/Dokumente
whitelist ~/Office
include /etc/firejail/whitelist-common.inc
caps.drop all
seccomp
protocol unix,inet,inet6,netlink
netfilter
noroot
shell none

Whitelist globbing as suggested in #216 would make things easier, of course.

@curiosity-seeker commented on GitHub (Mar 24, 2016): @chiraag-nataraj : I think blacklisting internet access is a bit problematic as you won't be able to install/update extensions. My profile on Manjaro with Plasma 5 is: ``` include /etc/firejail/disable-mgmt.inc include /etc/firejail/disable-secret.inc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-terminals.inc whitelist ~/.config/libreoffice whitelist ~/.kde4/share/config/LibreOfficerc whitelist ~/Dokumente whitelist ~/Office include /etc/firejail/whitelist-common.inc caps.drop all seccomp protocol unix,inet,inet6,netlink netfilter noroot shell none ``` Whitelist globbing as suggested in #216 would make things easier, of course.

gitea-mirror commented

2026-05-05 05:28:52 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Mar 24, 2016):

@curiosity-seeker : Since extensions don't need to be updated every single time you use LibreOffice, I would actually suggest using net none in the profile and using --ignore=net if you want to update your extensions. This is mainly because malicious macros could connect to remote servers if you always enable network access.

@chiraag-nataraj commented on GitHub (Mar 24, 2016): @curiosity-seeker : Since extensions don't need to be updated every single time you use LibreOffice, I would actually suggest using `net none` in the profile and using `--ignore=net` if you want to update your extensions. This is mainly because malicious macros could connect to remote servers if you always enable network access.

gitea-mirror commented

2026-05-05 05:28:54 -06:00

Author

Owner

@nick75e commented on GitHub (Mar 24, 2016):

Hi!
@chiraag-nataraj : Does the profile in your first post work? Because when I use private-etc, LibreOffice fails with this error:

/usr/lib/libreoffice/program/soffice.bin: error while loading shared libraries:
libGL.so.1: cannot open shared object file: No such file or directory

Do you have a solution?

@nick75e commented on GitHub (Mar 24, 2016): Hi! @chiraag-nataraj : Does the profile in your first post work? Because when I use `private-etc`, LibreOffice fails with this error: ``` /usr/lib/libreoffice/program/soffice.bin: error while loading shared libraries: libGL.so.1: cannot open shared object file: No such file or directory ``` Do you have a solution?

gitea-mirror commented

2026-05-05 05:28:56 -06:00

Author

Owner

@curiosity-seeker commented on GitHub (Mar 24, 2016):

@chiraag-nataraj : Yes, you're right, and I will implement that, too. However, I wonder if that setting would be appropriate for a pre-defined profile that comes with Firejail as it might break important functionalities for many users who wouldn't expect that. Perhaps @netblue30 should add a comment to temporarily disable this switch for installing/updating extensions. That might be the best compromise.

EDIT: A nice enhancement would be a switch like

--net-urlallowed=http://extensions.libreoffice.org/

@curiosity-seeker commented on GitHub (Mar 24, 2016): @chiraag-nataraj : Yes, you're right, and I will implement that, too. However, I wonder if that setting would be appropriate for a pre-defined profile that comes with Firejail as it might break important functionalities for many users who wouldn't expect that. Perhaps @netblue30 should add a comment to temporarily disable this switch for installing/updating extensions. That might be the best compromise. EDIT: A nice enhancement would be a switch like --net-urlallowed=http://extensions.libreoffice.org/

gitea-mirror commented

2026-05-05 05:28:59 -06:00

Author

Owner

@curiosity-seeker commented on GitHub (Mar 24, 2016):

@chiraag-nataraj : Could you explain why you didn't add the various *.inc files to your profile?

@curiosity-seeker commented on GitHub (Mar 24, 2016): @chiraag-nataraj : Could you explain why you didn't add the various *.inc files to your profile?

gitea-mirror commented

2026-05-05 05:29:01 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Mar 24, 2016):

@curiosity-seeker : I didn't include the default ones because I'm using whitelist instead of blacklist - that is, they'd merely be redundant (all of the files that it blocks wouldn't be available anyway due to things like private-etc, private-bin, and so on)

@nick75e : That's odd...it works for me (I use the profile all the time). My profile doesn't restrict access to libraries at all, so it sounds like that's a libreoffice issue. Does libreoffice work if you launch it without firejail? Another thought is this: try disabling private-bin and see if it works.

@chiraag-nataraj commented on GitHub (Mar 24, 2016): @curiosity-seeker : I didn't include the default ones because I'm using whitelist instead of blacklist - that is, they'd merely be redundant (all of the files that it blocks wouldn't be available anyway due to things like private-etc, private-bin, and so on) @nick75e : That's odd...it works for me (I use the profile all the time). My profile doesn't restrict access to libraries at all, so it sounds like that's a libreoffice issue. Does libreoffice work if you launch it without firejail? Another thought is this: try disabling private-bin and see if it works.

gitea-mirror commented

2026-05-05 05:29:03 -06:00

Author

Owner

@nick75e commented on GitHub (Mar 24, 2016):

It works without Firejail. It also works with and without private-bin

@nick75e commented on GitHub (Mar 24, 2016): It works without Firejail. It also works with and without `private-bin`

gitea-mirror commented

2026-05-05 05:29:06 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Mar 24, 2016):

@nick75e : So it works now?

@chiraag-nataraj commented on GitHub (Mar 24, 2016): @nick75e : So it works now?

gitea-mirror commented

2026-05-05 05:29:08 -06:00

Author

Owner

@curiosity-seeker commented on GitHub (Mar 24, 2016):

@chiraag-nataraj

I didn't include the default ones because I'm using whitelist instead of blacklist - that is, they'd merely be redundant (all of the files that it blocks wouldn't be available anyway due to things like private-etc, private-bin, and so on)

I'm not sure if private-bin etc. covers everything blacklisted in the .inc files, e.g. the various /var subfolders.

@curiosity-seeker commented on GitHub (Mar 24, 2016): @chiraag-nataraj > I didn't include the default ones because I'm using whitelist instead of blacklist - that is, they'd merely be redundant (all of the files that it blocks wouldn't be available anyway due to things like private-etc, private-bin, and so on) I'm not sure if private-bin etc. covers everything blacklisted in the .inc files, e.g. the various /var subfolders.

gitea-mirror commented

2026-05-05 05:29:10 -06:00

Author

Owner

@nick75e commented on GitHub (Mar 24, 2016):

@chiraag-nataraj

So it works now?

Using both or only private-etc doesn't but using only private-bin works.

@nick75e commented on GitHub (Mar 24, 2016): @chiraag-nataraj > So it works now? Using both or only `private-etc` doesn't but using only `private-bin` works.

gitea-mirror commented

2026-05-05 05:29:12 -06:00

Author

Owner

@curiosity-seeker commented on GitHub (Mar 24, 2016):

For me it works with the 3 private-* entries. I also kept the *.inc files, redundant or not.

@curiosity-seeker commented on GitHub (Mar 24, 2016): For me it works with the 3 private-\* entries. I also kept the *.inc files, redundant or not.

gitea-mirror commented

2026-05-05 05:29:16 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Mar 24, 2016):

@curiosity-seeker : Hmmm...I guess so. I guess I gave myself some leeway with the profile since I never allow it to access the internet.
@nick75e : Hmmm...that's interesting. I don't have that problem on my computer. Can you try running firejail with the --debug and --trace options (with private-etc enabled)?

@chiraag-nataraj commented on GitHub (Mar 24, 2016): @curiosity-seeker : Hmmm...I guess so. I guess I gave myself some leeway with the profile since I never allow it to access the internet. @nick75e : Hmmm...that's interesting. I don't have that problem on my computer. Can you try running firejail with the `--debug` and `--trace` options (with `private-etc` enabled)?

gitea-mirror commented

2026-05-05 05:29:19 -06:00

Author

Owner

@nick75e commented on GitHub (Mar 24, 2016):

@chiraag-nataraj Here's the log for LibreOffice.

@nick75e commented on GitHub (Mar 24, 2016): @chiraag-nataraj Here's the log for [LibreOffice](http://pastebin.com/GingYTXR).

gitea-mirror commented

2026-05-05 05:29:20 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Mar 24, 2016):

@nick75e what are the contents of white.inc and common.inc? I'm assuming you're using the same libreoffice profile I posted, so the only differences should be whatever's in white.inc and common.inc.

@chiraag-nataraj commented on GitHub (Mar 24, 2016): @nick75e what are the contents of white.inc and common.inc? I'm assuming you're using the same libreoffice profile I posted, so the only differences should be whatever's in `white.inc` and `common.inc`.

gitea-mirror commented

2026-05-05 05:29:22 -06:00

Author

Owner

@nick75e commented on GitHub (Mar 24, 2016):

white.inc

whitelist ~/.config/user-dirs.dirs
read-only ~/.config/user-dirs.dirs
whitelist ~/.config/user-dirs.locale
read-only ~/.config/user-dirs.locale
whitelist ~/.fonts
read-only ~/.fonts
whitelist ~/.config/gtk-3.0
read-only ~/.config/gtk-3.0
whitelist ~/.gtkrc-2.0
read-only ~/.gtkrc-2.0

common.inc

netfilter
caps.drop all
seccomp set_thread_area,tuxcall,reboot,nfsservctl,get_kernel_syms,mknod,personality
noroot
nogroups
protocol unix,inet
shell none
private-dev
private-tmp

var

blacklist /var/backup
blacklist /var/spool/cron
blacklist /var/spool/anacron
blacklist /var/run/acpid.socket
blacklist /var/run/minissdpd.sock
blacklist /var/run/rpcbind.sock
blacklist /var/run/mysqld/mysqld.sock
blacklist /var/run/mysql/mysqld.sock
blacklist /var/lib/mysqld/mysql.sock
blacklist /var/lib/mysql/mysql.sock
blacklist /var/run/docker.sock
blacklist /var/log

Dev tools

GCC

blacklist /usr/include

Perl

blacklist /usr/share/perl*

PHP

blacklist /usr/share/php*
blacklist /usr/lib/php*

Ruby

blacklist /usr/lib/ruby

Python

blacklist /usr/lib/python*
blacklist /usr/share/python

Java

blacklist /usr/share/java

Mono

blacklist /usr/lib/mono
blacklist /usr/share/mono

miscellaneous

blacklist /usr/bin/nemo
blacklist /usr/bin/xsel
blacklist /media
blacklist /vids
blacklist /opt

@nick75e commented on GitHub (Mar 24, 2016): > ## white.inc > > whitelist ~/.config/user-dirs.dirs > read-only ~/.config/user-dirs.dirs > whitelist ~/.config/user-dirs.locale > read-only ~/.config/user-dirs.locale > whitelist ~/.fonts > read-only ~/.fonts > whitelist ~/.config/gtk-3.0 > read-only ~/.config/gtk-3.0 > whitelist ~/.gtkrc-2.0 > read-only ~/.gtkrc-2.0 > > ## common.inc > > netfilter > caps.drop all > seccomp set_thread_area,tuxcall,reboot,nfsservctl,get_kernel_syms,mknod,personality > noroot > nogroups > protocol unix,inet > shell none > private-dev > private-tmp > > ### var > > blacklist /var/backup > blacklist /var/spool/cron > blacklist /var/spool/anacron > blacklist /var/run/acpid.socket > blacklist /var/run/minissdpd.sock > blacklist /var/run/rpcbind.sock > blacklist /var/run/mysqld/mysqld.sock > blacklist /var/run/mysql/mysqld.sock > blacklist /var/lib/mysqld/mysql.sock > blacklist /var/lib/mysql/mysql.sock > blacklist /var/run/docker.sock > blacklist /var/log > > ### Dev tools > > ### GCC > > blacklist /usr/include > > ### Perl > > blacklist /usr/share/perl* > > ### PHP > > blacklist /usr/share/php* > blacklist /usr/lib/php* > > ### Ruby > > blacklist /usr/lib/ruby > > ### Python > > blacklist /usr/lib/python* > blacklist /usr/share/python > > ### Java > > blacklist /usr/share/java > > ### Mono > > blacklist /usr/lib/mono > blacklist /usr/share/mono > > ### miscellaneous > > blacklist /usr/bin/nemo > blacklist /usr/bin/xsel > blacklist /media > blacklist /vids > blacklist /opt

gitea-mirror commented

2026-05-05 05:29:24 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Mar 25, 2016):

@nick75e I can't quite figure out what the issue is...can you try not including your common.inc and white.inc files and see if it works?

@chiraag-nataraj commented on GitHub (Mar 25, 2016): @nick75e I can't quite figure out what the issue is...can you try not including your `common.inc` and `white.inc` files and see if it works?

gitea-mirror commented

2026-05-05 05:29:26 -06:00

Author

Owner

@nick75e commented on GitHub (Apr 4, 2016):

Hi!
Sorry for the delay. I've finally made it work:

private-etc hosts,mime.types,fonts/,xdg/,gtk-3.0/,resolv.conf,X11/,gtk-2.0/,alternatives/,libreoffice/,cups/,passwd,ld.so.conf,ld.so.cache,ld.so.conf.d/,

the most important being ld.so.cache

@nick75e commented on GitHub (Apr 4, 2016): Hi! Sorry for the delay. I've finally made it work: ``` private-etc hosts,mime.types,fonts/,xdg/,gtk-3.0/,resolv.conf,X11/,gtk-2.0/,alternatives/,libreoffice/,cups/,passwd,ld.so.conf,ld.so.cache,ld.so.conf.d/, ``` the most important being `ld.so.cache`

gitea-mirror commented

2026-05-05 05:29:29 -06:00

Author

Owner

@curiosity-seeker commented on GitHub (Apr 7, 2016):

Interesting! For me the entries suggested by @chiraag-nataraj are sufficient.But it may differ from distro to distro. I'm using Manjaro.

@curiosity-seeker commented on GitHub (Apr 7, 2016): Interesting! For me the entries suggested by @chiraag-nataraj are sufficient.But it may differ from distro to distro. I'm using Manjaro.

gitea-mirror commented

2026-05-05 05:29:30 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Apr 16, 2016):

@nick75e Interesting...what distro do you use?

@chiraag-nataraj commented on GitHub (Apr 16, 2016): @nick75e Interesting...what distro do you use?

gitea-mirror commented

2026-05-05 05:29:32 -06:00

Author

Owner

@nick75e commented on GitHub (Apr 16, 2016):

I use Linux Mint but I installed Libreoffice from The Document Foundation's ppa which may be why your profile doesn't work for me.

@nick75e commented on GitHub (Apr 16, 2016): I use Linux Mint but I installed Libreoffice from The Document Foundation's [ppa](https://launchpad.net/~libreoffice/+archive/ubuntu/libreoffice-5-1) which may be why your profile doesn't work for me.

gitea-mirror commented

2026-05-05 05:29:34 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Apr 16, 2016):

@nick75e ah okay...yeah, maybe...

@chiraag-nataraj commented on GitHub (Apr 16, 2016): @nick75e ah okay...yeah, maybe...

gitea-mirror commented

2026-05-05 05:29:38 -06:00

Author

Owner

@nick75e commented on GitHub (Apr 19, 2016):

Oh and I forgot to mention but you have to allow python in private-bin, Libreoffice uses it to recover documents after a crash and it may also be used by some addons (but not sure).

@nick75e commented on GitHub (Apr 19, 2016): Oh and I forgot to mention but you have to allow python in `private-bin`, Libreoffice uses it to recover documents after a crash and it may also be used by some addons (but not sure).

gitea-mirror commented

2026-05-05 05:29:41 -06:00

Author

Owner

@netblue30 commented on GitHub (Jun 19, 2016):

I just put in profiles for all applications in LibreOffice.

@netblue30 commented on GitHub (Jun 19, 2016): I just put in profiles for all applications in LibreOffice.

Rows
Columns

[GH-ISSUE #379] Could you add Profiles for Libreoffice and wps-office? #271

white.inc

common.inc

var

Dev tools

GCC

Perl

PHP

Ruby

Python

Java

Mono

miscellaneous