Public bug reported:

If you exec libreoffice with no_new_privs (e.g. by running it under rr,
https://rr-project.org/), the launch fails. It tries to exec
/usr/lib/libreoffice/program/javaldx, but the exec returns EPERM because
AppArmor has libreoffice in the libreoffice-oopslash profile, while
/usr/lib/libreoffice/program/javaldx is unconfined, and transitioning to
unconfined is not allowed with no_new_privs *even though the
libreoffice-oopslash profile is only in complain mode*. (See
profile_onexec in security/apparmor/domain.c... not clear whether
enforcing this in complain mode is an AppArmor bug or not.)

Maybe this could be fixed by putting
/usr/lib/libreoffice/program/javaldx in the same confinement profile as
libreoffice-oopslash?

Ubuntu 18.04 LTS, libreoffice 6.0.3-0ubuntu1

** Affects: libreoffice (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1773497
Title:
libreoffice fails when launched with no_new_privs
Status in libreoffice package in Ubuntu:
New