This also affects firejail:
https://github.com/netblue30/firejail/issues/1917

** Bug watch added: github.com/netblue30/firejail/issues #1917
   https://github.com/netblue30/firejail/issues/1917

https://bugs.launchpad.net/bugs/1773497

Title:
  libreoffice fails when launched with no_new_privs

Status in libreoffice package in Ubuntu:
  New

Bug description:
  If you exec libreoffice with no_new_privs (e.g. by running it under
  rr, https://rr-project.org/), the launch fails. It tries to exec
  /usr/lib/libreoffice/program/javaldx, but the exec returns EPERM
  because AppArmor has libreoffice in the libreoffice-oopslash profile,
  while /usr/lib/libreoffice/program/javaldx is unconfined, and
  transitioning to unconfined is not allowed with no_new_privs *even
  though the libreoffice-oopslash profile is only in complain mode*.
  (See profile_onexec in security/apparmor/domain.c... not clear whether
  enforcing this in complain mode is an AppArmor bug or not.)

  Maybe this could be fixed by putting
  /usr/lib/libreoffice/program/javaldx in the same confinement profile
  as libreoffice-oopslash?

  Ubuntu 18.04 LTS, libreoffice 6.0.3-0ubuntu1
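
A minimal launcher for reproducing the condition in the bug description without rr, as an added example that is not part of the bug report: it sets no_new_privs on itself with prctl(2), prints its AppArmor label, and execs the given program. The file name `nnp_exec.c` and the function names are assumptions made for this example.

```c
/* nnp_exec.c (hypothetical name): added example, not from the bug report. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Read this process's AppArmor label, e.g. "unconfined" or
 * "some-profile (complain)". Returns 0 on success, -1 if unavailable. */
int current_label(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (!f) return -1;
    char *ok = fgets(buf, (int)len, f);
    fclose(f);
    if (!ok) return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Set the no_new_privs bit (cannot be cleared; inherited across fork and
 * exec). Returns the value read back: 1 if set, -1 on error. */
int enable_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Exec argv[0] with no_new_privs set. Only returns if something failed;
 * the return value is the errno of the failing call. */
int exec_with_nnp(char *const argv[])
{
    if (enable_no_new_privs() != 1)
        return errno;
    execvp(argv[0], argv);
    return errno;
}

int main(int argc, char **argv)
{
    char label[256];
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    if (current_label(label, sizeof label) == 0)
        fprintf(stderr, "AppArmor label before exec: %s\n", label);
    int err = exec_with_nnp(argv + 1);
    fprintf(stderr, "exec %s: %s\n", argv[1], strerror(err));
    return err == EPERM ? 1 : 127;
}
```

Run as `./nnp_exec libreoffice`. The refused exec of javaldx described above happens inside the launched process, so it appears in that process's behaviour or in an exec trace, not in this launcher's exit status.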
