Easily reproducible:

    $ setpriv --no-new-privs libreoffice
    Warning: failed to launch javaldx - java may not function correctly
    ERROR 4 forking process
Would you mind filing a bug upstream (this is where the apparmor profiles are maintained)?
https://bugs.documentfoundation.org/enter_bug.cgi?product=LibreOffice

** Changed in: libreoffice (Ubuntu)
       Status: New => Confirmed

** Changed in: libreoffice (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libreoffice in Ubuntu.
https://bugs.launchpad.net/bugs/1773497

Title:
  libreoffice fails when launched with no_new_privs

Status in libreoffice package in Ubuntu:
  Confirmed

Bug description:
  If you exec libreoffice with no_new_privs (e.g. by running it under rr,
  https://rr-project.org/), the launch fails. It tries to exec
  /usr/lib/libreoffice/program/javaldx, but the exec returns EPERM because
  AppArmor has libreoffice in the libreoffice-oopslash profile, while
  /usr/lib/libreoffice/program/javaldx is unconfined, and transitioning to
  unconfined is not allowed with no_new_privs *even though the
  libreoffice-oopslash profile is only in complain mode*. (See
  profile_onexec in security/apparmor/domain.c... not clear whether
  enforcing this in complain mode is an AppArmor bug or not.)

  Maybe this could be fixed by putting /usr/lib/libreoffice/program/javaldx
  in the same confinement profile as libreoffice-oopslash?

  Ubuntu 18.04 LTS, libreoffice 6.0.3-0ubuntu1
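The failure the bug describes is a plain kernel-level symptom: once a process carries no_new_privs, an exec that would change its AppArmor profile (here, confined-in-complain-mode to unconfined) is refused with EPERM before the new image is even loaded. The program below is an added example for checking that on a specific binary without setpriv or rr; it is not code from the bug thread, from LibreOffice or from Ubuntu. It forks, sets PR_SET_NO_NEW_PRIVS in the child (the same flag setpriv --no-new-privs sets), execs the target, and reports over a close-on-exec pipe whether the exec itself was refused (and with which errno) or the program ran and what it exited with. The default target path is the javaldx path quoted in the bug; the struct, function and helper names are this example's own, and the /proc/self/status reader is there to confirm the flag is really set before blaming a profile transition.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of exec'ing a program in a child that has no_new_privs set. */
struct nnp_result {
    int exec_errno;  /* errno from execv in the child; 0 when the exec went through */
    int exit_status; /* child's exit status when the exec went through, else -1 */
};

/* Child side: hand errno back to the parent over the pipe, then exit. */
static void report_and_exit(int fd, int err) {
    ssize_t ignored = write(fd, &err, sizeof err);
    (void)ignored;
    _exit(127);
}

/* Fork, set PR_SET_NO_NEW_PRIVS in the child, then execv(path, argv).
 * An exec failure is reported over an O_CLOEXEC pipe, so the parent can tell
 * "the kernel refused the exec" (EPERM from an LSM transition check, ENOENT
 * for a missing binary, ...) apart from "the program ran and exited".
 * A successful exec closes the pipe and the parent reads EOF instead. */
struct nnp_result run_with_no_new_privs(const char *path, char *const argv[]) {
    struct nnp_result r = { .exec_errno = 0, .exit_status = -1 };
    int pipefd[2];

    if (pipe2(pipefd, O_CLOEXEC) != 0) {
        r.exec_errno = errno;
        return r;
    }
    pid_t pid = fork();
    if (pid < 0) {
        r.exec_errno = errno;
        close(pipefd[0]);
        close(pipefd[1]);
        return r;
    }
    if (pid == 0) {
        close(pipefd[0]);
        /* The flag is inherited across fork and exec, like setpriv's. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
            report_and_exit(pipefd[1], errno);
        execv(path, argv);
        report_and_exit(pipefd[1], errno); /* only reached when execv failed */
    }
    close(pipefd[1]);

    int child_errno = 0;
    ssize_t n = read(pipefd[0], &child_errno, sizeof child_errno);
    close(pipefd[0]);

    int status = 0;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
        ;
    if (n == (ssize_t)sizeof child_errno)
        r.exec_errno = child_errno;
    else if (WIFEXITED(status))
        r.exit_status = WEXITSTATUS(status);
    return r;
}

/* NoNewPrivs field of /proc/self/status for the caller (0 or 1), or -1 if
 * the kernel does not expose it. */
int read_no_new_privs_flag(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11); /* atoi skips the tab after the colon */
            break;
        }
    }
    fclose(f);
    return value;
}

int main(int argc, char **argv) {
    /* Default target: the javaldx path from the bug report. */
    char *const default_argv[] = { "/usr/lib/libreoffice/program/javaldx", NULL };
    const char *path = argc > 1 ? argv[1] : default_argv[0];
    char *const *args = argc > 1 ? argv + 1 : default_argv;

    struct nnp_result r = run_with_no_new_privs(path, args);
    if (r.exec_errno != 0)
        printf("exec of %s under no_new_privs refused: %s\n", path, strerror(r.exec_errno));
    else
        printf("%s ran under no_new_privs, exit status %d\n", path, r.exit_status);
    return r.exec_errno != 0;
}
```

Run it as `./nnpcheck /usr/lib/libreoffice/program/javaldx` on the affected system and the refusal shows up as EPERM with no AppArmor DENIED line, which is exactly why the symptom looks like a forking failure from LibreOffice's side; on a system where the profile transition is allowed, or where the target is in the same profile as its parent, the binary simply runs and its exit status is reported.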