https://bugs.documentfoundation.org/show_bug.cgi?id=117922

            Bug ID: 117922
           Summary: libreoffice fails when launched with no_new_privs, due
                    to AppArmor
           Product: LibreOffice
           Version: 6.0.3.2 release
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: LibreOffice
          Assignee: [email protected]
          Reporter: [email protected]

Description:
If you exec libreoffice with no_new_privs (e.g. by running it under rr,
https://rr-project.org/), the launch fails. It tries to exec
/usr/lib/libreoffice/program/javaldx, but the exec returns EPERM because
AppArmor has libreoffice in the libreoffice-oopslash profile, while
/usr/lib/libreoffice/program/javaldx is unconfined, and transitioning to
unconfined is not allowed with no_new_privs *even though the
libreoffice-oopslash profile is only in complain mode*. (See profile_onexec in
security/apparmor/domain.c... not clear whether enforcing this in complain mode
is an AppArmor bug or not.)

Maybe this could be fixed by putting /usr/lib/libreoffice/program/javaldx in
the same confinement profile as libreoffice-oopslash?

Steps to Reproduce:
$ setpriv --no-new-privs libreoffice


Actual Results:  
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Expected Results:
LibreOffice launches.


Reproducible: Always


User Profile Reset: No



Additional Info:


User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101
Firefox/62.0

_______________________________________________
Libreoffice-bugs mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs
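
To see which errno the kernel returns for the exec itself, separately from LibreOffice's "ERROR 4 forking process" message, the following is an added example (not code from the bug report or from LibreOffice). It sets no_new_privs in a child the way `setpriv --no-new-privs` does and reports the result of `execv()`; the function name `exec_with_nnp` is hypothetical. It assumes Linux, and it only reaches the EPERM transition described in the report when the calling process is already confined by the AppArmor profile; run unconfined, it shows the mechanism only.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if execv() succeeded in the child, otherwise the errno that
 * prctl() or execv() failed with (EPERM is the case from this report). */
int exec_with_nnp(const char *path, char *const argv[])
{
    int fds[2], err = 0;
    if (pipe(fds) != 0)
        return errno;
    /* Write end closes on a successful exec, so the parent reads EOF. */
    fcntl(fds[1], F_SETFD, FD_CLOEXEC);
    pid_t pid = fork();
    if (pid < 0) {
        err = errno;
        close(fds[0]);
        close(fds[1]);
        return err;
    }
    if (pid == 0) {
        close(fds[0]);
        /* The bit is inherited across exec and cannot be cleared again. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
            execv(path, argv);
        err = errno;                 /* only reached when something failed */
        (void)!write(fds[1], &err, sizeof err);
        _exit(127);
    }
    close(fds[1]);
    if (read(fds[0], &err, sizeof err) != (ssize_t)sizeof err)
        err = 0;                     /* EOF: the exec went through */
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return err;
}

int main(int argc, char **argv)
{
    if (argc < 2)
        return 2;                    /* usage: prog /path/to/program [args...] */
    int err = exec_with_nnp(argv[1], &argv[1]);
    fprintf(stderr, "exec %s: %s\n", argv[1], err ? strerror(err) : "ok");
    return err ? 1 : 0;
}
```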