Firejail: Couldn't start 'libreoffice' in Debian Testing

Created on 30 Dec 2017 · 29 comments · Source: netblue30/firejail

With the current state of Debian Testing (with firejail 0.9.52) I couldn't start the program "libreoffice".

The output for _"firejail libreoffice"_ is the following:

Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1131, child pid 1132
Blacklist violations are logged to syslog
Child process initialized in 118.68 ms
Warning: an existing sandbox was detected. /usr/bin/libreoffice will run without any additional sandboxing features
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...

bug

All 29 comments

Can you edit /etc/firejail/libreoffice.profile, disable all the options, and re-enable them one by one until it crashes? Thanks.
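The comment-out-and-re-enable procedure asked for above can be scripted. The helper below is an added example, not code from the firejail project or from anyone in this thread; it assumes a profile in the usual firejail format (one directive per line, with `include` lines and comments passed through untouched), `firejail` on PATH, and an application invocation that exits on its own (for example `libreoffice --version`). The small profile it writes is constructed for illustration and only mirrors the directives named later in the thread.

```shell
#!/bin/sh
# Added example (not part of the thread or of firejail): bisect a firejail
# profile by keeping a single directive enabled per run.
# Assumptions: POSIX sh + awk, firejail on PATH, and an APP that exits by itself.

# Write a small constructed profile (mirrors the directives named in the thread).
make_sample_profile() {
    cat > "$1" <<'EOF'
# constructed sample profile
include /etc/firejail/disable-common.inc
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
EOF
}

# Blank lines, comments and include lines are passed through; every other line
# is a directive. The awk programs below share that classification.
IS_PASSTHROUGH='/^[ \t]*$/ || /^[ \t]*#/ || /^[ \t]*include[ \t]/'

# Number of directive lines in PROFILE (= number of variants to test).
count_directives() {
    awk "$IS_PASSTHROUGH { next } { n++ } END { print n+0 }" "$1"
}

# The KEEP-th directive (1-based) of PROFILE, for reporting.
directive_at() {
    awk -v keep="$2" "$IS_PASSTHROUGH { next } { n++; if (n == keep) { print; exit } }" "$1"
}

# Print PROFILE with every directive commented out except the KEEP-th one.
variant_with_only() {
    awk -v keep="$2" "$IS_PASSTHROUGH { print; next } { n++; if (n == keep) print; else print \"#\" \$0 }" "$1"
}

# Run APP once per variant and report which single directive breaks the start.
# In the thread the broken runs end in "ERROR 4 forking process" and a nonzero
# exit status, which is the signal used here.
bisect_profile() {   # bisect_profile PROFILE APP [ARGS...]
    profile=$1; shift
    total=$(count_directives "$profile")
    i=1
    while [ "$i" -le "$total" ]; do
        variant=$(mktemp)
        variant_with_only "$profile" "$i" > "$variant"
        if firejail --quiet --profile="$variant" "$@" >/dev/null 2>&1; then
            status=OK
        else
            status=FAIL
        fi
        printf '%-5s %s\n' "$status" "$(directive_at "$profile" "$i")"
        rm -f "$variant"
        i=$((i + 1))
    done
}

# Usage: sh bisect.sh /etc/firejail/libreoffice.profile libreoffice --version
if [ $# -ge 2 ]; then
    bisect_profile "$@"
fi
```

Each run keeps exactly one directive active, so a FAIL line names a directive that breaks the start on its own; the thread's reports of several such lines (nonewprivs, noroot, protocol, seccomp) are what this loop would print as separate FAIL rows.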

It crashed until I re-enable one of the following lines:

nonewprivs
noroot
protocol unix,inet,inet6
seccomp

All the others could be re-enabled without problems.

The errors thrown look the same as above, except when re-enabling the line "noroot", which gives the following output:

Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 3634, child pid 3635
Blacklist violations are logged to syslog
Child process initialized in 54.45 ms
No protocol specified
Failed to open display
[Java framework] Error in function createSettingsDocument (elements.cxx).
javaldx failed!
Warning: failed to read path from javaldx
No protocol specified

(process:19): dconf-CRITICAL **: unable to create directory '/run/user/1000/dconf': Not a directory. dconf will not work properly.

Parent is shutting down, bye...

PS:
I could start libreoffice with the line "noroot" re-enabled, but only by calling "firejail libreoffice", not with "libreoffice" alone after "firecfg" has been run.

I'm unable to reproduce under Arch or under Debian Buster both with LibreOffice 5.4.4.2.

After running firecfg, running firejail [program enabled by firecfg] is equivalent to running firejail --profile=/etc/firejail/[program].profile firejail [program] unless you use the full path, e.g. firejail /usr/bin/libreoffice.

I'll start tracking Debian testing here, let's mark it as a bug for now.

It crashed until I re-enable one of the following lines:
nonewprivs, noroot, protocol unix,inet,inet6, seccomp

This looks like some SUID executable in java package or in the graphic card stack. @bitfreak25 what graphic card drivers are you using?

I'm using the non-free nvidia-driver from Debian: nvidia-legacy-340xx-driver

I also found the following private commit from ParrotSec which could be related to this bug:
https://github.com/ParrotSec/firejail/commit/ee2c6777a363ddc5cf61444987f34a74fb8624c3

@bitfreak25 Which version of libreoffice are you running?

@chiraag-nataraj As the title says: 'libreoffice' in Debian Testing. This is currently version 5.4.4 .

Shit, I should learn to read more carefully :stuck_out_tongue_winking_eye: The exact same version is in sid. Can you try this profile?
libreoffice.txt

I can see it in Debian Testing too, with firejail 0.9.52 from the Debian repos and LibreOffice 5.4.4.2 as well. I did not run firecfg previously, and the system is using VirtualBox's guest additions drivers.
Just like @bitfreak25 noted in https://github.com/netblue30/firejail/issues/1703#issuecomment-354651436, the important lines seem to be

nonewprivs
noroot
protocol unix,inet,inet6
seccomp

With either nonewprivs, protocol unix,inet,inet6, or seccomp uncommented,

$ firejail libreoffice
Reading profile /home/user1/.config/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 14185, child pid 14186
Blacklist violations are logged to syslog
Child process initialized in 54.54 ms
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...

With noroot uncommented,

$ firejail libreoffice
Reading profile /home/user1/.config/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 14205, child pid 14206
Blacklist violations are logged to syslog
Child process initialized in 20.41 ms
No protocol specified
Failed to open display
[Java framework] Error in function createSettingsDocument (elements.cxx).
javaldx failed!
Warning: failed to read path from javaldx
No protocol specified

(process:19): dconf-CRITICAL **: unable to create directory '/run/user/1000/dconf': Not a directory.  dconf will not work properly.

Parent is shutting down, bye...

@chiraag-nataraj I tested your libreoffice.txt file by using its content in /etc/firejail/libreoffice.profile. But it gives the same error message.

Hmm, that's weird. I have the exact same versions of both libreoffice and firejail, yet the profile I attached works for me. So this means the protocol problem is just an incidental thing (I use net none in my profile, so I don't bother filtering the protocols).

What happens if you use --trace or --debug? Does it give any more information?

I have a likely related issue on Debian testing.

If I run "firejail libreoffice example.ods" (or try to load any other document) I get a little pop-up telling me "Write Error. The file could not be written." and then libreoffice exits. To be clear, I can run "firejail libreoffice" and it starts normally. But it fails with "Write Error. The file could not be written." when I then select a document to open.

I can work around the problem by commenting out "private-tmp" in libreoffice.profile.

Same problem here; I need to disable the following:

nonewprivs
noroot
protocol unix,inet,inet6
seccomp

Any news on when this is getting fixed?

Still fighting with it. I put in a fix to allow Java; it was crashing on some distros. Go into /etc/firejail/libreoffice.profile and comment out (add a #) this line:
```
include /etc/firejail/disable-devel.inc
```
Try to see if this works. Also some questions:

Does it work if you start lowriter directly (type "lowriter" in a terminal)?
What video card are you using and what video drivers?

Hmm, actually it doesn't work. I made a mistake and didn't start LibreOffice with firejail.

Commenting that line doesn't work for me.

I have the same issue here on Kubuntu 17.10 with libreoffice 6.0.2.1 from the PPA (firejail version 0.9.50).

XXX@XXX:~$ firejail libreoffice 
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 19569, child pid 19570
Blacklist violations are logged to syslog
Child process initialized in 110.89 ms
Warning: an existing sandbox was detected. /usr/bin/libreoffice will run without any additional sandboxing features
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...

I tried amarildojr's temp fix and it works, although I do not need to disable noroot for it to work. Only disabling nonewprivs, protocol unix,inet,inet6 and seccomp makes it work for me. Commenting out disable-devel.inc does not fix it.

Could also be symptoms of an AppArmor policy with profile transition. Can someone please try whether firejail --apparmor libreoffice helps? Or, alternatively, run sudo aa-disable <profilename>, in case there are enforced libreoffice profiles. I'm on a different system at the moment and can't try myself.

I reverted libreoffice.profile to its original state and tested:

XXX@XXX:~$ firejail --apparmor libreoffice
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 6438, child pid 6439
Blacklist violations are logged to syslog
Child process initialized in 101.95 ms
Warning: an existing sandbox was detected. /usr/bin/libreoffice will run without any additional sandboxing features
LibreOffice(20)/kdeui (kdelibs): Session bus not found 
To circumvent this problem try the following command (with Linux and bash) 
export $(dbus-launch) 

Parent is shutting down, bye...

Adding export $(dbus-launch) to .bashrc does not change the message, nor does it allow LO to start.

@amartos Thanks. While it doesn't provide insight regarding the original issue, this is interesting because we were planning to enable apparmor and the new nodbus option by default for LibreOffice. I guess we might need to reconsider it :)

Would you please try it with temporarily disabling apparmor for libreoffice? Or else, could someone on Debian testing give it a try?

(Not a power user here, so playing with apparmor is something I barely understand, sorry)

root@XXX:~# aa-disable usr.lib.libreoffice.program.soffice.bin
Disabling /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin.
root@XXX:~# exit
exit
XXX@XXX:~$ firejail libreoffice 
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 22670, child pid 22671
Blacklist violations are logged to syslog
Child process initialized in 343.57 ms
Warning: an existing sandbox was detected. /usr/bin/libreoffice will run without any additional sandboxing features
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...

Does nothing. :/ There were multiple profiles for libreoffice, but aa-disable libreoffice wouldn't work, so I did it only for the executable. Hope it helps anyway.

We ran into the same problem on Fedora systems, where apparmor isn't even installed. So we tried some different options, and after commenting out only this line, libreoffice starts successfully, as it did in 0.9.50.

include /etc/firejail/whitelist-var-common.inc

So it seems that libreoffice needs at least one more directory to be whitelisted to function correctly.

@smitsohu @Panzerfather
it happens here too (manjaro KDE, linux416)

@bn0785ac
Pull https://github.com/netblue30/firejail/pull/1894 doesn't fix the problem on Fedora 27 for us. Tested on various PCs. Only commenting out the whitelist-var-common include lets libreoffice start.

So that it looks like this:

#include /etc/firejail/whitelist-var-common.inc

All other fixes aren't needed for Fedora 27 to run libreoffice successfully. It seems like libreoffice is missing a whitelist path for javaldx.

@bn0785ac Does the solution of @Panzerfather work for you?

After updating to the latest profile, the problem still exists on Fedora 27+28 for us. So we did some more tracing to get this problem fixed.

All we have to comment out in the profile to let libreoffice run just like in 0.9.50 are the following lines:

-> fixes the "javaldx failed!" error, because it doesn't blacklist the other directories:
#include /etc/firejail/whitelist-var-common.inc

-> fixes the menu bar which isn't shown when active:
#nodbus

All the other options that have to be commented out for Ubuntu/Debian can stay uncommented, and libreoffice works in Fedora.

So we ran firejail with debug and trace to get a deeper look at where it fails, and we found the following error:

/usr/lib64/libreoffice/program/soffice: line 52: cd: $'10:dirname:exec /usr/bin/dirname:0\n/usr/lib64/libreoffice/program': No such file or directory

The file exists, but firejail seems to block libreoffice's access to it. We tried some solutions to noblacklist|whitelist the path, but either firejail ignores it (noblacklist) or returns an invalid whitelist path error (whitelist). Solutions like read-only don't seem to work either.

So we took a quick look at the source code, and it seems that firejail rejects whitelisting paths like /usr/lib{,32,64}.

Is there a special command to let the program have access to these paths?

@panzerfather In case you have strace installed, could you try something like strace -y /usr/bin/libreoffice 2>&1 | grep /var? The question is then if this yields paths that are not covered in /etc/firejail/whitelist-var-common.inc. You can also attach the output here if you want.
(command edited)
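The comparison suggested above (which /var paths the program touches versus what whitelist-var-common.inc grants) can be automated. The script below is an added example, not code from the thread or from firejail; it assumes POSIX sh with `grep -o`, that whitelist paths contain no whitespace, and it reads `whitelist <path>` lines from an .inc file. The strace lines and the whitelist it writes are constructed for illustration, not real output and not the real contents of whitelist-var-common.inc; the path `/var/lib/example-app/settings.xcu` is a made-up stand-in for an uncovered path.

```shell
#!/bin/sh
# Added example (not from the thread or from firejail): compare the /var paths
# an application touches (strace -y output, as suggested above) against the
# whitelist entries of an .inc file, and print the paths no entry covers.
# Assumptions: POSIX sh, grep -o, sort; paths contain no whitespace.
# The strace lines and the whitelist below are constructed for illustration.

make_sample_strace() {
    cat > "$1" <<'EOF'
openat(AT_FDCWD, "/usr/lib/libreoffice/program/soffice.bin", O_RDONLY|O_CLOEXEC) = 3</usr/lib/libreoffice/program/soffice.bin>
openat(AT_FDCWD, "/var/cache/fontconfig/1234.cache-7", O_RDONLY) = 5</var/cache/fontconfig/1234.cache-7>
openat(AT_FDCWD, "/var/lib/dbus/machine-id", O_RDONLY) = 6</var/lib/dbus/machine-id>
stat("/var/tmp", {st_mode=S_IFDIR|01777, st_size=4096, ...}) = 0
access("/var/lib/example-app/settings.xcu", R_OK) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/var/lib/dbus/machine-id", O_RDONLY) = 6</var/lib/dbus/machine-id>
EOF
}

make_sample_whitelist() {
    cat > "$1" <<'EOF'
# constructed stand-in for whitelist-var-common.inc
whitelist /var/cache/fontconfig
whitelist /var/lib/dbus
whitelist /var/tmp
EOF
}

# Unique /var paths quoted anywhere in the strace log.
extract_var_paths() {
    grep -o '"/var/[^"]*"' "$1" | tr -d '"' | sort -u
}

# Directory prefixes granted by "whitelist <path>" lines of an .inc file.
whitelist_prefixes() {
    awk '$1 == "whitelist" { print $2 }' "$1"
}

# /var paths from the log that no whitelist entry covers (a path is covered
# when it equals an entry or lies below it).
uncovered_paths() {   # uncovered_paths STRACE_LOG WHITELIST_INC
    prefixes=$(whitelist_prefixes "$2")
    extract_var_paths "$1" | while IFS= read -r p; do
        covered=0
        for w in $prefixes; do
            case "$p" in
                "$w"|"$w"/*) covered=1; break ;;
            esac
        done
        if [ "$covered" -eq 0 ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Usage against a real run (outside the sandbox, so nothing is hidden yet):
#   strace -f -y -o /tmp/lo.strace /usr/bin/libreoffice
#   uncovered_paths /tmp/lo.strace /etc/firejail/whitelist-var-common.inc
```

Run the trace outside firejail so that the log shows what the program wants rather than what the sandbox already denies; every path the script prints is a candidate for a `whitelist` line in the profile, and a path that the program only probes and tolerates losing (such as a failed `access` call) can be left out after checking it by hand.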

@smitsohu Thanks for the hint, which pointed us in the right direction for a fix in Fedora 27/28. It is currently being tested and will soon be available as a pull request. :smile:

Is this fixed now?

Closing for now. Please feel free to re-open if the issue is not fixed.
