Firejail: LibreOffice won't start on Ubuntu 18.04

Created on 29 Apr 2018 · 13 comments · Source: netblue30/firejail

$ libreoffice
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 21258, child pid 21259
Blacklist violations are logged to syslog
Child process initialized in 77.09 ms
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...

$ journalctl | tail
Apr 29 19:33:20 Lapi audit[20977]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/firejail/mnt/fslogger" pid=20977 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 29 19:33:20 Lapi kernel: audit: type=1400 audit(1525023200.547:90): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/firejail/mnt/fslogger" pid=20977 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 29 19:33:20 Lapi audit[20991]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/javaldx" pid=20991 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
Apr 29 19:33:20 Lapi audit[20993]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=20993 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"
Apr 29 19:33:20 Lapi kernel: audit: type=1400 audit(1525023200.563:91): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/javaldx" pid=20991 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
Apr 29 19:33:20 Lapi kernel: audit: type=1400 audit(1525023200.563:92): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=20993 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"

$ /usr/bin/libreoffice --version
LibreOffice 6.0.3.2 00m0(Build:2)

$ firejail --version
firejail version 0.9.52

Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- bind support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- git install support is disabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

Could you help me resolving the issue?

All 13 comments

Those logs indicate that libreoffice is contained in an AppArmor profile, but in complain state, which can still interfere with firejail. Can you try running firejail --apparmor libreoffice, which should force using the firejail-default AppArmor profile instead of the libreoffice one?

Also, if you don't use java with libreoffice, you can start it unsandboxed and disable java.
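The journal records quoted in the report are easier to act on once their fields are pulled apart. The ones that matter are the exec records carrying info="no new privs" error=-1: the ALLOWED in them only says that the (complain-mode) distro profile would have permitted the domain change, but a process that has no_new_privs set (which is what firejail's nonewprivs does) is not allowed to change AppArmor domain on exec at all, and the distro profile asks for exactly such a change (javaldx to unconfined, soffice.bin to libreoffice-soffice). The exec therefore fails with -1 (EPERM) even though nothing is in enforce mode. The script below is added here as an illustration; it is not code from firejail or from anyone in this thread. It parses journal lines of this shape over a constructed sample (the lines posted above with the month name in English, plus one made-up enforce-mode denial for contrast) and separates complain-mode noise from the no_new_privs exec failures that actually break the launcher.

```python
import re

# Constructed sample log: the record shapes from the report above (a
# complain-mode "ALLOWED" open and two exec records carrying
# info="no new privs"), plus one made-up enforce-mode denial for contrast.
SAMPLE_LOG = """\
Apr 29 19:33:20 Lapi audit[20977]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/firejail/mnt/fslogger" pid=20977 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 29 19:33:20 Lapi audit[20991]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/javaldx" pid=20991 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
Apr 29 19:33:20 Lapi audit[20993]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=20993 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"
Apr 29 19:40:02 Lapi audit[21100]: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/etc/shadow" pid=21100 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either "quoted" (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Split one AppArmor AVC record into a dict of its key=value fields.
    Returns None for lines that are not AppArmor records."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def classify(fields):
    """Name the situation one record describes."""
    if fields.get("operation") == "exec" and fields.get("info") == "no new privs":
        # The exec would have changed AppArmor domain (see target=...) and the
        # process has no_new_privs set; the kernel refuses that regardless of
        # whether the profile is in complain or enforce mode.
        return "nnp_transition_blocked"
    if fields.get("apparmor") == "ALLOWED":
        return "complain_logged"          # complain mode: logged, not blocked
    if fields.get("apparmor") == "DENIED":
        return "enforce_denied"
    return "other"


def diagnose(log_text):
    """Summarise a journal excerpt: which profiles are in complain mode, which
    execs failed because of no_new_privs, and which real denials occurred."""
    report = {"complain_profiles": set(), "blocked_execs": [], "enforce_denials": []}
    for line in log_text.splitlines():
        fields = parse_avc(line)
        if fields is None:
            continue
        if fields.get("apparmor") == "ALLOWED":
            report["complain_profiles"].add(fields["profile"])
        kind = classify(fields)
        if kind == "nnp_transition_blocked":
            report["blocked_execs"].append(
                (fields["profile"], fields["name"], fields.get("target", "?")))
        elif kind == "enforce_denied":
            report["enforce_denials"].append((fields["profile"], fields["name"]))
    return report


if __name__ == "__main__":
    r = diagnose(SAMPLE_LOG)
    for prof in sorted(r["complain_profiles"]):
        print(f"complain-mode profile: {prof}")
    for prof, binary, target in r["blocked_execs"]:
        print(f"exec blocked by no_new_privs: {prof} -> {binary} (would enter {target})")
    for prof, path in r["enforce_denials"]:
        print(f"enforced denial: {prof} on {path}")
```

To run it against a live system, feed it the output of journalctl -k or journalctl _TRANSPORT=audit instead of SAMPLE_LOG. Two blocked_execs entries whose profile is in complain mode, with no enforce_denials, is the signature of this bug: the distro profile is not protecting anything yet, but its transition rules plus nonewprivs still stop the launcher from starting soffice.bin.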

@Vincent43 I've just tested and firejail --apparmor libreoffice does work for my Ubuntu 18.04 vm. Funny thing was, so did 00b91bf1cb1e04d405990ae7b2395386c7fde3fe when building firejail from source (and w/o apparmor support). It'd sure be nice if we can fix this with just apparmor.

This leaves us with an interesting choice. Since libreoffice-kde has been ported away from old kdelibs4 particularly late (afaik only coming LibreOffice 6.1), apparmor breaks it currently on Kubuntu (due to missing D-Bus).

They are bringing in their own apparmor profile for libreoffice, so we need to disable ours. With this fix https://github.com/netblue30/firejail/commit/a6c97ef348046929a7d8528d10c0949fd64c9b62 and the previous one https://github.com/netblue30/firejail/commit/00b91bf1cb1e04d405990ae7b2395386c7fde3fe from @Fred-Barclay we should be all set.

@derba can you grab the version from mainline git and give it a try? All you have to do is the following:
$ sudo apt-get install build-essential git
$ git clone http://github.com/netblue30/firejail
$ cd firejail
$ ./configure && make && sudo make install
$ sudo firecfg

Thanks.

It works fine.

I played with the profile a bit. It seems that commenting out nonewprivs solved the actual issue. When I put back apparmor LO works fine.
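That per-profile tweak can be made without editing the packaged profile: firejail profiles include a per-program .local file near the top and honour an "ignore <command>" directive, so "ignore nonewprivs" in the .local switches that one line off while apparmor stays in effect. The resolver below is an added example, not firejail's own profile parser or anything posted in this thread; it works on constructed stand-in profile text (kept under /etc/firejail, as an assumption about where this firejail version looks for the .local file), models only include, ignore, comments and plain directives, and assumes the simplified semantic that "ignore X" drops every later line whose first word is X. It shows which directives end up applied with and without the override. Keep in mind what is being traded: nonewprivs (PR_SET_NO_NEW_PRIVS) is what stops anything inside the sandbox from gaining privileges through setuid or file-capability binaries, so dropping it to dodge a complain-mode distro profile is a real loss of containment, not a free fix.

```python
# Constructed stand-ins for the profile files involved; not the real upstream
# files. Only comments, blank lines, "include", "ignore" and plain directives
# are modelled, and paths are keys into this dict rather than files on disk.
PROFILES = {
    "/etc/firejail/libreoffice.profile": """\
# Firejail profile for libreoffice (constructed stand-in)
# Persistent local customizations
include /etc/firejail/libreoffice.local
# Persistent global definitions
include /etc/firejail/globals.local

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc

apparmor
caps.drop all
nonewprivs
noroot
seccomp
""",
    "/etc/firejail/disable-common.inc": "blacklist ${HOME}/.ssh\n",
    "/etc/firejail/disable-devel.inc": "blacklist /usr/bin/gcc*\n",
    "/etc/firejail/globals.local": "",
    # The override described in the comment above: keep apparmor, drop nonewprivs.
    "/etc/firejail/libreoffice.local": "ignore nonewprivs\n",
}

# Directives whose presence decides what kind of confinement the sandbox has.
SANDBOX_DIRECTIVES = ("apparmor", "caps.drop", "nonewprivs", "noroot", "seccomp")


def resolve(path, files=PROFILES, ignored=None, _stack=()):
    """Flatten a profile and its includes into the list of directives that
    would actually be applied.

    Assumed (simplified) firejail semantics: "ignore X" drops every later line
    whose first word is X. Because the .local file is included at the top of
    the packaged profile, an "ignore" placed there switches a directive off
    without editing the packaged file. Missing include targets are treated
    as empty, the way an absent .local file is.
    """
    if path in _stack:
        raise ValueError("include loop: " + " -> ".join(_stack + (path,)))
    ignored = set() if ignored is None else ignored
    effective = []
    for raw in files.get(path, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        if word == "include":
            effective.extend(resolve(rest.strip(), files, ignored, _stack + (path,)))
        elif word == "ignore":
            ignored.add(rest.strip())
        elif word not in ignored:
            effective.append(line)
    return effective


def confinement(effective):
    """Which of the key sandbox directives survived resolution."""
    present = {line.partition(" ")[0] for line in effective}
    return {d: d in present for d in SANDBOX_DIRECTIVES}


if __name__ == "__main__":
    effective = resolve("/etc/firejail/libreoffice.profile")
    for line in effective:
        print(line)
    print(confinement(effective))
```

Swap the .local entry for an empty string to see the stock result (nonewprivs present); with the override in place the resolved list keeps apparmor, caps.drop all, noroot and seccomp and loses only nonewprivs, which is the state derba reports working.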

@netblue30 keep in mind that the libreoffice AppArmor profile is in complain mode by default, so it doesn't do anything except printing logs and breaking firejail. I doubt it will be force enabled in the ubuntu bionic lifetime. I wonder if we should enable dbus in the firejail apparmor profile and control it with the nodbus option instead, which can be used per profile instead of globally.

I'll do a release in the next two/three weeks with what we have now. After that we move to enable dbus in firejail apparmor profile as you suggested.

Since Apparmor allows pretty fine-grained control of D-Bus, maybe we can try to blacklist some interfaces? Thinking of stuff like NetworkManager and WPASupplicant on the system bus, or terminals and scriptable window managers on the session bus. We won't be able to blacklist everything that's dangerous, but limiting an attacker's toolkit to some extent should still be possible.

Now that we don't restrict D-Bus anymore in our Apparmor profile, shouldn't it be possible to enable everything back in the Libreoffice profile?

Yeah, we may try :smile:

You convinced me :smile: Let's see if we find the courage during in the next development cycle...

Sending the issue back to sleep
