Firejail: Can't get Libreoffice to start on Kbuntu 18.04

How did you installed firejail?
Please show which firejail, firejail --version and /usr/bin/firejail --version output.
Maybe you can try if firejail --ignore=nodbus libreoffice works.

user@user:~$ firejail --ignore=nodbus libreoffice

Reading profile /usr/local/etc/firejail/libreoffice.profile

Reading profile /usr/local/etc/firejail/disable-common.inc

Reading profile /usr/local/etc/firejail/disable-devel.inc

Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc

Reading profile /usr/local/etc/firejail/disable-programs.inc

Reading profile /usr/local/etc/firejail/whitelist-var-common.inc

Parent pid 15805, child pid 15806

Blacklist violations are logged to syslog

Child process initialized in 97.32 ms

Warning: an existing sandbox was detected. /usr/bin/libreoffice will run without any addit
ional sandboxing features

Warning: failed to launch javaldx - java may not function correctly

ERROR 4 forking process

Parent is shutting down, bye...

user@user:~$ firejail --version

firejail version 0.9.57

Compile time support:

    - AppArmor support is disabled

    - AppImage support is enabled

    - chroot support is enabled

    - file and directory whitelisting support is enabled

    - file transfer support is enabled

    - networking support is enabled

    - overlayfs support is enabled

    - private-home support is enabled

    - seccomp-bpf support is enabled

    - user namespace support is enabled

    - X11 sandboxing support is enabled

user@user:~$

On Mon, 2019-01-07 at 05:55 -0800, Vincent43 wrote:

Please show firejail --version output.

Maybe you can try if firejail --ignore=nodbus libreoffice works.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.

{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c5
5493e4bb","name":"GitHub"},"entity":{"external_key":"github/netblue30
/firejail","title":"netblue30/firejail","subtitle":"GitHub
repository","main_image_url":"
https://github.githubassets.com/images/email/message_cards/header.png","avatar_image_url":"https://github.githubassets.com/images/email/message_cards/avatar.png","action":{"name":"Open
in GitHub","url":"
https://github.com/netblue30/firejail"}},"updates":{"snippets":[{"icon":"PERSON","message":"@Vincent43
in #2330: Please show firejail --version output.\r\nMaybe you can
try if firejail --ignore=nodbus libreoffice
works."}],"action":{"name":"View Issue","url":"
https://github.com/netblue30/firejail/issues/2330#issuecomment-451941993
"}}}
[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "
https://github.com/netblue30/firejail/issues/2330#issuecomment-451941993
",
"url": "
https://github.com/netblue30/firejail/issues/2330#issuecomment-451941993
",
"name": "View Issue"
},
"description": "View this Issue on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]

I updated after discovering the issue.

firejail version 0.9.57

Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

firejail --ignore=nodbus libreoffice
Reading profile /usr/local/etc/firejail/libreoffice.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Parent pid 16220, child pid 16221
Blacklist violations are logged to syslog
Child process initialized in 103.80 ms
Warning: an existing sandbox was detected. /usr/bin/libreoffice will run without any additional sandboxing features
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye..

Please try

firejail --ignore=nodbus /usr/bin/libreoffice

firejail --ignore=nodbus /usr/bin/libreoffice
Reading profile /usr/local/etc/firejail/libreoffice.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Parent pid 24718, child pid 24719
Blacklist violations are logged to syslog
Child process initialized in 107.06 ms
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...

Current FIREJAIL Libreoffice profile

# Firejail profile for libreoffice
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/libreoffice.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.java
noblacklist /usr/local/sbin
noblacklist ${HOME}/.config/libreoffice

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

include /etc/firejail/whitelist-var-common.inc

caps.drop all
machine-id
netfilter
nodvd
nogroups
#nonewprivs
noroot
notv
#protocol unix,inet,inet6
#seccomp
shell none
#tracelog

private-dev
private-tmp

noexec ${HOME}
noexec /tmp

Eh, are you using the proprietary NVIDIA drivers?
See #1703

I am using the NVIDIA driver that was supplied by the OS.
NVIDIA driver metapackage from nvidia-drive-390 (recommended Driver)

On Tue, 2019-01-08 at 20:27 -0800, SkewedZeppelin wrote:

Eh, are you using the proprietary NVIDIA drivers?

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.

{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c5
5493e4bb","name":"GitHub"},"entity":{"external_key":"github/netblue30
/firejail","title":"netblue30/firejail","subtitle":"GitHub
repository","main_image_url":"
https://github.githubassets.com/images/email/message_cards/header.png","avatar_image_url":"https://github.githubassets.com/images/email/message_cards/avatar.png","action":{"name":"Open
in GitHub","url":"
https://github.com/netblue30/firejail"}},"updates":{"snippets":[{"icon":"PERSON","message":"@SkewedZeppelin
in #2330: Eh, are you using the proprietary NVIDIA
drivers?"}],"action":{"name":"View Issue","url":"
https://github.com/netblue30/firejail/issues/2330#issuecomment-452567920
"}}}
[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "
https://github.com/netblue30/firejail/issues/2330#issuecomment-452567920
",
"url": "
https://github.com/netblue30/firejail/issues/2330#issuecomment-452567920
",
"name": "View Issue"
},
"description": "View this Issue on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]

I am having the same problem, were you able to solve the problem.

I am able to run the libreoffice as an root user with firejail

I am able to run the libreoffice as an root user with firejail

This is terrible idea. Please don't do that.

I am able to run the libreoffice as an root user with firejail

This is terrible idea. Please don't do that.

But why is that a terrible idea

Ashfaq

You should never run Libreoffice as root! This will allow any Malicious content FULL access to your system.

No I still have the issue, it has not been solved.

B

On Jan 13, 2019, at 7:46 AM, Ashfaq Nisar notifications@github.com wrote:

I am able to run the libreoffice as an root user with firejail

This is terrible idea. Please don't do that.

But why is that a terrible idea

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.

Thanks for the heads up, I didn't know this and I was running every application in root mode.

Ashfaq You should never run Libreoffice as root! This will allow any Malicious content FULL access to your system. No I still have the issue, it has not been solved. B
…
On Jan 13, 2019, at 7:46 AM, Ashfaq Nisar @.*> wrote: I am able to run the libreoffice as an root user with firejail This is terrible idea. Please don't do that. But why is that a terrible idea — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

@ashfaqnisar Please, please, _please_ don't run applications as root unless you _have_ to. It ends up breaking all privilege separation mechanisms. Basically, if you run something as root, it can access anything and do anything on your system. This is _not_ true if you're running as an ordinary user (for example, try doing cat /etc/shadow versus sudo cat /etc/shadow - the first one fails because your regular user doesn't have access to that file while root does).

Indeed, Windows used to have a lot more problems _precisely_ because they encouraged everyone to start things as the administrative user (equivalent of root in unix-land), which meant if you made a mistake, your whole computer was at risk.

/endrant

@BCOH I noticed in the first couple of things you posted that you got the warning that an existing sandbox was detected. Do you know why that was happening?

@BCOH if no you can try firejail --list before and after starting LO.

@ashfaqnisar Please, please, _please_ don't run applications as root unless you _have_ to. It ends up breaking all privilege separation mechanisms. Basically, if you run something as root, it can access anything and do anything on your system. This is _not_ true if you're running as an ordinary user (for example, try doing cat /etc/shadow versus sudo cat /etc/shadow - the first one fails because your regular user doesn't have access to that file while root does).

Indeed, Windows used to have a lot more problems _precisely_ because they encouraged everyone to start things as the administrative user (equivalent of root in unix-land), which meant if you made a mistake, your whole computer was at risk.

/endrant

@BCOH I noticed in the first couple of things you posted that you got the warning that an existing sandbox was detected. Do you know why that was happening?

Thank you very much, From now on, i will keep that in mind.

rusty-snakefirejail --list

2572:user::/usr/bin/firejail /usr/bin/evolution
3002:user::/usr/bin/firejail /usr/bin/keepassx
3067:user::/usr/local/bin/firejail --ignore=seccomp --ignore=protocol
firefox -no-remote

Not sure what you mean by before and after loading LO. I receive the
same results either way.

Vincent43
irejail --version

firejail version 0.9.57

Compile time support:

    - AppArmor support is disabled

    - AppImage support is enabled

    - chroot support is enabled

    - file and directory whitelisting support is enabled

    - file transfer support is enabled

    - networking support is enabled

    - overlayfs support is enabled

    - private-home support is enabled

    - seccomp-bpf support is enabled

    - user namespace support is enabled

    - X11 sandboxing support is enabled

firejail --ignore=nodbus libreoffice

Reading profile /usr/local/etc/firejail/libreoffice.profile

Reading profile /usr/local/etc/firejail/disable-common.inc

Reading profile /usr/local/etc/firejail/disable-devel.inc

Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc

Reading profile /usr/local/etc/firejail/disable-programs.inc

Reading profile /usr/local/etc/firejail/whitelist-var-common.inc

Parent pid 4539, child pid 4540

Blacklist violations are logged to syslog

Child process initialized in 84.76 ms

Warning: an existing sandbox was detected. /usr/bin/libreoffice will
run without any additional sandboxing fe
atures

Warning: failed to launch javaldx - java may not function correctly

ERROR 4 forking process

Parent is shutting down, bye...

Still fails when running Fails again with "firejail --ignore=nodbus
libreoffice"

{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c5
5493e4bb","name":"GitHub"},"entity":{"external_key":"github/netblue30
/firejail","title":"netblue30/firejail","subtitle":"GitHub
repository","main_image_url":"
https://github.githubassets.com/images/email/message_cards/header.png","avatar_image_url":"https://github.githubassets.com/images/email/message_cards/avatar.png","action":{"name":"Open
in GitHub","url":"
https://github.com/netblue30/firejail"}},"updates":{"snippets":[{"icon":"PERSON","message":"@Vincent43
in #2330: Please show firejail --version output.\r\nMaybe you can
try if firejail --ignore=nodbus libreoffice
works."}],"action":{"name":"View Issue","url":"
https://github.com/netblue30/firejail/issues/2330#issuecomment-451941993
"}}}
[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "
https://github.com/netblue30/firejail/issues/2330#issuecomment-451941993
",
"url": "
https://github.com/netblue30/firejail/issues/2330#issuecomment-451941993
",
"name": "View Issue"
},
"description": "View this Issue on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]

@BCOH
make ~/.config/firejail/libreoffice.local with the following contents

ignore noroot

then try firejail /usr/bin/libreoffice

also try https://github.com/netblue30/firejail/issues/1771#issuecomment-364498909 if you are having trouble with other profiles too

@chiraag-nataraj

existing sandbox was detected

firecfg was probably already run

@SkewedZeppelin Right, and that might have something to do with the problem. That's why I'm trying to figure out if there's some usage error going on (possibly on top of whatever other errors might be going on with the profile).

OK I've backed myself into a situation and I need to use the application installed on this PC. I uninstalled AppArmor and Firejail here is the log entry in the system log:

blacklist violation - sandbox 15213, name libreoffice, exe soffice.bin, syscall mkdir, path /home/user/.nv

If this can't be resolved is there an uninstall script for firejail?

Thanks
Brian

Discovered all other apps appear to work as intended, e-mail, browsers, etc. With one exception bleach bit root no longer works. Errors with the same code are LibreOffice.

@BCOH To get it running, one more thing you could try: firejail --apparmor --ignore=nodbus --ignore=noroot /usr/bin/libreoffice

To selectively disable firejail for libreoffice and bleachbit, open a terminal and run:
cd /usr/local/bin; sudo rm bleachbit libreoffice loffice soffice lodraw loimpress lobase lowriter lomath lofromtemplate loweb localc.
To stop _all_ apps from starting in firejail automatically run sudo firecfg --clean

There is also sudo make uninstall to remove everything.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918499
In the latest update they seem to have fixed the issue, however that was not pushed to the package repo from 18.04. That was described as an issue with apparmor.
See for comparison the version number version numbers.
1:6.0.3-0ubuntu1 in repository and
1:6.1.4-4

I would thus suggest to close this.

Agreed, thanks for all the help!

B

Sent from my iPhone

On Mar 3, 2019, at 5:17 PM, matu3ba notifications@github.com wrote:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918499
In the latest update they seem to have fixed the issue, however that was not pushed to the package repo ost 18.04. That was described as an issue with apparmor.
See for comparison the version number version numbers.
1:6.0.3-0ubuntu1 in repository and
1:6.1.4-4

I am therefore suggesting closing this.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.