Firejail: Cannot start Libreoffice with the latest Firejail

Please dont link to images, if possible, because they may be removed.
The error is

[context="user"] caught unexpected com.sun.start.deployment.DeloymentException: 
Extension Manager: failed to read data entry in configuration backend db: 
file:////home/user/.config/libreoffice/XXX/backenddb.xml

Looks like this may be unrelated.
Libreoffice profiles may just break.

Please try resetting your profile and report.
Meta: Are you running libreoffice as superuser?

If the problem persists:
It is weird that the program fails to read from that path, because the libreoffice profile contains noblacklist ${HOME}/.config/libreoffice.
What is your output of firejail --debug libreoffice ?

Meta: Are you running libreoffice as superuser?

https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#ive-noticed-the-title-bar-in-firefox-shows-as-superuser-is-this-normal

It is weird that the program fails to read from that path, because the libreoffice profile contains noblacklist ${HOME}/.config/libreoffice.

Describe clear and concise what changed calling firejail --noprofile PROGRAM in a shell.
The exact same thing happens with firejail --noprofile libreoffice.
The only way to run libreoffice is by directly running /usr/bin/libreoffice

Searching $PATH for libreoffice
trying #/home/ThisUser/anaconda3/bin/libreoffice#
trying #/home/ThisUser/anaconda3/condabin/libreoffice#
trying #/usr/local/sbin/libreoffice#
trying #/usr/local/bin/libreoffice#
trying #/usr/sbin/libreoffice#
trying #/usr/bin/libreoffice#
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 10

I/O warning : failed to load external entity "/home/ThisUser/.config/libreoffice/4/user/config/javasettings_Linux_X86_64.xml"
javaldx failed!
Warning: failed to read path from javaldx

(soffice:27): dbind-WARNING **: 13:33:30.077: Couldn't register with accessibility bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Gtk-Message: 13:33:31.444: GtkDialog mapped without a transient parent. This is discouraged.
Sandbox monitor: waitpid 10 retval 10 status 19712

Parent is shutting down, bye...

I will check later, when I have time.

@youknow10 Oh boy, these error messages are most unhelpful.
Could be access related (owner of subfolders .config/libreoffice is not user), could be a bug/race condition in dbus. Could be related to setup.

Do you have JAVA_HOME=/opt/jdk or where is java installed?

@youknow10 what is the output of which java ?

@youknow10 what happens with firejail --private --noprofile /usr/bin/libreoffice.

@rusty-snake What does noblacklist ${PATH}/java evaluate?

@youknow10 Can you try to adjust the paths in etc/allow-java.inc ?
noblacklist /etc/java is the path in profile instead of /etc/alternatives/java
noblacklist /usr/lib/java instead of /usr/lib/jvm/java-11-openjdk-amd64/bin/java.
Change it to your setup and report.

@youknow10 What is the output of echo $PATH ?

@youknow10 What is your echo $PATH ?

@youknow10 then it is caused by your LO config.

@matu3ba changing paths in allow-java.inc makes no sense, because noblacklist hasn't any effect if there is no blacklist.

Or some java files in your home or something else in your home.

I've never been able to run Libreoffice in firejail on Linux Mint 19.x. I can only run it outside of firejail. I'm starting to think I should switch to Ubuntu. Linux Mint + firejail is only giving me problems with the apps I use.

works it with whitelisting?

libreoffice.local:

whitelist ${HOME}/.config/libreoffice
include whitelist-common.inc

If you run firejail --build /usr/bin/libreoffice, what additional (dot) files are whitelisted in your home.

Or some java files in your home or something else in your home.

Since --private works something in your home must be the cause.

How can I add that --private to the profile?

Just add it, but then you can save your work.

If you just whitelist .config/libreoffice?
firejail '--whitelist=${HOME}/.config/libreoffice' /usr/bin/libreoffice

With just whitelist, I mean just. Remove include whitelist-common.inc form libreoffice.local.

@rusty-snake Would it make sense to label this firecfg, because it is a bug of the load-path (of the OS) ? I mean this looks like a mess on Linux Mint.

Candidate for wiki FAQ #2792
"Linux Mint + firejail is only giving me problems with the apps I use."

Would it make sense to label this firecfg

No, because the firecfg label is for bugs/enhancements in/for firecfg.

I've never been able to run Libreoffice in firejail on Linux Mint 19.x. I can only run it outside of firejail. I'm starting to think I should switch to Ubuntu. Linux Mint + firejail is only giving me problems with the apps I use.

I booted up a Mint 20 VM today to reproduce all Mint specific firejail issues and Libreoffice works perfectly fine under default firejail profiles.

Kernel: 5.4.0-40-generic x86_64 bits: 64 compiler: gcc v: 9.3.0 
  Desktop: Cinnamon 4.6.6 Distro: Linux Mint 20 Ulyana 
  base: Ubuntu 20.04 focal 
$ firejail --version
firejail version 0.9.62
Compile time support:
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - firetunnel support is enabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
which java
/usr/bin/java

profile.txt

Is this something specific to 19.3 or firejail 0.9.63?

still an issue?

Deleting ~/.config/libreoffice/ works, but I have to do it again every time after running LibreOffice, even when using firejail. I'm using the official LibreOffice AppImage on Debian GNU/Linux 10 (buster).

Command used to start LibreOffice:

$ firejail --appimage /usr/local/bin/LibreOffice-7.1.0.0.beta1-x86_64.AppImage
Mounting appimage type 2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file

** Note: you can use --noprofile to disable default.profile **

Parent pid 15609, child pid 15612

**     Warning: dropping all Linux capabilities     **
Child process initialized in 121.48 ms
javaldx failed!
Warning: failed to read path from javaldx

Parent is shutting down, bye...
AppImage unmounted

Firejail version info:

$ firejail --version
firejail version 0.9.58.2

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

$ firejail --appimage /usr/local/bin/LibreOffice-7.1.0.0.beta1-x86_64.AppImage

@ffff135 As you can see from your output posted above you're instructing firejail to use the default.profile, which isn't designed for LO. FYI, when using AppImages, explicitly append the --profile=foo option:

$ firejail --profile=/etc/firefox/libreoffice.profile --appimage  /usr/local/bin/LibreOffice-7.1.0.0.beta1-x86_64.AppImage

Oops, sorry about that. Running with firejail --profile=/etc/firejail/libreoffice.profile --appimage works correctly on my version of firejail. Thank you.