Bug 115208 - Apparmor profile doesn't allow java execution
Summary: Apparmor profile doesn't allow java execution
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice (show other bugs)
Version:
(earliest affected)
5.4.4.2 release
Hardware: All Linux (All)
: medium normal
Assignee: Not Assigned
URL:
Whiteboard: target:6.1.0 target:6.0.1
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-24 17:56 UTC by Olivier Tilloy
Modified: 2018-01-28 11:55 UTC (History)
1 user (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Olivier Tilloy 2018-01-24 17:56:20 UTC 
Description:
When enforced the apparmor profiles prevent libreoffice from seeing and executing installed JREs.

Steps to Reproduce:
With the recent apparmor profile fixes (https://cgit.freedesktop.org/libreoffice/core/log/sysui/desktop/apparmor/program.soffice.bin), and the profiles in enforcement mode, run libreoffice, open Tools > Options, then LibreOffice > Advanced, and check whether JREs are listed

Actual Results:  
No JRE are listed, and attempting to manually add an installed JRE by its full path fails.

Expected Results:
The default JRE (on my system /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin/java) is found and selected by default.


Reproducible: Always


User Profile Reset: No



Additional Info:


User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.40 Safari/537.36
Comment 1 Olivier Tilloy 2018-01-24 17:57:49 UTC 
I added the following rule to /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin and reloaded the profile, and that appears to fix the issue:

    /usr/lib{,32,64}/jvm/**/jre/bin/java     mix,
Comment 2 Rene Engelhard 2018-01-28 11:49:10 UTC 
confirming. see this in my sid VM, too
Comment 3 Commit Notification 2018-01-28 11:50:30 UTC 
Olivier Tilloy committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=c67b490637b586616b46db349b1215296daa34e3

tdf#115208 Apparmor profile update (allow JVM execution)

It will be available in 6.1.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 4 Rene Engelhard 2018-01-28 11:50:55 UTC 
fixed in master (based on https://git.launchpad.net/~libreoffice/ubuntu/+source/libreoffice/commit/?h=ubuntu-bionic-5.4&id=2fa3ce8e733c99ba4b6f6ef30b204f18e8253752), will also send it for review for -6-0
Comment 5 Commit Notification 2018-01-28 11:55:00 UTC 
Olivier Tilloy committed a patch related to this issue.
It has been pushed to "libreoffice-6-0":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=22b1212fb5481706884c412f57e8cd3ee4aff0f2&h=libreoffice-6-0

tdf#115208 Apparmor profile update (allow JVM execution)

It will be available in 6.0.1.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.