If you exec libreoffice with no_new_privs (e.g. by running it under rr, https://rr-project.org/), the launch fails. It tries to exec /usr/lib/libreoffice/program/javaldx, but the exec returns EPERM because AppArmor has libreoffice in the libreoffice-oopslash profile, while /usr/lib/libreoffice/program/javaldx is unconfined, and transitioning to unconfined is not allowed with no_new_privs *even though the libreoffice-oopslash profile is only in complain mode*. (See profile_onexec in security/apparmor/domain.c... not clear whether enforcing this in complain mode is an AppArmor bug or not.)
Maybe this could be fixed by putting /usr/lib/libreoffice/program/javaldx in the same confinement profile as libreoffice-oopslash?
Steps to Reproduce:
$ setpriv --no-new-privs libreoffice
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process
User Profile Reset: No
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
You should ask on the developers mailing list: http://document-foundation-mail-archive.969070.n3.nabble.com/Dev-f1639786.html
Best regards. JBF
(In reply to Jean-Baptiste Faure from comment #1)
> You should ask on the developers mailing list:
> Best regards. JBF
Have you asked on the dev mailing list? What was the answer?
I have set the bug's status to 'NEEDINFO'. Please change it back to 'UNCONFIRMED' once the question has been answered.
I have not. I don't want to subscribe to yet another mailing list just to report a bug.
@Rene, I thought you could be interested in this issue...
I asked Vincas Dargis by email. This is his answer:
I believe there were already some issues with other applications due to no_new_privs. There was a discussion some time ago where it was noted that only `ix` mode works with no_new_privs.
If I change the profile to make `javaldx` launch in "ix" mode (child mode Cx does not work either) and add an additional rule to make `javaldx` itself succeed, launching LO still fails:
type=AVC msg=audit(1535559666.175:887): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=10357 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"
`px` into the ..soffice.bin profile does not work.
I would suggest asking for help from AppArmor experts on the mailing list. So I'm not sure how `oopslash` could launch libreoffice...
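The thread's diagnosis is that, with no_new_privs set, the kernel refuses any exec that would change the task's AppArmor profile (to a different profile or to unconfined), even when the source profile is in complain mode, and that the AVC line above is what that refusal looks like. Below is a small triage script for spotting exactly that class of denial in audit output; it is added here and is not part of the bug report, LibreOffice, or AppArmor. The first sample line is the one quoted above; the other two are constructed for contrast (an allowed exec and an unrelated file-open denial). The field names are the standard ones from AppArmor audit messages; the `explain` wording is a summary of the thread's reasoning, not a kernel message.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Sample audit lines. The first is the line quoted in the thread; the
# remaining two are constructed here to give the filter something to reject.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1535559666.175:887): apparmor="DENIED" operation="exec" '
    'info="no new privs" error=-1 profile="libreoffice-oopslash" '
    'name="/usr/lib/libreoffice/program/soffice.bin" pid=10357 comm="osl_executeProc" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"',
    # constructed: an exec that was permitted (complain mode logs it as ALLOWED)
    'type=AVC msg=audit(1535559700.001:888): apparmor="ALLOWED" operation="exec" '
    'profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/javaldx" '
    'pid=10360 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    # constructed: a denial that has nothing to do with no_new_privs
    'type=AVC msg=audit(1535559710.500:889): apparmor="DENIED" operation="open" '
    'profile="libreoffice-oopslash" name="/etc/shadow" pid=10357 comm="soffice.bin" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_TS_RE = re.compile(r'audit\(([\d.]+):\d+\)')


def parse_avc(line: str) -> Dict[str, str]:
    """Split one AppArmor audit line into a dict of its fields."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


@dataclass
class NoNewPrivsDenial:
    timestamp: str
    profile: str        # profile the task was running under
    target: Optional[str]  # profile the exec would have transitioned to, if reported
    path: str           # binary that was exec'd
    pid: str
    comm: str


def is_no_new_privs_exec_denial(fields: Dict[str, str]) -> bool:
    """True for an exec denied specifically because of the no_new_privs flag."""
    return (fields.get("apparmor") == "DENIED"
            and fields.get("operation") == "exec"
            and fields.get("info") == "no new privs")


def find_no_new_privs_denials(lines: Iterable[str]) -> List[NoNewPrivsDenial]:
    """Filter audit lines down to no_new_privs exec denials and extract the key fields."""
    hits: List[NoNewPrivsDenial] = []
    for line in lines:
        f = parse_avc(line)
        if not is_no_new_privs_exec_denial(f):
            continue
        ts = _TS_RE.search(f.get("msg", ""))
        hits.append(NoNewPrivsDenial(
            timestamp=ts.group(1) if ts else "",
            profile=f.get("profile", ""),
            target=f.get("target"),
            path=f.get("name", ""),
            pid=f.get("pid", ""),
            comm=f.get("comm", ""),
        ))
    return hits


def explain(d: NoNewPrivsDenial) -> str:
    """One-line diagnosis in the thread's terms: the exec would have changed the
    AppArmor profile, which no_new_privs forbids; only an 'ix' (inherit) rule,
    which keeps the current profile, is compatible with that flag."""
    dest = d.target if d.target else "(target not reported)"
    return (f"pid {d.pid} ({d.comm}) under profile '{d.profile}' exec'd {d.path}, "
            f"which would transition to '{dest}'; denied because no_new_privs "
            f"forbids profile changes on exec, so only an 'ix' rule can work here")


if __name__ == "__main__":
    for denial in find_no_new_privs_denials(SAMPLE_AUDIT_LINES):
        print(denial.timestamp, explain(denial))
```

Run it over `journalctl -k` or `/var/log/audit/audit.log` output (piped line by line into `find_no_new_privs_denials`) to separate this failure mode from ordinary profile denials: an ordinary denial means a rule is missing, while an `info="no new privs"` exec denial means the rule exists but uses a transition mode (`px`, `Px`, `Cx`, or a fall-through to unconfined) that the flag cannot honour.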