Description:
If you exec libreoffice with no_new_privs (e.g. by running it under rr, https://rr-project.org/), the launch fails. It tries to exec /usr/lib/libreoffice/program/javaldx, but the exec returns EPERM because AppArmor has libreoffice in the libreoffice-oopslash profile, while /usr/lib/libreoffice/program/javaldx is unconfined, and transitioning to unconfined is not allowed with no_new_privs *even though the libreoffice-oopslash profile is only in complain mode*. (See profile_onexec in security/apparmor/domain.c... not clear whether enforcing this in complain mode is an AppArmor bug or not.) Maybe this could be fixed by putting /usr/lib/libreoffice/program/javaldx in the same confinement profile as libreoffice-oopslash?

Steps to Reproduce:
$ setpriv --no-new-privs libreoffice

Actual Results:
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Expected Results:
LibreOffice launches.

Reproducible: Always

User Profile Reset: No

Additional Info:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
You should ask on the developers mailing list: http://document-foundation-mail-archive.969070.n3.nabble.com/Dev-f1639786.html Best regards. JBF
(In reply to Jean-Baptiste Faure from comment #1)
> You should ask on the developers mailing list:
> http://document-foundation-mail-archive.969070.n3.nabble.com/Dev-f1639786.html
>
> Best regards. JBF

Hi Robert,
Have you asked in the dev mailing list? What was the answer?
I have set the bug's status to 'NEEDINFO'. Please change it back to 'UNCONFIRMED' once the question has been answered.
I have not. I don't want to subscribe to yet another mailing list just to report a bug.
@Rene, I thought you could be interested in this issue...
I asked Vincas Dargis by email. This is his answer:

I believe there were already some issues with other applications due to no_new_privs. There was a discussion some time ago [0] where it was stated that only `ix` mode works with no_new_privs.

If I change the profile to make `javaldx` launched in "ix" mode (child mode Cx does not work either) and add an additional rule to make `javaldx` itself succeed, launching LO still fails:

type=AVC msg=audit(1535559666.175:887): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=10357 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"

`px` into ..soffice.bin profile does not work. I would suggest asking for help from AppArmor experts in the mailing list [1].

So not sure how `oopslash` could launch libreoffice...

[0] https://lists.ubuntu.com/archives/apparmor/2017-October/011142.html
[1] https://lists.ubuntu.com/mailman/listinfo/apparmor/
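The mechanism described in the report and in Vincas Dargis's reply above (a process holding an AppArmor label sets no_new_privs, and any exec that would change that label, px/ux or a move to unconfined, is refused with EPERM, while ix keeps working) can be reproduced and pre-checked outside LibreOffice. The program below is an added example written for this page; it is not code from LibreOffice, rr or AppArmor. It reads the caller's AppArmor label, reports whether a label-changing exec is at risk, then forks, sets no_new_privs in the child with prctl(2) and tries to exec a target, passing execve's errno back over a close-on-exec pipe so the result is not confused with the target's own exit status. Assumptions: the label is read from /proc/self/attr/apparmor/current (the per-LSM path; if it cannot be opened the process is treated as unconfined), and the default target is the javaldx path named in the report. Run it as `./nnp_exec` inside a confined shell (for example `aa-exec -p libreoffice-oopslash ./nnp_exec`) to see the EPERM from the report; unconfined, the exec simply succeeds.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Split a raw AppArmor label such as "libreoffice-oopslash (complain)\n"
 * into profile name and mode. Returns 1 when the label denotes a confined
 * process, 0 for "unconfined". mode is left empty if no "(mode)" suffix. */
int parse_aa_label(const char *raw, char *name, size_t nlen,
                   char *mode, size_t mlen)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", raw);
    buf[strcspn(buf, "\n")] = '\0';
    mode[0] = '\0';

    char *lp = strrchr(buf, '(');
    char *rp = lp ? strchr(lp, ')') : NULL;
    if (lp && rp && lp > buf && lp[-1] == ' ') {
        *rp = '\0';
        snprintf(mode, mlen, "%s", lp + 1);
        lp[-1] = '\0';                 /* drop the " (mode)" suffix */
    }
    snprintf(name, nlen, "%s", buf);
    return strcmp(name, "unconfined") != 0;
}

/* Read this process's AppArmor label. Assumption: the per-LSM attr file
 * is used; when it cannot be read (no AppArmor, older kernel) the process
 * is treated as unconfined. */
int read_aa_label(char *name, size_t nlen, char *mode, size_t mlen)
{
    char buf[256] = "unconfined";
    FILE *f = fopen("/proc/self/attr/apparmor/current", "r");
    if (f) {
        if (!fgets(buf, sizeof buf, f))
            snprintf(buf, sizeof buf, "unconfined");
        fclose(f);
    }
    return parse_aa_label(buf, name, nlen, mode, mlen);
}

/* Fork, set no_new_privs in the child, exec `path` with no arguments.
 * Returns 0 if the exec succeeded, otherwise the errno execve reported.
 * The O_CLOEXEC pipe is closed by a successful exec, so the parent then
 * reads nothing; on failure the child writes errno into it. */
int exec_with_nnp(const char *path)
{
    int pfd[2];
    if (pipe2(pfd, O_CLOEXEC) != 0)
        return errno;

    pid_t pid = fork();
    if (pid < 0) {
        int e = errno;
        close(pfd[0]);
        close(pfd[1]);
        return e;
    }
    if (pid == 0) {
        close(pfd[0]);
        int err;
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
            err = errno;
        } else {
            execl(path, path, (char *)NULL);
            err = errno;               /* only reached when execve failed */
        }
        if (write(pfd[1], &err, sizeof err) < 0)
            _exit(126);
        _exit(127);
    }

    close(pfd[1]);
    int err = 0;
    ssize_t n = read(pfd[0], &err, sizeof err);
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof err ? err : 0;
}

int main(int argc, char **argv)
{
    /* Default target: the helper the report says fails to exec. */
    const char *target = argc > 1 ? argv[1]
                                  : "/usr/lib/libreoffice/program/javaldx";
    char name[256], mode[32];
    int confined = read_aa_label(name, sizeof name, mode, sizeof mode);

    printf("apparmor label: %s%s%s\n", name, mode[0] ? " mode=" : "", mode);
    if (confined)
        printf("confined: with no_new_privs set, an exec needing a label "
               "change (px/ux, or to unconfined) fails with EPERM even in "
               "complain mode; only ix keeps working\n");

    int err = exec_with_nnp(target);
    printf("exec %s under no_new_privs: %s\n", target,
           err ? strerror(err) : "ok");
    return err ? 1 : 0;
}
```

The label check is the useful part for a launcher like the one in the report: if the current process is confined and the target is not reachable with `ix`, the exec will not work under rr or `setpriv --no-new-privs`, and that can be diagnosed before the AVC denial appears in the audit log.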
Hello Robert O'Callahan, A new major release of LibreOffice is available since this bug was reported. Could you please try to reproduce it with the latest version of LibreOffice from https://www.libreoffice.org/download/libreoffice-fresh/ ? I have set the bug's status to 'NEEDINFO'. Please change it back to 'UNCONFIRMED' if the bug is still present in the latest version.
Dear Robert O'Callahan, This bug has been in NEEDINFO status with no change for at least 6 months. Please provide the requested information as soon as possible and mark the bug as UNCONFIRMED. Due to regular bug tracker maintenance, if the bug is still in NEEDINFO status with no change in 30 days the QA team will close the bug as INSUFFICIENTDATA due to lack of needed information. For more information about our NEEDINFO policy please read the wiki located here: https://wiki.documentfoundation.org/QA/Bugzilla/Fields/Status/NEEDINFO If you have already provided the requested information, please mark the bug as UNCONFIRMED so that the QA team knows that the bug is ready to be confirmed. Thank you for helping us make LibreOffice even better for everyone! Warm Regards, QA Team MassPing-NeedInfo-Ping
Dear Robert O'Callahan, Please read this message in its entirety before proceeding. Your bug report is being closed as INSUFFICIENTDATA due to inactivity and a lack of information which is needed in order to accurately reproduce and confirm the problem. We encourage you to retest your bug against the latest release. If the issue is still present in the latest stable release, we need the following information (please ignore any that you've already provided): a) Provide details of your system including your operating system and the latest version of LibreOffice that you have confirmed the bug to be present b) Provide easy to reproduce steps – the simpler the better c) Provide any test case(s) which will help us confirm the problem d) Provide screenshots of the problem if you think it might help e) Read all comments and provide any requested information Once all of this is done, please set the bug back to UNCONFIRMED and we will attempt to reproduce the issue. Please do not: a) respond via email b) update the version field in the bug or any of the other details on the top section of our bug tracker Warm Regards, QA Team MassPing-NeedInfo-FollowUp