Bug 117922 - libreoffice fails when launched with no_new_privs, due to AppArmor
Summary: libreoffice fails when launched with no_new_privs, due to AppArmor
Status: UNCONFIRMED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): 6.0.3.2 release
Hardware: All All
Importance: medium normal
Assignee: Not Assigned
Keywords: needsDevAdvice
 
Reported: 2018-05-30 23:20 UTC by Robert O'Callahan
Modified: 2018-08-29 16:35 UTC

Description Robert O'Callahan 2018-05-30 23:20:00 UTC
Description:
If you exec libreoffice with no_new_privs (e.g. by running it under rr, https://rr-project.org/), the launch fails. It tries to exec /usr/lib/libreoffice/program/javaldx, but the exec returns EPERM because AppArmor has libreoffice in the libreoffice-oopslash profile, while /usr/lib/libreoffice/program/javaldx is unconfined, and transitioning to unconfined is not allowed with no_new_privs *even though the libreoffice-oopslash profile is only in complain mode*. (See profile_onexec in security/apparmor/domain.c... not clear whether enforcing this in complain mode is an AppArmor bug or not.)

Maybe this could be fixed by putting /usr/lib/libreoffice/program/javaldx in the same confinement profile as libreoffice-oopslash?

Steps to Reproduce:
$ setpriv --no-new-privs libreoffice


Actual Results:  
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Expected Results:
Libreoffice launches.


Reproducible: Always


User Profile Reset: No



Additional Info:


User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Comment 1 Jean-Baptiste Faure 2018-06-10 15:18:15 UTC
You should ask on the developers mailing list: http://document-foundation-mail-archive.969070.n3.nabble.com/Dev-f1639786.html

Best regards. JBF
Comment 2 Xisco Faulí 2018-07-27 10:41:38 UTC
(In reply to Jean-Baptiste Faure from comment #1)
> You should ask on the developers mailing list:
> http://document-foundation-mail-archive.969070.n3.nabble.com/Dev-f1639786.html
> 
> Best regards. JBF

Hi Robert,
Have you asked in the dev mailing list? Which was the answer?
I have set the bug's status to 'NEEDINFO'. Please change it back to
'UNCONFIRMED' once the question has been answered
Comment 3 Robert O'Callahan 2018-07-27 23:14:40 UTC
I have not. I don't want to subscribe to yet another mailing list just to report a bug.
Comment 4 Xisco Faulí 2018-08-29 09:52:48 UTC
@Rene, I thought you could be interested in this issue...
Comment 5 Xisco Faulí 2018-08-29 16:35:29 UTC
I asked Vincas Dargis by email. This is his answer:

I believe there were already some issues with other applications due to no_new_privs. There was a discussion some time ago [0] where it was stated that only `ix` mode works with no_new_privs.

If I change the profile to make `javaldx` launch in "ix" mode (child mode Cx does not work either) and add an additional rule to make `javaldx` itself succeed, launching LO still fails:

type=AVC msg=audit(1535559666.175:887): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=10357 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"

`px` into ..soffice.bin profile does not work.

I would suggest asking for help from the AppArmor experts on the mailing list [1]. So not sure how `oopslash` could launch libreoffice...

[0] https://lists.ubuntu.com/archives/apparmor/2017-October/011142.html
[1] https://lists.ubuntu.com/mailman/listinfo/apparmor/
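Added example, not code from LibreOffice, AppArmor or rr: a small Python diagnostic covering the two facts this report turns on. The description says the failure needs both no_new_privs on the process and an AppArmor profile whose exec would change confinement, and comment 5 shows what the resulting audit record looks like. The script parses such records (from `journalctl -k`, `dmesg` or `/var/log/audit/audit.log`) and keeps only exec denials whose `info` is "no new privs", and it reports the NoNewPrivs flag from `/proc/<pid>/status` (Linux 4.10 or later) and the AppArmor label from `/proc/<pid>/attr/current` for a process. The first sample record is the one quoted in comment 5; the other two sample lines are constructed here to show what gets filtered out.

```python
"""Diagnose AppArmor "no new privs" exec denials (added example, not
LibreOffice/AppArmor/rr code). Parses AppArmor audit records and reports a
process's NoNewPrivs flag and AppArmor label from /proc."""
import re
import sys

# One key=value token of an audit record; values are either double-quoted
# and may contain spaces (info="no new privs") or bare (pid=10357).
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_record(line):
    """Return the key/value fields of an AppArmor audit line, or None if the
    line is not an AppArmor record at all."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def nnp_exec_denials(lines):
    """Keep only exec denials whose cause is no_new_privs and summarise each:
    confined profile, path being executed, the profile the exec would have
    transitioned to (when the record carries a target), comm and pid."""
    hits = []
    for line in lines:
        rec = parse_apparmor_record(line)
        if rec is None:
            continue
        if (rec.get('apparmor') == 'DENIED' and rec.get('operation') == 'exec'
                and rec.get('info') == 'no new privs'):
            hits.append({k: rec.get(k)
                         for k in ('profile', 'name', 'target', 'comm', 'pid')})
    return hits


def parse_no_new_privs(status_text):
    """Parse the NoNewPrivs line of /proc/<pid>/status. Returns True or
    False, or None on kernels too old to report the flag."""
    for line in status_text.splitlines():
        if line.startswith('NoNewPrivs:'):
            return line.split(':', 1)[1].strip() == '1'
    return None


def process_confinement(pid='self'):
    """Return (no_new_privs, apparmor_label) for a process. The label reads
    e.g. 'unconfined' or 'libreoffice-oopslash (complain)'; it is None when
    /proc/<pid>/attr/current cannot be read (no LSM, or not permitted)."""
    with open(f'/proc/{pid}/status') as f:
        nnp = parse_no_new_privs(f.read())
    try:
        with open(f'/proc/{pid}/attr/current') as f:
            label = f.read().strip('\0\n ')
    except OSError:
        label = None
    return nnp, label


# Sample input: record 1 is the one quoted in comment 5; records 2 and 3 are
# constructed (a non-exec denial and a non-AppArmor audit line).
SAMPLE_LINES = [
    'type=AVC msg=audit(1535559666.175:887): apparmor="DENIED" operation="exec" '
    'info="no new privs" error=-1 profile="libreoffice-oopslash" '
    'name="/usr/lib/libreoffice/program/soffice.bin" pid=10357 '
    'comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 '
    'ouid=0 target="libreoffice-soffice"',
    'type=AVC msg=audit(1535559700.001:888): apparmor="DENIED" operation="open" '
    'profile="libreoffice-oopslash" name="/etc/shadow" pid=10357 '
    'comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=SYSCALL msg=audit(1535559700.001:888): arch=c000003e syscall=59 '
    'success=no exit=-1 comm="oosplash"',
]


def report(lines, out=sys.stdout):
    """Print one line per no_new_privs exec denial; return the count."""
    hits = nnp_exec_denials(lines)
    for h in hits:
        tgt = f" (would transition to {h['target']})" if h['target'] else ''
        out.write(f"pid {h['pid']} ({h['comm']}): profile {h['profile']} "
                  f"may not exec {h['name']} under no_new_privs{tgt}\n")
    return len(hits)


if __name__ == '__main__':
    nnp, label = process_confinement()
    print(f'this process: NoNewPrivs={nnp} apparmor={label!r}')
    if len(sys.argv) > 1:          # audit log file to scan
        with open(sys.argv[1]) as f:
            n = report(f)
    else:                          # no file given: run on the sample records
        n = report(SAMPLE_LINES)
    print(f'{n} no_new_privs exec denial(s)')
```

Run it the same way the reporter launched LibreOffice, `setpriv --no-new-privs python3 nnp_diag.py /var/log/audit/audit.log`, and the first line confirms NoNewPrivs=True for the process itself (the flag is inherited across exec, which is exactly why rr's tracees hit it); the denial lines then show which profile refused which exec, and, as in comment 5, which target profile the exec would have switched to. A process whose label is `unconfined` will never produce such a denial, which is a quick way to tell an AppArmor domain-transition refusal apart from other EPERM sources.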