[Libreoffice-bugs] [Bug 117922] New: libreoffice fails when launched with no_new_privs, due to AppArmor

bugzilla-daemon at bugs.documentfoundation.org
Wed May 30 23:20:00 UTC 2018


https://bugs.documentfoundation.org/show_bug.cgi?id=117922

            Bug ID: 117922
           Summary: libreoffice fails when launched with no_new_privs, due
                    to AppArmor
           Product: LibreOffice
           Version: 6.0.3.2 release
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: LibreOffice
          Assignee: libreoffice-bugs at lists.freedesktop.org
          Reporter: robert at ocallahan.org

Description:
If you exec libreoffice with no_new_privs (e.g. by running it under rr,
https://rr-project.org/), the launch fails. It tries to exec
/usr/lib/libreoffice/program/javaldx, but the exec returns EPERM because
AppArmor has libreoffice in the libreoffice-oopslash profile, while
/usr/lib/libreoffice/program/javaldx is unconfined, and transitioning to
unconfined is not allowed with no_new_privs *even though the
libreoffice-oopslash profile is only in complain mode*. (See profile_onexec in
security/apparmor/domain.c... not clear whether enforcing this in complain mode
is an AppArmor bug or not.)

Maybe this could be fixed by putting /usr/lib/libreoffice/program/javaldx in
the same confinement profile as libreoffice-oopslash?

Steps to Reproduce:
$ setpriv --no-new-privs libreoffice


Actual Results:  
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Expected Results:
LibreOffice launches.


Reproducible: Always


User Profile Reset: No



Additional Info:


User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101
Firefox/62.0

-- 
You are receiving this mail because:
You are the assignee for the bug.
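
Added example (not part of the original report, and not LibreOffice, AppArmor or rr code): a small C diagnostic that does what `setpriv --no-new-privs` does in the steps above, setting no_new_privs in a forked child and returning the errno from the exec, alongside the caller's AppArmor label. The function names `apparmor_label` and `exec_under_nnp` are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical helper: copy this process's AppArmor label, e.g.
 * "name (complain)" or "unconfined", into buf. Returns 0, or -1 if unavailable. */
int apparmor_label(char *buf, size_t len) {
    int fd = open("/proc/self/attr/current", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n <= 0) return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}
/* Hypothetical helper: fork, set no_new_privs in the child only, then
 * execv(path). Returns 0 if the exec succeeded, otherwise the errno that
 * stopped it (EPERM is the value described in the report). */
int exec_under_nnp(const char *path, char *const argv[]) {
    int p[2], err = 0;
    if (pipe(p) < 0) return errno;
    fcntl(p[1], F_SETFD, FD_CLOEXEC);   /* write end vanishes on a successful exec */
    pid_t pid = fork();
    if (pid < 0) { err = errno; close(p[0]); close(p[1]); return err; }
    if (pid == 0) {
        close(p[0]);
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
            execv(path, argv);          /* returns only on failure */
        err = errno;
        if (write(p[1], &err, sizeof err) < 0) _exit(126);
        _exit(127);
    }
    close(p[1]);
    /* EOF with no data means the exec went through; otherwise we get the errno. */
    if (read(p[0], &err, sizeof err) != (ssize_t)sizeof err) err = 0;
    close(p[0]);
    waitpid(pid, NULL, 0);
    return err;
}
int main(int argc, char **argv) {
    char label[256];
    if (argc < 2) { fprintf(stderr, "usage: %s /path/to/binary [args]\n", argv[0]); return 2; }
    printf("label: %s\n", apparmor_label(label, sizeof label) == 0 ? label : "(unavailable)");
    int e = exec_under_nnp(argv[1], &argv[1]);
    if (e) printf("exec %s: %s\n", argv[1], strerror(e));
    return e ? 1 : 0;
}
```

The label printed is that of the diagnostic process itself; per the report, the EPERM appears only when the calling process is in a profile and the exec target would transition out of it.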