LibreOffice won't start on Ubuntu 18.04 #1917

Closed
derba opened this issue Apr 29, 2018 · 13 comments

Comments

@derba (Author) commented Apr 29, 2018

$ libreoffice
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 21258, child pid 21259
Blacklist violations are logged to syslog
Child process initialized in 77.09 ms
Warning: failed to launch javaldx - java may not function correctly
ERROR 4 forking process

Parent is shutting down, bye...

$ journalctl | tail
Apr 29 19:33:20 Lapi audit[20977]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/firejail/mnt/fslogger" pid=20977 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 29 19:33:20 Lapi kernel: audit: type=1400 audit(1525023200.547:90): apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/firejail/mnt/fslogger" pid=20977 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 29 19:33:20 Lapi audit[20991]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/javaldx" pid=20991 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
Apr 29 19:33:20 Lapi audit[20993]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=20993 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"
Apr 29 19:33:20 Lapi kernel: audit: type=1400 audit(1525023200.563:91): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/javaldx" pid=20991 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
Apr 29 19:33:20 Lapi kernel: audit: type=1400 audit(1525023200.563:92): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=20993 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"

$ /usr/bin/libreoffice --version
LibreOffice 6.0.3.2 00m0(Build:2)

$ firejail --version
firejail version 0.9.52

Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- bind support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- git install support is disabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

Could you help me resolve the issue?

@Vincent43 (Collaborator) commented Apr 29, 2018

Those logs indicate that libreoffice is contained in an AppArmor profile, but in complain state, which can still interfere with firejail. Can you try running firejail --apparmor libreoffice, which should force using the firejail-default AppArmor profile instead of the libreoffice one?

Also, if you don't use java with libreoffice you can start it unsandboxed and disable java.
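Added example, not code from the issue or the firejail project: a small POSIX shell scanner for audit records of the kind pasted above. The records inside it are constructed to mirror the ones in this issue, with one ordinary enforce-mode denial added for contrast; profile names, paths and pids are illustrative. The check it encodes is the point Vincent43 makes: apparmor="ALLOWED" only says the source profile is in complain mode, but an exec record carrying info="no new privs" and error=-1 (that is, -EPERM) is an exec the kernel refused, because the profile transition named in target= is not permitted once no_new_privs has been set, which is exactly what firejail's nonewprivs does. Complain mode does not turn that refusal into a success, so the sandboxed program fails even though nothing was "denied".

```sh
#!/bin/sh
# Added example, not firejail project code. Scans AppArmor audit records for
# exec attempts refused under no_new_privs. SAMPLE_AUDIT is constructed to
# mirror the records in this issue; names and pids are illustrative.

SAMPLE_AUDIT='Apr 29 19:33:20 Lapi audit[20977]: AVC apparmor="ALLOWED" operation="open" profile="libreoffice-oopslash" name="/run/firejail/mnt/fslogger" pid=20977 comm="oosplash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 29 19:33:20 Lapi audit[20991]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/javaldx" pid=20991 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
Apr 29 19:33:20 Lapi audit[20993]: AVC apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="libreoffice-oopslash" name="/usr/lib/libreoffice/program/soffice.bin" pid=20993 comm="osl_executeProc" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="libreoffice-soffice"
Apr 29 19:34:02 Lapi audit[21100]: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/etc/shadow" pid=21100 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# Value of key="value" in one audit record ($1 = record, $2 = key).
aa_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# One line "profile<TAB>name<TAB>target" per exec the kernel refused because a
# profile transition would happen while no_new_privs is set. apparmor="ALLOWED"
# only says the source profile is in complain mode; error=-1 is -EPERM, so the
# exec did fail, which is why a complain-mode profile breaks a nonewprivs sandbox.
nnp_exec_failures() {
  while IFS= read -r rec; do
    case "$rec" in
      *'operation="exec"'*'info="no new privs"'*'error=-1'*)
        printf '%s\t%s\t%s\n' "$(aa_field "$rec" profile)" \
          "$(aa_field "$rec" name)" "$(aa_field "$rec" target)"
        ;;
    esac
  done
}

# Distinct source profiles behind those failures: the AppArmor profiles to
# replace (firejail --apparmor) or fix before the program can run under nonewprivs.
nnp_offending_profiles() {
  nnp_exec_failures | cut -f1 | sort -u
}

# Stand-alone run on the constructed sample; on a real host use for instance
#   journalctl | grep 'apparmor=' | nnp_exec_failures
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_AUDIT" | nnp_exec_failures
fi
```

On the constructed sample the scanner reports the two exec failures (javaldx heading for unconfined, soffice.bin heading for libreoffice-soffice) and names libreoffice-oopslash as the profile to deal with; the plain open records, ALLOWED or DENIED, are not the problem and are left out.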

Fred-Barclay added a commit that referenced this issue Apr 29, 2018
@Fred-Barclay (Collaborator) commented Apr 29, 2018

@Vincent43 I've just tested and firejail --apparmor libreoffice does work for my Ubuntu 18.04 vm. Funny thing was, so did 00b91bf when building firejail from source (and w/o apparmor support). It'd sure be nice if we can fix this with just apparmor.

@smitsohu (Collaborator) commented Apr 30, 2018

This leaves us with an interesting choice. Since libreoffice-kde has been ported away from the old kdelibs4 particularly late (afaik only in the coming LibreOffice 6.1), apparmor currently breaks it on Kubuntu (due to missing D-Bus).

@netblue30 (Owner) commented Apr 30, 2018

They are bringing in their own apparmor profile for libreoffice, so we need to disable ours. With this fix a6c97ef and the previous one 00b91bf from @Fred-Barclay we should be all set.

@derba can you grab the version from mainline git and give it a try? All you have to do is the following:

$ sudo apt-get install build-essential git
$ git clone http://github.com/netblue30/firejail
$ cd firejail
$ ./configure && make && sudo make install
$ sudo firecfg

Thanks.

@derba (Author) commented May 1, 2018

It works fine.

@derba (Author) commented May 1, 2018

I played with the profile a bit. It seems that commenting out nonewprivs solved the actual issue. When I put apparmor back, LO works fine.
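Added example, not the project's code: a shell resolver for a firejail profile chain that follows include lines and honours ignore lines, so the per-profile override derba describes can be checked without editing the packaged /etc/firejail/libreoffice.profile. It builds a constructed stand-in profile tree in a temporary directory (the file contents are invented for the demo and are not the real profiles); firejail's actual mechanism for this kind of change is an `ignore nonewprivs` line in the profile's .local override file, whose location depends on the firejail version installed. The caveat a practitioner should weigh: nonewprivs is the line that stops anything inside the sandbox from gaining privilege through setuid or file-capability binaries, so dropping it to get past a complain-mode AppArmor profile widens the sandbox rather than fixing the profile, and the flags summary below is there to make that trade visible.

```sh
#!/bin/sh
# Added example, not firejail project code. Resolves a firejail profile chain
# (include / ignore) and reports whether apparmor, nonewprivs and nodbus are in
# effect. The profile tree it builds is a constructed stand-in, not the real
# /etc/firejail files.

FJ_IGNORED=''   # commands switched off so far by "ignore <command>" lines

# Print the effective command lines of a profile, following include lines
# (missing includes are skipped, as firejail does for absent .local files) and
# honouring ignore lines for everything that follows them, across files.
fj_effective_commands() {  # $1 = absolute profile path
  local prof="$1" line cmd
  [ -r "$prof" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) ;;
      'ignore '*) FJ_IGNORED="$FJ_IGNORED ${line#ignore }" ;;
      'include '*) fj_effective_commands "${line#include }" ;;
      *)
        cmd=${line%% *}
        case " $FJ_IGNORED " in *" $cmd "*) ;; *) printf '%s\n' "$line" ;; esac
        ;;
    esac
  done < "$prof"
}

# Summarise the three options this issue turns on, e.g. "apparmor=1 nonewprivs=0 nodbus=1".
fj_sandbox_flags() {  # $1 = absolute profile path
  FJ_IGNORED=''
  fj_effective_commands "$1" | awk '
    $1 == "apparmor"   { a = 1 }
    $1 == "nonewprivs" { n = 1 }
    $1 == "nodbus"     { d = 1 }
    END { printf "apparmor=%d nonewprivs=%d nodbus=%d\n", a, n, d }'
}

# Build the constructed stand-in tree and print its directory. libreoffice.local
# carries the per-profile override derba describes (keep apparmor, drop
# nonewprivs) plus nodbus, the per-profile D-Bus control discussed in this thread.
fj_make_sample_tree() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/libreoffice.profile" <<EOF
# constructed stand-in for /etc/firejail/libreoffice.profile
include $dir/libreoffice.local
include $dir/globals.local
include $dir/disable-common.inc
apparmor
caps.drop all
netfilter
nonewprivs
seccomp
EOF
  printf 'blacklist /etc/shadow\n' > "$dir/disable-common.inc"
  printf 'ignore nonewprivs\nnodbus\n' > "$dir/libreoffice.local"
  printf '%s\n' "$dir"
}

# Stand-alone run: show the flags with and without the .local override.
if [ "${1:-}" = "--demo" ]; then
  d=$(fj_make_sample_tree)
  printf 'with libreoffice.local:    %s\n' "$(fj_sandbox_flags "$d/libreoffice.profile")"
  rm "$d/libreoffice.local"
  printf 'without libreoffice.local: %s\n' "$(fj_sandbox_flags "$d/libreoffice.profile")"
  rm -rf "$d"
fi
```

With the override in place the resolver reports apparmor=1 nonewprivs=0 nodbus=1; remove libreoffice.local and it reports apparmor=1 nonewprivs=1 nodbus=0, the combination that produced the "no new privs" exec failures in this issue. The ignore list is deliberately global across included files, because the override is included at the top of the profile and must apply to the lines that come after it.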

@Vincent43 (Collaborator) commented May 1, 2018

@netblue30 keep in mind that the libreoffice AppArmor profile is in complain mode by default, so it doesn't do anything except print logs and break firejail. I doubt it will be force enabled in the ubuntu bionic lifetime. I wonder if we should enable dbus in the firejail apparmor profile and control it with the nodbus option instead, which can be used per profile instead of globally.

@netblue30 (Owner) commented May 2, 2018

I'll do a release in the next two/three weeks with what we have now. After that we move to enable dbus in firejail apparmor profile as you suggested.

smitsohu added a commit that referenced this issue May 4, 2018
@smitsohu (Collaborator) commented May 12, 2018

Since Apparmor allows pretty fine grained control of D-Bus, maybe we can try to blacklist some interfaces? Thinking of stuff like NetworkManager and WPASupplicant on the system bus, or terminals and scriptable window managers on the session bus. We won't be able to blacklist everything that's dangerous, but limiting an attacker's toolkit to some extent should still be possible.

Vincent43 added a commit that referenced this issue Jun 7, 2018
AppArmor: allow dbus access by default
As discussed in #1917 (comment) leave blacklisting dbus access to firejail userspace with 'nodbus' option. Fine grained blacklisting of particular dbus services can be added here in the future.

@Vincent43 Vincent43 closed this Jun 8, 2018

@Vincent43 Vincent43 removed the in testing label Jul 11, 2018

@smitsohu (Collaborator) commented Aug 21, 2018

Now that we don't restrict D-Bus anymore in our Apparmor profile, shouldn't it be possible to enable everything back in the Libreoffice profile?

@smitsohu smitsohu reopened this Aug 21, 2018

@Vincent43 (Collaborator) commented Aug 21, 2018

Yeah, we may try 😄

@smitsohu (Collaborator) commented Aug 22, 2018

You convinced me 😄 Let's see if we find the courage in the next development cycle...

@smitsohu (Collaborator) commented Aug 22, 2018

Sending the issue back to sleep
