Open Kalle72 opened 1 year ago
Maybe a bug with join-or-start.
Maybe a duplicate of #5598.
Workaround until now: set "noroot" and "shell none" in the libreoffice.profile. Unfortunately "shell none" is now set by default and cannot be disabled anymore. Therefore the workaround does not work anymore either.
Off-topic
We still have a few files referencing shell none. Maybe it's a good idea to clean those up before cutting a new release.
@rusty-snake: True story: the profile has a "join-or-start libreoffice" line. Additionally I share the error "Error: --shell=none configured, but no program specified" with the bug "5598" mentioned.
Marking it as a bug, thanks @Kalle72
Question: why do you need to disable noroot?
noroot is used to prevent the program from raising privileges. For example ping:
$ firejail --noroot ping 1.1.1.1
/usr/bin/ping: socktype: SOCK_RAW
/usr/bin/ping: socket: Operation not permitted
/usr/bin/ping: => missing cap_net_raw+p capability or setuid?
ping tries to open a raw socket, which is a privileged operation; noroot prevents the escalation; ping complains suggesting the program should be installed with cap_net_raw capability or SUID.
Do you have some SUID program being called by libreoffice?
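A way to check the effect described in the comment above from outside the sandbox, as an added example that is not part of the thread or of firejail's code: the firejail man page describes --noroot as installing a user namespace with a single user, so uid 0 should have no entry in the sandboxed process's /proc/<pid>/uid_map. The function names and the two sample maps are constructed for illustration; the single-user sample assumes uid 1000 mapped to itself.

```python
"""Report whether uid 0 exists in a process's user namespace (added example)."""
import os
import sys


def parse_id_map(text):
    """Parse uid_map content into (inside_start, outside_start, length) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def root_is_mapped(text):
    """True if uid 0, as seen inside the namespace, falls in a mapped range."""
    return any(inside <= 0 < inside + length
               for inside, _outside, length in parse_id_map(text))


def describe(text):
    if root_is_mapped(text):
        return "uid 0 is mapped: root exists in this namespace"
    return "uid 0 is not mapped: consistent with a single-user (noroot) namespace"


# Constructed samples: the initial namespace, and a namespace holding one user.
HOST_MAP = "         0          0 4294967295\n"
SINGLE_USER_MAP = "      1000       1000          1\n"

if __name__ == "__main__":
    # Usage: script.py <pid>, e.g. the "child pid" that firejail prints.
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    path = f"/proc/{pid}/uid_map"
    if os.path.exists(path):
        with open(path) as fh:
            print(path, "->", describe(fh.read()))
    else:
        # No procfs available: fall back to the constructed samples.
        print("host sample ->", describe(HOST_MAP))
        print("single-user sample ->", describe(SINGLE_USER_MAP))
```

With no mapping for uid 0, a setuid-root binary started inside the namespace cannot become root, which matches the ping failure shown above.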
Libreoffice does not open a second document alongside a first one.
Steps to reproduce: Double-click a document --> document opens --> double-click a second document --> second document does not open (nothing happens except the mouse arrow shows the clock for some seconds).
Workaround until now: set "noroot" and "shell none" in the libreoffice.profile. Unfortunately "shell none" is now set by default and cannot be disabled anymore. Therefore the workaround does not work anymore either.
If I use the terminal I get for the first file the following output:
~/Desktop$ libreoffice test1.odt
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/allow-java.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 15635, child pid 15636
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: not remounting /run/user/1000/gvfs
Child process initialized in 137.85 ms
then the document is open. When opening the second document I get:
~/Desktop$ libreoffice test2.odt
Reading profile /etc/firejail/libreoffice.profile
Reading profile /etc/firejail/allow-java.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Switching to pid 15636, the first child process inside the sandbox
Changing root to /proc/15636/root
Error: --shell=none configured, but no program specified
(I use usr/local/bin/libreoffice to invoke firejail libreoffice. I do this with all firejailed programs in use.)
Kind regards Kalle
PS: I am on Gentoo and use the current firejail release: 0.9.72.
PPS: Other firejailed "writing-software" works (i.e. softmaker-freeoffice)
PPPS: The libreoffice problem has occurred since I started to use firejail (over 5 years ago), but the workaround solved it until now.