Bug#1127671: "WARNING: Glycin running without sandbox" when AppArmor profile doesn't allow the sandbox to work
Simon McVittie
smcv at debian.org
Sun Mar 15 11:35:33 GMT 2026
On Sat, 14 Mar 2026 at 22:30:10 +0100, Rene Engelhard wrote:
>28 profiles are in complain mode.
> libreoffice-oosplash
> libreoffice-soffice
> libreoffice-soffice//null-/usr/bin/bwrap
> libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-image-rs
> libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-svg
I believe the profiles with "//null-" in their names are automatically
synthesized by complain mode: libreoffice doesn't have a rule allowing
it to run /usr/bin/bwrap or /usr/libexec/glycin-loaders/**, but the
absence of such a rule would prevent it from working, defeating the
purpose of complain mode, therefore AppArmor synthesizes a blank profile
in complain mode for them and behaves as though libreoffice's profile
allowed a transition to that new profile.
>IMHO aa-disable is a bad idea for a warning.
>There is a reason some profiles are kept in enforcing.
Sure, but libreoffice's profile isn't enforcing, so its only purpose is
to generate warnings, and it will never actually prevent anything. (This
is not necessarily a bad thing - I did the same for some games - but it
does limit its value.)
smcv
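
The naming pattern described in the message above, as an added example that is not part of the original message: it reads an aa-status style profile listing and reports, per parent profile, the executables for which a "//null-" profile was synthesized, i.e. the exec transitions the parent profile has no rule for. The sample listing is constructed from the profile names quoted above; the function names and the treatment of nested "//null-" names are assumptions of this example.

```python
from collections import defaultdict

NULL_MARK = "//null-"

# Constructed sample in the layout of an aa-status profile listing,
# using the profile names quoted in the message.
SAMPLE = """\
28 profiles are in complain mode.
   libreoffice-oosplash
   libreoffice-soffice
   libreoffice-soffice//null-/usr/bin/bwrap
   libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-image-rs
   libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-svg
"""


def synthesized_transitions(status_text):
    """Return {parent profile: sorted exec targets with a synthesized profile}."""
    found = defaultdict(set)
    for line in status_text.splitlines():
        # Tolerate mail-style "> " quoting in front of the profile name.
        name = line.strip().lstrip(">").strip()
        if NULL_MARK not in name:
            continue
        # Assumption: for nested names the last marker separates the
        # immediate parent from the executable that was run.
        parent, _, target = name.rpartition(NULL_MARK)
        if parent and target.startswith("/"):
            found[parent].add(target)
    return {parent: sorted(targets) for parent, targets in found.items()}


def report(status_text):
    """Format the missing exec transitions as a short text report."""
    lines = []
    for parent, targets in sorted(synthesized_transitions(status_text).items()):
        lines.append(f"{parent}: no rule for executing")
        lines.extend(f"  {target}" for target in targets)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```
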