Bug#1127671: "WARNING: Glycin running without sandbox" when AppArmor profile doesn't allow the sandbox to work
Rene Engelhard
rene at debian.org
Sun Mar 15 11:39:37 GMT 2026
Hi,
On 15.03.26 at 12:35, Simon McVittie wrote:
> On Sat, 14 Mar 2026 at 22:30:10 +0100, Rene Engelhard wrote:
>> 28 profiles are in complain mode.
>> libreoffice-oosplash
>> libreoffice-soffice
>> libreoffice-soffice//null-/usr/bin/bwrap
>> libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-image-rs
>> libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-svg
>
> I believe the profiles with "//null-" in their names are automatically synthesized by complain mode: libreoffice doesn't have a rule allowing it to run /usr/bin/bwrap or /usr/libexec/glycin-loaders/**, but the absence of such a rule would prevent it from working, defeating the purpose of complain mode, therefore AppArmor synthesizes a blank profile in complain mode for them and behaves as though libreoffice's profile allowed a transition to that new profile.
Hmm.
Interesting. Makes sense.
>> IMHO aa-disable is a bad idea for a warning.
>> There is a reason some profiles are kept in enforcing.
>
> Sure, but libreoffice's profile isn't enforcing,
Some profiles are:
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
> so its only purpose is to generate warnings, and it will never actually prevent anything. (This is not necessarily a bad thing - I did the same for some games - but it does limit its value.)
Yeah, the value is limited for soffice(.bin)/oosplash itself, indeed.
Regards,
Rene
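
Added example, not part of the thread or of any package discussed in it: a small parser for `aa-status`-style output that lists, per parent profile, the exec targets for which complain mode synthesized a "//null-" profile, i.e. the transitions the parent profile has no rule for. The sample text is constructed from the profile names quoted above with shortened counts; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout aa-status prints; profile names come from
# the thread, the counts are adjusted to fit this shortened listing.
SAMPLE = """\
apparmor module is loaded.
8 profiles are loaded.
3 profiles are in enforce mode.
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
5 profiles are in complain mode.
   libreoffice-oosplash
   libreoffice-soffice
   libreoffice-soffice//null-/usr/bin/bwrap
   libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-image-rs
   libreoffice-soffice//null-/usr/libexec/glycin-loaders/2+/glycin-svg
0 processes have profiles defined.
"""

HEADER = re.compile(r"^\d+ profiles are in (\w+) mode\.$")
NULL = "//null-"  # marker of a profile synthesized by complain mode

def parse_profiles(text):
    """Return {profile_name: mode} from the 'profiles are in X mode' sections."""
    modes, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group(1)
        elif current and line[:1].isspace() and line.strip():
            modes[line.strip()] = current  # indented entry of the open section
        else:
            current = None  # any other line ends the section
    return modes

def missing_exec_rules(modes):
    """Map each parent profile to the exec targets that got a synthesized profile."""
    missing = defaultdict(list)
    for name in modes:
        # rpartition keeps any earlier //null- segment as part of the parent name
        parent, sep, target = name.rpartition(NULL)
        if sep:
            missing[parent].append(target)
    return dict(missing)

if __name__ == "__main__":
    for parent, targets in missing_exec_rules(parse_profiles(SAMPLE)).items():
        print(f"{parent} ({len(targets)} exec targets without a rule):", *targets, sep="\n  ")
```

Named child profiles such as `libreoffice-soffice//gpg` are not reported, since they are declared in the profile rather than synthesized.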