
Bug#922378: live-boot: Libreoffice doesn't start from a live environment. Signal 11



Control: reassign -1 apparmor
Control: severity -1 serious
Control: retitle -1 AppArmor policy breaks confined software when running under live-boot + overlayfs
Control: found -1 2.13.2-9

Hi,

Cesar Etxeberria:
> Everything works perfectly but libreoffice doesn't start (signal
> 11).

I can reproduce this with LibreOffice and Evince.

The root cause of the problem is that the storage stack set up by
live-boot with overlayfs is not supported by our AppArmor policy at
the moment.

Fixing the root cause of this problem:

 - will require quite some work; I've started working on this some
   time ago and will definitely finish it at some point for several
   reasons, including the fact that Tails needs this to be fixed;

 - is too involved to happen in time for Buster.

So my plan for Buster is to disable apparmor.service when running
under live-boot + overlayfs, just like Ubuntu already does in their
live images for the exact same reason. This will prevent loading
policy at boot time, which will avoid such breakage, except for
packages that load policy themselves; thankfully, the nature of these
packages (libvirt, LXC) makes it so they have little chance to be used
in a Live environment, so I think that'll be good enough; and if it's
not good enough, worst case we can patch the Live builds configuration
to disable the AppArmor LSM entirely, by passing apparmor=0 on the
kernel command line.

Cheers,
-- 
intrigeri
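
Added example, not part of the original message or of the apparmor package: a shell check that classifies a host by the two conditions the message names (live-boot plus an overlayfs root) and by whether `apparmor=0` is on the kernel command line. It assumes live-boot is recognisable by `boot=live` on the command line and that the root filesystem appears with type `overlay` in `/proc/mounts`; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: the detection heuristics below are assumptions, not the
# check used by any Debian package.

# has_param CMDLINE PARAM -> 0 if PARAM is a whole word on the command line
has_param() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# root_is_overlay MOUNTS -> 0 if the last mount on / has fstype "overlay"
# (the last entry wins because later mounts shadow earlier ones)
root_is_overlay() {
    printf '%s\n' "$1" |
        awk '$2 == "/" { fs = $3 } END { exit (fs == "overlay" ? 0 : 1) }'
}

# classify CMDLINE MOUNTS -> prints one verdict word
classify() {
    if ! has_param "$1" "boot=live" || ! root_is_overlay "$2"; then
        echo "not-live-overlay"            # storage stack from the report absent
    elif has_param "$1" "apparmor=0"; then
        echo "live-overlay-apparmor-off"   # LSM disabled at boot
    else
        echo "live-overlay-apparmor-on"    # setup in which confined apps broke
    fi
}

# Constructed sample input (placeholder overlay paths).
SAMPLE_CMDLINE='boot=live quiet'
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
overlay / overlay rw,lowerdir=/lower,upperdir=/upper,workdir=/work 0 0
proc /proc proc rw 0 0'

classify "$SAMPLE_CMDLINE" "$SAMPLE_MOUNTS"
# On a real host: classify "$(cat /proc/cmdline)" "$(cat /proc/mounts)"
```

The verdict only reflects boot parameters and the root mount; whether policy is actually loaded still has to be checked separately, for example with `aa-status`.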

