
desktop-packages team mailing list archive

[Bug 851986] Re: use of Ux in ubuntu-* abstractions and profiles is too lenient and should be improved


This bug was fixed in the package apparmor - 2.7.0-0ubuntu1

---------------
apparmor (2.7.0-0ubuntu1) precise; urgency=low

  * New upstream release. Fixes the following:
    - LP: #794974
    - LP: #815883
    - LP: #840973
  * Drop the following patches, included upstream:
    - af_names-generation.patch
    - 0004-adjust-logprof-log-search-order.patch
    - 0005-lp826914.patch
    - 0006-lp838275.patch
    - 0007-fix-introspection-tests.patch
  * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002
  * debian/patches/0003-commits-through-r1882.patch: several bug,
    documentation and performance fixes on our road to AppArmor 2.8
    (LP: #840734, LP: #905412)
  * debian/patches/0004-lp887992.patch: cups-client abstraction should allow
    owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions
    (LP: #887992)
  * update debian/patches/0001-add-chromium-browser.patch for deeper
    directories of /sys/devices/pci (LP: #885833)
  * debian/patches/0005-lp884748.patch: allow kate as text editor in the
    browsers abstraction (LP: #884748)
  * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access
    to ~/.fonts.conf.d (LP: #870992)
  * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py
    in the python abstraction, which is needed for apport hooks to work in
    python applications (LP: #860856)
  * debian/patches/0008-lp852062.patch: update binaries for transmission
    clients (LP: #852062)
  * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for
    Xubuntu and friends (LP: #851977)
  * debian/patches/0010-lp890894.patch: allow access to Thunar as well as
    thunar in ubuntu-integration abstraction (LP: #890894)
  * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile
    (LP: #817956)
  * debian/patches/0012-lp458922.patch: update dovecot deliver profile to
    access various .conf files for dovecot (LP: #458922)
  * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection
    (LP: #769148)
  * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv
    (LP: #904548)
  * debian/patches/0015-lp712584.patch: Nvidia users need access to
    /dev/nvidia* files for various plugins to work right. Since these are all
    focused around multimedia, add the accesses to the multimedia abstraction.
    (LP: #712584)
  * debian/patches/0016-lp562831.patch: allow fireclam plugin to work
    (LP: #562831)
  * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu
    integration browser abstraction (LP: #662906)
  * debian/patches/0018-deny-home-pki-so.patch: update private-files
    abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847)
  * debian/patches/0019-lp899963.patch: add audacity to the
    ubuntu-media-players abstraction (LP: #899963)
  * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit
    abstraction and add it to the authentication abstraction (LP: #912754)
  * debian/patches/0022-workaround-lp851986.patch: instead of using Ux
    in the ubuntu and launchpad abstractions, use a helper child profile.
    This will help work around the lack of environment filtering
    (LP: #851986)
  * debian/patches/0023-syslog-ng-needs-dac-read-search.patch: adjust syslog-ng
    profile for dac_read_search
  * debian/patches/0024-fix-python-and-ruby-autogeneration.patch: fix python
    and ruby autogeneration when using aa-autodep and aa-genprof
  * debian/patches/0025-lp914184.patch: allow the creation of enchant .config
    directory in the enchant abstraction (LP: #914184)
  * debian/patches/0026-lp914190.patch: block write access to ~/.kde/env
    because KDE automatically sources scripts in that folder on startup
    (LP: #914190)
  * debian/patches/0027-lp914386.patch: add xdg-desktop abstraction and
    adjust gnome and kde abstractions to use it (LP: #914386)
  * debian/patches/0028-testsuite-fixes.patch: testsuite fixes in the kernel
    regression tests
 -- Jamie Strandboge <jamie@xxxxxxxxxx>   Thu, 12 Jan 2012 12:55:17 +0100

** Changed in: apparmor (Ubuntu Precise)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/851986

Title:
  use of Ux in ubuntu-* abstractions and profiles is too lenient and
  should be improved

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “cups” package in Ubuntu:
  Triaged
Status in “evince” package in Ubuntu:
  In Progress
Status in “firefox” package in Ubuntu:
  Invalid
Status in “apparmor” source package in Oneiric:
  Won't Fix
Status in “cups” source package in Oneiric:
  Won't Fix
Status in “evince” source package in Oneiric:
  Won't Fix
Status in “firefox” source package in Oneiric:
  Won't Fix
Status in “apparmor” source package in Precise:
  Fix Released
Status in “cups” source package in Precise:
  Won't Fix
Status in “evince” source package in Precise:
  In Progress
Status in “firefox” source package in Precise:
  Invalid

Bug description:
  Ux clears potentially harmful environment variables such as LD_PRELOAD
  and LD_LIBRARY_PATH (and others). Because it doesn't clear out all
  variables that can influence child processes, the confined parent
  process may have too much influence over the child. When considering
  GUI applications such as those based on gtk, child processes can also
  be called with --gtk-module.

  Since there are several applications in the ubuntu-specific
  abstractions that can be affected in this manner, evince, firefox, the
  chromium profile as included in apparmor-profiles and the ubuntu-
  specific abstractions themselves should be adjusted to address this
  issue. Cups is also affected because of its use of Ux with filters,
  however it runs these filters as non-root and the environment under
  which these filters are run is more tightly controlled. Cups should be
  investigated more and we should consider confining (at least) those
  filters that we ship in Ubuntu.
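The changelog entry for 0022-workaround-lp851986.patch describes the fix: replace Ux in the abstractions with a helper child profile. The following is an added example in AppArmor profile syntax, not the page's or Ubuntu's own profile text; it shows the weak rule beside the child-profile pattern, and the parent profile path, the child profile name helper_child and its rule set are assumed for illustration.

```apparmor
# Illustrative parent profile (assumed path, not a shipped Ubuntu profile).
/usr/bin/example-app {
  #include <abstractions/base>
  #include <abstractions/X>

  # Weak form described in the bug: Ux runs the helper unconfined. Capital U
  # scrubs a fixed list of variables (LD_PRELOAD, LD_LIBRARY_PATH, ...), but
  # nothing stops the confined parent from steering the child through other
  # environment variables or arguments such as --gtk-module.
  # /usr/bin/xdg-open Ux,

  # Corrected form: a named transition into a child profile. Capital C still
  # scrubs the environment, and whatever the parent manages to pass along now
  # executes under helper_child instead of unconfined.
  /usr/bin/xdg-open Cxr -> helper_child,

  # Child profile for helpers (name and rules assumed for this example).
  profile helper_child {
    #include <abstractions/base>
    #include <abstractions/X>

    network inet,
    network inet6,

    # Programs the helper launches inherit this profile, or switch to their
    # own profile if one is loaded (Pix); none of them become unconfined.
    /bin/* Pixr,
    /usr/bin/* Pixr,
    /usr/lib/** Pixr,

    /etc/** r,
    /usr/share/** r,
    owner @{HOME}/** rw,
  }
}
```

The profile can be compiled without loading it into the kernel with `apparmor_parser -Q <file>` to check that the parser accepts the named transition.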

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/851986/+subscriptions

