
touch-packages team mailing list archive

[Bug 1260048] Re: oxide should use an application specific location for pki/nss files

 

With newer oxide on 14.10, we are hitting this again:
apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.webapps.webapp-amazon_webapp-amazon_1.0.9" name="/home/phablet/.pki/" pid=30367 comm="webapp-containe" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

Seems that oxide should allow for specifying an alternate shared nssdb.
Once it can do that, the UbuntuWebview could examine "applicationName"
from MainView like with other QML components and do this for the app
automatically. webapp-container, html5-container, cordova, et al. would
need to set up Oxide to do this as well.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1260048

Title:
  oxide should use an application specific location for pki/nss files

Status in Oxide Webview:
  Triaged
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Confirmed

Bug description:
  Running oxide under confinement, I see the following denial:

  Dec 11 13:32:58 localhost kernel: [224656.316855] type=1400 audit(1386790378.642:1642): apparmor="DENIED" operation="open" parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/home/jamie/.pki/nssdb/cert9.db" pid=21725 comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000

  This requires the following rule:
    owner @{HOME}/.pki/nssdb/ rw,
    owner @{HOME}/.pki/nssdb/** rwk,

  But these rules are too lenient because this could disclose data to a
  malicious app and a malicious app could poison the databases.
  Therefore, these paths need to be made application specific.
  Specifically oxide should be adjusted to use
  $XDG_DATA_HOME/<app_pkgname>, where '<app_pkgname>' is the "name"
  field in the Click manifest.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oxide/+bug/1260048/+subscriptions
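The two denials quoted in this bug are the kind of thing a policy author triages by hand: parse the audit line, turn it into a candidate rule, then decide whether the path is one the app may own. The script below is an added example, not code from the bug report, from Oxide or from apparmor-easyprof-ubuntu. It parses AppArmor DENIED lines, derives the Click package name from the profile name (assumed to be of the form pkgname_app_version, which is what both quoted profiles look like), and classifies the denied path as "shared" (such as ~/.pki, which the bug says must not be allowed) or "app-private" (under $XDG_DATA_HOME/<pkgname>, assuming the default ~/.local/share). The first two sample lines are the denials from the bug; the third is constructed to show what the denial would look like after the relocation the bug asks for. The generated rule is derived from requested_mask only; NSS also needs the k (lock) permission the reporter added by hand.

```python
"""Triage AppArmor DENIED lines for app-private versus shared paths.

Added example, not part of the bug report, Oxide or apparmor-easyprof-ubuntu.
"""
import re
from dataclasses import dataclass

# Constructed sample log: lines 1 and 2 are the denials quoted in the bug,
# line 3 is a made-up denial for the app-private location the bug asks for.
SAMPLE_LOG = """\
apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.webapps.webapp-amazon_webapp-amazon_1.0.9" name="/home/phablet/.pki/" pid=30367 comm="webapp-containe" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
type=1400 audit(1386790378.642:1642): apparmor="DENIED" operation="open" parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/home/jamie/.pki/nssdb/cert9.db" pid=21725 comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/home/jamie/.local/share/com.ubuntu.developer.jdstrand.test-oxide/nssdb/cert9.db" pid=21725 comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
"""


@dataclass
class Denial:
    profile: str
    operation: str
    path: str
    requested: str
    comm: str


# key="quoted value" or key=bareword, as emitted by the AppArmor audit format.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HOME = re.compile(r"^(/home/[^/]+)/")
# AppArmor request-mask letters mapped onto file-rule permissions:
# create/append/delete are all covered by "w" in a file rule.
_MASK_TO_PERM = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w", "k": "k", "m": "m"}


def parse_denial(line):
    """Return a Denial for an apparmor="DENIED" line, else None."""
    fields = {}
    for m in _FIELD.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if fields.get("apparmor") != "DENIED" or "profile" not in fields or "name" not in fields:
        return None
    return Denial(fields["profile"], fields.get("operation", ""), fields["name"],
                  fields.get("requested_mask", ""), fields.get("comm", ""))


def pkgname_from_profile(profile):
    # Assumption: Click app profiles are named <pkgname>_<app>_<version>,
    # as both profiles quoted in the bug are. pkgname is the manifest "name".
    return profile.split("_", 1)[0]


def classify(den):
    """'app-private' if the path is under $XDG_DATA_HOME/<pkgname>, 'shared' if
    elsewhere under the user's home, 'outside-home' otherwise."""
    m = _HOME.match(den.path)
    if not m:
        return "outside-home"
    # Assumes the XDG default of $HOME/.local/share for XDG_DATA_HOME.
    private = f"{m.group(1)}/.local/share/{pkgname_from_profile(den.profile)}/"
    return "app-private" if den.path.startswith(private) else "shared"


def suggest_rule(den):
    """Candidate owner rule for the denied path, with $HOME abstracted."""
    perms = "".join(p for p in "rwkm" if any(_MASK_TO_PERM.get(ch) == p for ch in den.requested))
    m = _HOME.match(den.path)
    path = "@{HOME}/" + den.path[len(m.group(1)) + 1:] if m else den.path
    return f"owner {path} {perms},"


def triage(log_text):
    """Return (path, classification, candidate rule) per DENIED line."""
    out = []
    for line in log_text.splitlines():
        den = parse_denial(line)
        if den is not None:
            out.append((den.path, classify(den), suggest_rule(den)))
    return out


if __name__ == "__main__":
    for path, kind, rule in triage(SAMPLE_LOG):
        verdict = "add to template" if kind == "app-private" else "do NOT allow; relocate to app dir"
        print(f"{kind:12} {rule:60} {verdict}")
```

Run on the sample log, both denials from the bug come out as "shared", which is exactly the reason the reporter rejected the @{HOME}/.pki rules: allowing them would let every confined app read and write the same NSS database. Only the constructed third line, under $XDG_DATA_HOME/<pkgname>, is something a per-app template could safely grant.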