touch-packages team mailing list archive

Thread
Date

[Bug 1260048] Re: oxide should use an application specific location for pki/nss files

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxx>
Date: Wed, 03 Sep 2014 21:20:20 -0000
Reply-to: Bug 1260048 <1260048@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I'm going to mark this as 'High' for now since confined apps will have
this denial. This may need to be moved to Critical.

** Changed in: oxide
   Importance: Medium => High

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1260048

Title:
  oxide should use an application specific location for pki/nss files

Status in Oxide Webview:
  Triaged
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Confirmed

Bug description:
  Running oxide under confinement, I see the following denial:

  Dec 11 13:32:58 localhost kernel: [224656.316855] type=1400
  audit(1386790378.642:1642): apparmor="DENIED" operation="open"
  parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test-
  oxide_0.1" name="/home/jamie/.pki/nssdb/cert9.db" pid=21725
  comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc"
  fsuid=1000 ouid=1000

  This requires the following rule:
    owner @{HOME}/.pki/nssdb/ rw,
    owner @{HOME}/.pki/nssdb/** rwk,

  But these rules are too lenient because this could disclose data to a
  malicious app and a malicious app could poison the databases.
  Therefore, these paths need to be made application specific.
  Specifically oxide should be adjusted to use
  $XDG_DATA_HOME/<app_pkgname>, where '<app_pkgname>' is the "name"
  field in the Click manifest.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oxide/+bug/1260048/+subscriptions