touch-packages team mailing list archive

[Bug 1260048] Re: oxide should use an application specific location for pki/nss files

 

nssdb is for storing new root certificates and Oxide doesn't support
updating those. Furthermore, upstream will be moving away from nss at
some point anyway. For the time being we can initialize nss without user
db. Marking Critical, rtm14, and touch-2014-09-11. Removing
apparmor-easyprof-ubuntu task since there is nothing to do.

** No longer affects: apparmor-easyprof-ubuntu (Ubuntu)

** Changed in: oxide
       Status: Triaged => In Progress

** Changed in: oxide
   Importance: High => Critical

** Tags added: rtm14 touch-2014-09-03

** Tags removed: touch-2014-09-03
** Tags added: touch-2014-09-11

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1260048

Title:
  oxide should use an application specific location for pki/nss files

Status in Oxide Webview:
  In Progress

Bug description:
  Running oxide under confinement, I see the following denial:

  Dec 11 13:32:58 localhost kernel: [224656.316855] type=1400 audit(1386790378.642:1642): apparmor="DENIED" operation="open" parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/home/jamie/.pki/nssdb/cert9.db" pid=21725 comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000

  This requires the following rule:
    owner @{HOME}/.pki/nssdb/ rw,
    owner @{HOME}/.pki/nssdb/** rwk,

  But these rules are too lenient because this could disclose data to a
  malicious app and a malicious app could poison the databases.
  Therefore, these paths need to be made application specific.
  Specifically oxide should be adjusted to use
  $XDG_DATA_HOME/<app_pkgname>, where '<app_pkgname>' is the "name"
  field in the Click manifest.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oxide/+bug/1260048/+subscriptions
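
The check the bug description argues for, as an added example that is not part of the original report or of Oxide: it parses AppArmor denials and flags those where a confined click app touches a path under the user's home that is outside `$XDG_DATA_HOME/<app_pkgname>`. It assumes the click profile name has the form `<pkgname>_<appname>_<version>` and that `$XDG_DATA_HOME` defaults to `~/.local/share`; the second and third log lines and all function names are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: line 1 is the denial quoted in the bug; lines 2-3 are hypothetical.
_P = 'profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1"'
SAMPLE_LOG = [
    'type=1400 audit(1386790378.642:1642): apparmor="DENIED" operation="open" parent=3635 '
    + _P + ' name="/home/jamie/.pki/nssdb/cert9.db" pid=21725 denied_mask="rwc"',
    'type=1400 audit(1386790379.100:1643): apparmor="DENIED" operation="open" parent=3635 '
    + _P + ' name="/home/jamie/.local/share/com.ubuntu.developer.jdstrand.test-oxide/x.db"'
    ' pid=21725 denied_mask="rwc"',
    'type=1400 audit(1386790380.200:1644): apparmor="DENIED" operation="open" parent=3635 '
    + _P + ' name="/etc/hostname" pid=21725 denied_mask="r"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    fields = {k: q or u for k, q, u in FIELD_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def click_pkgname(profile):
    """Assumed click profile layout: <pkgname>_<appname>_<version>."""
    parts = profile.split("_")
    return parts[0] if len(parts) == 3 else None

def classify(fields, home, xdg_data_home=None):
    """Label the denied path 'app-specific', 'shared-home' or 'outside-home'."""
    home = PurePosixPath(home)
    data_home = PurePosixPath(xdg_data_home) if xdg_data_home else home / ".local/share"
    path = PurePosixPath(fields["name"])
    pkg = click_pkgname(fields.get("profile", ""))
    if pkg and (path == data_home / pkg or data_home / pkg in path.parents):
        return "app-specific"   # private to this package: safe to allow by rule
    if home in path.parents:
        return "shared-home"    # readable/poisonable by other apps if allowed
    return "outside-home"

def shared_home_denials(lines, home):
    """List (profile, path, denied_mask) for denials on shared paths under home."""
    hits = []
    for line in lines:
        f = parse_denial(line)
        if f and "name" in f and classify(f, home) == "shared-home":
            hits.append((f["profile"], f["name"], f.get("denied_mask")))
    return hits

if __name__ == "__main__":
    for hit in shared_home_denials(SAMPLE_LOG, "/home/jamie"):
        print(hit)
```

A hit from this check is a case for moving the file under the application's own data directory rather than for adding an `owner @{HOME}/...` rule to the profile.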