touch-packages team mailing list archive

[Bug 1260098] Re: oxide does not seem to honor TMPDIR-- requires read access to /tmp and /var/tmp

 

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1260098

Title:
  oxide does not seem to honor TMPDIR-- requires read access to /tmp and
  /var/tmp

Status in Oxide Webview:
  New
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Confirmed

Bug description:
  When running oxide, I get the following apparmor denials:
  Dec 11 16:16:48 localhost kernel: [234482.172630] type=1400 audit(1386800208.786:2180): apparmor="DENIED" operation="open" parent=22731 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/tmp/" pid=9220 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Dec 11 16:16:48 localhost kernel: [234482.172659] type=1400 audit(1386800208.786:2181): apparmor="DENIED" operation="open" parent=22731 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/var/tmp/" pid=9220 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Dec 11 16:16:49 localhost kernel: [234482.481748]

  Oxide seems to work ok otherwise, but these denials are noisy and could cause confusion. Oxide should be honoring TMPDIR first, then fall back to /tmp and /var/tmp if it isn't set. While we could silence the denials like so:
    deny /tmp/ r,
    deny /var/tmp/ r,

  this could break future profiles. Allowing the read allows enumerating
  files in these directories, which could leak information and should
  not generally be needed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oxide/+bug/1260098/+subscriptions
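
Added example, not part of the original bug report and not Oxide or AppArmor project code: a small Python parser for the AppArmor denial lines quoted in the report, grouping them by profile, path and mask and picking out the directory-read requests the report is concerned with. The function names are assumptions made for illustration; the sample log is the text quoted in the report, including its truncated third line.

```python
import re
from collections import defaultdict

# Log text as quoted in the bug description (third line is truncated there).
SAMPLE_LOG = '''\
Dec 11 16:16:48 localhost kernel: [234482.172630] type=1400 audit(1386800208.786:2180): apparmor="DENIED" operation="open" parent=22731 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/tmp/" pid=9220 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 11 16:16:48 localhost kernel: [234482.172659] type=1400 audit(1386800208.786:2181): apparmor="DENIED" operation="open" parent=22731 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/var/tmp/" pid=9220 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 11 16:16:49 localhost kernel: [234482.481748]
'''

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Yield one dict of fields per AppArmor DENIED line; other lines are skipped."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # truncated or unrelated kernel messages
        yield {m[1]: m[2] if m[2] is not None else m[3] for m in KV.finditer(line)}


def summarize(denials):
    """Group by (profile, path, denied_mask); record count and thread names."""
    groups = defaultdict(lambda: {"count": 0, "comm": set()})
    for d in denials:
        key = (d.get("profile"), d.get("name"), d.get("denied_mask"))
        groups[key]["count"] += 1
        groups[key]["comm"].add(d.get("comm"))
    return dict(groups)


def directory_reads(denials):
    """Paths where the directory itself (trailing '/') was opened for read."""
    return sorted({d["name"] for d in denials
                   if d.get("name", "").endswith("/")
                   and "r" in d.get("denied_mask", "")})


if __name__ == "__main__":
    found = list(parse_denials(SAMPLE_LOG))
    for (profile, path, mask), info in summarize(found).items():
        print(f"{profile}: {path} denied={mask} x{info['count']} by {sorted(info['comm'])}")
    print("directory listings requested:", directory_reads(found))
```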