touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #52268
[Bug 1219644] Re: Account plugins should be made confinable by apparmor
I started playing with this and have a few observations:
* the account plugin is trying to access /proc/<pid>/attr/current - should this be explicitly denied to silence the denial?
* the account plugin is trying to create /home/phablet/.cache/online-accounts-ui/ -- this should be created on the account plugin's behalf
* this account plugin seems to want the audio policy group. this isn't a problem, it just wasn't mentioned before
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable by apparmor
Status in tools to review click packages:
Confirmed
Status in Online Accounts setup for Ubuntu Touch:
Fix Released
Status in apparmor-easyprof-ubuntu package in Ubuntu:
Confirmed
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
Fix Released
Bug description:
With the current implementation, the QML files for account plugins are
executed by the Online Accounts QML applet which in turn is executed
within the System Settings process, which probably means that
malicious account plugins could control everything that the System
Settings process can (like entering/exiting the flight mode).
Account plugins (or the Online Accounts applet itself) should probably
be run in a separate process, which could then be assigned a stricter
confinement with apparmor.
To manage notifications about this bug go to:
https://bugs.launchpad.net/click-reviewers-tools/+bug/1219644/+subscriptions
Follow ups