touch-packages team mailing list archive

Thread
Date

Re: [Bug 1219644] Re: Account plugins should be made confinable by apparmor

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Alberto Mardegan <1219644@xxxxxxxxxxxxxxxxxx>
Date: Mon, 09 Feb 2015 09:27:36 -0000
Reply-to: Bug 1219644 <1219644@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

On 02/03/2015 11:28 PM, Jamie Strandboge wrote:
> I started playing with this and have a few observations:
> * the account plugin is trying to access /proc/<pid>/attr/current - should this be explicitly denied to silence the denial?

No, I think that this happens because the account plugin code is calling
aa_gettaskcon(), but when creating the account the PID should actually
be the one from the account plugin itself, since it's the one making the
request.
I'll modify the plugin not to call aa_gettaskcon() if the PID to check
is == getpid().

> * the account plugin is trying to create /home/phablet/.cache/online-
accounts-ui/ -- this should be created on the account plugin's behalf

Indeed, I'll make sure that this is created before the plugin is
executed.

> * this account plugin seems to want the audio policy group. this isn't
a problem, it just wasn't mentioned before

I saw some weird denials, but it was working anyway. Good that you found
what it was :-)

About the last denial,

  Feb  3 21:32:09 ubuntu-phablet kernel: [ 5292.570730] type=1400
audit(1422999129.043:411): apparmor="DENIED" operation="mknod"
profile="com.ubuntu.reminders_evernote-account-plugin_0.5.latest"
name="/tmp/etilqs_Ka88o35o73fdKe8" pid=9590 comm="BrowserBlocking"
requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

I have no idea what this is; I guess it might be coming from oxide?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1219644

Title:
  Account plugins should be made confinable by apparmor

Status in tools to review click packages:
  Confirmed
Status in Online Accounts setup for Ubuntu Touch:
  Confirmed
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
  Confirmed

Bug description:
  With the current implementation, the QML files for account plugins are
  executed by the Online Accounts QML applet which in turn is executed
  within the System Settings process, which probably means that
  malicious account plugins could control everything that the System
  Settings process can (like entering/exiting the flight mode).

  Account plugins (or the Online Accounts applet itself) should probably
  be run in a separate process, which could then be assigned a stricter
  confinement with apparmor.

To manage notifications about this bug go to:
https://bugs.launchpad.net/click-reviewers-tools/+bug/1219644/+subscriptions

References

[Bug 1219644] Re: Account plugins should be made confinable by apparmor
From: Jamie Strandboge, 2015-02-03