ubuntu-webapps-bugs team mailing list archive

Thread
Date

[Bug 1260048] Re: oxide should use an application specific location for pki/nss files

To: ubuntu-webapps-bugs@xxxxxxxxxxxxxxxxxxx
From: Chris Coulson <chris.coulson@xxxxxxxxxxxxx>
Date: Thu, 04 Sep 2014 12:31:48 -0000
Reply-to: Bug 1260048 <1260048@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: oxide/1.2
   Importance: Undecided
       Status: New

** Changed in: oxide/1.2
    Milestone: None => 1.2.1

** Changed in: oxide/1.2
     Assignee: (unassigned) => Chris Coulson (chrisccoulson)

** Changed in: oxide/1.2
   Importance: Undecided => Critical

** Changed in: oxide/1.2
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
WebApps bug tracking, which is subscribed to Oxide.
https://bugs.launchpad.net/bugs/1260048

Title:
  oxide should use an application specific location for pki/nss files

Status in Oxide Webview:
  Fix Released
Status in Oxide 1.2 series:
  Triaged

Bug description:
  Running oxide under confinement, I see the following denial:

  Dec 11 13:32:58 localhost kernel: [224656.316855] type=1400
  audit(1386790378.642:1642): apparmor="DENIED" operation="open"
  parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test-
  oxide_0.1" name="/home/jamie/.pki/nssdb/cert9.db" pid=21725
  comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc"
  fsuid=1000 ouid=1000

  This requires the following rule:
    owner @{HOME}/.pki/nssdb/ rw,
    owner @{HOME}/.pki/nssdb/** rwk,

  But these rules are too lenient because this could disclose data to a
  malicious app and a malicious app could poison the databases.
  Therefore, these paths need to be made application specific.
  Specifically oxide should be adjusted to use
  $XDG_DATA_HOME/<app_pkgname>, where '<app_pkgname>' is the "name"
  field in the Click manifest.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oxide/+bug/1260048/+subscriptions