ubuntu-webapps-bugs team mailing list archive

[Bug 1260103] Re: oxide should use an app-specific path for shared memory files

 

Proposed fix for oxide:
https://code.launchpad.net/~osomon/oxide/+git/oxide/+merge/303821.

** Also affects: oxide/1.17
   Importance: Undecided
       Status: New

** Changed in: oxide/1.17
     Assignee: (unassigned) => Olivier Tilloy (osomon)

** Changed in: oxide/1.17
   Importance: Undecided => Medium

** Changed in: oxide/1.17
       Status: New => Confirmed

** Changed in: oxide/1.17
    Milestone: None => 1.17.4

-- 
You received this bug notification because you are a member of Ubuntu
WebApps bug tracking, which is subscribed to Oxide.
https://bugs.launchpad.net/bugs/1260103

Title:
  oxide should use an app-specific path for shared memory files

Status in Canonical System Image:
  In Progress
Status in Oxide:
  In Progress
Status in Oxide 1.17 series:
  Confirmed
Status in webapps-sprint:
  Fix Committed
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Confirmed

Bug description:
  Oxide creates shared memory files as /run/shm/.org.chromium.Chromium.*. This results in an AppArmor rule like the following:
    owner /run/shm/.org.chromium.Chromium.* rwk, 

  But this rule is too lenient because a malicious app could enumerate
  these files and attack shared memory of other applications. Therefore,
  these paths need to be made application specific.

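Added illustration, not part of the bug report or of Oxide's code: a small Python model of AppArmor path globbing that checks which apps' shared memory files the rule from the description permits, compared with a per-app rule. The app ids, file names and the per-app naming scheme are constructed assumptions, and it assumes the confined apps run under the same user, so the `owner` qualifier does not separate them.

```python
import re

def aa_glob_to_regex(pattern):
    """Subset of AppArmor globbing: '*' and '?' stay within one path
    component, '**' may cross '/'."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

# Path pattern taken from the rule in the bug description.
SHARED_RULE = "/run/shm/.org.chromium.Chromium.*"

def app_rule(app_id):
    # Hypothetical app-specific naming scheme, for illustration only.
    return f"/run/shm/{app_id}.oxide.*"

# Constructed sample files: one segment per app, same uid assumed.
CURRENT_LAYOUT = {
    "com.example.notes": "/run/shm/.org.chromium.Chromium.aB3xQ1",
    "com.example.bank": "/run/shm/.org.chromium.Chromium.Zk92Lm",
}
APP_LAYOUT = {
    "com.example.notes": "/run/shm/com.example.notes.oxide.aB3xQ1",
    "com.example.bank": "/run/shm/com.example.bank.oxide.Zk92Lm",
}

def allowed(pattern, layout):
    """Apps whose shared memory file a profile with this rule may open."""
    rx = aa_glob_to_regex(pattern)
    return sorted(app for app, path in layout.items() if rx.match(path))

if __name__ == "__main__":
    # Every profile carries the same rule, so each app reaches all files.
    print("shared rule:", allowed(SHARED_RULE, CURRENT_LAYOUT))
    # A per-app rule in the notes profile reaches only the notes file.
    print("per-app rule:", allowed(app_rule("com.example.notes"), APP_LAYOUT))
```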