** Changed in: bamf (Ubuntu)
     Assignee: (unassigned) => Marco Trevisan (Treviño) (3v1n0)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to bamf in Ubuntu.
https://bugs.launchpad.net/bugs/1643910

Title:
  BAMF_DESKTOP_FILE_HINT not set in correct place for unity7

Status in Snappy:
  Triaged
Status in bamf package in Ubuntu:
  Triaged

Bug description:
  Occasionally when I pin items to the Unity7 launcher, the BAMF code
  (as I'm told) incorrectly matches to /snap/app/revision/.... This is a
  security issue because the Exec= line points to /snap/app/revision/...
  which bypasses snap run (/snap/bin/...) and therefore snap-confine.

  I'm told by Marcus (aka, 3v1n0 aka Trevinho) that this is because
  BAMF_DESKTOP_FILE_HINT is not exported by snap env and instead only
  injected in the desktop file that is created in
  /var/lib/snapd/desktop/applications upon snap install. This means that
  the wrong Exec= (ie, where it points to the binary) may occur in two
  places:

  1. when launching /snap/bin/... from the command line
  2. when something in /var/lib/snapd/desktop/applications/*.desktop doesn't match properly

  In both cases, the initial launch is fine, but pinning the icon to the
  launcher results in the wrong entry in the Exec= line and launching
  from this pinned launcher entry after is unconfined. You can check by
  doing:

  1. launch application from the dash
  2. run sudo aa-status and see if it is launched under confinement
  3. pin the icon that is in the launcher
  4. close the application, then launch from the pinned icon
  5. run sudo aa-status and see if it is launched under confinement

  This doesn't happen all the time. For example, vlc seems to work fine
  both from the command line and from launching via a pinned launcher
  entry. chrome-test on the other hand doesn't seem to work with either.

  Related https://github.com/snapcore/snapd/pull/1580 -- puts
  BAMF_DESKTOP_FILE_HINT in the desktop file instead of in the
  environment, but Marco requested that this change
  (https://github.com/snapcore/snapd/pull/1580#issuecomment-234546220).

  https://trello.com/c/xP1hN3BF/152-improve-desktop-file-support-by-adding-a-new-bamf-desktop-file-hint-environment-hint
  also discussed this issue, but the card is archived and therefore it
  won't be worked on.

  I'm having trouble finding a simple reproducer (other than
  chrome-test) but am told by Marco that the BAMF matching will always
  work if BAMF_DESKTOP_FILE_HINT in the process' environment always
  points to the desktop file in /var/lib/snapd/desktop/applications. I
  will continue to look for a simple reproducer.

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1643910/+subscriptions
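
The Exec= condition described in the report can be checked statically, without launching anything. The following is an added example, not code from the bug report, snapd or BAMF: it parses .desktop file text and flags an Exec= line that points at /snap/<app>/<revision>/... instead of /snap/bin/..., and notes whether a BAMF_DESKTOP_FILE_HINT pointing into /var/lib/snapd/desktop/applications is present. The sample entries (including revision 7 and the inner binary path) are constructed, and the function names are hypothetical.

```python
import re
import shlex

# Per the report: /snap/bin/<app> goes through snap run and snap-confine;
# /snap/<app>/<revision>/... is the binary itself and starts unconfined.
DIRECT = re.compile(r"^/snap/(?!bin/)[^/]+/[^/]+/")
HINT_DIR = "/var/lib/snapd/desktop/applications/"

def exec_values(text):
    """Yield (group, value) for every Exec= key in .desktop file text."""
    group = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "Exec":
                yield group, value.strip()

def inspect(value):
    """Return (program, hint, verdict) for one Exec= value."""
    try:
        words = shlex.split(value)  # close enough to desktop-entry quoting here
    except ValueError:
        return None, None, "unparsable"
    hint = None
    if words and words[0] in ("env", "/usr/bin/env"):
        words.pop(0)
        while words and re.match(r"\w+=", words[0]):
            name, _, val = words.pop(0).partition("=")
            if name == "BAMF_DESKTOP_FILE_HINT":
                hint = val
    if not words:
        return None, hint, "unparsable"
    program = words[0]
    verdict = ("snap-run" if program.startswith("/snap/bin/") else
               "bypasses-snap-run" if DIRECT.match(program) else "not-a-snap-path")
    return program, hint, verdict

def audit(text):
    """Return [(group, program, hint_ok, verdict)] for one .desktop file."""
    rows = [(g, *inspect(v)) for g, v in exec_values(text)]
    return [(g, p, bool(h and h.startswith(HINT_DIR)), v) for g, p, h, v in rows]

# Constructed samples: a snapd-generated entry and a wrongly matched pinned entry.
GOOD = ("[Desktop Entry]\nExec=env BAMF_DESKTOP_FILE_HINT=" + HINT_DIR +
        "chrome-test_chrome-test.desktop /snap/bin/chrome-test %U\n")
PINNED = "[Desktop Entry]\nExec=/snap/chrome-test/7/bin/chrome %U\n"
```

Run `audit()` on the text of the .desktop file behind a pinned icon; a `bypasses-snap-run` verdict is the static counterpart of the unconfined launch that steps 4 and 5 of the check above reveal with aa-status.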
