[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Changed in: apparmor (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Medium

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1197060

Title:
  SDK webview applications should use an app-specific path for shared memory files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1197060/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Tags added: aa-feature
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
The apparmor portion of this bug is being tracked in 1370218

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Won't Fix

** Changed in: apparmor (Ubuntu)
   Importance: Medium => Undecided
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.28

---
apparmor-easyprof-ubuntu (1.2.28) utopic; urgency=medium

  * ubuntu/calendar: add missing rule for org.freedesktop.DBus.Introspectable on path /com/canonical/indicator/datetime/AlarmProperties (LP: #1374623)
  * ubuntu/1.[12]/ubuntu-{sdk,webapp}: remove no longer needed rule for /{,run/}shm/shm/WK2SharedMemory.[0-9]* (LP: #1197060)
  * ubuntu/microphone:
    - add temporary write access to /{run,dev}/shm/shmfd-* for QAudioRecorder (LP: #1370218)
    - explicitly deny read on /dev/
  * ubuntu/1.1/webview: allow dbus send to RequestName on org.freedesktop.DBus webapp-container needs corresponding 'bind' call on org.freedesktop.Application, which we block elsewhere. webapp-container shouldn't be doing this under confinement, but we allow this rule in content_exchange, so just allow it to avoid confusion. (LP: #1357371)

 -- Jamie Strandboge ja...@ubuntu.com  Fri, 26 Sep 2014 15:21:37 -0500

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
       Status: Won't Fix => Fix Released
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Changed in: apparmor (Ubuntu)
     Assignee: John Johansen (jjohansen) => Jamie Strandboge (jdstrand)
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
We are transitioning to Oxide so fixing webkit is no longer needed.

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Trusty)
       Status: Confirmed => Won't Fix

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
       Status: Triaged => Won't Fix

** Changed in: qtwebkit-opensource-src (Ubuntu)
       Status: Confirmed => Won't Fix

** Changed in: apparmor (Ubuntu Trusty)
       Status: In Progress => Won't Fix

** No longer affects: ubuntu-ui-toolkit
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
I'm going to mark the qtwebkit-opensource-src task for Trusty as Won't Fix since SDK applications will be expected to use Oxide.

** Changed in: qtwebkit-opensource-src (Ubuntu Saucy)
       Status: Confirmed => Won't Fix

** Changed in: qtwebkit-opensource-src (Ubuntu Trusty)
       Status: Confirmed => Won't Fix
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: qtwebkit-opensource-src (Ubuntu)
       Status: New => Confirmed
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: apparmor-easyprof-ubuntu (Ubuntu T-series)
       Status: New => Confirmed
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: qtwebkit-opensource-src (Ubuntu T-series)
       Status: New => Confirmed
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
     Assignee: (unassigned) => chenwencai (13738772233-a)

** Changed in: apparmor-easyprof-ubuntu (Ubuntu T-series)
       Status: Confirmed => New

** Changed in: apparmor-easyprof-ubuntu (Ubuntu T-series)
     Assignee: (unassigned) => chenwencai (13738772233-a)

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
     Assignee: (unassigned) => chenwencai (13738772233-a)
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
Don't assign yourself to the bug unless you are working on the fix.

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
     Assignee: chenwencai (13738772233-a) => (unassigned)

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
     Assignee: chenwencai (13738772233-a) => (unassigned)

** Changed in: apparmor-easyprof-ubuntu (Ubuntu T-series)
     Assignee: chenwencai (13738772233-a) => (unassigned)
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
       Status: Triaged => Won't Fix

** Changed in: apparmor-easyprof-ubuntu (Ubuntu T-series)
       Status: New => Confirmed
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Description changed:

  Ubuntu SDK applications that use webkit webviews create shared memory files as /run/shm/WK2SharedMemory*. This results in an AppArmor rule like the following:

    owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,

  But this rule is too lenient because a malicious app could enumerate these files and attack shared memory of other applications. Therefore, these paths need to be made application specific. One suggestion is to
- use something like shm_open(%s-WK2SharedMemory % app id) instead of
- shm_open(WK2SharedMemory) where 'app id' will ultimately be the
- reverse domain name with Click packages (see bug #1197037 for details on
- 'app id').
+ use something like shm_open(%s-WK2SharedMemory % app_pkgname)
+ instead of shm_open(WK2SharedMemory) where 'app_pkgname' is the
+ name field in the Click manifest (see bug #1197037 for details).

  Future work will allow for AppArmor IPC to handle this without modifications to the SDK, but this may be 14.04 so we need a solution for 13.10.

  I recommend fixing this bug after the other SDK bugs I filed today, then talk to the security team before fixing this bug since it is possible we will have something for 13.10 that doesn't require altering the SDK.
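
Why the rule in the description above is too lenient, and what an app-specific name changes, as an added example (not code from the bug report, the SDK or AppArmor): a small matcher for the AppArmor glob subset the rule uses, run over constructed package names and segment suffixes. It assumes the apps run as the same user, so `owner` does not separate them, and that the per-app rule takes the form shown in `PER_APP_RULE`.

```python
import re

# Rule quoted in the bug description, and a per-app variant built from the
# description's "%s-WK2SharedMemory" % app_pkgname suggestion (assumed form).
SHARED_RULE = "/{,run/}shm/WK2SharedMemory.[0-9]*"
PER_APP_RULE = "/{,run/}shm/%s-WK2SharedMemory.[0-9]*"

# Constructed sample data: Click package name -> numeric segment suffix.
APPS = {"com.example.mail": 4242, "com.example.game": 4310}


def aa_glob_to_regex(glob):
    """Translate the AppArmor path-glob subset these rules use:
    {a,b} alternation, [..] classes, ?, * (stops at '/'), ** (crosses '/')."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 1
        elif c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1])
            i = end
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))


def rule_allows(rule, path):
    return aa_glob_to_regex(rule).fullmatch(path) is not None


def cross_app_access(rule_for, path_for):
    """(app, other) pairs where app's rule also matches other's segment."""
    return [(a, b) for a in APPS for b in APPS
            if a != b and rule_allows(rule_for(a), path_for(b))]


def segment_path(app):
    return "/run/shm/%s-WK2SharedMemory.%d" % (app, APPS[app])


def shared_layout():
    return cross_app_access(lambda app: SHARED_RULE,
                            lambda app: "/run/shm/WK2SharedMemory.%d" % APPS[app])


def per_app_layout():
    return cross_app_access(lambda app: PER_APP_RULE % app, segment_path)
```

With the shared name every profile matches every other app's segment; with the package name in the path, each profile matches only its own.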
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Changed in: qtwebkit-opensource-src (Ubuntu Saucy)
   Importance: Undecided => High
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Also affects: apparmor (Ubuntu Saucy)
   Importance: Undecided
     Assignee: John Johansen (jjohansen)
       Status: In Progress

** Also affects: qtwebkit-opensource-src (Ubuntu Saucy)
   Importance: Undecided
     Assignee: Christian Dywan (kalikiana)
       Status: New

** Also affects: apparmor-easyprof-ubuntu (Ubuntu Saucy)
   Importance: Undecided
       Status: New

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
       Status: New => Triaged

** Also affects: apparmor (Ubuntu T-series)
   Importance: Undecided
       Status: New

** Also affects: qtwebkit-opensource-src (Ubuntu T-series)
   Importance: Undecided
       Status: New

** Also affects: apparmor-easyprof-ubuntu (Ubuntu T-series)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu T-series)
       Status: New => In Progress

** Changed in: apparmor (Ubuntu T-series)
     Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: apparmor (Ubuntu Saucy)
       Status: In Progress => Won't Fix

** Changed in: apparmor (Ubuntu Saucy)
    Milestone: later => None

** Changed in: apparmor (Ubuntu Saucy)
     Assignee: John Johansen (jjohansen) => (unassigned)
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Changed in: ubuntu-ui-toolkit
     Assignee: Timo Jyrinki (timo-jyrinki) => (unassigned)

** Changed in: qtwebkit-opensource-src (Ubuntu)
     Assignee: (unassigned) => Christian Dywan (kalikiana)
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Also affects: qtwebkit-opensource-src (Ubuntu)
   Importance: Undecided
       Status: New
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Project changed: ubuntu-qtcreator-plugins => ubuntu-ui-toolkit
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Changed in: ubuntu-qtcreator-plugins
     Assignee: (unassigned) => Timo Jyrinki (timo-jyrinki)
[Bug 1197060] Re: SDK webview applications should use an app-specific path for shared memory files
** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu)
       Status: New => In Progress

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => John Johansen (jjohansen)

** Description changed:

  Ubuntu SDK applications that use webkit webviews create shared memory files as /run/shm/WK2SharedMemory*. This results in an AppArmor rule like the following:

    owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,

  But this rule is too lenient because a malicious app could enumerate these files and attack shared memory of other applications. Therefore, these paths need to be made application specific. One suggestion is to use something like shm_open(%s-WK2SharedMemory % app id) instead of shm_open(WK2SharedMemory) where 'app id' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on 'app id').

- Future work may allow for AppArmor IPC to handle this without
+ Future work will allow for AppArmor IPC to handle this without
  modifications to the SDK, but this may be 14.04 so we need a solution for 13.10.

** Changed in: apparmor (Ubuntu)
    Milestone: None => later

** Description changed:

  Ubuntu SDK applications that use webkit webviews create shared memory files as /run/shm/WK2SharedMemory*. This results in an AppArmor rule like the following:

    owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,

  But this rule is too lenient because a malicious app could enumerate these files and attack shared memory of other applications. Therefore, these paths need to be made application specific. One suggestion is to use something like shm_open(%s-WK2SharedMemory % app id) instead of shm_open(WK2SharedMemory) where 'app id' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on 'app id').

  Future work will allow for AppArmor IPC to handle this without modifications to the SDK, but this may be 14.04 so we need a solution
- for 13.10.
+ for 13.10.
+
+ I recommend fixing this bug after the other SDK bugs I filed
+ today, then talk to the security team before fixing this bug since it is
+ possible we will have something for 13.10 that doesn't require altering
+ the SDK.