For current (click) apps on the phone, the APP_PKGNAME variable is used to parametrize apparmor policies. According to https://wiki.ubuntu.com/AppStore/Interfaces/ApplicationId, this is the name of the click package (e.g. "com.ubuntu.foo"). However there are currently no existing rules to allow /{dev,run}/shm/*${APP_PKGNAME}*, so apparmor-easyprof-ubuntu would need to be updated to add such a rule.
I’m fine with using PathService, but that will result in a slightly more intrusive patch to chromium. I think I’d rather rely entirely on environment variable, rather than adding a command-line option. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1260103 Title: oxide should use an app-specific path for shared memory files Status in Oxide: In Progress Status in apparmor-easyprof-ubuntu package in Ubuntu: Confirmed Bug description: Oxide creates shared memory files as /run/shm/.org.chromium.Chromium.*. This results in an AppArmor rule like the following: owner /run/shm/.org.chromium.Chromium.* rwk, But this rule is too lenient because a malicious app could enumerate these files and attack shared memory of other applications. Therefore, these paths need to be made application specific. To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1260103/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp