This is how the code that overrides the path for shared memory in oxide
would look like. How does that look?
base::FilePath GetSharedMemoryPath() {
// snap packages
const char* tmp = getenv("SNAP_NAME");
if (tmp) {
return base::FilePath(std::string("/dev/shm/snap.") + tmp + ".oxide");
}
// click packages
tmp = getenv("APP_PKGNAME");
if (tmp) {
return base::FilePath(std::string("/dev/shm/") + tmp + ".oxide");
}
// default
return base::FilePath("/dev/shm");
}
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1260103
Title:
oxide should use an app-specific path for shared memory files
Status in Oxide:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
Confirmed
Bug description:
Oxide creates shared memory files as /run/shm/.org.chromium.Chromium.*. This
results in an AppArmor rule like the following:
owner /run/shm/.org.chromium.Chromium.* rwk,
But this rule is too lenient because a malicious app could enumerate
these files and attack shared memory of other applications. Therefore,
these paths need to be made application specific.
To manage notifications about this bug go to:
https://bugs.launchpad.net/oxide/+bug/1260103/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
