Public bug reported:

When a webapp is launched via the upstart job, webbrowser-app re-execs
itself, causing an apparmor denial and failure to launch the browser:

First, install the facebook app from the appstore.

Then, from adb shell:
root@ubuntu-phablet:/# sudo -H -u phablet -i
phablet@ubuntu-phablet:~$ start application APP_ID=com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0

This results in the following denial in /var/log/syslog:
Sep 20 15:58:17 ubuntu-phablet kernel: [ 6505.474410] type=1400 audit(1379692697.211:80): apparmor="DENIED" operation="exec" parent=1479 profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0" name="/usr/bin/webbrowser-app" pid=6248 comm="sh" requested_mask="x" denied_mask="x" fsuid=32011 ouid=0

Adding the following rule to 
/var/lib/apparmor/profiles/click_com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0:
  /usr/bin/webbrowser-app rmix,

and reloading policy with
'sudo apparmor_parser -r /var/lib/apparmor/profiles/click_com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0'
works around the issue.

This is a harmless addition to the ubuntu-webapp template, so I will do
that. However, I'm concerned that HTML5/PhoneGap apps that use a webview
may also suffer from this, so it is worth investigating. That said, we
do have an rmix rule for qtchooser in the ubuntu-sdk template, so we
might be ok there.

Interestingly, the re-exec only happens when running under
upstart-app-launch, not when using aa-exec-click.

** Affects: apparmor-easyprof-ubuntu (Ubuntu)
     Importance: Critical
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Affects: upstart-app-launch (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: webbrowser-app (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: apparmor-easyprof-ubuntu (Ubuntu Saucy)
     Importance: Critical
     Assignee: Jamie Strandboge (jdstrand)
         Status: In Progress

** Affects: upstart-app-launch (Ubuntu Saucy)
     Importance: Undecided
         Status: New

** Affects: webbrowser-app (Ubuntu Saucy)
     Importance: Undecided
         Status: New


** Tags: application-confinement

** Also affects: webbrowser-app (Ubuntu Saucy)
   Importance: Undecided
       Status: New

** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
       Status: New => In Progress

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
   Importance: Undecided => Critical

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1228236

Title:
  webbrowser-app re-execs itself which breaks webapps under application
  confinement

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1228236/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
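
A triage helper for denials like the one quoted in the report, added here as an example (it is not part of the original bug report or of any Ubuntu tool): it parses AppArmor DENIED audit records and counts exec denials per profile, target binary and calling command. The function names and the second sample line are constructed for illustration.

```python
import re
from collections import Counter

# key=value or key="value" pairs as they appear in kernel audit records
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# First line: the denial quoted in the report. Second line: constructed sample.
SAMPLE = [
    'Sep 20 15:58:17 ubuntu-phablet kernel: [ 6505.474410] type=1400 '
    'audit(1379692697.211:80): apparmor="DENIED" operation="exec" parent=1479 '
    'profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0" '
    'name="/usr/bin/webbrowser-app" pid=6248 comm="sh" requested_mask="x" '
    'denied_mask="x" fsuid=32011 ouid=0',
    'Jan  1 00:00:00 host kernel: [    1.000000] type=1400 '
    'audit(0.000:1): apparmor="DENIED" operation="open" parent=1 '
    'profile="constructed.example_app_1.0" name="/constructed/file" pid=2 '
    'comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    # findall yields '' for the alternative that did not match
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}


def exec_denials(lines):
    """Count denied exec attempts per (profile, target binary, calling comm)."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if not rec or rec.get("operation") != "exec":
            continue
        if "x" in rec.get("denied_mask", ""):
            key = (rec.get("profile", "?"), rec.get("name", "?"), rec.get("comm", "?"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, target, comm), n in exec_denials(SAMPLE).items():
        print(f"{n}x exec denied: profile={profile} target={target} comm={comm}")
```

Each reported tuple still needs a manual decision on whether the confined application should be allowed to execute that binary before any rule is added to a profile or template.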
