** Description changed:

  Occasionally when I pin items to the Unity7 launcher, the BAMF code (as
  I'm told) incorrectly matches to /snap/app/revision/.... This is a
  security issue because the Exec= line points to /snap/app/revision/...
  which bypasses snap run (/snap/bin/...) and therefore snap-confine.
  
  I'm told by Marcus (aka, 3v1n0 aka Trevinho) that this is because
  BAMF_DESKTOP_FILE_HINT is not exported by snap env and instead only
  injected in the desktop file that is created in
  /var/lib/snapd/desktop/applications upon snap install. This means that
  the wrong Exec= (ie, where it points to the binary) may occur in two
  places:
  
  1. when launching /snap/bin/... from the command line
  2. when something in /var/lib/snapd/desktop/applications/*.desktop doesn't 
match properly
  
  In both cases, the initial launch is fine, but pinning the icon to the
  launcher results in the wrong entry in the Exec= line and launching from
- this pinned launcher entry after is unconfined.
+ this pinned launcher entry after is unconfined. You can check by doing:
+ 
+ 1. launch application from the dash
+ 2. run sudo aa-status and see if it is launched under confinement
+ 3. pin the icon that is in the launcher
+ 4. close the application, then launch from the pinned icon
+ 5. run sudo aa-status and see if it is launched under confinement
  
  This doesn't happen all the time. For example, vlc seems to work fine
  both from the command line and from launching via a pinned launcher
  entry. chrome-test on the other hand doesn't seem to work with either.
  
  Related https://github.com/snapcore/snapd/pull/1580 -- puts
  BAMF_DESKTOP_FILE_HINT in the desktop file instead of in the
  environment, but Marco requested that this change
  (https://github.com/snapcore/snapd/pull/1580#issuecomment-234546220).
  
  https://trello.com/c/xP1hN3BF/152-improve-desktop-file-support-by-
  adding-a-new-bamf-desktop-file-hint-environment-hint also discussed this
  issue, but the card is archived and therefore it won't be worked on.
  
  I'm having trouble finding a simple reproducer (other than chrome-test)
  but am told by Marco that the BAMF matching will always work if
  BAMF_DESKTOP_FILE_HINT in the process' environment always points to the
  desktop file in /var/lib/snapd/desktop/applications. I will continue to
  look for a simple reproducer.
+ 
+ I can say that doing this:
+ 
BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chrome-test_chrome-test.desktop
 /snap/bin/chrome-test
+ 
+ then pinning the resulting entry results in the wrong Exec= in the
+ pinned launcher item.

** Description changed:

  Occasionally when I pin items to the Unity7 launcher, the BAMF code (as
  I'm told) incorrectly matches to /snap/app/revision/.... This is a
  security issue because the Exec= line points to /snap/app/revision/...
  which bypasses snap run (/snap/bin/...) and therefore snap-confine.
  
  I'm told by Marcus (aka, 3v1n0 aka Trevinho) that this is because
  BAMF_DESKTOP_FILE_HINT is not exported by snap env and instead only
  injected in the desktop file that is created in
  /var/lib/snapd/desktop/applications upon snap install. This means that
  the wrong Exec= (ie, where it points to the binary) may occur in two
  places:
  
  1. when launching /snap/bin/... from the command line
  2. when something in /var/lib/snapd/desktop/applications/*.desktop doesn't 
match properly
  
  In both cases, the initial launch is fine, but pinning the icon to the
  launcher results in the wrong entry in the Exec= line and launching from
  this pinned launcher entry after is unconfined. You can check by doing:
  
  1. launch application from the dash
  2. run sudo aa-status and see if it is launched under confinement
  3. pin the icon that is in the launcher
  4. close the application, then launch from the pinned icon
  5. run sudo aa-status and see if it is launched under confinement
  
  This doesn't happen all the time. For example, vlc seems to work fine
  both from the command line and from launching via a pinned launcher
  entry. chrome-test on the other hand doesn't seem to work with either.
  
  Related https://github.com/snapcore/snapd/pull/1580 -- puts
  BAMF_DESKTOP_FILE_HINT in the desktop file instead of in the
  environment, but Marco requested that this change
  (https://github.com/snapcore/snapd/pull/1580#issuecomment-234546220).
  
  https://trello.com/c/xP1hN3BF/152-improve-desktop-file-support-by-
  adding-a-new-bamf-desktop-file-hint-environment-hint also discussed this
  issue, but the card is archived and therefore it won't be worked on.
  
  I'm having trouble finding a simple reproducer (other than chrome-test)
  but am told by Marco that the BAMF matching will always work if
  BAMF_DESKTOP_FILE_HINT in the process' environment always points to the
  desktop file in /var/lib/snapd/desktop/applications. I will continue to
  look for a simple reproducer.
- 
- I can say that doing this:
- 
BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chrome-test_chrome-test.desktop
 /snap/bin/chrome-test
- 
- then pinning the resulting entry results in the wrong Exec= in the
- pinned launcher item.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1643910

Title:
  BAMF_DESKTOP_FILE_HINT not set in correct place for unity7

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1643910/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
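The report's security point is that a pinned launcher entry whose Exec= runs the binary by its /snap/&lt;app&gt;/&lt;revision&gt;/... path never passes through `snap run` (the /snap/bin/&lt;app&gt; wrapper) and therefore never passes through snap-confine. The following shell script is an added example, not code from the bug report, snapd or BAMF: it audits a directory of .desktop files and flags exactly that pattern, so an administrator can find offending pinned entries without launching each application and checking `aa-status`. The sample .desktop files, the snap name `vlc` and the revision number `42` are constructed here for the demonstration; the chrome-test desktop file path is the one quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): audit .desktop launcher entries for
# Exec= lines that run a snap by its /snap/<app>/<revision>/... path instead
# of through the /snap/bin/<app> wrapper. The wrapper goes via `snap run` and
# snap-confine; the direct path does not, which is the unconfined launch the
# report describes.

# exec_program FILE: print the program named by the first Exec= key (empty if
# the file has no Exec= key). Leading/trailing double quotes around the program
# are dropped, and an "env VAR=value ... prog" prefix is skipped.
exec_program() {
    sed -n 's/^Exec=[[:space:]]*"\{0,1\}//p' "$1" | head -n 1 |
        awk '{ i = 1
               if ($1 == "env") { i = 2; while (i <= NF && index($i, "=") > 0) i++ }
               print $i }' |
        sed 's/"$//'
}

# exec_verdict FILE: classify the Exec= target.
#   OK         -> /snap/bin/<app> wrapper (goes through snap run) or not a snap path
#   UNCONFINED -> a path inside /snap/<app>/<revision>/, bypassing snap-confine
#   NOEXEC     -> no Exec= key present
exec_verdict() {
    prog=$(exec_program "$1")
    case "$prog" in
        '')           echo NOEXEC ;;
        /snap/bin/*)  echo OK ;;
        /snap/*/*/*)  echo UNCONFINED ;;
        *)            echo OK ;;
    esac
}

# scan_launcher_dir DIR: print one "UNCONFINED <file> <program>" line per
# offending entry, followed by a final "<n> unconfined entries" summary line.
scan_launcher_dir() {
    n=0
    for f in "$1"/*.desktop; do
        [ -e "$f" ] || continue
        if [ "$(exec_verdict "$f")" = UNCONFINED ]; then
            printf 'UNCONFINED %s %s\n' "$f" "$(exec_program "$f")"
            n=$((n + 1))
        fi
    done
    echo "$n unconfined entries"
}

# make_sample_dir: create constructed sample launcher entries (not copied from
# any real system) and print the directory name.
make_sample_dir() {
    d=$(mktemp -d)
    # Correct entry: launched through the /snap/bin wrapper.
    cat > "$d/good.desktop" <<'EOF'
[Desktop Entry]
Name=VLC
Exec=/snap/bin/vlc %U
Type=Application
EOF
    # Correct entry with an env prefix carrying the hint the report discusses.
    cat > "$d/envok.desktop" <<'EOF'
[Desktop Entry]
Name=chrome-test (hinted)
Exec=env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chrome-test_chrome-test.desktop /snap/bin/chrome-test %U
Type=Application
EOF
    # Wrong entry: the pinned Exec= points straight into the revision tree
    # (revision 42 and the binary path are constructed values).
    cat > "$d/bad.desktop" <<'EOF'
[Desktop Entry]
Name=chrome-test
Exec=/snap/chrome-test/42/usr/bin/chrome %U
Type=Application
EOF
    echo "$d"
}

# Run the audit over the constructed samples.
SAMPLE_DIR=$(make_sample_dir)
scan_launcher_dir "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

To audit a real system, call `scan_launcher_dir` on the directory that holds the pinned entries instead of the sample directory (on Unity7 this is assumed to be ~/.local/share/applications; verify the location on the system in question). Any UNCONFINED hit is an entry that, when launched, would run outside snap-confine, which is what step 5 of the report's `aa-status` check observes.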
