** Changed in: oxide
    Milestone: None => branch-1.3

** Changed in: oxide
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
WebApps bug tracking, which is subscribed to Oxide.
https://bugs.launchpad.net/bugs/1260048

Title:
  oxide should use an application specific location for pki/nss files

Status in Oxide Webview:
  Fix Released

Bug description:
  Running oxide under confinement, I see the following denial:

  Dec 11 13:32:58 localhost kernel: [224656.316855] type=1400 audit(1386790378.642:1642): apparmor="DENIED" operation="open" parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/home/jamie/.pki/nssdb/cert9.db" pid=21725 comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000

  This requires the following rule:
    owner @{HOME}/.pki/nssdb/ rw,
    owner @{HOME}/.pki/nssdb/** rwk,

  But these rules are too lenient because this could disclose data to a
  malicious app and a malicious app could poison the databases.
  Therefore, these paths need to be made application specific.
  Specifically oxide should be adjusted to use
  $XDG_DATA_HOME/<app_pkgname>, where '<app_pkgname>' is the "name"
  field in the Click manifest.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oxide/+bug/1260048/+subscriptions
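
A triage sketch for denials like the one in this report, added here as an example and not part of the bug report or of Oxide: it parses the audit line and reports whether the denied path lies inside the application's own data directory or in a location shared between apps. It assumes the Click profile name has the form <pkgname>_<appname>_<version>, that XDG_DATA_HOME is at its default of ~/.local/share, and the function names are hypothetical.

```python
import posixpath
import re

# The denial from the report above, rejoined onto one line.
SAMPLE = (
    'Dec 11 13:32:58 localhost kernel: [224656.316855] type=1400 '
    'audit(1386790378.642:1642): apparmor="DENIED" operation="open" '
    'parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" '
    'name="/home/jamie/.pki/nssdb/cert9.db" pid=21725 comm="Chrome_IOThread" '
    'requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000'
)

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def app_data_dir(profile, home):
    """Directory the report asks for: $XDG_DATA_HOME/<app_pkgname>.

    Assumptions: the profile is named <pkgname>_<appname>_<version> and the
    package name contains no underscore; XDG_DATA_HOME is ~/.local/share.
    """
    pkgname = profile.split("_", 1)[0]
    return posixpath.join(home, ".local", "share", pkgname)


def classify(line, home):
    """Classify a denied path as 'app-specific' or 'shared'; None if not a denial."""
    fields = parse_denial(line)
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    # Normalise first so "pkgdir/../other" is not mistaken for a private path.
    path = posixpath.normpath(fields["name"])
    private = app_data_dir(fields.get("profile", ""), home)
    inside = path == private or path.startswith(private + "/")
    return {
        "profile": fields.get("profile"),
        "path": path,
        "denied_mask": fields.get("denied_mask"),
        "expected_dir": private,
        "scope": "app-specific" if inside else "shared",
    }


if __name__ == "__main__":
    print(classify(SAMPLE, "/home/jamie"))
```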
