Public bug reported:
Ubuntu SDK applications that use webkit webviews create shared memory files as
/run/shm/WK2SharedMemory*. This results in an AppArmor rule like the following:
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,
But this rule is too lenient because a malicious app could enumerate
these files and attack shared memory of other applications. Therefore,
these paths need to be made application specific. One suggestion is to
use something like shm_open("%s-WK2SharedMemory" % <app id>") instead of
shm_open("WK2SharedMemory") where '<app id>' will ultimately be the
reverse domain name with Click packages (see bug #1197037 for details on
'<app id>').
Future work may allow for AppArmor IPC to handle this without
modifications to the SDK, but this may be 14.04 so we need a solution
for 13.10.
** Affects: ubuntu-qtcreator-plugins
Importance: Undecided
Status: New
** Affects: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided
Status: New
** Tags: application-confinement
** Description changed:
Ubuntu SDK applications that use webkit webviews create shared memory files
as /run/shm/WK2SharedMemory*. This results in an AppArmor rule like the
following:
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,
But this rule is too lenient because a malicious app could enumerate
these files and attack shared memory of other applications. Therefore,
these paths need to be made application specific. One suggestion is to
use something like shm_open("%s-WK2SharedMemory" % <app id>") instead of
shm_open("WK2SharedMemory") where '<app id>' will ultimately be the
reverse domain name with Click packages (see bug #1197037 for details on
'<app id>').
Future work may allow for AppArmor IPC to handle this without
- modifications to the SDK.
+ modifications to the SDK, but this may be 14.04.
** Description changed:
Ubuntu SDK applications that use webkit webviews create shared memory files
as /run/shm/WK2SharedMemory*. This results in an AppArmor rule like the
following:
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,
But this rule is too lenient because a malicious app could enumerate
these files and attack shared memory of other applications. Therefore,
these paths need to be made application specific. One suggestion is to
use something like shm_open("%s-WK2SharedMemory" % <app id>") instead of
shm_open("WK2SharedMemory") where '<app id>' will ultimately be the
reverse domain name with Click packages (see bug #1197037 for details on
'<app id>').
Future work may allow for AppArmor IPC to handle this without
- modifications to the SDK, but this may be 14.04.
+ modifications to the SDK, but this may be 14.04 so we need a solution
+ for 13.10.
** Tags added: application-confinement
** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1197060
Title:
SDK webview applications should use an app-specific path for shared
memory files
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-qtcreator-plugins/+bug/1197060/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
