With newer oxide on 14.10, we are hitting this again:
apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.webapps.webapp-amazon_webapp-amazon_1.0.9
name=/home/phablet/.pki/ pid=30367 comm=webapp-containe requested_mask=c
denied_mask=c fsuid=32011 ouid=32011
Seems that oxide should
I'm going to mark this as 'High' for now since confined apps will have
this denial. This may need to be moved to Critical.
** Changed in: oxide
Importance: Medium => High
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Branch linked: lp:oxide
--
https://bugs.launchpad.net/bugs/1260048
Title:
oxide should use an application specific location for pki/nss files
--
nssdb is for storing new root certificates and Oxide doesn't support
updating those. Furthermore, upstream will be moving away from nss at
some point anyway. For the time being we can initialize nss without user
db. Marking Critical, rtm14, and touch-2014-09-11. Removing apparmor-
easyprof-ubuntu
Reducing the priority to medium for now since apps can't update the
nssdb now anyway. When they can, this bug will block the functionality
from working and see the priority may change again.
--
This will be the new policy until this bug is fixed:
# LP: #1260048 - only allow 'r' for now, since 'w' allow for db poisoning
owner @{HOME}/.pki/nssdb/ r,
owner @{HOME}/.pki/nssdb/** rk,
deny @{HOME}/.pki/nssdb/ w,
deny @{HOME}/.pki/nssdb/** w,
--
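An added example (not part of the thread, and not code from oxide or apparmor-easyprof-ubuntu) that sorts AppArmor denials by what they mean for the shared NSS database: blocked modifications under `.pki/nssdb`, blocked reads there, and the `.pki/` directory creation reported at the top of the thread. It assumes `@{HOME}` expands to `/home/<user>/`; the profile name `com.example.app_app_0.1` and every sample record except the first are constructed.

```python
import re

# key=value or key="value" pairs as they appear in AppArmor audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: @{HOME} expands to /home/<user>/
NSSDB = re.compile(r'^/home/[^/]+/\.pki/nssdb(?:/|$)')
PKI = re.compile(r'^/home/[^/]+/\.pki/?$')
# Assumption: mask letters treated as modifying (all fall under 'w' in policy)
MODIFYING = set("wacd")


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {k: q or u for k, q, u in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def classify(fields):
    """Label a denial by what it means for the shared NSS database."""
    path = fields.get("name", "")
    mask = set(fields.get("denied_mask", ""))
    if NSSDB.match(path):
        return "nssdb-write-blocked" if mask & MODIFYING else "nssdb-read-blocked"
    if PKI.match(path) and "c" in mask:
        return "pki-dir-create-blocked"
    return "other"


def summarize(lines):
    """Map (profile, label) -> count for all denials in the given log lines."""
    counts = {}
    for line in lines:
        fields = parse_denial(line)
        if fields:
            key = (fields.get("profile", "?"), classify(fields))
            counts[key] = counts.get(key, 0) + 1
    return counts


# First record is the one quoted in the thread (rejoined); the rest are constructed.
SAMPLE = [
    'apparmor=DENIED operation=mkdir profile=com.ubuntu.developer.webapps.webapp-amazon_webapp-amazon_1.0.9 name=/home/phablet/.pki/ pid=30367 comm=webapp-containe requested_mask=c denied_mask=c fsuid=32011 ouid=32011',
    'apparmor="DENIED" operation="open" profile="com.example.app_app_0.1" name="/home/phablet/.pki/nssdb/cert9.db" pid=4242 comm="app" requested_mask="wc" denied_mask="wc" fsuid=32011 ouid=32011',
    'apparmor="DENIED" operation="open" profile="com.example.app_app_0.1" name="/home/phablet/.pki/nssdb/cert9.db" pid=4243 comm="app" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011',
    'apparmor="ALLOWED" operation="open" profile="com.example.app_app_0.1" name="/home/phablet/.pki/nssdb/key4.db" pid=4244 comm="app" requested_mask="w" denied_mask="w" fsuid=32011 ouid=32011',
]

if __name__ == "__main__":
    for (profile, label), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {label:24s} {profile}")
```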
apparmor-easyprof-ubuntu (1.1.11) trusty; urgency=medium
* 1.0/ubuntu-*: explicitly deny access to oxide files so webbrowser-app's
fallback mechanism to QtWebKit works correctly. This is needed so 13.10
framework webapps don't regress
* 1.1/webview: prevent certificate db poisoning
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
Status: New => Confirmed
--
This definitely needs to get addressed.
--
Note, these rules are currently in the webview policy group. If this
isn't going to be fixed soon, should we at least remove 'w' access from
the policy so we only have information disclosure as opposed to db
poisoning?
--
I agree, removing 'w' would make sense...although I suspect that will
prevent users from accepting self-signed certs in the browser. Perhaps
that isn't important for the moment, I'm not sure if we even have a
dialog for that.
--
We do not have a dialog for that. That is bug 1214034.
--
** Changed in: oxide
Assignee: (unassigned) => Chris Coulson (chrisccoulson)
** Changed in: oxide
Status: New => Triaged
--