With newer oxide on 14.10, we are hitting this again:

  apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.webapps.webapp-amazon_webapp-amazon_1.0.9" name="/home/phablet/.pki/" pid=30367 comm="webapp-containe" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

Seems that oxide should allow for specifying an alternate shared nssdb. Once it can do that, the UbuntuWebview could examine "applicationName" from MainView like with other QML components and do this for the app automatically. webapp-container, html5-container, cordova, et al would need to set up Oxide to do this as well.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu.
https://bugs.launchpad.net/bugs/1260048

Title:
  oxide should use an application specific location for pki/nss files

Status in Oxide Webview:
  Triaged
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Confirmed

Bug description:
  Running oxide under confinement, I see the following denial:

  Dec 11 13:32:58 localhost kernel: [224656.316855] type=1400 audit(1386790378.642:1642): apparmor="DENIED" operation="open" parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/home/jamie/.pki/nssdb/cert9.db" pid=21725 comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000

  This requires the following rule:

    owner @{HOME}/.pki/nssdb/ rw,
    owner @{HOME}/.pki/nssdb/** rwk,

  But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically oxide should be adjusted to use $XDG_DATA_HOME/<app_pkgname>, where '<app_pkgname>' is the "name" field in the Click manifest.
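
The check the bug description argues for, as an added example that is not part of the original report or of Oxide: it parses the two denial messages quoted above and reports whether each denied path lies under $XDG_DATA_HOME/<app_pkgname>. The function names, the <pkgname>_<appname>_<version> profile-name layout, the /home/<user> home directory and the ~/.local/share default for XDG_DATA_HOME are assumptions.

```python
import re
from pathlib import PurePosixPath

# The two denial messages quoted in the report above, embedded as sample input.
DENIALS = [
    'apparmor="DENIED" operation="mkdir" '
    'profile="com.ubuntu.developer.webapps.webapp-amazon_webapp-amazon_1.0.9" '
    'name="/home/phablet/.pki/" pid=30367 comm="webapp-containe" '
    'requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011',
    'type=1400 audit(1386790378.642:1642): apparmor="DENIED" operation="open" '
    'parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" '
    'name="/home/jamie/.pki/nssdb/cert9.db" pid=21725 comm="Chrome_IOThread" '
    'requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000',
]

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Split one AppArmor audit message into its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def classify(line, xdg_data_home=".local/share"):
    """Report whether a denied path lies in the app's own data directory.

    Assumptions: the profile name has the form <pkgname>_<appname>_<version>,
    the home directory is /home/<user>, and XDG_DATA_HOME is ~/.local/share.
    """
    fields = parse_denial(line)
    pkg, _app, _version = fields["profile"].rsplit("_", 2)
    path = PurePosixPath(fields["name"])
    home = PurePosixPath(*path.parts[:3])  # /home/<user>
    app_dir = home / xdg_data_home / pkg   # $XDG_DATA_HOME/<app_pkgname>
    return {
        "pkg": pkg,
        "path": str(path),
        "denied_mask": fields["denied_mask"],
        "app_specific": path == app_dir or app_dir in path.parents,
    }


if __name__ == "__main__":
    for line in DENIALS:
        result = classify(line)
        scope = "app-specific" if result["app_specific"] else "shared per-user"
        print(f'{result["pkg"]}: {result["path"]} '
              f'({result["denied_mask"]}) -> {scope} location')
```

Both quoted denials are classified as shared per-user locations, which is why granting the rule as written would let any confined app read or modify another app's NSS database.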