nssdb is for storing new root certificates and Oxide doesn't support updating those. Furthermore, upstream will be moving away from nss at some point anyway. For the time being we can initialize nss without user db. Marking Critical, rtm14, and touch-2014-09-11. Removing apparmor- easyprof-ubuntu task since there is nothing to do.
** No longer affects: apparmor-easyprof-ubuntu (Ubuntu) ** Changed in: oxide Status: Triaged => In Progress ** Changed in: oxide Importance: High => Critical ** Tags added: rtm14 touch-2014-09-03 ** Tags removed: touch-2014-09-03 ** Tags added: touch-2014-09-11 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1260048 Title: oxide should use an application specific location for pki/nss files Status in Oxide Webview: In Progress Bug description: Running oxide under confinement, I see the following denial: Dec 11 13:32:58 localhost kernel: [224656.316855] type=1400 audit(1386790378.642:1642): apparmor="DENIED" operation="open" parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test- oxide_0.1" name="/home/jamie/.pki/nssdb/cert9.db" pid=21725 comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000 This requires the following rule: owner @{HOME}/.pki/nssdb/ rw, owner @{HOME}/.pki/nssdb/** rwk, But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically oxide should be adjusted to use $XDG_DATA_HOME/<app_pkgname>, where '<app_pkgname>' is the "name" field in the Click manifest. To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1260048/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp