oxide should use an application specific location for pki/nss files
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Oxide | Fix Released | Critical | Chris Coulson | |
| 1.2 | Fix Released | Critical | Chris Coulson | |
Bug Description
Running oxide under confinement, I see the following denial:
Dec 11 13:32:58 localhost kernel: [224656.316855] type=1400 audit(138679037
This requires the following rule:
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically oxide should be adjusted to use $XDG_DATA_
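A profile check for the concern raised in the description, as an added example that is not part of the original report or of oxide or apparmor-easyprof-ubuntu: it flags file rules that reach the per-user shared NSS database and labels read access as a disclosure risk and write access as a poisoning risk. Assumptions: the probed file names are the standard NSS SQLite database files, only the `*`, `**` and `?` globs are handled, `@{HOME}` is compared literally, and the per-application directory in the sample is hypothetical.

```python
import re

# The shared per-user NSS database directory and the files NSS keeps in it.
SHARED_NSS_PATHS = [
    "@{HOME}/.pki/nssdb/",
    "@{HOME}/.pki/nssdb/cert9.db",
    "@{HOME}/.pki/nssdb/key4.db",
    "@{HOME}/.pki/nssdb/pkcs11.txt",
]
# Which permission letters map to which concern from the bug description.
RISKS = (("disclosure", {"r"}), ("poisoning", {"w", "a"}))
# Plain file rule: optional "owner", a path, a permission string, a comma.
RULE = re.compile(r"^\s*(?:owner\s+)?(\S+)\s+([a-zA-Z]+)\s*,\s*(?:#.*)?$")
GLOBS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}


def glob_to_regex(glob):
    """Translate an AppArmor path glob: ** crosses '/', * and ? do not."""
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(GLOBS.get(p, re.escape(p)) for p in parts) + r"\Z")


def audit_profile(text):
    """Return (line_no, path, risks) for each rule that reaches the shared NSS store."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue  # not a plain file rule (or truncated), skip it
        path, perms = m.groups()
        rx = glob_to_regex(path)
        if any(rx.match(p) for p in SHARED_NSS_PATHS):
            risks = [name for name, flags in RISKS if set(perms) & flags]
            findings.append((no, path, risks))
    return findings


# Constructed profile fragment; com.example.app is a hypothetical per-app directory.
SAMPLE = """\
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/** rwk,
owner @{HOME}/.local/share/com.example.app/** rwk,
owner @{HOME}/** r,
"""

if __name__ == "__main__":
    for no, path, risks in audit_profile(SAMPLE):
        print(f"line {no}: {path} -> {', '.join(risks)}")
```

The application-specific rule on line 3 of the sample is not reported, while the broad `@{HOME}/**` rule is, because it still covers the shared database for reading.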
Changed in oxide:
assignee: nobody → Chris Coulson (chrisccoulson)
status: New → Triaged
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Confirmed
Changed in oxide:
milestone: none → branch-1.3
status: In Progress → Fix Released
This definitely needs to get addressed.