Ubuntu
apparmor-easyprof-ubuntu package

Click apps need access to their own Online Accounts files

Bug #1278859 reported by Alberto Mardegan
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor-easyprof-ubuntu (Ubuntu)
Fix Released
High
Jamie Strandboge

Bug Description

Online Accounts can be extended with new account providers and services provided in click packages. A click hook will install these files in the correct place under ~/.local/share/accounts/{provider,services}/ .

Indeed, click applications should be able to use the account they install, so they need read access to these directories (the "accounts" apparmor template already gives access to the system locations: "/usr/share/accounts/** r,"). Therefore, I'd like to suggest adding the following line to the apparmor "accounts" template:

    owner @{HOME}/.local/share/accounts/** r,

Given that these files are installed under ~/.local/share/accounts/ as symlinks, this means that apps will dereference the symlinks in this directory to access their own accounts provider (which is in an app-specific directory). This is not an information leak on its own because users of this policy group have read access to accounts.db.

See original description
Jamie Strandboge (jdstrand)
description: updated
tags: added: application-confinement
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
importance: Undecided → High
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.1.4

---------------
apparmor-easyprof-ubuntu (1.1.4) trusty; urgency=medium

  * 1.*/ubuntu-sdk: adjust for ubuntu-html5-app-launcher (LP: #1274640)
    - allow reexec for /usr/bin/ubuntu-html5-app-launcher to handle HTML5 apps
      launched via upstart-app-launch
    - allow read access to /usr/share/ubuntu-html5-app-launcher/**
  * 1.*/accounts:
    - allow read on @{HOME}/.local/share/accounts/** to dereference click
      symlinks for online accounts providers (LP: #1278859)
    - add comment about usage of com.nokia.singlesignonui.cookiesForIdentity
  * 1.*/networking: finetune DownloadManager DBus access (LP: #1277578)
    - explicitly allow safe and explicitly disallow unsafe DownloadManager
      APIs
    - restrict apps to their own downloads
  * 1.*/ubuntu-webapp: allow the webapps access to SignonUi API for retrieving
    web cookies for an account (com.nokia.singlesignonui.cookiesForIdentity).
    This is being added to the ubuntu-webapp template instead of the accounts
    policy group because this API should only be available to the webapp
    container and is not needed to use online accounts in general
    (LP: #1278934)
 -- Jamie Strandboge <email address hidden> Wed, 12 Feb 2014 09:20:58 -0600

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.