Activity log for bug #1260098

Date Who What changed Old value New value Message
2013-12-11 22:19:29 Jamie Strandboge bug added bug
2013-12-11 22:20:43 Jamie Strandboge description

Old value:

When running oxide, I get the following apparmor denials:

Dec 11 16:16:48 localhost kernel: [234482.172630] type=1400 audit(1386800208.786:2180): apparmor="DENIED" operation="open" parent=22731 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/tmp/" pid=9220 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 11 16:16:48 localhost kernel: [234482.172659] type=1400 audit(1386800208.786:2181): apparmor="DENIED" operation="open" parent=22731 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/var/tmp/" pid=9220 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 11 16:16:49 localhost kernel: [234482.481748]

Oxide seems to work ok otherwise, but these denials are noisy and could cause confusion. Oxide should be honoring TMPDIR first, then fall back to /tmp and /var/tmp if it isn't set.

While we could silence the denials like so:

  deny /tmp/ r,
  deny /var/tmp/ r,

this could break future profiles.

New value:

When running oxide, I get the following apparmor denials:

Dec 11 16:16:48 localhost kernel: [234482.172630] type=1400 audit(1386800208.786:2180): apparmor="DENIED" operation="open" parent=22731 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/tmp/" pid=9220 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 11 16:16:48 localhost kernel: [234482.172659] type=1400 audit(1386800208.786:2181): apparmor="DENIED" operation="open" parent=22731 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/var/tmp/" pid=9220 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 11 16:16:49 localhost kernel: [234482.481748]

Oxide seems to work ok otherwise, but these denials are noisy and could cause confusion. Oxide should be honoring TMPDIR first, then fall back to /tmp and /var/tmp if it isn't set.

While we could silence the denials like so:

  deny /tmp/ r,
  deny /var/tmp/ r,

this could break future profiles. Allowing the read allows enumerating files in these directories, which could leak information and should not generally be needed.

2013-12-11 22:20:56 Jamie Strandboge oxide: importance Medium Low
2013-12-11 22:21:05 Jamie Strandboge bug task added apparmor-easyprof-ubuntu (Ubuntu)
2013-12-11 22:21:13 Jamie Strandboge apparmor-easyprof-ubuntu (Ubuntu): importance Undecided Low
2014-11-03 16:07:32 Jamie Strandboge apparmor-easyprof-ubuntu (Ubuntu): status New Confirmed