oxide's chrome-sandbox needs access to @{PROC}/[0-9]*/oom_* which may conflict with application lifecycle

Bug #1260115 reported by Jamie Strandboge on 2013-12-11
This bug affects 1 person
Affects: Oxide; Importance: Medium; Assigned to: Unassigned
Affects: apparmor-easyprof-ubuntu (Ubuntu); Importance: Critical; Assigned to: Jamie Strandboge

Bug Description

The following accesses are required by chrome-sandbox:
owner @{PROC}/[0-9]*/oom_adj w,
owner @{PROC}/[0-9]*/oom_score_adj w,

It needs to be confirmed that chrome-sandbox's adjustments will not interfere with application lifecycle.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
importance: Undecided → Medium
tags: added: application-confinement
Jamie Strandboge (jdstrand) wrote :

This access was confirmed to interfere with application lifecycle and provides an easy way for apps to adjust their own OOM scores. apparmor-easyprof-ubuntu needs to remove the policy allowing writes to these proc entries.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
importance: Medium → Critical
status: New → In Progress
tags: added: rtm14 touch-2014-09-29
Jamie Strandboge (jdstrand) wrote :

Oxide was checked to handle the failure to write to the oom files gracefully. We will not be adjusting it for this bug but instead just silently deny the accesses.

Changed in oxide:
status: New → Won't Fix
tags: added: touch-2014-10-09
removed: touch-2014-09-29
Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.29

---------------
apparmor-easyprof-ubuntu (1.2.29) utopic; urgency=medium

  * ubuntu/webview: explicitly deny write access to @{PROC}/[0-9]*/oom_adj
    and @{PROC}/[0-9]*/oom_score_adj. This is confirmed as a way to escape
    application lifecycle (LP: #1260115)
 -- Jamie Strandboge <email address hidden> Mon, 29 Sep 2014 12:28:39 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released
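As an added example (not code from this bug, Oxide or apparmor-easyprof-ubuntu), a small Python check that flags AppArmor rules granting write access to the per-process oom_* files, run over constructed "before" and "after" fragments of the shape the changelog describes; the profile name and the `/dev/null` rule are placeholders.

```python
import re

# One AppArmor file rule in the form used on this page:
#   [audit] [deny] [owner] <path> <perms>,
# (permissions written before the path are not handled).
RULE_RE = re.compile(
    r"^\s*(?P<quals>(?:(?:audit|deny|owner)\s+)*)"
    r"(?P<path>(?:@\{[A-Za-z_]+\}|/)\S*)\s+(?P<perms>[a-zA-Z]+)\s*,\s*$"
)
# Per-process OOM control files, after @{PROC} is normalised to /proc.
OOM_RE = re.compile(r"^/proc/.*/oom_")

# Constructed fragments, not the shipped ubuntu/webview profile.
# "Before": the two grants the bug report says chrome-sandbox asked for.
WEBVIEW_BEFORE = """
profile webview_example {
  owner @{PROC}/[0-9]*/oom_adj w,
  owner @{PROC}/[0-9]*/oom_score_adj w,
  /dev/null rw,
}
"""
# "After": the shape of the 1.2.29 fix. A plain `deny` is quiet (nothing
# in the audit log) unless written `audit deny`, hence "silently deny".
WEBVIEW_AFTER = """
profile webview_example {
  deny @{PROC}/[0-9]*/oom_adj w,
  deny @{PROC}/[0-9]*/oom_score_adj w,
  /dev/null rw,
}
"""


def find_oom_write_grants(policy: str) -> list[str]:
    """Return each rule that allows (not denies) writing an OOM file."""
    findings = []
    for line in policy.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # profile header, closing brace, blank line
        quals = m.group("quals").split()
        path = m.group("path").replace("@{PROC}", "/proc")
        perms = m.group("perms")
        if "deny" in quals:
            continue  # an explicit deny is the fix, not a finding
        if OOM_RE.match(path) and ("w" in perms or "a" in perms):
            findings.append(line.strip())
    return findings
```

Running the check over a real profile set (e.g. the generated files under /var/lib/apparmor/profiles) would surface any other policy that still carries such a grant.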