Unsafe m_iconCacheDir handling may result in deletion of some files in home directory

Version: sni-qt_0.2.5-0ubuntu1_amd64

---- SRU info ----

[Impact]
Bug can cause removal of several files in the home directory of users if they run an application which uses sni-qt on a system with a non-writable temporary dir (/tmp or the dir pointed to by $TMPDIR).

See comment https://bugs.launchpad.net/ubuntu/+source/sni-qt/+bug/874447/comments/4 for more details on which files may be removed.

sni-qt creates a temp dir for its iconcache at startup. This temp dir is removed when the application quits as part of sni-qt cleanup code. This can cause some files in the home dir to be removed if the temp dir creation failed.

[Development Fix]
Bug has been fixed by:
- Checking the temporary dir was created before calling the FsUtils::recursiveRm() function.
- To avoid undefined behavior, sni-qt will also disable itself if it can't create its temp dir for the iconcache.

The fix is available here: http://bazaar.launchpad.net/~agateau/sni-qt/trunk/revision/91

[Test Case]
- Create a test user.
- List files from the home folder: find > /tmp/before
- Start an application using sni-qt, for example Clementine, like this: TMPDIR=/ clementine
- Quit the application with Ctrl+Q.
- List files again: find > /tmp/after
- Compare the two lists, some files are likely gone

[Regression Potential]
No regression expected.

---- Original report ----

The m_iconCacheDir variable is used unchecked throughout sni-qt. This may result in deletion of home directory.

This was found by an apparmor "DENIED" while running a sandboxed application (apparmor error data: operation="unlink" name="/home/user/.bash_history").

Lets assume we /tmp writes blocked and we have HOME/.* writes blocked.

1. statusnotifieritemfactory.cpp: FsUtils::generateTempDir is used to generate a temporary IconCache location.

[...]
StatusNotifierItemFactory::StatusNotifierItemFactory()
: m_isAvailable(false)
{
    QString tempSubDir = QString("sni-qt_%1_%2")
        .arg(QCoreApplication::applicationFilePath().section('/', -1))
        .arg(QCoreApplication::applicationPid());
    m_iconCacheDir = FsUtils::generateTempDir(tempSubDir);
    [...]

2. fsutils.cpp: Returns an empty QString if generation of file system objects failed.

QString generateTempDir(const QString& prefix)
{
    QDir dir = QDir::temp();
    if (!dir.mkpath(".")) {
        qCritical("Failed to generate temporary file for prefix %s: could not create %s",
            qPrintable(prefix), qPrintable(dir.path()));
        return QString();
    }

    QString tmpl = QString("%1/%2-XXXXXX")
        .arg(dir.path())
        .arg(prefix);
    QByteArray ba = QFile::encodeName(tmpl);
    const char* name = mkdtemp(ba.data());
    if (!name) {
        qCritical("Failed to generate temporary file for prefix %s: %s",
            qPrintable(prefix), strerror(errno));
        return QString();
    }
    return QFile::encodeName(name);
}

3. statusnotifieritemfactory.cpp: generateTempDir may have returned an empty QString (or another invalid location), which we are using as m_iconCacheDir

[...]
    m_iconCacheDir = FsUtils::generateTempDir(tempSubDir);
    SNI_VAR(m_iconCacheDir);

    m_iconCache = new IconCache(m_iconCacheDir, this);
[...]

4. iconcache.cpp: IconCache will be created with an empty QString (or another invalid location). If directory creation fails there is an error message printed, but the error stays unchecked.

IconCache::IconCache(const QString& baseDir, QObject* parent)
: QObject(parent)
, m_themePath(baseDir + "/icons")
{
    QDir dir(baseDir);
    bool ok = dir.mkdir("icons");
    if (!ok) {
        qCritical("Could not create '%s' dir for SNI icon cache", qPrintable(m_themePath));
        m_themePath = QString();
        return;
    }
}

5. statusnotifieritemfactory.cpp: So when closing an application using sni-qt m_iconCacheDir is wiped.

 StatusNotifierItemFactory::~StatusNotifierItemFactory()
{
    SNI_DEBUG;
    FsUtils::recursiveRm(m_iconCacheDir);
}