SDK webview applications should use an app-specific path for shared memory files

Bug #1197060 reported by Jamie Strandboge on 2013-07-02
This bug affects 2 people
Affects | Importance | Assigned to
apparmor (Ubuntu) | Undecided | Unassigned
  Saucy | Undecided | Unassigned
  Trusty | Undecided | John Johansen
apparmor-easyprof-ubuntu (Ubuntu) | Undecided | Unassigned
  Saucy | Undecided | Unassigned
  Trusty | Undecided | Unassigned
qtwebkit-opensource-src (Ubuntu) | High | Christian Dywan
  Saucy | High | Christian Dywan
  Trusty | Undecided | Unassigned

Bug Description

Ubuntu SDK applications that use webkit webviews create shared memory files as /run/shm/WK2SharedMemory*. This results in an AppArmor rule like the following:
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,

But this rule is too lenient because a malicious app could enumerate these files and attack shared memory of other applications. Therefore, these paths need to be made application specific. One suggestion is to use something like shm_open("%s-WK2SharedMemory" % <app_pkgname>) instead of shm_open("WK2SharedMemory") where '<app_pkgname>' is the "name" field in the Click manifest (see bug #1197037 for details).

Future work will allow for AppArmor IPC to handle this without modifications to the SDK, but this may be 14.04 so we need a solution for 13.10. I recommend fixing this bug after the other SDK bugs I filed today, then talk to the security team before fixing this bug since it is possible we will have something for 13.10 that doesn't require altering the SDK.
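The naming scheme suggested in the description, sketched in C as an added example (not code from the bug report, QtWebKit or the SDK). The function names, the accepted package-name character set and the `com.example.app` package are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* With per-app names, each profile can be limited to its own prefix, e.g.
 * for the constructed package "com.example.app":
 *   owner /{,run/}shm/com.example.app-WK2SharedMemory.[0-9]* rwk,
 */

/* Assumed charset: lowercase letters, digits, '.', '+', '-'; no '/' so the
 * name stays a single path component and cannot alias another app's prefix. */
static int pkgname_ok(const char *pkg) {
    if (!pkg || !isalnum((unsigned char)pkg[0])) return 0;
    for (const char *p = pkg; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(islower(c) || isdigit(c) || c == '.' || c == '+' || c == '-')) return 0;
    }
    return 1;
}

/* Build "/<pkg>-WK2SharedMemory.<id>". Returns 0 on success, -1 on bad input. */
int make_shm_name(const char *pkg, unsigned id, char *out, size_t outlen) {
    if (!pkgname_ok(pkg)) { errno = EINVAL; return -1; }
    int n = snprintf(out, outlen, "/%s-WK2SharedMemory.%u", pkg, id);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* Create a new segment. O_EXCL refuses a name that already exists (possibly
 * pre-created by someone else); mode 0600 keeps it owner-only. */
int open_app_shm(const char *pkg, unsigned id, size_t size) {
    char name[256];
    if (make_shm_name(pkg, id, name, sizeof name) != 0) return -1;
    int fd = shm_open(name, O_CREAT | O_EXCL | O_RDWR, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)size) != 0) {
        int saved = errno;
        close(fd); shm_unlink(name); errno = saved;
        return -1;
    }
    return fd; /* caller mmap()s the fd and shm_unlink()s the name when done */
}
```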

description: updated
description: updated
tags: added: application-confinement
Changed in apparmor (Ubuntu):
status: New → In Progress
assignee: nobody → John Johansen (jjohansen)
description: updated
Changed in apparmor (Ubuntu):
milestone: none → later
description: updated
Changed in ubuntu-qtcreator-plugins:
assignee: nobody → Timo Jyrinki (timo-jyrinki)
affects: ubuntu-qtcreator-plugins → ubuntu-ui-toolkit
Changed in ubuntu-ui-toolkit:
assignee: Timo Jyrinki (timo-jyrinki) → nobody
Changed in qtwebkit-opensource-src (Ubuntu):
assignee: nobody → Christian Dywan (kalikiana)
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: New → Triaged
Changed in apparmor (Ubuntu Saucy):
assignee: John Johansen (jjohansen) → nobody
milestone: later → none
status: In Progress → Won't Fix
Changed in qtwebkit-opensource-src (Ubuntu Saucy):
importance: Undecided → High
description: updated
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: Triaged → Won't Fix
Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: nobody → chenwencai (13738772233-a)
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
assignee: nobody → chenwencai (13738772233-a)
Dmitry Shachnev (mitya57) wrote :

Don't assign yourself to the bug unless you are working on the fix.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: chenwencai (13738772233-a) → nobody
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
assignee: chenwencai (13738772233-a) → nobody
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in qtwebkit-opensource-src (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

I'm going to mark the qtwebkit-opensource-src task for Trusty as Won't Fix since SDK applications will be expected to use Oxide.

Changed in qtwebkit-opensource-src (Ubuntu Saucy):
status: Confirmed → Won't Fix
Changed in qtwebkit-opensource-src (Ubuntu Trusty):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

We are transitioning to Oxide so fixing webkit is no longer needed.

Changed in apparmor-easyprof-ubuntu (Ubuntu Trusty):
status: Confirmed → Won't Fix
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Triaged → Won't Fix
Changed in qtwebkit-opensource-src (Ubuntu):
status: Confirmed → Won't Fix
Changed in apparmor (Ubuntu Trusty):
status: In Progress → Won't Fix
no longer affects: ubuntu-ui-toolkit
Changed in apparmor (Ubuntu):
assignee: John Johansen (jjohansen) → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.28

---------------
apparmor-easyprof-ubuntu (1.2.28) utopic; urgency=medium

  * ubuntu/calendar: add missing rule for org.freedesktop.DBus.Introspectable
    on path /com/canonical/indicator/datetime/AlarmProperties (LP: #1374623)
  * ubuntu/1.[12]/ubuntu-{sdk,webapp}: remove no longer needed rule for
    /{,run/}shm/shm/WK2SharedMemory.[0-9]* (LP: #1197060)
  * ubuntu/microphone:
    - add temporary write access to /{run,dev}/shm/shmfd-* for QAudioRecorder
      (LP: #1370218)
    - explicitly deny read on /dev/
  * ubuntu/1.1/webview: allow dbus send to RequestName on org.freedesktop.DBus
    webapp-container needs corresponding 'bind' call on
    org.freedesktop.Application, which we block elsewhere. webapp-container
    shouldn't be doing this under confinement, but we allow this rule in
    content_exchange, so just allow it to avoid confusion. (LP: #1357371)
 -- Jamie Strandboge <email address hidden> Fri, 26 Sep 2014 15:21:37 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Won't Fix → Fix Released
Changed in apparmor (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
importance: Undecided → Medium
tags: added: aa-feature
Jamie Strandboge (jdstrand) wrote :

The apparmor portion of this bug is being tracked in 1370218

Changed in apparmor (Ubuntu):
status: In Progress → Won't Fix
importance: Medium → Undecided