2009-08-26 15:55:09 |
Jamie Strandboge |
bug |
|
|
added bug |
2009-08-26 15:55:37 |
Jamie Strandboge |
linux (Ubuntu): importance |
Undecided |
Medium |
|
2009-08-26 15:55:37 |
Jamie Strandboge |
linux (Ubuntu): status |
New |
In Progress |
|
2009-08-26 15:55:37 |
Jamie Strandboge |
linux (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
2009-08-26 15:57:32 |
Jamie Strandboge |
description |
Karmic will be shipping an apparmor profile for firefox (bug #382917). This is a spec for the security team. Due to packaging constraints and maintenance, it must use matching for the profile name. E.g., with a profile name specified like this:
/usr/lib/firefox-3.5.*/firefox {
...
/usr/lib/firefox-3.5.2/firefox attaches and works (good).
However, this causes problems:
a) it improperly matches the *files* /usr/lib/firefox-3.5.foo, /usr/lib/firefox-3.5.bar. This is wrong and could cause problems if other versions of firefox are installed.
b) '/usr/lib/** ux' is too greedy, i.e. will match /usr/l if nothing else is available
c) '/usr/bin/** px' won't attach if the profiled is confined
These issues are a surprising side-effect of using matching in the profile name, and will cause bugs and problems when people modify the firefox profile or develop their own profiles using profile name matching. |
Karmic will be shipping an apparmor profile for firefox (bug #382917). This is a spec for the security team. Due to packaging constraints and maintenance, it must use matching for the profile name. E.g., with a profile name specified like this:
/usr/lib/firefox-3.5.*/firefox {
...
/usr/lib/firefox-3.5.2/firefox attaches and works (good).
However, this causes problems:
a) it improperly matches the *files* /usr/lib/firefox-3.5.foo, /usr/lib/firefox-3.5.bar
b) '/usr/lib/** ux' is too greedy, i.e. will match /usr/l if nothing else is available
c) '/usr/bin/** px' won't attach if the profiled is confined
These issues are a surprising side-effect of using matching in the profile name, and will cause bugs and problems when people modify the firefox profile or develop their own profiles using profile name matching. |
|
2009-08-26 16:06:40 |
Jamie Strandboge |
description |
Karmic will be shipping an apparmor profile for firefox (bug #382917). This is a spec for the security team. Due to packaging constraints and maintenance, it must use matching for the profile name. E.g., with a profile name specified like this:
/usr/lib/firefox-3.5.*/firefox {
...
/usr/lib/firefox-3.5.2/firefox attaches and works (good).
However, this causes problems:
a) it improperly matches the *files* /usr/lib/firefox-3.5.foo, /usr/lib/firefox-3.5.bar
b) '/usr/lib/** ux' is too greedy, i.e. will match /usr/l if nothing else is available
c) '/usr/bin/** px' won't attach if the profiled is confined
These issues are a surprising side-effect of using matching in the profile name, and will cause bugs and problems when people modify the firefox profile or develop their own profiles using profile name matching. |
Karmic will be shipping an apparmor profile for firefox (bug #382917). This is a spec for the security team. Due to packaging constraints and maintenance, it must use matching for the profile name. E.g., with a profile name specified like this:
/usr/lib/firefox-3.5.*/firefox {
...
/usr/lib/firefox-3.5.2/firefox attaches and works (good).
However, this causes problems:
a) profile is attached from unconfined, but not from confined processes. This reduces the security of the already shipping AppArmor profile for evince, which allows transitions to firefox
b) it improperly matches the *files* /usr/lib/firefox-3.5.foo, /usr/lib/firefox-3.5.bar
c) '/usr/lib/** ux' is too greedy, i.e. will match /usr/l if nothing else is available
d) '/usr/bin/** px' won't attach if the profiled is confined
These issues are a surprising side-effect of using matching in the profile name, and will cause bugs and problems when people modify the firefox profile or develop their own profiles using profile name matching. |
|
2009-09-08 12:30:07 |
Launchpad Janitor |
linux (Ubuntu): status |
In Progress |
Fix Released |
|
2009-09-18 13:17:07 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/karmic/linux-fsl-imx51 |
|