2013-10-08 15:19:52 |
Jamie Strandboge |
bug |
|
|
added bug |
2013-10-08 15:22:37 |
Jamie Strandboge |
tags |
|
application-confinement |
|
2013-10-08 15:22:44 |
Jamie Strandboge |
description |
The security team noticed the following apparmor denial:
[ 86.069189] type=1400 audit(1381243063.185:73): apparmor="DENIED" operation="connect" parent=1550 profile="com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.3" name="/tmp/mir_socket" pid=2270 comm="webbrowser-app" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=32011
Discussing this with the mir team, the mir socket is needed by all apps. However, the default location is:
$ ls -l /tmp/mir_socket
srwxr-xr-x 1 phablet phablet 0 Oct 8 09:54 /tmp/mir_socket
This is not a reasonable default for a multiuser system and is not sufficiently defensive on a single-user system (e.g., a security issue in a non-phablet uid process can read the socket).
It seems that XDG_RUNTIME_DIR would be a reasonable default:
$ set|grep XDG
XDG_RUNTIME_DIR=/run/user/32011
$ ls -ld /run/user/32011/
drwx------ 5 phablet phablet 140 Oct 8 09:54 /run/user/32011/
It is explicitly set on Ubuntu, is cleaned up on reboot like /tmp and has 700 directory permissions. |
The security team noticed the following apparmor denial:
[ 86.069189] type=1400 audit(1381243063.185:73): apparmor="DENIED" operation="connect" parent=1550 profile="com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.3" name="/tmp/mir_socket" pid=2270 comm="webbrowser-app" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=32011
Discussing this with the mir team, the mir socket is needed by all apps. However, the default location is:
$ ls -l /tmp/mir_socket
srwxr-xr-x 1 phablet phablet 0 Oct 8 09:54 /tmp/mir_socket
This is not a reasonable default for a multiuser system and is not sufficiently defensive on a single-user system (e.g., a security issue in a non-phablet uid process can read the socket).
It seems that XDG_RUNTIME_DIR would be a reasonable default:
$ set|grep XDG
XDG_RUNTIME_DIR=/run/user/32011
$ ls -ld /run/user/32011/
drwx------ 5 phablet phablet 140 Oct 8 09:54 /run/user/32011/
It is explicitly set on Ubuntu, is cleaned up on reboot like /tmp and has 700 directory permissions. There is urgency on deciding the proper location because apparmor-easyprof-ubuntu will need to be adjusted to use it, otherwise click apps will break when we switch to mir by default. alan_g tells me that clients may either set MIR_SOCKET or pass a filename, so more than just mir may need to be adjusted. |
|
2013-10-08 15:22:51 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Saucy |
|
2013-10-08 15:22:51 |
Jamie Strandboge |
bug task added |
|
mir (Ubuntu Saucy) |
|
2013-10-08 15:23:05 |
Jamie Strandboge |
bug task added |
|
apparmor-easyprof-ubuntu (Ubuntu) |
|
2013-10-08 16:31:18 |
Jamie Strandboge |
description |
The security team noticed the following apparmor denial:
[ 86.069189] type=1400 audit(1381243063.185:73): apparmor="DENIED" operation="connect" parent=1550 profile="com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.3" name="/tmp/mir_socket" pid=2270 comm="webbrowser-app" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=32011
Discussing this with the mir team, the mir socket is needed by all apps. However, the default location is:
$ ls -l /tmp/mir_socket
srwxr-xr-x 1 phablet phablet 0 Oct 8 09:54 /tmp/mir_socket
This is not a reasonable default for a multiuser system and is not sufficiently defensive on a single-user system (e.g., a security issue in a non-phablet uid process can read the socket).
It seems that XDG_RUNTIME_DIR would be a reasonable default:
$ set|grep XDG
XDG_RUNTIME_DIR=/run/user/32011
$ ls -ld /run/user/32011/
drwx------ 5 phablet phablet 140 Oct 8 09:54 /run/user/32011/
It is explicitly set on Ubuntu, is cleaned up on reboot like /tmp and has 700 directory permissions. There is urgency on deciding the proper location because apparmor-easyprof-ubuntu will need to be adjusted to use it, otherwise click apps will break when we switch to mir by default. alan_g tells me that clients may either set MIR_SOCKET or pass a filename, so more than just mir may need to be adjusted. |
The security team noticed the following apparmor denial:
[ 86.069189] type=1400 audit(1381243063.185:73): apparmor="DENIED" operation="connect" parent=1550 profile="com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.3" name="/tmp/mir_socket" pid=2270 comm="webbrowser-app" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=32011
Discussing this with the mir team, the mir socket is needed by all native GL apps. However, the default location is:
$ ls -l /tmp/mir_socket
srwxr-xr-x 1 phablet phablet 0 Oct 8 09:54 /tmp/mir_socket
This is not a reasonable default for a multiuser system and is not sufficiently defensive on a single-user system (e.g., a security issue in a non-phablet uid process can read the socket).
It seems that XDG_RUNTIME_DIR would be a reasonable default:
$ set|grep XDG
XDG_RUNTIME_DIR=/run/user/32011
$ ls -ld /run/user/32011/
drwx------ 5 phablet phablet 140 Oct 8 09:54 /run/user/32011/
It is explicitly set on Ubuntu, is cleaned up on reboot like /tmp and has 700 directory permissions. There is urgency on deciding the proper location because apparmor-easyprof-ubuntu will need to be adjusted to use it, otherwise click apps will break when we switch to mir by default. alan_g tells me that clients may either set MIR_SOCKET or pass a filename, so more than just mir may need to be adjusted. |
|
2013-10-08 16:52:28 |
Alan Griffiths |
branch linked |
|
lp:~mir-team/mir/fix-1236912 |
|
2013-10-08 18:25:33 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
New |
Triaged |
|
2013-10-08 18:25:38 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): importance |
Undecided |
High |
|
2013-10-08 18:25:40 |
Jamie Strandboge |
mir (Ubuntu Saucy): importance |
Undecided |
High |
|
2013-10-08 18:25:42 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): assignee |
|
Jamie Strandboge (jdstrand) |
|
2013-10-08 18:25:47 |
Jamie Strandboge |
mir (Ubuntu Saucy): status |
New |
Confirmed |
|
2013-10-11 16:00:31 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
Triaged |
Confirmed |
|
2013-12-12 17:49:38 |
Jamie Strandboge |
mir (Ubuntu Saucy): status |
Confirmed |
Won't Fix |
|
2013-12-12 17:49:42 |
Jamie Strandboge |
mir (Ubuntu): status |
Confirmed |
Fix Released |
|
2013-12-12 17:49:49 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
Confirmed |
Won't Fix |
|
2013-12-12 17:49:56 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu): status |
Confirmed |
In Progress |
|
2013-12-13 01:52:14 |
Daniel van Vugt |
bug task added |
|
mir |
|
2013-12-13 01:52:28 |
Daniel van Vugt |
mir: status |
New |
Fix Released |
|
2013-12-13 01:52:32 |
Daniel van Vugt |
mir: importance |
Undecided |
High |
|
2013-12-13 01:52:41 |
Daniel van Vugt |
mir: assignee |
|
Alan Griffiths (alan-griffiths) |
|
2013-12-13 01:53:03 |
Daniel van Vugt |
bug task deleted |
mir (Ubuntu Saucy) |
|
|
2013-12-20 14:27:29 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/apparmor-easyprof-ubuntu |
|
2013-12-20 14:38:37 |
Launchpad Janitor |
apparmor-easyprof-ubuntu (Ubuntu): status |
In Progress |
Fix Released |
|