The security team noticed the following AppArmor denial:
[ 86.069189] type=1400 audit(1381243063.185:73): apparmor="DENIED" operation="connect" parent=1550 profile="com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.3" name="/tmp/mir_socket" pid=2270 comm="webbrowser-app" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=32011
Discussing this with the Mir team, the Mir socket is needed by all apps. However, the default location is:
$ ls -l /tmp/mir_socket
srwxr-xr-x 1 phablet phablet 0 Oct 8 09:54 /tmp/mir_socket
This is not a reasonable default for a multiuser system and is not sufficiently defensive on a single-user system (e.g., a security issue in a non-phablet uid process can read the socket).
It seems that XDG_RUNTIME_DIR would be a reasonable default:
$ set|grep XDG
XDG_RUNTIME_DIR=/run/user/32011
$ ls -ld /run/user/32011/
drwx------ 5 phablet phablet 140 Oct 8 09:54 /run/user/32011/
It is explicitly set on Ubuntu, is cleaned up on reboot like /tmp and has 700 directory permissions.
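The properties listed above (owned by the user, mode 700, not /tmp) can be verified before the socket path is used. The following is an added example, not Mir's code; check_runtime_dir and socket_path are hypothetical helper names, and the 108-byte buffer assumes Linux's sun_path size.

```c
/* Added example: validate a per-user directory before placing a socket in it. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 0 only if dir is an absolute path to a real directory (not a symlink),
   owned by uid, with no permission bits for group or other (e.g. 0700). */
int check_runtime_dir(const char *dir, uid_t uid)
{
    struct stat st;
    if (dir == NULL || dir[0] != '/')       /* unset or relative: reject */
        return -1;
    if (lstat(dir, &st) != 0)               /* lstat does not follow symlinks */
        return -1;
    if (!S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != uid)                   /* owned by someone else: reject */
        return -1;
    if (st.st_mode & (S_IRWXG | S_IRWXO))   /* any group/other access: reject */
        return -1;
    return 0;
}

/* Build "<dir>/<name>" into out; fail instead of falling back to /tmp. */
int socket_path(char *out, size_t outlen, const char *dir, const char *name, uid_t uid)
{
    if (check_runtime_dir(dir, uid) != 0)
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;   /* reject truncation */
}

int main(void)
{
    char path[108];  /* assumed sizeof(sun_path) on Linux */
    if (socket_path(path, sizeof path, getenv("XDG_RUNTIME_DIR"), "mir_socket", getuid()) != 0) {
        fprintf(stderr, "XDG_RUNTIME_DIR unset or not private to this user\n");
        return 1;
    }
    printf("%s\n", path);
    return 0;
}
```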