webbrowser-app should use app-specific paths when using --webapp

Bug #1226085 reported by Jamie Strandboge on 2013-09-16
This bug affects 3 people
Affects                            Status  Importance  Assigned to      Milestone
apparmor-easyprof-ubuntu (Ubuntu)          High        Unassigned
  Saucy                                    High        Unassigned
webbrowser-app (Ubuntu)                    High        Olivier Tilloy
  Saucy                                    High        Olivier Tilloy

Bug Description

The webbrowser-app stores its cache, cookies and various other files in ~/.cache/webbrowser-app and ~/.local/share/webbrowser-app.

This results in AppArmor rules like the following:
  owner @{HOME}/.cache/webbrowser-app/ rw,
  owner @{HOME}/.cache/webbrowser-app/** rwk,
  owner @{HOME}/.local/share/webbrowser-app/ rw,
  owner @{HOME}/.local/share/webbrowser-app/** rwk,

But these rules are too lenient, and these paths need to be made webapp-specific so that arbitrary webapps don't have access to global cookies, cache, etc. Specifically, webbrowser-app should be adjusted to use $XDG_DATA_HOME/<app_pkgname> for webapps, where '<app_pkgname>' is the "name" field in the Click manifest (see bug #1197037 for details).

Note, APP_ID is set in the environment for click packages and the app_pkgname can be derived from the APP_ID by doing:
app_pkgname = appid.split('_')[0]
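As an added illustration (not code from the bug report or from webbrowser-app), the derivation above carried through to the per-package data and cache directories, the AppArmor rules they imply, and a check that a given path really lies inside the webapp's own directories. The APP_ID value and its `<pkgname>_<app>_<version>` layout are constructed assumptions.

```python
import os

# Constructed example APP_ID; the report only states that the package name
# is the part before the first '_', so the remaining layout is assumed.
EXAMPLE_APP_ID = "com.example.webapp-news_webapp-news_1.0.2"


def app_pkgname(appid):
    """Derive the click package name from APP_ID exactly as the report does."""
    if not appid or "_" not in appid:
        raise ValueError("APP_ID is not in <pkgname>_<app>_<version> form: %r" % (appid,))
    return appid.split("_")[0]


def webapp_dirs(appid, env=None):
    """Return (data_dir, cache_dir) that belong to this webapp's package only.

    XDG defaults (~/.local/share and ~/.cache) apply when the variables are
    unset, matching the global paths the bug description cites.
    """
    env = os.environ if env is None else env
    home = env.get("HOME", "")
    data_home = env.get("XDG_DATA_HOME") or os.path.join(home, ".local", "share")
    cache_home = env.get("XDG_CACHE_HOME") or os.path.join(home, ".cache")
    name = app_pkgname(appid)
    return (os.path.join(data_home, name), os.path.join(cache_home, name))


def apparmor_rules(appid):
    """Render the per-package rules that replace the global webbrowser-app ones."""
    name = app_pkgname(appid)
    return "\n".join(
        "  owner @{HOME}/%s/%s/ rw,\n  owner @{HOME}/%s/%s/** rwk," % (base, name, base, name)
        for base in (".cache", ".local/share")
    )


def confined_to(appid, path, env=None):
    """True only if `path` is inside this webapp's own data or cache directory.

    normpath collapses '..' so a traversal out of the directory is rejected.
    """
    path = os.path.normpath(path)
    return any(os.path.commonpath([d, path]) == d for d in webapp_dirs(appid, env))


if __name__ == "__main__":
    print(apparmor_rules(EXAMPLE_APP_ID))
```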

Changed in webbrowser-app (Ubuntu Saucy):
status: New → Triaged
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: New → Triaged
Changed in webbrowser-app (Ubuntu Saucy):
importance: Undecided → High
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
importance: Undecided → High
description: updated
tags: added: application-confinement
description: updated
Olivier Tilloy (osomon) on 2013-09-16
Changed in webbrowser-app (Ubuntu Saucy):
assignee: nobody → Olivier Tilloy (osomon)
Olivier Tilloy (osomon) on 2013-09-16
Changed in webbrowser-app (Ubuntu Saucy):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webbrowser-app - 0.22+13.10.20130919.3-0ubuntu1

---------------
webbrowser-app (0.22+13.10.20130919.3-0ubuntu1) saucy; urgency=low

  [ Alexandre Abreu ]
  * Add a 'maximized' command line parameter mostly to enhance the
    control for webapps launch.

  [ Olivier Tilloy ]
  * Use the value of APP_ID to set the application name. This ensures
    that webapps (which run with a unique app ID) will write their data
    where they ought to, and that they won’t have access to other apps’
    cache and cookies. (LP: #1226085)
  * Add a unity action to clear the navigation history.
  * Override the UA string for facebook.com to ensure we’re getting
    touch-enabled content. Without this override, we were getting
    unstyled mobile content from the 90s. Impersonating an iphone or
    android would offer to install the respective applications when
    logging in. The 'Firefox' token gets us the right content (and
    pretending to be AppleWebKit seems to be necessary too, otherwise
    the layout is busted). (LP: #1215002)

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 318
 -- Ubuntu daily release <email address hidden> Thu, 19 Sep 2013 15:52:17 +0000

Changed in webbrowser-app (Ubuntu Saucy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.32

---------------
apparmor-easyprof-ubuntu (1.0.32) saucy; urgency=low

  * accounts:
    - needs lock ('k') access to .config/libaccounts-glib/accounts.db and read
      access to .config/libaccounts-glib/accounts.db*.
    - read access to /usr/share/accounts/**
    - deny write to .config/libaccounts-glib/accounts.db* (LP: #1220552)
  * refine audio policy group:
    - remove /tmp/ accesses now that TMPDIR is set by the sandbox
    - allow access to only the native socket (ie, disallow dbus-socket (only
      needed by pacmd), access to pid and the cli debugging socket)
      (LP: #1211380)
    - remove 'w' access to /{,var/}run/user/*/pulse/ - this should already
      exist when click apps run
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - silence the denial for creating ~/.gstreamer-0.10/ if it doesn't exist
  * camera:
    - add rw for /dev/ashmem. This will go away when camera moves to HAL
    - rw /run/shm/hybris_shm_data
    - add read on /android/system/media/audio/ui/camera_click.ogg
  * connectivity:
    - add policy as used by QML's QtSystemInfo and also Qt's QHostAddress,
      QNetworkInterface
    - add commented out rules for ofono (LP: #1226844)
  * finalize content_exchange policy for the content-hub. We now have two
    different policy groups: content_exchange for requesting/importing data
    and content_exchange_source for providing/exporting data
  * microphone:
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - add gstreamer and pulseaudio accesses and silence ALSA denials (we
      force pulseaudio). Eventually we should consolidate these and the ones
      in audio into a separate abstraction.
  * networking
    - explicitly deny access to NetworkManager. This technically shouldn't be
      needed at all, but depending on how apps connect, the lowlevel
      libraries get NM involved. Do the same for ofono
    - add access to the download manager (LP: #1227860)
  * video: add gstreamer accesses. Eventually we should consolidate these
    and the ones in audio into a gstreamer abstraction
  * add the following new reserved policy groups (reserved because they need
    integration with trust-store to be used by untrusted apps):
    - calendar - to access /org/gnome/evolution/dataserver/SourceManager,
      /org/gnome/evolution/dataserver/CalendarFactory and
      /org/gnome/evolution/dataserver/Calendar/**
    - contacts - to access com.canonical.pim and org.freedesktop.Telepathy.
      Note, org.freedesktop.Telepathy will go away when LP: #1227818 is fixed
    - history - to access com.canonical.HistoryService
  * remove unused policy groups. This would normally constitute a new minor
    version, but no one is using these yet. When there is an API to use for
    this sort of thing, we can reintroduce them
    - read_connectivity_details
    - bluetooth (no supported Qt5 API for these per the SDK team)
    - nfc (no supported Qt5 API for these per the SDK team)
  * ubuntu* templates:
    - remove workaround HUD rule for DBus access to hud/applications/* now
      ...

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: Triaged → Fix Released