I'm going to mark this as 'High' for now since confined apps will have this denial. This may need to be moved to Critical.
** Changed in: oxide Importance: Medium => High -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1260048 Title: oxide should use an application specific location for pki/nss files Status in Oxide Webview: Triaged Status in “apparmor-easyprof-ubuntu” package in Ubuntu: Confirmed Bug description: Running oxide under confinement, I see the following denial: Dec 11 13:32:58 localhost kernel: [224656.316855] type=1400 audit(1386790378.642:1642): apparmor="DENIED" operation="open" parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test- oxide_0.1" name="/home/jamie/.pki/nssdb/cert9.db" pid=21725 comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000 This requires the following rule: owner @{HOME}/.pki/nssdb/ rw, owner @{HOME}/.pki/nssdb/** rwk, But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically oxide should be adjusted to use $XDG_DATA_HOME/<app_pkgname>, where '<app_pkgname>' is the "name" field in the Click manifest. To manage notifications about this bug go to: https://bugs.launchpad.net/oxide/+bug/1260048/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
