[Touch-packages] [Bug 1219644] Re: Account plugins should be made confinable by apparmor

Tue, 03 Feb 2015 13:56:25 -0800 

Using this for the evernote-account-plugin.apparmor:
{
    "template": "ubuntu-account-plugin",
    "policy_groups": [
        "accounts",
        "audio",
        "networking",
        "webview"
    ],
    "policy_version": 1.2
}

with apparmor-easyprof-ubuntu 1.3.4 (pending upload), I can successfully create 
an account under confinement. The reminders app itself is unable to use the 
account (I can start it, but it never leaves the splash screen). There are some 
denials:
...
Feb  3 21:37:50 ubuntu-phablet kernel: [ 5634.484968] type=1400 
audit(1422999470.948:429): apparmor="DENIED" operation="mknod" 
profile="com.ubuntu.reminders_evernote-account-plugin_0.5.latest" 
name="/tmp/etilqs_R5PWXVRkWjQcVBC" pid=10898 comm="BrowserBlocking" 
requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1219644

Title:
  Account plugins should be made confinable by apparmor

Status in tools to review click packages:
  Confirmed
Status in Online Accounts setup for Ubuntu Touch:
  Fix Released
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Confirmed
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
  Fix Released

Bug description:
  With the current implementation, the QML files for account plugins are
  executed by the Online Accounts QML applet which in turn is executed
  within the System Settings process, which probably means that
  malicious account plugins could control everything that the System
  Settings process can (like entering/exiting the flight mode).

  Account plugins (or the Online Accounts applet itself) should probably
  be run in a separate process, which could then be assigned a stricter
  confinement with apparmor.

To manage notifications about this bug go to:
https://bugs.launchpad.net/click-reviewers-tools/+bug/1219644/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to