Ubuntu UI Toolkit

SDK and cordova webview applications should not use ~/.local/share/*/.QtWebKit/ for their databases

Bug #1197056 reported by Jamie Strandboge
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Cordova Ubuntu
Fix Released
High
Maxim Ermilov
Ubuntu HTML5 UI SDK
Fix Released
Undecided
Unassigned
Ubuntu UI Toolkit
Fix Released
Undecided
Unassigned
apparmor-easyprof-ubuntu (Ubuntu)
Fix Released
High
Jamie Strandboge
Saucy
Fix Released
High
Jamie Strandboge
Trusty
Fix Released
High
Jamie Strandboge
cordova-ubuntu (Ubuntu)
Fix Released
High
Unassigned
Trusty
Won't Fix
High
Unassigned
ubuntu-html5-theme (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Undecided
Unassigned
ubuntu-ui-toolkit (Ubuntu)
Fix Released
Undecided
Unassigned
Saucy
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Undecided
Unassigned

Bug Description

Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db
~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db

This results in AppArmor rules like the following:
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/WebpageIcons.db" rwk,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/cookies.db" rwk,

But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically webbrowser-app should be adjusted to use $XDG_DATA_HOME/<app_pkgname> for webapps, where '<app_pkgname>' is the "name" field in the Click manifest (see bug #1197037 for details).

The same bug affects cordova-ubuntu, but writes are to @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit resulting in these too-lenient rules:
  owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/WebpageIcons.db" rwk,
  owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/cookies.db" rwk,
  owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/" r,
  owner "@{HOME}/.local/share/cordova-ubuntu*/.QtWebKit/LocalStorage/**" rwk,

See original description

Related branches

lp:~kalikiana/ubuntu-ui-toolkit/appname
PS Jenkins bot: Approve (continuous-integration)
Zsombor Egri: Approve
Tim Peeters: Pending requested
Diff: 376 lines (+286/-0)
9 files modified
modules/Ubuntu/Components/MainView.qml (+5/-0)
modules/Ubuntu/Components/plugin/plugin.cpp (+7/-0)
modules/Ubuntu/Components/plugin/plugin.pro (+2/-0)
modules/Ubuntu/Components/plugin/ucapplication.cpp (+57/-0)
modules/Ubuntu/Components/plugin/ucapplication.h (+53/-0)
tests/unit/tst_mainview/AppName.qml (+23/-0)
tests/unit/tst_mainview/tst_mainview.cpp (+132/-0)
tests/unit/tst_mainview/tst_mainview.pro (+6/-0)
tests/unit/unit.pro (+1/-0)
lp:ubuntu/saucy-proposed/apparmor-easyprof-ubuntu
lp:~abreu-alexandre/ubuntu-html5-theme/fix-applicationname
PS Jenkins bot: Approve (continuous-integration)
David Barth: Approve
Diff: 17 lines (+7/-0)
1 file modified
src/ubuntu-html5-app-launcher/main.cpp (+7/-0)
lp:ubuntu/trusty-proposed/ubuntu-html5-theme
lp:ubuntu/trusty-proposed/apparmor-easyprof-ubuntu
Jamie Strandboge (jdstrand)
tags: added: application-confinement
summary: SDK webview applications should not use ~/.local/share/Qt
- Project/QtQmlViewer/.QtWebKit/ for its databases
+ Project/QtQmlViewer/.QtWebKit/ for their databases
description: updated
Juhapekka Piiroinen (juhapekka-piiroinen)
Changed in ubuntu-qtcreator-plugins:
assignee: nobody → Timo Jyrinki (timo-jyrinki)
Juhapekka Piiroinen (juhapekka-piiroinen)
affects: ubuntu-qtcreator-plugins → ubuntu-ui-toolkit
Jamie Strandboge (jdstrand)
description: updated
Revision history for this message
Zoltan Balogh (bzoltan) wrote : Re: SDK webview applications should not use ~/.local/share/Qt Project/QtQmlViewer/.QtWebKit/ for their databases

The day is coming when oneliners will rule the World again:

sudo apt-get install webbrowser-app -y;unset XDG_DATA_HOME;webbrowser-app & sleep 1;ls -l /proc/`ps aux | grep webbrowser-app|awk '{print $2}'|head -1`/fd|grep webbrowser-app;killall -9 webbrowser-app;export XDG_DATA_HOME=/tmp;webbrowser-app & sleep 1;ls -l /proc/`ps aux | grep webbrowser-app|awk '{print $2}'|head -1`/fd|grep webbrowser-app;killall -9 webbrowser-app;unset XDG_DATA_HOME

So setting the XDG_[.*] variables sounds a viable workaround

Jamie Strandboge (jdstrand)
Changed in ubuntu-ui-toolkit:
assignee: Timo Jyrinki (timo-jyrinki) → nobody
Changed in qtdeclarative-opensource-src (Ubuntu):
assignee: nobody → Christian Dywan (kalikiana)
Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: SDK webview applications should not use ~/.local/share/*/.QtWebKit/ for their databases

This also affects cordova-ubuntu.

summary: - SDK webview applications should not use ~/.local/share/Qt
- Project/QtQmlViewer/.QtWebKit/ for their databases
+ SDK webview applications should not use ~/.local/share/*/.QtWebKit/ for
+ their databases
description: updated
Pat McGowan (pat-mcgowan)
Changed in cordova-ubuntu:
assignee: nobody → Alexandre Abreu (abreu-alexandre)
importance: Undecided → High
assignee: Alexandre Abreu (abreu-alexandre) → Maxim Ermilov (zaspire)
Jamie Strandboge (jdstrand)
description: updated
Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: New → Triaged
Jamie Strandboge (jdstrand)
Changed in qtdeclarative-opensource-src (Ubuntu Saucy):
importance: Undecided → High
Jamie Strandboge (jdstrand)
description: updated
Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

Fix committed into lp:ubuntu-ui-toolkit at revision 752, scheduled for release in ubuntu-ui-toolkit, milestone Unknown

Changed in ubuntu-ui-toolkit:
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-ui-toolkit - 0.1.46+13.10.20130925.1-0ubuntu1

---------------
ubuntu-ui-toolkit (0.1.46+13.10.20130925.1-0ubuntu1) saucy; urgency=low

  [ Timo Jyrinki ]
  * Temporarily disable the jokes example in order to not have
    qtmultimedia dependency from examples that is not used otherwise.
    This lessens the dependency chains of packages. It can be added back
    after Ubuntu 13.10.
  * Fix regression in qmlscene usage (LP: #1229541). (LP: #1229541)

  [ Christian Dywan ]
  * Set QCoreApplication::applicationName based on MainView. (LP:
    #1197056, #1197051, #1224126)
  * Include subfolders of Components in api check.

  [ Zsombor Egri ]
  * Organizer EDS (Evolution Data Server) integration.
  * StateSaver attached component.
  * Fix alarm status reporting, updating documentation on asynchronous
    behavior of save and cancel operations. Alarm status notification
    reports the operation the status refers to. (LP: #1226516)
  * Dialer + DialerHand components required for TimePicker. .

  [ Leo Arias ]
  * Added UbuntuUIToolkitAppTestCase as a base test case for the
    autopilot tests. (LP: #1227355)
  * Added the autopilot emulator for toggles.

  [ Nick Dedekind ]
  * Added clipping to tab bar. (LP: #1226104)

  [ Alberto Mardegan ]
  * Support re-attaching to a different QQuickView Make the plugin
    correctly handle the case when the QQuickView is destroyed and a new
    one is created: this is done by avoiding using static variables, and
    instead binding the data to the QQmlEngine, QQmlContext or QWindow
    as appropriate. . (LP: #1221707)

  [ Dennis O'Flaherty ]
  * Reword the description for easier reading.

  [ tpeeters ]
  * Fix warnings when running gallery-app autopilot tests. (LP:
    #1223329, #1223326)
  * Smarter automatic updating of Panel's opened property. Panel.open()
    and Panel.close() should be used to open/close a Panel, or when
    using a toolbar with ToolbarItems from a Page, set Page.tools.opened
    to open/close the toolbar. No API or behavior changes since the
    panel-open-close branch. Toolbar behavior changes will be done in a
    following MR.

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 765
 -- Ubuntu daily release <email address hidden> Wed, 25 Sep 2013 07:08:56 +0000

Changed in ubuntu-ui-toolkit (Ubuntu Saucy):
status: New → Fix Released
Florian Boucault (fboucault)
Changed in ubuntu-ui-toolkit:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: Triaged → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in qtdeclarative-opensource-src (Ubuntu Saucy):
status: New → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.35

---------------
apparmor-easyprof-ubuntu (1.0.35) saucy; urgency=low

  * apparmor-easyprof-ubuntu.install: install data/hardware/*, thus allowing
    porters, OEMs, etc to ship their own policy without having to modify this
    package (LP: #1197133)
  * add data/hardware/graphics.d/* and data/hardware/audio.d/*, namespaced to
    this package. We will move these out to lxc-android-config later
  * tests/test-data.py: adjust to test data/hardware/*
  * accounts: move to reserved status until LP: 1230091 is fixed
  * calendar: remove workaround rule for gio DBus path (LP: #1227295)
  * add usermetrics policy group so apps can update the infographic
  * ubuntu-* templates:
    - allow StartServiceByName on the system bus too. This is needed by the
      new usermetrics policy group and we will presumably have more going
      forward (eg location)
    - account for /org/freedesktop/dbus object path. This seems to be used by
      the python DBus bindings (eg, friends)
    - move hardware specific accesses out of the templates into
      hardware/graphics.d/ in preparation of the move to shipping these in
      lxc-android-config (note, this doesn't change apparmor policy in any
      way)
    - add 'r' to dbus system bus socket (LP: #1208988)
    - add ixr access to thumbnailer helper (LP: #1234543)
    - finetune HUD access
    - don't use ibus abstraction but instead use 'r' access for
      owner @{HOME}/.config/ibus/**
    - don't use freedesktop.org abstraction but instead add read accesses
      for /usr/share/icons and various mime files
    - updates for new gstreamer
      - move in gstreamer accesses from audio policy groupd due to hybris
  * ubuntu-sdk template:
    - remove workaround paths now that ubuntu-ui-toolkit is using
      QCoreApplication::applicationName based on MainView's applicationName
      (LP: #1197056, #1197051, #1224126, LP: #1231863)
  * ubuntu-webapp template:
    - allow read access to /usr/share/unity-webapps/userscripts/**
    - allow rix to gst-plugin-scanner
  * add reserved friends policy group (reserved because it needs integration
    with trust-store to be used by untrusted apps)
  * remove peer from receive DBus rules in the ubuntu-* templates and the
    contacts, history, and location policy groups (LP: #1233895)
  * audio:
    - move gstreamer stuff out to templates since hybris pulls it in for all
      apps
    - include hardware/audio.d for hardware specific accesses
 -- Jamie Strandboge <email address hidden> Mon, 07 Oct 2013 13:18:27 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: In Progress → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Can the Ubuntu Cordova task be closed or is it still affected?

no longer affects: qtdeclarative-opensource-src (Ubuntu)
no longer affects: qtdeclarative-opensource-src (Ubuntu Saucy)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Cordova is still affected-- confirmed on unity7 (desktop) and unity8 (touch/mako). Here is the apparmor policy needed for cordova-ubuntu-2.8 on trusty using com.ubuntu.developer.abreu-alexandre.cordova-qrcode-reader 1.0.4:
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/ rw,
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/ rw,
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/cache/ rw,
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/cache/** rw,
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/Databases/ rw,
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/Databases/** rwk,
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/LocalStorage/ rw,
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/LocalStorage/** rwk,
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/WebpageIcons.db* rwk,
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/cookies.db* rwk,

cordova-ubuntu needs to somehow determine the click manifest "name" and adjust @{HOME}/.local/share/cordova-ubuntu-2.8 to be @{HOME}/.local/share/<click package name>.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Re-opening the apparmor-easyprof-ubuntu task to remove workaround accesses in 1.0.42.

Changed in cordova-ubuntu (Ubuntu Trusty):
importance: Undecided → High
status: New → Confirmed
Changed in apparmor-easyprof-ubuntu (Ubuntu Trusty):
status: Fix Released → Triaged
Jamie Strandboge (jdstrand)
summary: - SDK webview applications should not use ~/.local/share/*/.QtWebKit/ for
- their databases
+ SDK and cordova webview applications should not use
+ ~/.local/share/*/.QtWebKit/ for their databases
Changed in cordova-ubuntu:
status: New → Confirmed
Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

Fix committed into lp:ubuntu-html5-theme at revision 114, scheduled for release in ubuntu-html5-theme, milestone 14.02

Changed in ubuntu-html5-theme:
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-html5-theme - 0.1+14.04.20140203-0ubuntu1

---------------
ubuntu-html5-theme (0.1+14.04.20140203-0ubuntu1) trusty; urgency=low

  [ Alexandre Abreu ]
  * fix sdk package for now bc unity-webapps-qml hasn't been uploaded
    yet.

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 119
 -- Ubuntu daily release <email address hidden> Mon, 03 Feb 2014 14:15:30 +0000

Changed in ubuntu-html5-theme (Ubuntu Trusty):
status: New → Fix Released
Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu Trusty):
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.1.3

---------------
apparmor-easyprof-ubuntu (1.1.3) trusty; urgency=medium

  * 1.1/webview: updates for oxide
  * 1.1/ubuntu-sdk: remove workaround policy for LP: #1197056 (cordova webview
    applications should not use ~/.local/share)
  * 1.*/ubuntu-sdk: all to receive Open on org.freedesktop.Application to
    allow UriHandler in the SDK to work with already running apps. Patch
    thanks to Ken Vandine.
  * implement autopkgtests
    - add debian/tests/control
    - add debian/tests/install_*
    - adjust debian/control for XS-Testsuite
 -- Jamie Strandboge <email address hidden> Wed, 05 Feb 2014 16:54:26 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu Trusty):
status: In Progress → Fix Released
Adnane Belmadiaf (daker)
Changed in ubuntu-html5-theme:
status: Fix Committed → Fix Released
Maxim Ermilov (zaspire)
Changed in cordova-ubuntu:
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand)
Changed in cordova-ubuntu (Ubuntu Trusty):
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Marking cordova-ubuntu as 'Fix Released' based on status of bug #1217439.

Changed in cordova-ubuntu (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Related blueprints

Remote bug watches

Bug watches keep track of this bug in other bug trackers.