oxide should use an application specific location for pki/nss files

Bug #1260048 reported by Jamie Strandboge
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Oxide
Fix Released
Critical
Chris Coulson
1.2
Fix Released
Critical
Chris Coulson

Bug Description

Running oxide under confinement, I see the following denial:

Dec 11 13:32:58 localhost kernel: [224656.316855] type=1400 audit(1386790378.642:1642): apparmor="DENIED" operation="open" parent=3635 profile="com.ubuntu.developer.jdstrand.test-oxide_test-oxide_0.1" name="/home/jamie/.pki/nssdb/cert9.db" pid=21725 comm="Chrome_IOThread" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000

This requires the following rule:
  owner @{HOME}/.pki/nssdb/ rw,
  owner @{HOME}/.pki/nssdb/** rwk,

But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically oxide should be adjusted to use $XDG_DATA_HOME/<app_pkgname>, where '<app_pkgname>' is the "name" field in the Click manifest.

Changed in oxide:
assignee: nobody → Chris Coulson (chrisccoulson)
status: New → Triaged
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This definitely needs to get addressed.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Note, these rules are currently in the webview policy group. If this isn't going to be fixed soon, should we at least remove 'w' access from the policy so we only have information disclosure as opposed to db poisoning?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I agree, removing 'w' would make sense...although I suspect that will prevent users from accepting self-signed certs in the browser. Perhaps that isn't important for the moment, I'm not sure if we even have a dialog for that.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

We do not have a dialog for that. That is bug 1214034.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This will be the new policy until this bug is fixed:
  # LP: #1260048 - only allow 'r' for now, since 'w' allow for db poisoning
  owner @{HOME}/.pki/nssdb/ r,
  owner @{HOME}/.pki/nssdb/** rk,
  deny @{HOME}/.pki/nssdb/ w,
  deny @{HOME}/.pki/nssdb/** w,

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

apparmor-easyprof-ubuntu (1.1.11) trusty; urgency=medium

  * 1.0/ubuntu-*: explicitly deny access to oxide files so webbrowser-app's
    fallback mechanism to QtWebKit works correctly. This is needed so 13.10
    framework webapps don't regress
  * 1.1/webview: prevent certificate db poisoning and disallow write access to
    @{HOME}/.pki/nssdb/*. Note, while this prevents cert attacks, it doesn't
    prevent information disclosure so once LP: 1260048 is fixed in oxide, we
    can remove the read access.

Leaving the apparmor-easyprof-ubuntu task open since whenever oxide is updated we'll want to remove the workaround policy.

Changed in oxide:
importance: High → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Reducing the priority to medium for now since apps can't update the nssdb now anyway. When they can, this bug will block the functionality from working and see the priority may change again.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

With newer oxide on 14.10, we are hitting this again:
apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.webapps.webapp-amazon_webapp-amazon_1.0.9" name="/home/phablet/.pki/" pid=30367 comm="webapp-containe" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

Seems that oxide should allow for specifying an alternate shared nssdb. Once it can do that, the UbuntuWebview could examine "applicationName" from MainView like with other QML components and do this for the app automatically. webapp-container, html5-container, cordova, et al would need to setup Oxide to do this as well.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I'm going to mark this as 'High' for now since confined apps will have this denial. This may need to be moved to Critical.

Changed in oxide:
importance: Medium → High
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

nssdb is for storing new root certificates and Oxide doesn't support updating those. Furthermore, upstream will be moving away from nss at some point anyway. For the time being we can initialize nss without user db. Marking Critical, rtm14, and touch-2014-09-11. Removing apparmor-easyprof-ubuntu task since there is nothing to do.

no longer affects: apparmor-easyprof-ubuntu (Ubuntu)
Changed in oxide:
status: Triaged → In Progress
importance: High → Critical
tags: added: rtm14 touch-2014-09-03
tags: added: touch-2014-09-11
removed: touch-2014-09-03
Changed in oxide:
milestone: none → branch-1.3
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.