webapp-container apps or even straight WebView apps in QML all want to read /proc/$pid/mounts and /dev/disk/by-label/ on startup

Bug #1458923 reported by Oliver Grawert
This bug affects 1 person
Affects             Status   Importance   Assigned to   Milestone
Oxide               New      Undecided    Unassigned
oxide-qt (Ubuntu)   New      Undecided    Unassigned

Bug Description

Opening a webapp-container app or any of my alternate webapp-container apps (which is just a WebView in some QML wrapping) produces the lines below for every app on startup.

May 26 17:48:08 ubuntu-phablet kernel: [17236.280884] type=1400 audit(1432655288.390:220): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.ogra.zdnet-de_zdnet-de_0.2" name="/proc/6880/mounts" pid=6880 comm="webapp-containe" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
May 26 17:48:08 ubuntu-phablet kernel: [17236.281059] type=1400 audit(1432655288.390:221): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.ogra.zdnet-de_zdnet-de_0.2" name="/dev/disk/by-label/" pid=6880 comm="webapp-containe" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
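The two kernel lines above are AppArmor audit records; on a device that launches many confined apps they are easiest to triage by parsing the key=value fields and grouping denials per profile and path. The following is an added example written for this page, not code from the bug report or from Oxide/oxide-qt. It embeds the two lines from the report plus two constructed lines (a made-up profile reading another process's /proc entry, and a non-DENIED STATUS record) to show that reads of another pid's /proc/<pid>/mounts are flagged separately from a process reading its own entry.

```python
"""Parse AppArmor "DENIED" kernel audit lines and summarise what confined
applications were blocked from reading.

Added example; not part of the Launchpad bug report or the Oxide project.
"""
import re
from collections import Counter

# Constructed sample input: the two lines from the bug report, one constructed
# cross-process read by a made-up profile, and one constructed non-DENIED record.
SAMPLE_LOG = """\
May 26 17:48:08 ubuntu-phablet kernel: [17236.280884] type=1400 audit(1432655288.390:220): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.ogra.zdnet-de_zdnet-de_0.2" name="/proc/6880/mounts" pid=6880 comm="webapp-containe" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
May 26 17:48:08 ubuntu-phablet kernel: [17236.281059] type=1400 audit(1432655288.390:221): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.ogra.zdnet-de_zdnet-de_0.2" name="/dev/disk/by-label/" pid=6880 comm="webapp-containe" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
May 26 17:48:09 ubuntu-phablet kernel: [17236.300000] type=1400 audit(1432655289.100:222): apparmor="DENIED" operation="open" profile="com.example.constructed_app_1.0" name="/proc/1/mounts" pid=7001 comm="constructed" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
May 26 17:48:09 ubuntu-phablet kernel: [17236.310000] type=1400 audit(1432655289.200:223): apparmor="STATUS" operation="profile_load" profile="unconfined" name="com.example.constructed_app_1.0" pid=7002 comm="apparmor_parser"
"""

# key="quoted value" or key=bare_value, as the kernel audit format emits them
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# numeric pid component of a /proc path
PROC_PID_RE = re.compile(r'^/proc/(\d+)/')

# what the paths from the report expose, for the summary
SENSITIVE = {
    '/proc/<pid>/mounts': 'mount table (information leak)',
    '/dev/disk/by-label/': 'block device labels (enumeration)',
}


def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit line, or None if the
    line is not an AppArmor audit record. Only pid is converted to int."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted != '' else bare
    if 'pid' in fields:
        fields['pid'] = int(fields['pid'])
    return fields


def normalise_path(path):
    """Replace the pid component of a /proc path with <pid> so denials from
    different processes group together."""
    return PROC_PID_RE.sub('/proc/<pid>/', path)


def classify(fields):
    """Describe one DENIED record; None for records that are not denials."""
    if fields.get('apparmor') != 'DENIED':
        return None
    name = fields.get('name', '')
    m = PROC_PID_RE.match(name)
    # reading your own /proc entry is a smaller leak than reading someone else's
    own_process = bool(m) and m.group(1) == str(fields.get('pid'))
    return {
        'profile': fields.get('profile', '?'),
        'path': normalise_path(name),
        'denied_mask': fields.get('denied_mask', ''),
        'cross_process': bool(m) and not own_process,
    }


def summarise(log_text):
    """Count denials per (profile, normalised path) and collect the
    cross-process /proc reads, which deserve a closer look."""
    counts = Counter()
    cross_process = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields is None:
            continue
        info = classify(fields)
        if info is None:
            continue
        counts[(info['profile'], info['path'])] += 1
        if info['cross_process']:
            cross_process.append((info['profile'], fields['name']))
    return counts, cross_process


if __name__ == '__main__':
    counts, cross_process = summarise(SAMPLE_LOG)
    for (profile, path), n in sorted(counts.items()):
        print(f"{n:3d}  {profile}  {path}  [{SENSITIVE.get(path, 'other')}]")
    for profile, name in cross_process:
        print(f"cross-process /proc read: {profile} -> {name}")
```

Run it against `journalctl -k` or `dmesg` output instead of `SAMPLE_LOG` to get the same per-profile summary for a real device; the grouping by normalised path is what turns one noisy line per launch into a single row per app and resource.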

Jamie Strandboge (jdstrand) wrote :

From IRC:
10:54 < ogra_> i dont think its the webbrowser app since i see it in plain WebView as well

affects: webbrowser-app (Ubuntu) → oxide-qt (Ubuntu)
Jamie Strandboge (jdstrand) wrote :

I'm not sure why oxide is trying to access /proc/*/mounts and /dev/disk/by-label/, but access to the first is an information leak and the second, while harmless enough in and of itself, likely will lead to additional accesses that are not allowed.

Jamie Strandboge (jdstrand) wrote :

As it stands now, this is not a security issue because the security policy is blocking it, but it does create log entries that are confusing on each webapp launch.

tags: added: application-confinement
Jamie Strandboge (jdstrand) wrote :

Also from IRC, this appears to be new in 'recent (vivid) images'.

summary: webapp-container apps or even straight WebView apps in QML all want to
- read /proc/$pid/mounts on startup
+ read /proc/$pid/mounts and /dev/disk/by-label/ on startup
