SDK and cordova webview applications should not use ~/.local/share/*/.QtWebKit/ for their databases
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cordova Ubuntu | Fix Released | High | Maxim Ermilov |
Ubuntu HTML5 UI SDK | Fix Released | Undecided | Unassigned |
Ubuntu UI Toolkit | Fix Released | Undecided | Unassigned |
apparmor-easyprof-ubuntu (Ubuntu) | Fix Released | High | Jamie Strandboge |
Saucy | Fix Released | High | Jamie Strandboge |
Trusty | Fix Released | High | Jamie Strandboge |
cordova-ubuntu (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Won't Fix | High | Unassigned |
ubuntu-html5-theme (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |
ubuntu-ui-toolkit (Ubuntu) | Fix Released | Undecided | Unassigned |
Saucy | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |

Bug Description
Ubuntu SDK applications that use webkit webviews store webkit databases in places like this:
~/.local/share/Qt Project/
~/.local/share/Qt Project/
This results in AppArmor rules like the following:
owner "@{HOME}
owner "@{HOME}
But these rules are too lenient because this could disclose data to a malicious app and a malicious app could poison the databases. Therefore, these paths need to be made application specific. Specifically webbrowser-app should be adjusted to use $XDG_DATA_
The same bug affects cordova-ubuntu, but writes are to @{HOME}
owner "@{HOME}
owner "@{HOME}
owner "@{HOME}
owner "@{HOME}
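An added example (not part of the original bug report or of any affected project's code): a small Python audit that flags AppArmor file rules granting access under @{HOME}/.local/share/ to a directory that is not specific to the app, which is the condition this bug describes. The profile fragment and the app id com.example.notes are constructed, and the per-app directory layout @{HOME}/.local/share/<app id>/ is an assumption.

```python
import re

# One AppArmor file rule: [audit] [owner] <path> <perms>,   (path may be quoted)
RULE = re.compile(r'^\s*(?:audit\s+)?(?:owner\s+)?(?:"([^"]+)"|(\S+))\s+([A-Za-z]+),')
DATA_ROOT = "@{HOME}/.local/share/"

def audit_profile(profile_text, app_id):
    """Return (line, path, risks, reason) for data-dir rules not scoped to app_id."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line.split("#", 1)[0])  # drop comments
        if not m:
            continue
        path, perms = m.group(1) or m.group(2), m.group(3)
        if not path.startswith(DATA_ROOT):
            continue
        first = path[len(DATA_ROOT):].split("/", 1)[0]
        if first == app_id:
            continue  # scoped to this app's own directory
        if re.search(r"[*?\[{]", first):
            reason = "glob matches other apps' directories"
        else:
            reason = "fixed directory not specific to this app"
        risks = []
        if "r" in perms:
            risks.append("disclosure")  # another app's data can be read
        if "w" in perms or "a" in perms:
            risks.append("poisoning")   # another app's databases can be altered
        findings.append((lineno, path, risks, reason))
    return findings

# Constructed sample profile fragment; com.example.notes is a hypothetical app id.
SAMPLE_PROFILE = '''
# webview storage
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/" rw,
owner "@{HOME}/.local/share/Qt Project/QtQmlViewer/.QtWebKit/**" rwk,
owner @{HOME}/.local/share/*/.QtWebKit/** r,
owner @{HOME}/.local/share/com.example.notes/ rw,
owner @{HOME}/.local/share/com.example.notes/** mrwkl,
/usr/share/icons/** r,
'''

if __name__ == "__main__":
    for lineno, path, risks, reason in audit_profile(SAMPLE_PROFILE, "com.example.notes"):
        print(f"line {lineno}: {path} -> {', '.join(risks)} ({reason})")
```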
Related branches
- PS Jenkins bot: Approve (continuous-integration)
- Zsombor Egri: Approve
- Tim Peeters: Pending requested
- Diff: 376 lines (+286/-0), 9 files modified
  - modules/Ubuntu/Components/MainView.qml (+5/-0)
  - modules/Ubuntu/Components/plugin/plugin.cpp (+7/-0)
  - modules/Ubuntu/Components/plugin/plugin.pro (+2/-0)
  - modules/Ubuntu/Components/plugin/ucapplication.cpp (+57/-0)
  - modules/Ubuntu/Components/plugin/ucapplication.h (+53/-0)
  - tests/unit/tst_mainview/AppName.qml (+23/-0)
  - tests/unit/tst_mainview/tst_mainview.cpp (+132/-0)
  - tests/unit/tst_mainview/tst_mainview.pro (+6/-0)
  - tests/unit/unit.pro (+1/-0)
- PS Jenkins bot: Approve (continuous-integration)
- David Barth: Approve
- Diff: 17 lines (+7/-0), 1 file modified
  - src/ubuntu-html5-app-launcher/main.cpp (+7/-0)
tags: added: application-confinement
summary:
  SDK webview applications should not use ~/.local/share/Qt
- Project/QtQmlViewer/.QtWebKit/ for its databases
+ Project/QtQmlViewer/.QtWebKit/ for their databases
description: updated
Changed in ubuntu-qtcreator-plugins:
assignee: nobody → Timo Jyrinki (timo-jyrinki)
affects: ubuntu-qtcreator-plugins → ubuntu-ui-toolkit
description: updated
Changed in ubuntu-ui-toolkit:
assignee: Timo Jyrinki (timo-jyrinki) → nobody
Changed in qtdeclarative-opensource-src (Ubuntu):
assignee: nobody → Christian Dywan (kalikiana)
Changed in cordova-ubuntu:
assignee: nobody → Alexandre Abreu (abreu-alexandre)
importance: Undecided → High
assignee: Alexandre Abreu (abreu-alexandre) → Maxim Ermilov (zaspire)
description: updated
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: New → Triaged
Changed in qtdeclarative-opensource-src (Ubuntu Saucy):
importance: Undecided → High
description: updated
Changed in ubuntu-ui-toolkit:
status: Fix Committed → Fix Released
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: Triaged → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in qtdeclarative-opensource-src (Ubuntu Saucy):
status: New → Won't Fix
summary:
- SDK webview applications should not use ~/.local/share/*/.QtWebKit/ for
- their databases
+ SDK and cordova webview applications should not use
+ ~/.local/share/*/.QtWebKit/ for their databases
Changed in cordova-ubuntu:
status: New → Confirmed
Changed in apparmor-easyprof-ubuntu (Ubuntu Trusty):
status: Triaged → In Progress
Changed in ubuntu-html5-theme:
status: Fix Committed → Fix Released
Changed in cordova-ubuntu:
status: Confirmed → Fix Released
Changed in cordova-ubuntu (Ubuntu Trusty):
status: Confirmed → Won't Fix
The day is coming when oneliners will rule the World again:
sudo apt-get install webbrowser-app -y; unset XDG_DATA_HOME; webbrowser-app & sleep 1; ls -l /proc/`ps aux | grep webbrowser-app | awk '{print $2}' | head -1`/fd | grep webbrowser-app; killall -9 webbrowser-app; export XDG_DATA_HOME=/tmp; webbrowser-app & sleep 1; ls -l /proc/`ps aux | grep webbrowser-app | awk '{print $2}' | head -1`/fd | grep webbrowser-app; killall -9 webbrowser-app; unset XDG_DATA_HOME
So setting the XDG_[.*] variables sounds like a viable workaround