2020-09-12 17:19:23 +02:00
|
|
|
# vim:syntax=apparmor
|
|
|
|
# Profile for restricting lightdm guest session
|
|
|
|
# Author: Martin Pitt <martin.pitt@ubuntu.com>
|
|
|
|
|
|
|
|
# This abstraction provides the majority of the confinement for guest sessions.
|
|
|
|
# It is in its own abstraction so we can have a centralized place for
|
|
|
|
# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
|
|
|
|
# etc). Note that this profile intentionally omits chromium-browser.
|
|
|
|
|
|
|
|
# Requires apparmor 2.9
|
|
|
|
|
2020-12-10 22:33:39 +01:00
|
|
|
include <abstractions/authentication>
|
|
|
|
include <abstractions/cups-client>
|
|
|
|
include <abstractions/dbus>
|
|
|
|
include <abstractions/dbus-session>
|
|
|
|
include <abstractions/dbus-accessibility>
|
|
|
|
include <abstractions/nameservice>
|
|
|
|
include <abstractions/wutmp>
|
2020-09-12 17:19:23 +02:00
|
|
|
|
|
|
|
# bug in compiz https://launchpad.net/bugs/697678
|
|
|
|
/etc/compizconfig/config rw,
|
|
|
|
/etc/compizconfig/unity.ini rw,
|
|
|
|
|
|
|
|
/ r,
|
|
|
|
/bin/ rmix,
|
|
|
|
/bin/fusermount Px,
|
|
|
|
/bin/** rmix,
|
|
|
|
/cdrom/ rmix,
|
|
|
|
/cdrom/** rmix,
|
|
|
|
/dev/ r,
|
|
|
|
/dev/** rmw, # audio devices etc.
|
|
|
|
owner /dev/shm/** rmw,
|
|
|
|
/etc/ r,
|
|
|
|
/etc/** rmk,
|
|
|
|
/etc/X11/Xsession ix,
|
|
|
|
/etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
|
|
|
|
/etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
|
|
|
|
/lib/ r,
|
|
|
|
/lib/** rmixk,
|
|
|
|
/lib32/ r,
|
|
|
|
/lib32/** rmixk,
|
|
|
|
/lib64/ r,
|
|
|
|
/lib64/** rmixk,
|
|
|
|
owner /{,run/}media/ r,
|
|
|
|
owner /{,run/}media/** rmwlixk, # we want access to USB sticks and the like
|
|
|
|
/opt/ r,
|
|
|
|
/opt/** rmixk,
|
|
|
|
@{PROC}/ r,
|
|
|
|
@{PROC}/* rm,
|
|
|
|
@{PROC}/[0-9]*/net/ r,
|
|
|
|
@{PROC}/[0-9]*/net/dev r,
|
|
|
|
@{PROC}/asound rm,
|
|
|
|
@{PROC}/asound/** rm,
|
|
|
|
@{PROC}/ati rm,
|
|
|
|
@{PROC}/ati/** rm,
|
|
|
|
@{PROC}/sys/vm/overcommit_memory r,
|
|
|
|
owner @{PROC}/** rm,
|
|
|
|
# needed for gnome-keyring-daemon
|
|
|
|
@{PROC}/*/status r,
|
|
|
|
# needed for bamfdaemon and utilities such as ps and killall
|
|
|
|
@{PROC}/*/stat r,
|
|
|
|
/sbin/ r,
|
|
|
|
/sbin/** rmixk,
|
|
|
|
/sys/ r,
|
|
|
|
/sys/** rm,
|
|
|
|
# needed for confined trusted helpers, such as dbus-daemon
|
|
|
|
/sys/kernel/security/apparmor/.access rw,
|
|
|
|
/tmp/ rw,
|
|
|
|
owner /tmp/** rwlkmix,
|
|
|
|
/usr/ r,
|
|
|
|
/usr/** rmixk,
|
|
|
|
/var/ r,
|
|
|
|
/var/** rmixk,
|
|
|
|
/var/guest-data/** rw, # allow to store files permanently
|
|
|
|
/var/tmp/ rw,
|
|
|
|
owner /var/tmp/** rwlkm,
|
|
|
|
/{,var/}run/ r,
|
|
|
|
# necessary for writing to sockets, etc.
|
|
|
|
/{,var/}run/** rmkix,
|
|
|
|
/{,var/}run/mir_socket rw,
|
|
|
|
/{,var/}run/screen/** wl,
|
|
|
|
/{,var/}run/shm/** wl,
|
|
|
|
/{,var/}run/uuidd/request w,
|
|
|
|
# libpam-xdg-support/logind
|
|
|
|
owner /{,var/}run/user/*/** rw,
|
|
|
|
|
|
|
|
capability ipc_lock,
|
|
|
|
|
|
|
|
# allow processes in the guest session to signal and ptrace each other
|
|
|
|
signal peer=@{profile_name},
|
|
|
|
ptrace peer=@{profile_name},
|
|
|
|
# needed when logging out of the guest session
|
|
|
|
signal (receive) peer=unconfined,
|
|
|
|
|
|
|
|
unix peer=(label=@{profile_name}),
|
|
|
|
unix (receive) peer=(label=unconfined),
|
|
|
|
unix (create),
|
|
|
|
unix (getattr, getopt, setopt, shutdown),
|
|
|
|
unix (bind, listen, accept, receive, send) type=stream addr="@/com/ubuntu/upstart-session/**",
|
|
|
|
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
|
|
|
|
unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
|
|
|
|
unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
|
|
|
|
unix (bind, listen) type=stream addr="@guest*",
|
|
|
|
unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
|
|
|
|
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
|
|
|
unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
|
|
|
|
unix (connect, receive, send) type=stream peer=(addr="@guest*"),
|
|
|
|
|
|
|
|
# silence warnings for stuff that we really don't want to grant
|
|
|
|
deny capability dac_override,
|
|
|
|
deny capability dac_read_search,
|
|
|
|
#deny /etc/** w, # re-enable once LP#697678 is fixed
|
|
|
|
deny /usr/** w,
|
|
|
|
deny /var/crash/ w,
|