From f02ec5d273c70ce4d4a181fc145efc8ff056aa49 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sun, 4 Sep 2022 19:25:15 +0000
Subject: [PATCH] Delete lightdm

---
 apparmor.d/abstractions/lightdm | 114 --------------------------------
 1 file changed, 114 deletions(-)
 delete mode 100644 apparmor.d/abstractions/lightdm

diff --git a/apparmor.d/abstractions/lightdm b/apparmor.d/abstractions/lightdm
deleted file mode 100644
index 984aea2f..00000000
--- a/apparmor.d/abstractions/lightdm
+++ /dev/null
@@ -1,114 +0,0 @@
-# vim:syntax=apparmor
-# Profile for restricting lightdm guest session
-# Author: Martin Pitt
-
-# This abstraction provides the majority of the confinement for guest sessions.
-# It is in its own abstraction so we can have a centralized place for
-# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
-# etc). Note that this profile intentionally omits chromium-browser.
-
-# Requires apparmor 2.9
-
- include
- include
- include
- include
- include
- include
- include
-
- # bug in compiz https://launchpad.net/bugs/697678
- /etc/compizconfig/config rw,
- /etc/compizconfig/unity.ini rw,
-
- / r,
- /bin/ rmix,
- /bin/fusermount Px,
- /bin/** rmix,
- /cdrom/ rmix,
- /cdrom/** rmix,
- /dev/ r,
- /dev/** rmw, # audio devices etc.
- owner /dev/shm/** rmw,
- /etc/ r,
- /etc/** rmk,
- /etc/X11/Xsession ix,
- /etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
- /etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
- /lib/ r,
- /lib/** rmixk,
- /lib32/ r,
- /lib32/** rmixk,
- /lib64/ r,
- /lib64/** rmixk,
- owner /{,run/}media/ r,
- owner /{,run/}media/** rmwlixk, # we want access to USB sticks and the like
- /opt/ r,
- /opt/** rmixk,
- @{PROC}/ r,
- @{PROC}/* mr,
- @{PROC}/[0-9]*/net/ r,
- @{PROC}/[0-9]*/net/dev r,
- @{PROC}/asound mr,
- @{PROC}/asound/** mr,
- @{PROC}/ati mr,
- @{PROC}/ati/** mr,
- @{PROC}/sys/vm/overcommit_memory r,
- owner @{PROC}/** mr,
- # needed for gnome-keyring-daemon
- @{PROC}/*/status r,
- # needed for bamfdaemon and utilities such as ps and killall
- @{PROC}/*/stat r,
- /sbin/ r,
- /sbin/** rmixk,
- /sys/ r,
- /sys/** mr,
- # needed for confined trusted helpers, such as dbus-daemon
- /sys/kernel/security/apparmor/.access rw,
- /tmp/ rw,
- owner /tmp/** rwlkmix,
- /usr/ r,
- /usr/** rmixk,
- /var/ r,
- /var/** rmixk,
- /var/guest-data/** rw, # allow to store files permanently
- /var/tmp/ rw,
- owner /var/tmp/** rwlkm,
- /{,var/}run/ r,
- # necessary for writing to sockets, etc.
- /{,var/}run/** rmkix,
- /{,var/}run/mir_socket rw,
- /{,var/}run/screen/** wl,
- /{,var/}run/shm/** wl,
- /{,var/}run/uuidd/request w,
- # libpam-xdg-support/logind
- owner /{,var/}run/user/@{uid}/** rw,
-
- capability ipc_lock,
-
- # allow processes in the guest session to signal and ptrace each other
- signal peer=@{profile_name},
- ptrace peer=@{profile_name},
- # needed when logging out of the guest session
- signal (receive) peer=unconfined,
-
- unix peer=(label=@{profile_name}),
- unix (receive) peer=(label=unconfined),
- unix (create),
- unix (getattr, getopt, setopt, shutdown),
- unix (bind, listen, accept, receive, send) type=stream addr="@/com/ubuntu/upstart-session/**",
- unix (bind, listen) type=stream addr="@/tmp/dbus-*",
- unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
- unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
- unix (bind, listen) type=stream addr="@guest*",
- unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
- unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
- unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
- unix (connect, receive, send) type=stream peer=(addr="@guest*"),
-
- # silence warnings for stuff that we really don't want to grant
- deny capability dac_override,
- deny capability dac_read_search,
- #deny /etc/** w, # re-enable once LP#697678 is fixed
- deny /usr/** w,
- deny /var/crash/ w,