# vim:syntax=apparmor # Profile for restricting lightdm guest session # Author: Martin Pitt # This abstraction provides the majority of the confinement for guest sessions. # It is in its own abstraction so we can have a centralized place for # confinement for the various lightdm sessions (guest, freerdp, uccsconfigure, # etc). Note that this profile intentionally omits chromium-browser. # Requires apparmor 2.9 include include include include include include include # bug in compiz https://launchpad.net/bugs/697678 /etc/compizconfig/config rw, /etc/compizconfig/unity.ini rw, / r, /bin/ rmix, /bin/fusermount Px, /bin/** rmix, /cdrom/ rmix, /cdrom/** rmix, /dev/ r, /dev/** rmw, # audio devices etc. owner /dev/shm/** rmw, /etc/ r, /etc/** rmk, /etc/X11/Xsession ix, /etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper /etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper /lib/ r, /lib/** rmixk, /lib32/ r, /lib32/** rmixk, /lib64/ r, /lib64/** rmixk, owner /{,run/}media/ r, owner /{,run/}media/** rmwlixk, # we want access to USB sticks and the like /opt/ r, /opt/** rmixk, @{PROC}/ r, @{PROC}/* rm, @{PROC}/[0-9]*/net/ r, @{PROC}/[0-9]*/net/dev r, @{PROC}/asound rm, @{PROC}/asound/** rm, @{PROC}/ati rm, @{PROC}/ati/** rm, @{PROC}/sys/vm/overcommit_memory r, owner @{PROC}/** rm, # needed for gnome-keyring-daemon @{PROC}/*/status r, # needed for bamfdaemon and utilities such as ps and killall @{PROC}/*/stat r, /sbin/ r, /sbin/** rmixk, /sys/ r, /sys/** rm, # needed for confined trusted helpers, such as dbus-daemon /sys/kernel/security/apparmor/.access rw, /tmp/ rw, owner /tmp/** rwlkmix, /usr/ r, /usr/** rmixk, /var/ r, /var/** rmixk, /var/guest-data/** rw, # allow to store files permanently /var/tmp/ rw, owner /var/tmp/** rwlkm, /{,var/}run/ r, # necessary for writing to sockets, etc. /{,var/}run/** rmkix, /{,var/}run/mir_socket rw, /{,var/}run/screen/** wl, /{,var/}run/shm/** wl, /{,var/}run/uuidd/request w, # libpam-xdg-support/logind owner /{,var/}run/user/*/** rw, capability ipc_lock, # allow processes in the guest session to signal and ptrace each other signal peer=@{profile_name}, ptrace peer=@{profile_name}, # needed when logging out of the guest session signal (receive) peer=unconfined, unix peer=(label=@{profile_name}), unix (receive) peer=(label=unconfined), unix (create), unix (getattr, getopt, setopt, shutdown), unix (bind, listen, accept, receive, send) type=stream addr="@/com/ubuntu/upstart-session/**", unix (bind, listen) type=stream addr="@/tmp/dbus-*", unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*", unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*", unix (bind, listen) type=stream addr="@guest*", unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"), unix (connect, receive, send) type=stream peer=(addr="@guest*"), # silence warnings for stuff that we really don't want to grant deny capability dac_override, deny capability dac_read_search, #deny /etc/** w, # re-enable once LP#697678 is fixed deny /usr/** w, deny /var/crash/ w,