2 # Profile for restricting lightdm guest session
3 # Author: Martin Pitt <martin.pitt@ubuntu.com>
5 # This abstraction provides the majority of the confinement for guest sessions.
6 # It is in its own abstraction so we can have a centralized place for
7 # confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
8 # etc). Note that this profile intentionally omits chromium-browser.
10 #include <abstractions/authentication>
11 #include <abstractions/cups-client>
12 #include <abstractions/dbus>
13 #include <abstractions/dbus-session>
14 #include <abstractions/dbus-accessibility>
15 #include <abstractions/nameservice>
16 #include <abstractions/wutmp>
# Rule section of the guest-session abstraction.
# File permission letters used below: r=read, w=write, m=mmap with PROT_EXEC,
# l=link, k=lock, ix=execute and keep running under the current profile.
# An "owner" prefix restricts a rule to files owned by the accessing process's user.
# NOTE(review): the original line numbers have gaps, so some rules are not visible
# in this excerpt; a comment below that is not followed by a rule documents an
# elided line, not the next visible one.
17 /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
# NOTE(review): this rule is not owner-qualified and matches every path under /dev,
# which is wider than the "audio devices" purpose stated. As far as this excerpt
# shows, access to other device nodes is then bounded only by their file
# permissions -- confirm that is intended.
26 /dev/** rmw, # audio devices etc.
27 owner /dev/shm/** rmw,
# "ix" means programs on removable media can be executed and stay confined by this
# same profile; "owner" limits the rule to files owned by the session user.
38 owner /media/** rmwlixk, # we want access to USB sticks and the like
48 # needed for gnome-keyring-daemon
50 # needed for bamfdaemon and utilities such as ps and killall
56 # needed for confined trusted helpers, such as dbus-daemon
57 /sys/kernel/security/apparmor/.access rw,
# As with /media, "ix" lets files the session user owns in /tmp be executed under
# this profile.
59 owner /tmp/** rwlkmix,
# Not owner-qualified: any file under /var/guest-data is readable and writable by the
# profile, subject to its file permissions.
64 /var/guest-data/** rw, # allow to store files permanently
# Unlike /tmp there is no "ix" here, so direct execution is not granted; "m" still
# allows mapping these files executable.
66 owner /var/tmp/** rwlkm,
68 # necessary for writing to sockets, etc.
# {,var/} matches both /run/shm and /var/run/shm. Write and link only (no read), and
# not owner-qualified.
70 /{,var/}run/shm/** wl,
71 # libpam-xdg-support/logind
# The single "*" matches one path component, i.e. the per-user directory name.
72 owner /{,var/}run/user/*/** rw,
76 # allow processes in the guest session to signal and ptrace each other
# No permission list is given, so all signal and ptrace permissions are granted, but
# only when the peer runs under the same profile (@{profile_name}).
# NOTE(review): this file is an abstraction shared by several session profiles, so
# the variable presumably resolves to whichever profile includes it -- confirm.
77 signal peer=@{profile_name},
78 ptrace peer=@{profile_name},
79 # needed when logging out of the guest session
# Receive only: this rule does not let the session send signals to unconfined
# processes.
80 signal (receive) peer=unconfined,
82 # silence warnings for stuff that we really don't want to grant
# Explicit deny rules are not logged by default and take precedence over allow
# rules. dac_override bypasses file permission checks; dac_read_search bypasses
# read and directory-search checks.
83 deny capability dac_override,
84 deny capability dac_read_search,
# Disabled rule: while it stays commented out, nothing in this excerpt explicitly
# denies writes under /etc (LP#697678 is the compiz bug referenced at line 17).
85 #deny /etc/** w, # re-enable once LP#697678 is fixed