2 # Profile for restricting lightdm guest session
3 # Author: Martin Pitt <martin.pitt@ubuntu.com>
5 # This abstraction provides the majority of the confinement for guest sessions.
6 # It is in its own abstraction so we can have a centralized place for
7 # confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
8 # etc). Note that this profile intentionally omits chromium-browser.
10 # Requires apparmor 2.9
# NOTE: in AppArmor policy a leading "#include" is a live directive, not a
# commented-out line. Each line below pulls the named abstraction's rules into
# this policy, so the effective grant is wider than the rules written out in
# this file. An audit of the guest confinement has to read these abstractions
# as well.
12 #include <abstractions/authentication>
13 #include <abstractions/cups-client>
14 #include <abstractions/dbus>
15 #include <abstractions/dbus-session>
16 #include <abstractions/dbus-accessibility>
17 #include <abstractions/nameservice>
18 #include <abstractions/wutmp>
# File rules. Permission letters used below: r = read, w = write,
# m = map as executable memory, l = create hard links, k = file locking,
# ix = execute while staying in the current profile (no profile transition).
# The "owner" prefix makes a rule apply only to files owned by the user the
# process runs as. The {,var/} and {,run/} alternations match the path both
# with and without that component.
20 # bug in compiz https://launchpad.net/bugs/697678
# Workaround: these two rules allow writes to system-wide files under /etc and
# are not "owner"-qualified, so ordinary file permissions are the only
# remaining limit. The commented-out "deny /etc/** w" at the end of this
# listing is tied to the same bug.
21 /etc/compizconfig/config rw,
22 /etc/compizconfig/unity.ini rw,
# NOTE(review): this matches every node under /dev, not only audio devices,
# and is not "owner"-qualified. Device-node permissions (DAC) are what still
# restrict access, which is why the dac_override / dac_read_search denials at
# the end of this listing matter. Consider narrowing it to the device classes
# the session actually needs.
31 /dev/** rmw, # audio devices etc.
32 owner /dev/shm/** rmw,
# Anything under these directories may be executed; it runs under this same
# profile.
36 /etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
37 /etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
# Removable media: guest-owned files may be read, written, linked, locked,
# mapped executable and executed (ix). Executed content stays confined by
# this profile.
44 owner /{,run/}media/ r,
45 owner /{,run/}media/** rmwlixk, # we want access to USB sticks and the like
# Read-only view of per-process network information and one VM sysctl.
50 @{PROC}/[0-9]*/net/ r,
51 @{PROC}/[0-9]*/net/dev r,
56 @{PROC}/sys/vm/overcommit_memory r,
# NOTE(review): the gutter numbers skip after each of the next two comments,
# so the rules they introduce appear to be missing from this excerpt.
58 # needed for gnome-keyring-daemon
60 # needed for bamfdaemon and utilities such as ps and killall
66 # needed for confined trusted helpers, such as dbus-daemon
# Read/write access to the ".access" file in AppArmor's securityfs directory,
# which userspace helpers use to query the kernel about loaded policy.
67 /sys/kernel/security/apparmor/.access rw,
# Guest-owned files under /tmp may be mapped executable (m) and executed (ix),
# so the session can run code it has written there, still under this profile.
69 owner /tmp/** rwlkmix,
# Not "owner"-qualified: applies to any file under /var/guest-data, subject to
# file permissions.
74 /var/guest-data/** rw, # allow to store files permanently
# Unlike /tmp above, /var/tmp carries no ix, so this rule grants no execute
# permission.
76 owner /var/tmp/** rwlkm,
78 # necessary for writing to sockets, etc.
# Write and link only; none of these three rules grants read.
80 /{,var/}run/screen/** wl,
81 /{,var/}run/shm/** wl,
82 /{,var/}run/uuidd/request w,
83 # libpam-xdg-support/logind
# The "*" matches any per-user runtime directory; "owner" is what limits the
# rule to files belonging to the guest user.
84 owner /{,var/}run/user/*/** rw,
# IPC rules: signals, ptrace and unix sockets. peer=@{profile_name} restricts
# a rule to peers that carry this same profile label.
88 # allow processes in the guest session to signal and ptrace each other
# Consequence: there is no isolation between processes inside the guest
# session, and any guest process may trace any other. The confinement boundary
# is the session as a whole.
89 signal peer=@{profile_name},
90 ptrace peer=@{profile_name},
91 # needed when logging out of the guest session
# Receive-only: unconfined processes may signal the guest. No rule visible in
# this excerpt lets the guest send signals to unconfined processes.
92 signal (receive) peer=unconfined,
# Unix sockets: all operations between same-label peers, receive-only from
# unconfined peers.
94 unix peer=(label=@{profile_name}),
95 unix (receive) peer=(label=unconfined),
# Socket housekeeping operations, granted with no address or peer condition.
97 unix (getattr, getopt, setopt, shutdown),
# Abstract-namespace addresses (leading "@") on which the guest may create
# listening stream sockets.
98 unix (bind, listen) type=stream addr="@/com/ubuntu/upstart-session/**",
99 unix (bind, listen) type=stream addr="@/tmp/dbus-*",
100 unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
101 unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
# NOTE(review): "@guest*" is a broad prefix glob. Confirm which component
# uses it and whether the pattern can be tightened.
102 unix (bind, listen) type=stream addr="@guest*",
# Abstract stream sockets the guest may connect to and exchange data with.
# These rules match on the peer address only, not on the peer's label.
# NOTE(review): the dbus-* and X11-unix patterns look like the D-Bus bus and
# X server sockets. X11 itself does not isolate clients that share a display.
103 unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
104 unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
105 unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
106 unix (connect, receive, send) type=stream peer=(addr="@guest*"),
108 # silence warnings for stuff that we really don't want to grant
# An explicit "deny" refuses the permission, takes precedence over any allow
# rule, and also suppresses the audit message for the refusal. Attempts to use
# these capabilities from the guest session will therefore not show up in the
# logs. Use "audit deny" instead if those attempts should be recorded for
# detection.
# dac_override bypasses file read/write/execute permission checks.
# dac_read_search bypasses file read and directory read/search checks.
109 deny capability dac_override,
110 deny capability dac_read_search,
# Disabled rule: it would block all writes under /etc, including the
# compizconfig files that this profile grants rw as a workaround for the same
# bug. While it stays commented out, /etc writes are limited only by the allow
# rules and file permissions.
111 #deny /etc/** w, # re-enable once LP#697678 is fixed