Fix wrapper path in AppArmor profile (broken since 1.1.1)
# vim:syntax=apparmor
# Profile for restricting lightdm guest session 
# Author: Martin Pitt <martin.pitt@ubuntu.com>
#
# The profile attaches to the guest-session wrapper; because most exec rules
# below use "ix" (inherit), every program the guest session launches stays
# confined by this same profile, except fusermount (Px, see below).
# Permission letters: r read, w write, m map as executable, x/ix execute
# (inheriting this profile), Px execute under the target's own profile with a
# scrubbed environment, k file lock, l link.  "owner" limits a rule to files
# owned by the calling user (the guest uid).
# Anything not matched by a rule is denied; the explicit "deny" rules at the
# end exist only to keep expected refusals out of the audit log.

#include <tunables/global>

# PKGLIBEXECDIR is not defined in this file -- presumably substituted at
# build time (the commit title refers to fixing this path); confirm against
# the build system.
PKGLIBEXECDIR/lightdm-guest-session-wrapper {
  #include <abstractions/authentication>
  #include <abstractions/nameservice>
  #include <abstractions/wutmp>
  # Only write access into /etc this profile grants; workaround for the
  # compiz bug referenced below, not a permanent design decision.
  /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
 
  / r,
  /bin/ rmix,
  # fusermount runs under its own profile (P) rather than inheriting this one.
  /bin/fusermount Px,
  /bin/** rmix,
  /cdrom/ rmix,
  /cdrom/** rmix,
  /dev/ r,
  # NOTE(review): "w" here covers every device node, not only audio, and
  # unlike /dev/shm below it is not owner-restricted.  If the set of devices
  # the session actually needs is known, a narrower list would be preferable.
  /dev/** rmw, # audio devices etc.
  owner /dev/shm/** rmw,
  /etc/ r,
  # No "w": configuration stays read-only apart from the compiz file above.
  /etc/** rmk,
  /etc/gdm/Xsession ix,
  /lib/ r,
  /lib/** rmixk,
  /lib32/ r,
  /lib32/** rmixk,
  /lib64/ r,
  /lib64/** rmixk,
  # Removable media: read/write/exec, but only for files the guest user owns.
  owner /media/ r,
  owner /media/** rmwlixk,  # we want access to USB sticks and the like
  /opt/ r,
  /opt/** rmixk,
  @{PROC}/ r,
  @{PROC}/* rm,
  @{PROC}/asound rm,
  @{PROC}/asound/** rm,
  @{PROC}/ati rm,
  @{PROC}/ati/** rm,
  # Per-process entries are readable only for the guest's own processes ...
  owner @{PROC}/** rm,
  # needed for gnome-keyring-daemon
  # ... except /proc/<pid>/status, which is readable for every process.
  @{PROC}/*/status r,
  /sbin/ r,
  /sbin/** rmixk,
  /sys/ r,
  /sys/** rm,
  /tmp/ rw,
  # "ix" on owned temp files: binaries written to /tmp by the guest can be
  # executed, still confined by this profile.
  owner /tmp/** rwlkmix,
  /usr/ r,
  /usr/** rmixk,
  /var/ r,
  /var/** rmixk,
  # NOTE(review): together with "/var/** rmixk" above, files under
  # /var/guest-data are both writable and executable (permissions from all
  # matching rules are combined).  Confirm that is intended.
  /var/guest-data/** rw, # allow to store files permanently
  /var/tmp/ rw,
  owner /var/tmp/** rwlkm,
  /{,var/}run/ r,
  # necessary for writing to sockets, etc.
  /{,var/}run/** rmkix,
  /{,var/}run/shm/** wl,

  # The only capability granted; the reason is not recorded here -- TODO
  # confirm which component of the guest session requires it.
  capability ipc_lock,

  # silence warnings for stuff that we really don't want to grant
  # These deny rules do not change what is enforced (nothing above grants
  # them); they only suppress audit messages for expected refusals.
  deny capability dac_override,
  deny capability dac_read_search,
  #deny /etc/** w, # re-enable once LP#697678 is fixed
  deny /usr/** w,
  deny /var/crash/ w,
}