2 # Profile for restricting lightdm guest session
3 # Author: Martin Pitt <martin.pitt@ubuntu.com>
5 #include <tunables/global>
7 PKGLIBEXECDIR/lightdm-guest-session-wrapper {
8 #include <abstractions/authentication>
9 #include <abstractions/nameservice>
10 #include <abstractions/wutmp>
11 /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
20 /dev/** rmw, # audio devices etc.; note the glob covers all of /dev, not only audio nodes
21 owner /dev/shm/** rmw,
32 owner /media/** rmwlixk, # we want access to USB sticks and the like; m and ix also permit mapping and running files from them
42 # needed for gnome-keyring-daemon
49 owner /tmp/** rwlkmix,
54 /var/guest-data/** rw, # allow to store files permanently
56 owner /var/tmp/** rwlkm,
58 # necessary for writing to sockets, etc.
60 /{,var/}run/shm/** wl,
64 # explicit deny rules are enforced without being logged; this silences warnings for stuff that we really don't want to grant
65 deny capability dac_override,
66 deny capability dac_read_search,
67 #deny /etc/** w, # re-enable once LP#697678 is fixed