]> rtime.felk.cvut.cz Git - sojka/lightdm.git/blobdiff - data/apparmor/abstractions/lightdm
projects / sojka / lightdm.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Allow guest sessions more access to the upstart session socket
[sojka/lightdm.git] / data / apparmor / abstractions / lightdm
diff --git a/data/apparmor/abstractions/lightdm b/data/apparmor/abstractions/lightdm
index 0052569e21131ef3b1ecd6776f14cfcb173c3912..ffcd195b4648dd890a31ba2ecfa03f747c9d0413 100644 (file)
--- a/data/apparmor/abstractions/lightdm
+++ b/data/apparmor/abstractions/lightdm
@@ -7,6 +7,8 @@
 # confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
 # etc). Note that this profile intentionally omits chromium-browser.
 
+# Requires apparmor 2.9
+
   #include <abstractions/authentication>
   #include <abstractions/cups-client>
   #include <abstractions/dbus>
@@ -14,7 +16,10 @@
   #include <abstractions/dbus-accessibility>
   #include <abstractions/nameservice>
   #include <abstractions/wutmp>
-  /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
+
+  # bug in compiz https://launchpad.net/bugs/697678
+  /etc/compizconfig/config rw,
+  /etc/compizconfig/unity.ini rw,
 
   / r,
   /bin/ rmix,
@@ -28,22 +33,27 @@
   /etc/ r,
   /etc/** rmk,
   /etc/gdm/Xsession ix,
+  /etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
+  /etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
   /lib/ r,
   /lib/** rmixk,
   /lib32/ r,
   /lib32/** rmixk,
   /lib64/ r,
   /lib64/** rmixk,
-  owner /media/ r,
-  owner /media/** rmwlixk,  # we want access to USB sticks and the like
+  owner /{,run/}media/ r,
+  owner /{,run/}media/** rmwlixk,  # we want access to USB sticks and the like
   /opt/ r,
   /opt/** rmixk,
   @{PROC}/ r,
   @{PROC}/* rm,
+  @{PROC}/[0-9]*/net/ r,
+  @{PROC}/[0-9]*/net/dev r,
   @{PROC}/asound rm,
   @{PROC}/asound/** rm,
   @{PROC}/ati rm,
   @{PROC}/ati/** rm,
+  @{PROC}/sys/vm/overcommit_memory r,
   owner @{PROC}/** rm,
   # needed for gnome-keyring-daemon
   @{PROC}/*/status r,
@@ -67,7 +77,9 @@
   /{,var/}run/ r,
   # necessary for writing to sockets, etc.
   /{,var/}run/** rmkix,
+  /{,var/}run/screen/** wl,
   /{,var/}run/shm/** wl,
+  /{,var/}run/uuidd/request w,
   # libpam-xdg-support/logind
   owner /{,var/}run/user/*/** rw,
 
@@ -79,6 +91,20 @@
   # needed when logging out of the guest session
   signal (receive) peer=unconfined,
 
+  unix peer=(label=@{profile_name}),
+  unix (receive) peer=(label=unconfined),
+  unix (create),
+  unix (getattr, getopt, setopt, shutdown),
+  unix (bind, listen, accept, receive, send) type=stream addr="@/com/ubuntu/upstart-session/**",
+  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
+  unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
+  unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
+  unix (bind, listen) type=stream addr="@guest*",
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+  unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
+  unix (connect, receive, send) type=stream peer=(addr="@guest*"),
+
   # silence warnings for stuff that we really don't want to grant
   deny capability dac_override,
   deny capability dac_read_search,