Because of chromium-browser's sandboxing, it needs some additional
authorJamie Strandboge <jamie@canonical.com>
Mon, 11 Feb 2013 21:35:31 +0000 (10:35 +1300)
committerRobert Ancell <robert.ancell@canonical.com>
Mon, 11 Feb 2013 21:35:31 +0000 (10:35 +1300)
accesses beyond what is allowed in the default lightdm guest session profile.
Create data/guest-session.apparmor_abstraction and put all the accesses in
there, then adjust data/guest-session.apparmor to include this abstraction as
well as add the chromium_browser child profile.

data/Makefile.am
data/guest-session.apparmor

index 9c8de221ad0302a72949db704989cac7a3457574..ee183ac6a5cfc08c2496dbb257f06004db55bc0e 100644 (file)
@@ -11,7 +11,9 @@ dist_pam_DATA = pam/lightdm \
                 pam/lightdm-autologin \
                 pam/lightdm-greeter
 
-EXTRA_DIST = guest-session.apparmor
+EXTRA_DIST = guest-session.apparmor \
+             guest-session.apparmor_abstraction \
+             guest-session.apparmor_chromium_abstraction
 
 apparmor_profiledir = $(sysconfdir)/apparmor.d
 
@@ -19,6 +21,11 @@ install-data-hook:
        install -d $(DESTDIR)$(apparmor_profiledir)
        sed 's!PKGLIBEXECDIR!$(pkglibexecdir)!g' < $(srcdir)/guest-session.apparmor \
                > $(DESTDIR)$(apparmor_profiledir)/lightdm-guest-session
+       install -d $(DESTDIR)$(apparmor_profiledir)/abstractions
+       install $(srcdir)/guest-session.apparmor_abstraction \
+               $(DESTDIR)$(apparmor_profiledir)/abstractions/lightdm
+       install $(srcdir)/guest-session.apparmor_chromium_abstraction \
+               $(DESTDIR)$(apparmor_profiledir)/abstractions/lightdm_chromium-browser
 
 dist_man1_MANS = lightdm.1 \
                  lightdm-set-defaults.1
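Review bot: The two new `install` lines copy the abstraction files with install's default mode (0755) and ignore the install program configure selected, whereas the sed redirection just above creates lightdm-guest-session as a plain data file; AppArmor profile fragments should go in as data, i.e. `$(INSTALL_DATA) $(srcdir)/guest-session.apparmor_abstraction \` and the same for the chromium file (automake's INSTALL_DATA is `install -m 644`). Note also that the `sed 's!PKGLIBEXECDIR!$(pkglibexecdir)!g'` substitution is applied only to the main profile, so if either abstraction — the chromium child profile in particular — refers to PKGLIBEXECDIR it will be installed with the placeholder unsubstituted; I cannot see the abstraction contents from this diff. Neither guest-session.apparmor_abstraction nor guest-session.apparmor_chromium_abstraction appears in this commit's file list, so presumably they arrive separately; until they do, `make dist` and `make install` fail at these lines.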
index bb25a8c138846de78710c7a0a3e3be2bea2f81a9..7b43f77dfdd63e60778f1adecaf7b27ad3abd1f9 100644 (file)
@@ -1,75 +1,12 @@
 # vim:syntax=apparmor
-# Profile for restricting lightdm guest session 
-# Author: Martin Pitt <martin.pitt@ubuntu.com>
+# Profile for restricting lightdm guest session
 
 #include <tunables/global>
 
 PKGLIBEXECDIR/lightdm-guest-session-wrapper {
-  #include <abstractions/authentication>
-  #include <abstractions/nameservice>
-  #include <abstractions/wutmp>
-  /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
-  / r,
-  /bin/ rmix,
-  /bin/fusermount Px,
-  /bin/** rmix,
-  /cdrom/ rmix,
-  /cdrom/** rmix,
-  /dev/ r,
-  /dev/** rmw, # audio devices etc.
-  owner /dev/shm/** rmw,
-  /etc/ r,
-  /etc/** rmk,
-  /etc/gdm/Xsession ix,
-  /lib/ r,
-  /lib/** rmixk,
-  /lib32/ r,
-  /lib32/** rmixk,
-  /lib64/ r,
-  /lib64/** rmixk,
-  owner /media/ r,
-  owner /media/** rmwlixk,  # we want access to USB sticks and the like
-  /opt/ r,
-  /opt/** rmixk,
-  @{PROC}/ r,
-  @{PROC}/* rm,
-  @{PROC}/asound rm,
-  @{PROC}/asound/** rm,
-  @{PROC}/ati rm,
-  @{PROC}/ati/** rm,
-  owner @{PROC}/** rm,
-  # needed for gnome-keyring-daemon
-  @{PROC}/*/status r,
-  /sbin/ r,
-  /sbin/** rmixk,
-  /sys/ r,
-  /sys/** rm,
-  /tmp/ rw,
-  owner /tmp/** rwlkmix,
-  /usr/ r,
-  /usr/** rmixk,
-  /var/ r,
-  /var/** rmixk,
-  /var/guest-data/** rw, # allow to store files permanently
-  /var/tmp/ rw,
-  owner /var/tmp/** rwlkm,
-  /{,var/}run/ r,
-  # necessary for writing to sockets, etc.
-  /{,var/}run/** rmkix,
-  /{,var/}run/shm/** wl,
-  # libpam-xdg-support
-  owner /{,var/}run/user/guest-*/dconf/ rw,
-  owner /{,var/}run/user/guest-*/dconf/user rw,
-  owner /{,var/}run/user/guest-*/keyring-*/ rw,
-  owner /{,var/}run/user/guest-*/keyring-*/{control,gpg,pkcs11,ssh} rw,
+  # Most applications are confined via the main abstraction
+  #include <abstractions/lightdm>
 
-  capability ipc_lock,
-
-  # silence warnings for stuff that we really don't want to grant
-  deny capability dac_override,
-  deny capability dac_read_search,
-  #deny /etc/** w, # re-enable once LP#697678 is fixed
-  deny /usr/** w,
-  deny /var/crash/ w,
+  # chromium-browser needs special confinement due to its sandboxing
+  #include <abstractions/lightdm_chromium-browser>
 }
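Review bot: The profile now delegates every rule — including the `deny capability dac_override`, `deny /usr/** w` and `deny /var/crash/ w` rules that used to be visible here — to `abstractions/lightdm`, so nothing left in this file tells an auditor of /etc/apparmor.d/lightdm-guest-session which restrictions the guest session relies on. I would record that next to the include, e.g. `# abstractions/lightdm carries the deny rules (dac_override, dac_read_search, /usr/** w, /var/crash/ w) and capability ipc_lock; keep them there.` The old profile executed /usr/** with `ix`, so chromium-browser inherited this profile; the commit message says a chromium_browser child profile is added, but the transition into it is not visible in this hunk and must come from `abstractions/lightdm_chromium-browser`, which the comment on that include should state, e.g. `# defines the chromium_browser child profile and the transition into it`. Since the rule set now lives in abstractions under /etc/apparmor.d/abstractions/, the effective confinement is only as strict as those two files.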