Bring 1.11.8-0ubuntu2 changes in tree

diff --git a/debian/changelog b/debian/changelog
index c7b568e26ee9eff1ea3ebfd4ac37d5416cf5c496..f04340ebe190f5d86d7d0d92b56427621e4eed92 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lightdm (1.11.8-0ubuntu2) utopic; urgency=medium
+
+  * debian/patches/06_apparmor-unix.patch: updates for unix socket mediation
+    (LP: #1362199)
+
+ -- Jamie Strandboge <jamie@ubuntu.com>  Fri, 05 Sep 2014 17:34:03 -0500
+
 lightdm (1.11.8-0ubuntu1) utopic; urgency=medium
 
   * New upstream release:

diff --git a/debian/patches/06_apparmor-unix.patch b/debian/patches/06_apparmor-unix.patch
new file mode 100644 (file)
index 0000000..3b46144
--- /dev/null
+++ b/debian/patches/06_apparmor-unix.patch
@@ -0,0 +1,48 @@
+Author: Jamie Strandboge <jamie@canonical.com>
+Description: updates for unix socket mediation
+Forwarded: no
+
+Index: lightdm-1.11.8/data/apparmor/abstractions/lightdm
+===================================================================
+--- lightdm-1.11.8.orig/data/apparmor/abstractions/lightdm
++++ lightdm-1.11.8/data/apparmor/abstractions/lightdm
+@@ -79,6 +79,14 @@
+   # needed when logging out of the guest session
+   signal (receive) peer=unconfined,
+ 
++  unix peer=(label=@{profile_name}),
++  unix (receive) peer=(label=unconfined),
++  unix (create),
++  unix (getattr, getopt, setopt, shutdown),
++  unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
++  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
++  unix (bind) type=stream addr="@/com/ubuntu/upstart-session/*",
++
+   # silence warnings for stuff that we really don't want to grant
+   deny capability dac_override,
+   deny capability dac_read_search,
+Index: lightdm-1.11.8/data/apparmor/abstractions/lightdm_chromium-browser
+===================================================================
+--- lightdm-1.11.8.orig/data/apparmor/abstractions/lightdm_chromium-browser
++++ lightdm-1.11.8/data/apparmor/abstractions/lightdm_chromium-browser
+@@ -22,6 +22,9 @@
+   # Allow receiving and sending signals to processes in the chromium child profile
+   signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+ 
++  # Allow communications with chromium child profile via unix sockets
++  unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),
++
+   profile chromium {
+     # Allow all the same accesses as other applications in the guest session
+     #include <abstractions/lightdm>
+@@ -47,6 +50,10 @@
+     # lightdm-guest-session
+     signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
+ 
++    # Allow us to receive and send on unix sockets from processes in the
++    # lightdm-guest-session
++    unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),
++
+     @{PROC}/[0-9]*/ r,                 # sandbox wants these
+     @{PROC}/[0-9]*/fd/ r,              # sandbox wants these
+     @{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these

diff --git a/debian/patches/series b/debian/patches/series
index 4bb2ea009e32a8fddefe3c509566424a1b71f141..3d694451160b3025d33db1de1a96254978ee3396 100644 (file)
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 01_transition_ubuntu2d_ubuntu_desktop.patch
 04_language_handling.patch
 05_translate_debian_files.patch
+06_apparmor-unix.patch