Introduce a lightdm-guest-session-wrapper session command which MAC systems like...

diff --git a/NEWS b/NEWS
index 859d1c6cbbedd0f09e4da5234815b21fc23b56d2..394827935bfab9acd8d91e29f84ddea77cc85cd4 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,9 @@ Overview of changes in lightdm 1.1.0
     * Start authentication when scrolling through GTK greeter entries
     * Link liblightdm-qt against QtGui
     * Fix liblightdm-qt crashing when face images are installed
+    * Introduce a lightdm-guest-session-wrapper session command which MAC
+      systems like AppArmor and SELinux can use for attaching a restrictive
+      policy to guest sessions.
 
 Overview of changes in lightdm 1.0.0
 

diff --git a/src/Makefile.am b/src/Makefile.am
index ddc9d1186efacb3021e909c705d40e129190f593..e782f953b9084566cd076bd39670bc72f269cd07 100644 (file)
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -79,6 +79,7 @@ BUILT_SOURCES = \
 lightdm_CFLAGS = \
        $(LIGHTDM_CFLAGS) \
        $(WARN_CFLAGS) \
+       -DLIBEXEC_DIR=\"$(libexecdir)\" \
        -DPKGLIBEXEC_DIR=\"$(pkglibexecdir)\" \
        -DSBIN_DIR=\"$(sbindir)\" \
        -DCONFIG_DIR=\"$(sysconfdir)/lightdm\" \
@@ -92,6 +93,14 @@ lightdm_LDADD = \
        $(LIGHTDM_LIBS) \
        -lpam
 
+libexec_PROGRAMS = lightdm-guest-session-wrapper
+
+lightdm_guest_session_wrapper_SOURCES = lightdm-guest-session-wrapper.c
+
+lightdm_guest_session_wrapper_CFLAGS = \
+       $(LIGHTDM_CFLAGS) \
+       $(WARN_CFLAGS)
+
 EXTRA_DIST = ldm-marshal.list \
        display-manager.xml
 

diff --git a/src/display.c b/src/display.c
index 1d572853b53e45be68d31e07002645b277eed136..5ebf4d6bb34b49fd199880799b4d7fa4f7270a2f 100644 (file)
--- a/src/display.c
+++ b/src/display.c
@@ -433,6 +433,15 @@ create_session (Display *display, PAMSession *authentication, const gchar *sessi
         }
     }
 
+    /* for a guest session, run command through the wrapper covered by MAC */
+    if (display->priv->autologin_guest)
+    {
+        gchar *t = command;
+        command = g_strdup_printf (LIBEXEC_DIR "/lightdm-guest-session-wrapper %s", command);
+        g_debug("Guest session, running session command through wrapper: %s", command);
+        g_free (t);
+    }
+
     g_signal_emit (display, signals[CREATE_SESSION], 0, &session);
     g_return_val_if_fail (session != NULL, NULL);
 

diff --git a/src/lightdm-guest-session-wrapper.c b/src/lightdm-guest-session-wrapper.c
new file mode 100644 (file)
index 0000000..c2a3745
--- /dev/null
+++ b/src/lightdm-guest-session-wrapper.c
@@ -0,0 +1,25 @@
+/* -*- Mode: C; indent-tabs-mode: nil; tab-width: 4 -*-
+ *
+ * Copyright (C) 2011 Canonical Ltd.
+ * Author: Martin Pitt <martin.pitt@ubuntu.com>
+ * 
+ * This program is free software: you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later
+ * version. See http://www.gnu.org/copyleft/gpl.html the full text of the
+ * license.
+ */
+
+/* This is a simple wrapper which just re-execve()'s the program given as its
+ * arguments. This allows MAC systems like AppArmor or SELinux to apply a
+ * policy on this wrapper which applies to guest sessions only. */
+
+#include <unistd.h>
+
+int
+main (int argc, char *argv[], char *envp[])
+{
+    if (argc < 2)
+       return 1;
+    execve (argv[1], argv+1, envp);
+}