* Update the AppArmor lightdm abstraction to account for AppArmor
authorTyler Hicks <tyhicks@canonical.com>
Tue, 29 Oct 2013 03:55:31 +0000 (20:55 -0700)
committerTyler Hicks <tyhicks@canonical.com>
Tue, 29 Oct 2013 03:55:31 +0000 (20:55 -0700)
  changes that landed in 13.10
  - Allow full access to the system, session, and accessibility buses
  - Allow trusted helpers, such as dbus-daemon, that are confined by a
    lightdm session profile, to query AppArmor policy using the .access
    file in apparmorfs
  - Include the cups-client abstraction to grant access to the cups
    socket file

data/apparmor/abstractions/lightdm

index bd60f90f109bb0509aebd2411f732818825c28c0..d94edc3e74d9d4cde1884bf66bc3754ef9ca4e4c 100644 (file)
@@ -8,6 +8,10 @@
 # etc). Note that this profile intentionally omits chromium-browser.
 
   #include <abstractions/authentication>
+  #include <abstractions/cups-client>
+  #include <abstractions/dbus>
+  #include <abstractions/dbus-session>
+  #include <abstractions/dbus-accessibility>
   #include <abstractions/nameservice>
   #include <abstractions/wutmp>
   /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
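Review bot: The three D-Bus includes added here are the unrestricted abstractions, so every profile that pulls in this lightdm abstraction gets send and receive rights on the whole system, session and accessibility buses, and nothing in the file records that this is deliberate. The commit message says full access is intended, but that rationale should sit next to the rules, for example `# full D-Bus access kept so sessions behave as before D-Bus mediation landed in 13.10; tighten with the -strict abstractions plus explicit dbus rules`. If the sessions using this abstraction are meant to stay tightly confined (inferred, the profile header is mostly outside the hunk), consider `#include <abstractions/dbus-strict>`, `#include <abstractions/dbus-session-strict>` and `#include <abstractions/dbus-accessibility-strict>` with per-service `dbus` rules for what the session actually needs. The profile body starts and ends outside this hunk.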
@@ -47,6 +51,8 @@
   /sbin/** rmixk,
   /sys/ r,
   /sys/** rm,
+  # needed for confined trusted helpers, such as dbus-daemon
+  /sys/kernel/security/apparmor/.access rw,
   /tmp/ rw,
   owner /tmp/** rwlkmix,
   /usr/ r,
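Review bot: The added `/sys/kernel/security/apparmor/.access rw,` rule applies to every process confined through this abstraction, whereas the comment above it says only trusted helpers such as dbus-daemon need it. The comment should state what the file is and why write is required, for example `# AppArmor policy query interface; w is needed to submit a query and does not permit loading or replacing policy`, so a later reader does not mistake it for policy-management access. If the helper can be given its own child profile, moving the rule there would keep ordinary session processes from querying policy, but whether such a transition exists cannot be told from this hunk. The profile body starts and ends outside the hunk.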