From 9020ff184e070a6a9f7c46ef28702c858bc32e4e Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Fri, 30 Sep 2011 14:14:31 +0200
Subject: [PATCH] Introduce a lightdm-guest-session-wrapper session command which MAC systems like AppArmor and SELinux can use for attaching a restrictive policy to guest sessions.
---
 NEWS | 3 +++
 src/Makefile.am | 9 +++++++++
 src/display.c | 9 +++++++++
 src/lightdm-guest-session-wrapper.c | 25 +++++++++++++++++++++++++
 4 files changed, 46 insertions(+)
 create mode 100644 src/lightdm-guest-session-wrapper.c
diff --git a/NEWS b/NEWS
index 859d1c6c..39482793 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,9 @@ Overview of changes in lightdm 1.1.0
 * Start authentication when scrolling through GTK greeter entries
 * Link liblightdm-qt against QtGui
 * Fix liblightdm-qt crashing when face images are installed
+ * Introduce a lightdm-guest-session-wrapper session command which MAC
+ systems like AppArmor and SELinux can use for attaching a restrictive
+ policy to guest sessions.
 Overview of changes in lightdm 1.0.0
diff --git a/src/Makefile.am b/src/Makefile.am
index ddc9d118..e782f953 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -79,6 +79,7 @@ BUILT_SOURCES = \
 lightdm_CFLAGS = \
 $(LIGHTDM_CFLAGS) \
 $(WARN_CFLAGS) \
+ -DLIBEXEC_DIR=\"$(libexecdir)\" \
 -DPKGLIBEXEC_DIR=\"$(pkglibexecdir)\" \
 -DSBIN_DIR=\"$(sbindir)\" \
 -DCONFIG_DIR=\"$(sysconfdir)/lightdm\" \
@@ -92,6 +93,14 @@ lightdm_LDADD = \
 $(LIGHTDM_LIBS) \
 -lpam
+libexec_PROGRAMS = lightdm-guest-session-wrapper
+
+lightdm_guest_session_wrapper_SOURCES = lightdm-guest-session-wrapper.c
+
+lightdm_guest_session_wrapper_CFLAGS = \
+ $(LIGHTDM_CFLAGS) \
+ $(WARN_CFLAGS)
+
 EXTRA_DIST = ldm-marshal.list \
 display-manager.xml
diff --git a/src/display.c b/src/display.c
index 1d572853..5ebf4d6b 100644
--- a/src/display.c
+++ b/src/display.c
@@ -433,6 +433,15 @@ create_session (Display *display, PAMSession *authentication, const gchar *sessi
 }
 }
+ /* for a guest session, run command through the wrapper covered by MAC */
+ if (display->priv->autologin_guest)
+ {
+ gchar *t = command;
+ command = g_strdup_printf (LIBEXEC_DIR "/lightdm-guest-session-wrapper %s", command);
+ g_debug("Guest session, running session command through wrapper: %s", command);
+ g_free (t);
+ }
+
 g_signal_emit (display, signals[CREATE_SESSION], 0, &session);
 g_return_val_if_fail (session != NULL, NULL);
diff --git a/src/lightdm-guest-session-wrapper.c b/src/lightdm-guest-session-wrapper.c
new file mode 100644
index 00000000..c2a37455
--- /dev/null
+++ b/src/lightdm-guest-session-wrapper.c
@@ -0,0 +1,25 @@
+/* -*- Mode: C; indent-tabs-mode: nil; tab-width: 4 -*-
+ *
+ * Copyright (C) 2011 Canonical Ltd.
+ * Author: Martin Pitt
+ *
+ * This program is free software: you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later
+ * version. See http://www.gnu.org/copyleft/gpl.html the full text of the
+ * license.
+ */
+
+/* This is a simple wrapper which just re-execve()'s the program given as its
+ * arguments. This allows MAC systems like AppArmor or SELinux to apply a
+ * policy on this wrapper which applies to guest sessions only. */
+
+#include
+
+int
+main (int argc, char *argv[], char *envp[])
+{
+ if (argc < 2)
+ return 1;
+ execve (argv[1], argv+1, envp);
+}
--
2.39.2
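Review bot: The wrapper is prepended only inside `if (display->priv->autologin_guest)`, so the MAC policy covers a guest session only when that flag is set. create_session begins and ends outside this hunk, so it is not visible here whether a guest session chosen from the greeter also sets it; that should be confirmed before the confinement is relied on. The new comment would help more if it recorded the requirement, e.g. `/* every guest session must start via the wrapper; the AppArmor/SELinux guest policy attaches to it */`. The session command is also spliced in with a bare `%s`, so the wrapper receives the right arguments only if the combined string is later split the same way the original command would have been; that splitting code is not in the hunk.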
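Review bot: A failed `execve` in main is not handled: when the call returns, control falls off the end of main, which in C99 and later yields exit status 0, so a guest session that never started looks like a clean exit and nothing is reported. Add `perror ("lightdm-guest-session-wrapper: execve");` and `return 1;` after the call, together with `#include <stdio.h>`. Also, `execve` does no PATH search, so `argv[1]` must resolve exactly as given. The display.c hunk passes `command` through unchanged, so if session commands can be bare program names, either the caller has to resolve them to a full path or the wrapper needs `execvp`, and the MAC profile then has to account for that lookup.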