File: //etc/apparmor.d/abstractions/lightdm
# vim:syntax=apparmor
# Profile for restricting lightdm guest session
# Author: Martin Pitt <martin.pitt@ubuntu.com>
# This abstraction provides the majority of the confinement for guest sessions.
# It is in its own abstraction so we can have a centralized place for
# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
# etc). Note that this profile intentionally omits chromium-browser.
# Requires apparmor 2.9
#include <abstractions/authentication>
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/dbus-session>
#include <abstractions/dbus-accessibility>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
# bug in compiz https://launchpad.net/bugs/697678
/etc/compizconfig/config rw,
/etc/compizconfig/unity.ini rw,
/ r,
/bin/ rmix,
/{,usr/}bin/fusermount Px,
/bin/** rmix,
/cdrom/ rmix,
/cdrom/** rmix,
/dev/ r,
/dev/** rmw, # audio devices etc.
owner /dev/shm/** rmw,
/etc/ r,
/etc/** rmk,
/etc/gdm/Xsession ix,
/etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
/etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
/lib/ r,
/lib/** rmixk,
/lib32/ r,
/lib32/** rmixk,
/lib64/ r,
/lib64/** rmixk,
owner /{,run/}media/ r,
owner /{,run/}media/** rmwlixk, # we want access to USB sticks and the like
/opt/ r,
/opt/** rmixk,
@{PROC}/ r,
@{PROC}/* rm,
@{PROC}/[0-9]*/net/ r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/asound rm,
@{PROC}/asound/** rm,
@{PROC}/ati rm,
@{PROC}/ati/** rm,
@{PROC}/sys/vm/overcommit_memory r,
owner @{PROC}/** rm,
# needed for gnome-keyring-daemon
@{PROC}/*/status r,
# needed for bamfdaemon and utilities such as ps and killall
@{PROC}/*/stat r,
/sbin/ r,
/sbin/** rmixk,
/sys/ r,
/sys/** rm,
# needed for confined trusted helpers, such as dbus-daemon
/sys/kernel/security/apparmor/.access rw,
/tmp/ rw,
owner /tmp/** rwlkmix,
/usr/ r,
/usr/** rmixk,
/var/ r,
/var/** rmixk,
/var/guest-data/** rw, # allow to store files permanently
/var/tmp/ rw,
owner /var/tmp/** rwlkm,
/{,var/}run/ r,
# necessary for writing to sockets, etc.
/{,var/}run/** rmkix,
/{,var/}run/mir_socket rw,
/{,var/}run/screen/** wl,
/{,var/}run/shm/** wl,
/{,var/}run/uuidd/request w,
# libpam-xdg-support/logind
owner /{,var/}run/user/*/** rw,
capability ipc_lock,
# allow processes in the guest session to signal and ptrace each other
signal peer=@{profile_name},
ptrace peer=@{profile_name},
# needed when logging out of the guest session
signal (receive) peer=unconfined,
unix peer=(label=@{profile_name}),
unix (receive) peer=(label=unconfined),
unix (create),
unix (getattr, getopt, setopt, shutdown),
unix (bind, listen, accept, receive, send) type=stream addr="@/com/ubuntu/upstart-session/**",
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
unix (bind, listen) type=stream addr="@guest*",
unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
unix (connect, receive, send) type=stream peer=(addr="@guest*"),
# silence warnings for stuff that we really don't want to grant
deny capability dac_override,
deny capability dac_read_search,
#deny /etc/** w, # re-enable once LP#697678 is fixed
deny /usr/** w,
deny /var/crash/ w,