authorJamie Strandboge <jamie@canonical.com>2013-02-12 10:35:31 +1300
committerRobert Ancell <robert.ancell@canonical.com>2013-02-12 10:35:31 +1300
commit7a52348d2a308f6eb7902c5c001787613fdb349b (patch)
tree23c9cee5218bd5cb25791e9df6471ec156d07b43 /data
parent552a2572050e239db232e2822082f9076c755bd8 (diff)
downloadlightdm-git-7a52348d2a308f6eb7902c5c001787613fdb349b.tar.gz
Because of chromium-browser's sandboxing, it needs some additional
accesses beyond what is allowed in the default lightdm guest session profile. Create data/guest-session.apparmor_abstraction and put all the accesses in there, then adjust data/guest-session.apparmor to include this abstraction as well as add the chromium_browser child profile.
Diffstat (limited to 'data')
-rw-r--r--data/Makefile.am9
-rw-r--r--data/guest-session.apparmor73
2 files changed, 13 insertions, 69 deletions
diff --git a/data/Makefile.am b/data/Makefile.am
index 9c8de221..ee183ac6 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -11,7 +11,9 @@ dist_pam_DATA = pam/lightdm \
pam/lightdm-autologin \
pam/lightdm-greeter
-EXTRA_DIST = guest-session.apparmor
+EXTRA_DIST = guest-session.apparmor \
+ guest-session.apparmor_abstraction \
+ guest-session.apparmor_chromium_abstraction
apparmor_profiledir = $(sysconfdir)/apparmor.d
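Review bot: The two files added to `EXTRA_DIST` here, `guest-session.apparmor_abstraction` and `guest-session.apparmor_chromium_abstraction`, do not appear in the diffstat, which is limited to `data` and lists only `Makefile.am` and `guest-session.apparmor`. If they are not added by this commit, `make dist` and the new `install` lines in the install-data-hook hunk will fail on the missing sources, and the rewritten profile will include abstractions that are never installed. Confirm both files are tracked in the same commit so the policy can be reviewed together with the profile that now delegates to it.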
@@ -19,6 +21,11 @@ install-data-hook:
install -d $(DESTDIR)$(apparmor_profiledir)
sed 's!PKGLIBEXECDIR!$(pkglibexecdir)!g' < $(srcdir)/guest-session.apparmor \
> $(DESTDIR)$(apparmor_profiledir)/lightdm-guest-session
+ install -d $(DESTDIR)$(apparmor_profiledir)/abstractions
+ install $(srcdir)/guest-session.apparmor_abstraction \
+ $(DESTDIR)$(apparmor_profiledir)/abstractions/lightdm
+ install $(srcdir)/guest-session.apparmor_chromium_abstraction \
+ $(DESTDIR)$(apparmor_profiledir)/abstractions/lightdm_chromium-browser
dist_man1_MANS = lightdm.1 \
lightdm-set-defaults.1
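Review bot: The two added `install` commands pass no `-m`, so the abstractions are installed with install's default mode of 0755, although they are policy data that should be non-executable (0644). Using automake's data installer makes the mode explicit, e.g. `$(INSTALL_DATA) $(srcdir)/guest-session.apparmor_abstraction $(DESTDIR)$(apparmor_profiledir)/abstractions/lightdm`, and likewise for the chromium abstraction. The install-data-hook rule starts outside this hunk, and no matching uninstall step for the new files is visible here, so check that one exists.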
diff --git a/data/guest-session.apparmor b/data/guest-session.apparmor
index bb25a8c1..7b43f77d 100644
--- a/data/guest-session.apparmor
+++ b/data/guest-session.apparmor
@@ -1,75 +1,12 @@
# vim:syntax=apparmor
-# Profile for restricting lightdm guest session
-# Author: Martin Pitt <martin.pitt@ubuntu.com>
+# Profile for restricting lightdm guest session
#include <tunables/global>
PKGLIBEXECDIR/lightdm-guest-session-wrapper {
- #include <abstractions/authentication>
- #include <abstractions/nameservice>
- #include <abstractions/wutmp>
- /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
-
- / r,
- /bin/ rmix,
- /bin/fusermount Px,
- /bin/** rmix,
- /cdrom/ rmix,
- /cdrom/** rmix,
- /dev/ r,
- /dev/** rmw, # audio devices etc.
- owner /dev/shm/** rmw,
- /etc/ r,
- /etc/** rmk,
- /etc/gdm/Xsession ix,
- /lib/ r,
- /lib/** rmixk,
- /lib32/ r,
- /lib32/** rmixk,
- /lib64/ r,
- /lib64/** rmixk,
- owner /media/ r,
- owner /media/** rmwlixk, # we want access to USB sticks and the like
- /opt/ r,
- /opt/** rmixk,
- @{PROC}/ r,
- @{PROC}/* rm,
- @{PROC}/asound rm,
- @{PROC}/asound/** rm,
- @{PROC}/ati rm,
- @{PROC}/ati/** rm,
- owner @{PROC}/** rm,
- # needed for gnome-keyring-daemon
- @{PROC}/*/status r,
- /sbin/ r,
- /sbin/** rmixk,
- /sys/ r,
- /sys/** rm,
- /tmp/ rw,
- owner /tmp/** rwlkmix,
- /usr/ r,
- /usr/** rmixk,
- /var/ r,
- /var/** rmixk,
- /var/guest-data/** rw, # allow to store files permanently
- /var/tmp/ rw,
- owner /var/tmp/** rwlkm,
- /{,var/}run/ r,
- # necessary for writing to sockets, etc.
- /{,var/}run/** rmkix,
- /{,var/}run/shm/** wl,
- # libpam-xdg-support
- owner /{,var/}run/user/guest-*/dconf/ rw,
- owner /{,var/}run/user/guest-*/dconf/user rw,
- owner /{,var/}run/user/guest-*/keyring-*/ rw,
- owner /{,var/}run/user/guest-*/keyring-*/{control,gpg,pkcs11,ssh} rw,
+ # Most applications are confined via the main abstraction
+ #include <abstractions/lightdm>
- capability ipc_lock,
-
- # silence warnings for stuff that we really don't want to grant
- deny capability dac_override,
- deny capability dac_read_search,
- #deny /etc/** w, # re-enable once LP#697678 is fixed
- deny /usr/** w,
- deny /var/crash/ w,
+ # chromium-browser needs special confinement due to its sandboxing
+ #include <abstractions/lightdm_chromium-browser>
}
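Review bot: Every rule of the guest profile, including the `deny capability dac_override`, `deny capability dac_read_search` and `deny /usr/** w` lines, leaves this file, and the body now consists only of the two `#include` lines, so the effective confinement cannot be checked from this hunk. It would help to state in the profile what the includes are expected to carry, e.g. `# abstractions/lightdm holds the full guest policy, including the deny rules; keep both in sync`. Because the files are installed under the shared `abstractions/` directory, a comment at the top of each abstraction saying it is meant only for the guest session would discourage other profiles from including such a broad rule set. That presumes the removed rules were moved over as they stand, which this diff does not show.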