authorRobert Ancell <robert.ancell@canonical.com>2013-02-18 18:23:36 +0000
committerRobert Ancell <robert.ancell@canonical.com>2013-02-18 18:23:36 +0000
commit8b078143c6983f632e6aa1fa250c187a5dcf8d1d (patch)
tree72f25a86474daeceea7cb6201cfb93881c92ee0a /data
parent57670503a4b7654245390dfa48017f92be7a7f75 (diff)
downloadlightdm-git-8b078143c6983f632e6aa1fa250c187a5dcf8d1d.tar.gz
Add missing apparmor files
Diffstat (limited to 'data')
-rw-r--r--data/guest-session.apparmor_abstraction76
-rw-r--r--data/guest-session.apparmor_chromium_abstraction33
2 files changed, 109 insertions, 0 deletions
diff --git a/data/guest-session.apparmor_abstraction b/data/guest-session.apparmor_abstraction
new file mode 100644
index 00000000..4afe9451
--- /dev/null
+++ b/data/guest-session.apparmor_abstraction
@@ -0,0 +1,76 @@
+# vim:syntax=apparmor
+# Profile for restricting lightdm guest session
+# Author: Martin Pitt <martin.pitt@ubuntu.com>
+
+# This abstraction provides the majority of the confinement for guest sessions.
+# It is in its own abstraction so we can have a centralized place for
+# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
+# etc). Note that this profile intentionally omits chromium-browser.
+
+ #include <abstractions/authentication>
+ #include <abstractions/nameservice>
+ #include <abstractions/wutmp>
+ /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
+
+ / r,
+ /bin/ rmix,
+ /bin/fusermount Px,
+ /bin/** rmix,
+ /cdrom/ rmix,
+ /cdrom/** rmix,
+ /dev/ r,
+ /dev/** rmw, # audio devices etc.
+ owner /dev/shm/** rmw,
+ /etc/ r,
+ /etc/** rmk,
+ /etc/gdm/Xsession ix,
+ /lib/ r,
+ /lib/** rmixk,
+ /lib32/ r,
+ /lib32/** rmixk,
+ /lib64/ r,
+ /lib64/** rmixk,
+ owner /media/ r,
+ owner /media/** rmwlixk, # we want access to USB sticks and the like
+ /opt/ r,
+ /opt/** rmixk,
+ @{PROC}/ r,
+ @{PROC}/* rm,
+ @{PROC}/asound rm,
+ @{PROC}/asound/** rm,
+ @{PROC}/ati rm,
+ @{PROC}/ati/** rm,
+ owner @{PROC}/** rm,
+ # needed for gnome-keyring-daemon
+ @{PROC}/*/status r,
+ /sbin/ r,
+ /sbin/** rmixk,
+ /sys/ r,
+ /sys/** rm,
+ /tmp/ rw,
+ owner /tmp/** rwlkmix,
+ /usr/ r,
+ /usr/** rmixk,
+ /var/ r,
+ /var/** rmixk,
+ /var/guest-data/** rw, # allow to store files permanently
+ /var/tmp/ rw,
+ owner /var/tmp/** rwlkm,
+ /{,var/}run/ r,
+ # necessary for writing to sockets, etc.
+ /{,var/}run/** rmkix,
+ /{,var/}run/shm/** wl,
+ # libpam-xdg-support
+ owner /{,var/}run/user/guest-*/dconf/ rw,
+ owner /{,var/}run/user/guest-*/dconf/user rw,
+ owner /{,var/}run/user/guest-*/keyring-*/ rw,
+ owner /{,var/}run/user/guest-*/keyring-*/{control,gpg,pkcs11,ssh} rw,
+
+ capability ipc_lock,
+
+ # silence warnings for stuff that we really don't want to grant
+ deny capability dac_override,
+ deny capability dac_read_search,
+ #deny /etc/** w, # re-enable once LP#697678 is fixed
+ deny /usr/** w,
+ deny /var/crash/ w,
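Review bot: The `owner /dev/shm/** rmw,` rule is subsumed by the preceding `/dev/** rmw,`, so the `owner` qualifier has no effect: AppArmor unions the permissions of every matching allow rule, and `/dev/**` already grants non-owner write under /dev/shm. If owner-only access to /dev/shm was the intent, the broad `/dev/**` rule would have to exclude it; if not, the narrower line can be dropped with a comment on `/dev/**` noting that it covers /dev/shm as well. Separately, the comment `# necessary for writing to sockets, etc.` sits above `/{,var/}run/** rmkix,`, which grants no `w`; either the comment is stale or the write access is expected to come from elsewhere, and a reader cannot tell which, so it is worth confirming and rewording, e.g. `# read/map/lock/exec under /run; socket writes are granted separately` if that is the case.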
diff --git a/data/guest-session.apparmor_chromium_abstraction b/data/guest-session.apparmor_chromium_abstraction
new file mode 100644
index 00000000..cb4878f8
--- /dev/null
+++ b/data/guest-session.apparmor_chromium_abstraction
@@ -0,0 +1,33 @@
+# vim:syntax=apparmor
+# Profile abstraction for restricting chromium-browser in the lightdm guest session
+# Author: Jamie Strandboge <jamie@canonical.com>
+
+# The abstraction provides the additional accesses required to launch
+# chromium-browser from within an lightdm session. Because AppArmor cannot yet
+# merge profiles and because we want to utilize the access rules provided in
+# abstractions/lightdm, this abstraction must be separate from
+# abstractions/lightdm.
+
+ /usr/lib/chromium-browser/chromium-browser Cx -> chromium_browser,
+ profile chromium_browser {
+ # Allow all the same accesses as other applications in the guest session
+ #include <abstractions/lightdm>
+
+ # but also allow a few things because of chromium-browser's sandboxing that
+ # are not appropriate to other guest session applications.
+ owner @{PROC}/[0-9]*/oom_{,score_}adj w,
+ @{PROC}/sys/kernel/shmmax r,
+ capability sys_admin, # for sandbox to change namespaces
+ capability sys_chroot, # fod sandbox to chroot to a safe directory
+ capability setgid, # for sandbox to drop privileges
+ capability setuid, # for sandbox to drop privileges
+ capability sys_ptrace, # chromium needs this to keep track of itself
+
+ @{PROC}/[0-9]*/ r, # sandbox wants these
+ @{PROC}/[0-9]*/fd/ r, # sandbox wants these
+ @{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these
+
+ /selinux/ r,
+
+ /usr/lib/chromium-browser/chromium-browser-sandbox ix,
+ }
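Review bot: The comment on `capability sys_chroot,` has a typo, `fod sandbox`; it should read `capability sys_chroot, # for sandbox to chroot to a safe directory`. More importantly for a reader auditing this profile, the block grants `sys_admin`, `sys_ptrace`, `setuid` and `setgid`, which go well beyond anything the guest abstraction allows, and the only thing confining them to the browser is the `Cx -> chromium_browser` transition on the line above the `profile` block; the header comment could say so explicitly, e.g. `# These capabilities apply only inside the chromium_browser child profile entered via Cx above; the rest of the guest session does not receive them.` The per-rule comments such as `# sandbox wants these` would also be clearer if they named the sandbox helper they refer to, which presumably is the `chromium-browser-sandbox` executed with `ix` at the end of the block.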