authorRobert Ancell <robert.ancell@canonical.com>2014-10-01 08:33:50 +1300
committerRobert Ancell <robert.ancell@canonical.com>2014-10-01 08:33:50 +1300
commit7ad9f9d8f3c389a0994d98b5cbf0dbf78b662791 (patch)
treebe910d10b69addd438b3188fcf322de380041b47 /data
parentd2addaaf9037c9adda1c3de7fed386d465a49949 (diff)
downloadlightdm-git-7ad9f9d8f3c389a0994d98b5cbf0dbf78b662791.tar.gz
Apply debian/patches/06_apparmor-unix.patch, make note that this requires Apparmor 2.9
Diffstat (limited to 'data')
-rw-r--r--data/apparmor/abstractions/lightdm16
-rw-r--r--data/apparmor/abstractions/lightdm_chromium-browser9
2 files changed, 25 insertions, 0 deletions
diff --git a/data/apparmor/abstractions/lightdm b/data/apparmor/abstractions/lightdm
index 42341e0a..17e32e22 100644
--- a/data/apparmor/abstractions/lightdm
+++ b/data/apparmor/abstractions/lightdm
@@ -7,6 +7,8 @@
# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
# etc). Note that this profile intentionally omits chromium-browser.
+# Requires apparmor 2.9
+
#include <abstractions/authentication>
#include <abstractions/cups-client>
#include <abstractions/dbus>
@@ -84,6 +86,20 @@
# needed when logging out of the guest session
signal (receive) peer=unconfined,
+ unix peer=(label=@{profile_name}),
+ unix (receive) peer=(label=unconfined),
+ unix (create),
+ unix (getattr, getopt, setopt, shutdown),
+ unix (bind, listen) type=stream addr="@/com/ubuntu/upstart-session/**",
+ unix (bind, listen) type=stream addr="@/tmp/dbus-*",
+ unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
+ unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
+ unix (bind, listen) type=stream addr="@guest*",
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
+ unix (connect, receive, send) type=stream peer=(addr="@guest*"),
+
# silence warnings for stuff that we really don't want to grant
deny capability dac_override,
deny capability dac_read_search,
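Review bot: `unix (create),` and `unix (getattr, getopt, setopt, shutdown),` carry no `type=`, `addr=` or `peer=` condition, so they apply to every unix socket the confined session uses, and `unix (receive) peer=(label=unconfined),` likewise has no type or address restriction. Unlike the signal rule just above, none of the added rules has a comment, so a later reader cannot tell which of the broad ones are deliberate. I would head the block with `# unix rules cover abstract and anonymous sockets; path-based sockets stay under file rules` and give a one-line reason per address glob, especially `addr="@guest*"`, which matches any abstract name beginning with "guest". Whether `type=stream` can be added to the unconditioned rules would need testing in a real guest session. The enclosing profile body starts and ends outside this hunk.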
diff --git a/data/apparmor/abstractions/lightdm_chromium-browser b/data/apparmor/abstractions/lightdm_chromium-browser
index 9f3671bd..99089693 100644
--- a/data/apparmor/abstractions/lightdm_chromium-browser
+++ b/data/apparmor/abstractions/lightdm_chromium-browser
@@ -8,6 +8,8 @@
# provided in abstractions/lightdm, this abstraction must be separate from
# abstractions/lightdm.
+# Requires apparmor 2.9
+
/usr/lib/chromium-browser/chromium-browser Cx -> chromium,
/usr/bin/webapp-container Cx -> chromium,
/usr/bin/webbrowser-app Cx -> chromium,
@@ -23,6 +25,9 @@
# Allow receiving and sending signals to processes in the chromium child profile
signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+ # Allow communications with chromium child profile via unix sockets
+ unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),
+
profile chromium {
# Allow all the same accesses as other applications in the guest session
#include <abstractions/lightdm>
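Review bot: `unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),` names no access list, so the guest-session side is granted every unix permission toward the chromium child. The matching rule added inside `profile chromium` in the next hunk is limited to `(receive, send)`, as is the signal rule directly above this line. If send and receive are all that is needed, `unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),` would keep the two sides symmetric. If connect or other permissions are required in this direction, the comment should say so. The `profile chromium` block opened at the end of this hunk continues outside it.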
@@ -48,6 +53,10 @@
# lightdm-guest-session
signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
+ # Allow us to receive and send on unix sockets from processes in the
+ # lightdm-guest-session
+ unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),
+
@{PROC}/[0-9]*/ r, # sandbox wants these
@{PROC}/[0-9]*/fd/ r, # sandbox wants these
@{PROC}/[0-9]*/statm r, # sandbox wants these