authorMartin Pitt <martin.pitt@ubuntu.com>2011-10-20 15:09:50 +0200
committerMartin Pitt <martin.pitt@ubuntu.com>2011-10-20 15:09:50 +0200
commitbdcb88ff98a23df0199973ba3f7959655ff5ff5f (patch)
treec21eb5812829af043a3ae4db2a840ae2f7c76730 /data
parentc95c2b66946e2f5d41eaeb3036f3f1713eacc98e (diff)
Various guest session AppArmor profile fixes
Fix broken gnome-keyring and dbus/gwibber, and quiesce annoying kernel audit messages for privileges that we definitely do not want to grant.
Diffstat (limited to 'data')
-rw-r--r--data/guest-session.apparmor17
1 files changed, 16 insertions, 1 deletions
diff --git a/data/guest-session.apparmor b/data/guest-session.apparmor
index 91e27879..a6ecd5f7 100644
--- a/data/guest-session.apparmor
+++ b/data/guest-session.apparmor
@@ -25,6 +25,8 @@ LIBEXECDIR/lightdm-guest-session-wrapper {
/lib/** rmixk,
/lib32/ r,
/lib32/** rmixk,
+ /lib64/ r,
+ /lib64/** rmixk,
/media/ r,
/media/** rmwlixk, # we want access to USB sticks and the like
/opt/ r,
@@ -36,6 +38,8 @@ LIBEXECDIR/lightdm-guest-session-wrapper {
@{PROC}/ati rm,
@{PROC}/ati/** rm,
owner @{PROC}/** rm,
+ # needed for gnome-keyring-daemon
+ @{PROC}/*/status r,
/sbin/ r,
/sbin/** rmixk,
/sys/ r,
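Review bot: The added rule `@{PROC}/*/status r,` is not `owner`-qualified and uses a bare `*`, so it lets the guest session read the status file of every process on the system, and of any non-pid directory under /proc that happens to have a `status` entry. If only per-process files are needed, `@{PROC}/[0-9]*/status r,` keeps the rule to pid directories. The comment would help the next maintainer more if it said why the existing `owner @{PROC}/** rm,` line is not sufficient, for example `# gnome-keyring-daemon reads status of processes it does not own; not covered by the owner rule above`, assuming that is the reason. The profile block opens before this hunk and closes after it.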
@@ -50,5 +54,16 @@ LIBEXECDIR/lightdm-guest-session-wrapper {
/var/tmp/ rw,
owner /var/tmp/** rwlkm,
/{,var/}run/ r,
- /{,var/}run/** rmwkix, # necessary for writing to sockets, etc.
+ # necessary for writing to sockets, etc.
+ /{,var/}run/** rmkix,
+ /{,var/}run/shm/** wl,
+
+ capability ipc_lock,
+
+ # silence warnings for stuff that we really don't want to grant
+ deny capability dac_override,
+ deny capability dac_read_search,
+ deny /etc/** w,
+ deny /usr/** w,
+ deny /var/crash/ w,
}
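Review bot: The plain `deny` rules at the end of the profile suppress the audit record as well as the access, so a guest process that attempts `dac_override`, `dac_read_search` or a write under `/etc` or `/usr` no longer leaves a trace in the kernel log. Those refusals are among the more useful signals that something in the guest session is probing its confinement, so the comment should state that the logging is given up deliberately, e.g. `# deny (unlogged): silences audit noise, at the cost of not recording these attempts`; where visibility matters more than noise, `audit deny capability dac_override,` keeps the refusal and the log line. Separately, the comment `# necessary for writing to sockets, etc.` now sits above `/{,var/}run/** rmkix,`, which no longer grants `w`; the write permission has moved to `/{,var/}run/shm/** wl,`, which, unlike the `/var/tmp/**` rule, is not `owner`-qualified. The profile block opens before this hunk.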