-rw-r--r-- | debian/changelog | 12 | ||||
-rw-r--r-- | debian/patches/06_guest_signal_and_ptrace_aa_rules.patch | 18 | ||||
-rw-r--r-- | debian/patches/07_guest_proc_pid_stat_aa_rule.patch | 16 | ||||
-rw-r--r-- | debian/patches/series | 2 |
4 files changed, 48 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index fa956deb..12bd8467 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+lightdm (1.9.14-0ubuntu2) trusty; urgency=medium
+
+ * debian/patches/06_guest_signal_and_ptrace_aa_rules.patch: Grant
+ permission for guest session processes to signal and ptrace each
+ other (LP: #1298611)
+ * debian/patches/07_guest_proc_pid_stat_aa_rule.patch: Grant permission for
+ guest session processes to read /proc/<PID>/stat. This prevents AppArmor
+ denial messages caused by bamfdaemon and common utilities such as ps and
+ killall. (LP: #1301625)
+
+ -- Tyler Hicks <tyhicks@canonical.com> Thu, 03 Apr 2014 02:48:51 -0500
+
 lightdm (1.9.14-0ubuntu1) trusty; urgency=medium
 
 * New upstream release:
diff --git a/debian/patches/06_guest_signal_and_ptrace_aa_rules.patch b/debian/patches/06_guest_signal_and_ptrace_aa_rules.patch
new file mode 100644
index 00000000..e992c51f
--- /dev/null
+++ b/debian/patches/06_guest_signal_and_ptrace_aa_rules.patch
@@ -0,0 +1,18 @@
+Description: Allow guest session processes to signal and ptrace each other
+Author: Tyler Hicks <tyhicks@canonical.com>
+
+Index: lightdm-1.9.13/data/apparmor/abstractions/lightdm
+===================================================================
+--- lightdm-1.9.13.orig/data/apparmor/abstractions/lightdm 2013-10-30 17:34:00.000000000 -0500
++++ lightdm-1.9.13/data/apparmor/abstractions/lightdm 2014-04-02 13:47:09.651587353 -0500
+@@ -71,6 +71,10 @@
+
+ capability ipc_lock,
+
++ # allow processes in the guest session to signal and ptrace each other
++ signal peer=@{profile_name},
++ ptrace peer=@{profile_name},
++
+ # silence warnings for stuff that we really don't want to grant
+ deny capability dac_override,
+ deny capability dac_read_search,
diff --git a/debian/patches/07_guest_proc_pid_stat_aa_rule.patch b/debian/patches/07_guest_proc_pid_stat_aa_rule.patch
new file mode 100644
index 00000000..b3b3c1fb
--- /dev/null
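Review bot: In 06_guest_signal_and_ptrace_aa_rules.patch the added `signal peer=@{profile_name},` and `ptrace peer=@{profile_name},` rules carry no permission list, so they grant every signal and ptrace access, including `trace`, between processes confined by the same profile. If the denials behind LP: #1298611 only involve reading peer state, a narrower rule such as `ptrace (read, readby) peer=@{profile_name},` would follow least privilege; if full tracing is intended, the comment should say so, e.g. `# all signal and ptrace permissions between guest processes are intentional`. Because the rules sit in an abstraction, `@{profile_name}` presumably resolves to whichever profile includes it, which is worth confirming for each includer. The rest of the abstraction lies outside the hunk.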
+++ b/debian/patches/07_guest_proc_pid_stat_aa_rule.patch
@@ -0,0 +1,16 @@
+Description: Allow guest session processes to read /proc/<PID>/stat
+Author: Tyler Hicks <tyhicks@canonical.com>
+
+Index: lightdm-1.9.13/data/apparmor/abstractions/lightdm
+===================================================================
+--- lightdm-1.9.13.orig/data/apparmor/abstractions/lightdm 2014-04-02 16:43:27.946041262 -0500
++++ lightdm-1.9.13/data/apparmor/abstractions/lightdm 2014-04-02 16:44:54.350039489 -0500
+@@ -47,6 +47,8 @@
+ owner @{PROC}/** rm,
+ # needed for gnome-keyring-daemon
+ @{PROC}/*/status r,
++ # needed for bamfdaemon and utilities such as ps and killall
++ @{PROC}/*/stat r,
+ /sbin/ r,
+ /sbin/** rmixk,
+ /sys/ r,
diff --git a/debian/patches/series b/debian/patches/series
index 4d371dde..cb3a047b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
 01_transition_ubuntu2d_ubuntu_desktop.patch
 04_language_handling.patch
 05_translate_guest_session_dialog.patch
+06_guest_signal_and_ptrace_aa_rules.patch
+07_guest_proc_pid_stat_aa_rule.patch
|
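Review bot: In 07_guest_proc_pid_stat_aa_rule.patch the added `@{PROC}/*/stat r,` has no `owner` qualifier, unlike the `owner @{PROC}/** rm,` rule above it, so guest processes may read the stat file of every process on the system rather than only their own. That breadth matches what ps and killall need, but the comment should record that it is deliberate, e.g. `# not owner-restricted: ps and killall read stat for all processes`, so a later audit neither tightens it by mistake nor copies the pattern to more sensitive /proc files. The rest of the abstraction lies outside the hunk.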