1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
# vim:syntax=apparmor
# Profile for restricting lightdm guest session
# Author: Martin Pitt <martin.pitt@ubuntu.com>
#include <tunables/global>
LIBEXECDIR/lightdm-guest-session-wrapper {
#include <abstractions/authentication>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
/etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
/ r,
/bin/ rmix,
/bin/** rmix,
/cdrom/ rmix,
/cdrom/** rmix,
/dev/ r,
/dev/** rmw, # audio devices etc.
owner /dev/shm/** rmw,
/etc/ r,
/etc/** rmk,
/etc/gdm/Xsession ix,
/lib/ r,
/lib/** rmixk,
/lib32/ r,
/lib32/** rmixk,
/media/ r,
/media/** rmwlixk, # we want access to USB sticks and the like
/opt/ r,
/opt/** rmixk,
@{PROC}/ r,
@{PROC}/* rm,
@{PROC}/asound rm,
@{PROC}/asound/** rm,
@{PROC}/ati rm,
@{PROC}/ati/** rm,
owner @{PROC}/** rm,
/sbin/ r,
/sbin/** rmixk,
/sys/ r,
/sys/** rm,
/tmp/ rw,
owner /tmp/** rwlkmix,
/usr/ r,
/usr/** rmixk,
/var/ r,
/var/** rmixk,
/var/guest-data/** rw, # allow to store files permanently
/var/tmp/ rw,
owner /var/tmp/** rwlkm,
/{,var/}run/ r,
/{,var/}run/** rmwkix, # necessary for writing to sockets, etc.
}
|
