LIghtDM Session to Configure UCCS

Merge lp:~ted/lightdm-remote-session-uccsconfigure/apparmor-profile into lp:lightdm-remote-session-uccsconfigure

  1. apparmor-profile
  2. Merge into trunk
Proposed by Ted Gould
Status: Merged
Approved by: Albert Astals Cid
Approved revision: 26
Merged at revision: 17
Proposed branch: lp:~ted/lightdm-remote-session-uccsconfigure/apparmor-profile
Merge into: lp:lightdm-remote-session-uccsconfigure
Diff against target: 192 lines (+138/-4)
5 files modified
Makefile.am (+28/-1)
configure.ac (+5/-1)
lightdm-remote-session-uccsconfigure.in (+71/-0)
uccsconfigure-session-wrapper.c (+32/-0)
uccsconfigure.desktop.in (+2/-2)
To merge this branch: bzr merge lp:~ted/lightdm-remote-session-uccsconfigure/apparmor-profile
Reviewer Review Type Date Requested Status
Albert Astals Cid (community) Approve
jenkins (community) continuous-integration Approve
Review via email: mp+124497@code.launchpad.net

Commit message

Adding an apparmor profile for the session

Description of the change

This adds an apparmor profile for the session. Currently this is just a copy of the guest session profile, but we hope to lock it down further in the future.

To post a comment you must log in.
Revision history for this message
jenkins (martin-mrazik+qa) wrote :

PASSED: Continuous integration, rev:19
http://jenkins.qa.ubuntu.com/job/lightdm-remote-session-uccsconfigure-ci/5/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-remote-session-uccsconfigure-ci/./label=quantal/5/console

review: Approve (continuous-integration)
lp:~ted/lightdm-remote-session-uccsconfigure/apparmor-profile updated
20. By Ted Gould

Adding a C compiler

21. By Ted Gould

Add a small binary to be the wrapper

22. By Ted Gould

Make apparmor work on the wrapper

23. By Ted Gould

Fleshing out the wrapper

24. By Ted Gould

Copyright header

25. By Ted Gould

0.3+apparmor

26. By Ted Gould

Making the desktop file find the wrapper

Revision history for this message
jenkins (martin-mrazik+qa) wrote :

PASSED: Continuous integration, rev:26
http://jenkins.qa.ubuntu.com/job/lightdm-remote-session-uccsconfigure-ci/6/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-remote-session-uccsconfigure-ci/./label=quantal/6/console

review: Approve (continuous-integration)
Revision history for this message
Albert Astals Cid (aacid) wrote :

Makes sense

review: Approve
Revision history for this message
Albert Astals Cid (aacid) wrote :

Makes sense

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'Makefile.am'
2--- Makefile.am 2012-08-27 16:17:12 +0000
3+++ Makefile.am 2012-09-14 20:00:25 +0000
4@@ -10,7 +10,7 @@
5 uccsconfigure.desktop
6
7 %.desktop: %.desktop.in
8- @sed -e "s|\@pkgdatadir\@|$(pkgdatadir)|" $< > $@
9+ @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@
10
11 EXTRA_DIST += uccsconfigure.desktop.in
12 CLEANFILES += uccsconfigure.desktop
13@@ -41,6 +41,33 @@
14 CLEANFILES += uccsconfigure-session
15
16 ###############################
17+# The session wrapper
18+###############################
19+
20+pkglibexec_PROGRAMS = \
21+ uccsconfigure-session-wrapper
22+
23+uccsconfigure_session_wrapper_SOURCES = \
24+ uccsconfigure-session-wrapper.c
25+uccsconfigure_session_wrapper_CFLAGS = \
26+ -DPKGDATADIR="\"$(pkgdatadir)\"" \
27+ -Wall -Werror
28+
29+###############################
30+# Apparmor for session wrapper
31+###############################
32+
33+apparmordir = $(sysconfdir)/apparmor.d/
34+apparmor_DATA = \
35+ lightdm-remote-session-uccsconfigure
36+
37+lightdm-remote-session-uccsconfigure: lightdm-remote-session-uccsconfigure.in
38+ @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@
39+
40+EXTRA_DIST += lightdm-remote-session-uccsconfigure.in
41+CLEANFILES += lightdm-remote-session-uccsconfigure
42+
43+###############################
44 # Autostart Firefox
45 ###############################
46
47
48=== modified file 'configure.ac'
49--- configure.ac 2012-08-22 14:10:56 +0000
50+++ configure.ac 2012-09-14 20:00:25 +0000
51@@ -1,8 +1,12 @@
52-AC_INIT([lightdm-remote-session-uccsconfigure], [0.3])
53+AC_INIT([lightdm-remote-session-uccsconfigure], [0.3+apparmor])
54
55 AM_INIT_AUTOMAKE([1.11 -Wno-portability])
56 AM_SILENT_RULES([yes])
57
58+AC_PROG_CC
59+AC_PROG_INSTALL
60+AM_PROG_CC_C_O
61+
62 ###########################
63 # Local Install
64 ###########################
65
66=== added file 'lightdm-remote-session-uccsconfigure.in'
67--- lightdm-remote-session-uccsconfigure.in 1970-01-01 00:00:00 +0000
68+++ lightdm-remote-session-uccsconfigure.in 2012-09-14 20:00:25 +0000
69@@ -0,0 +1,71 @@
70+# vim:syntax=apparmor
71+# Profile for restricting lightdm remote session for UCCS Configuration
72+# Based on the Guest Account Apparmor script from:
73+# Author: Martin Pitt <martin.pitt@ubuntu.com>
74+
75+#include <tunables/global>
76+
77+@pkglibexecdir@/uccsconfigure-session-wrapper {
78+ #include <abstractions/authentication>
79+ #include <abstractions/nameservice>
80+ #include <abstractions/wutmp>
81+ /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
82+
83+ / r,
84+ /bin/ rmix,
85+ /bin/fusermount Px,
86+ /bin/** rmix,
87+ /cdrom/ rmix,
88+ /cdrom/** rmix,
89+ /dev/ r,
90+ /dev/** rmw, # audio devices etc.
91+ owner /dev/shm/** rmw,
92+ /etc/ r,
93+ /etc/** rmk,
94+ /etc/gdm/Xsession ix,
95+ /lib/ r,
96+ /lib/** rmixk,
97+ /lib32/ r,
98+ /lib32/** rmixk,
99+ /lib64/ r,
100+ /lib64/** rmixk,
101+ owner /media/ r,
102+ owner /media/** rmwlixk, # we want access to USB sticks and the like
103+ /opt/ r,
104+ /opt/** rmixk,
105+ @{PROC}/ r,
106+ @{PROC}/* rm,
107+ @{PROC}/asound rm,
108+ @{PROC}/asound/** rm,
109+ @{PROC}/ati rm,
110+ @{PROC}/ati/** rm,
111+ owner @{PROC}/** rm,
112+ # needed for gnome-keyring-daemon
113+ @{PROC}/*/status r,
114+ /sbin/ r,
115+ /sbin/** rmixk,
116+ /sys/ r,
117+ /sys/** rm,
118+ /tmp/ rw,
119+ owner /tmp/** rwlkmix,
120+ /usr/ r,
121+ /usr/** rmixk,
122+ /var/ r,
123+ /var/** rmixk,
124+ /var/guest-data/** rw, # allow to store files permanently
125+ /var/tmp/ rw,
126+ owner /var/tmp/** rwlkm,
127+ /{,var/}run/ r,
128+ # necessary for writing to sockets, etc.
129+ /{,var/}run/** rmkix,
130+ /{,var/}run/shm/** wl,
131+
132+ capability ipc_lock,
133+
134+ # silence warnings for stuff that we really don't want to grant
135+ deny capability dac_override,
136+ deny capability dac_read_search,
137+ #deny /etc/** w, # re-enable once LP#697678 is fixed
138+ deny /usr/** w,
139+ deny /var/crash/ w,
140+}
141
142=== added file 'uccsconfigure-session-wrapper.c'
143--- uccsconfigure-session-wrapper.c 1970-01-01 00:00:00 +0000
144+++ uccsconfigure-session-wrapper.c 2012-09-14 20:00:25 +0000
145@@ -0,0 +1,32 @@
146+/*
147+ * Copyright © 2012 Canonical Ltd.
148+ *
149+ * This program is free software: you can redistribute it and/or modify it
150+ * under the terms of the GNU General Public License version 3, as
151+ * published by the Free Software Foundation.
152+ *
153+ * This program is distributed in the hope that it will be useful, but
154+ * WITHOUT ANY WARRANTY; without even the implied warranties of
155+ * MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
156+ * PURPOSE. See the GNU General Public License for more details.
157+ *
158+ * You should have received a copy of the GNU General Public License along
159+ * with this program. If not, see <http://www.gnu.org/licenses/>.
160+ *
161+ * Author: Ted Gould <ted@canonical.com>
162+ */
163+
164+#include <stdlib.h>
165+#include <unistd.h>
166+
167+int
168+main (int argc, char * argv[])
169+{
170+ char * args[2];
171+ args[0] = PKGDATADIR "/uccsconfigure-session";
172+ args[1] = NULL;
173+
174+ execvp(args[0], args);
175+
176+ return 0;
177+}
178
179=== modified file 'uccsconfigure.desktop.in'
180--- uccsconfigure.desktop.in 2012-08-22 14:09:46 +0000
181+++ uccsconfigure.desktop.in 2012-09-14 20:00:25 +0000
182@@ -1,8 +1,8 @@
183 [Desktop Entry]
184 Name=UCCS Configure
185 Comment=Setup a UCCS Account
186-Exec=@pkgdatadir@/uccsconfigure-session
187-TryExec=@pkgdatadir@/uccsconfigure-session
188+Exec=@pkglibexecdir@/uccsconfigure-session-wrapper
189+TryExec=@pkglibexecdir@/uccsconfigure-session-wrapper
190 Icon=
191 Type=Application
192 X-LightDM-PAM-Service=lightdm-remote-uccsconfigure

Subscribers

People subscribed via source and target branches