LIghtDM Session to Configure UCCS

Merge lp:~ted/lightdm-remote-session-uccsconfigure/apparmor-profile into lp:lightdm-remote-session-uccsconfigure

  1. apparmor-profile
  2. Merge into trunk
Proposed by Ted Gould
Status: Merged
Approved by: Albert Astals Cid
Approved revision: 26
Merged at revision: 17
Proposed branch: lp:~ted/lightdm-remote-session-uccsconfigure/apparmor-profile
Merge into: lp:lightdm-remote-session-uccsconfigure
Diff against target: 192 lines (+138/-4)
5 files modified
Makefile.am (+28/-1)
configure.ac (+5/-1)
lightdm-remote-session-uccsconfigure.in (+71/-0)
uccsconfigure-session-wrapper.c (+32/-0)
uccsconfigure.desktop.in (+2/-2)
To merge this branch: bzr merge lp:~ted/lightdm-remote-session-uccsconfigure/apparmor-profile
Reviewer Review Type Date Requested Status
Albert Astals Cid (community) Approve
jenkins (community) continuous-integration Approve
Review via email: mp+124497@code.launchpad.net

Commit message

Adding an apparmor profile for the session

Description of the change

This adds an apparmor profile for the session. Currently this is just a copy of the guest session profile, but we hope to lock it down further in the future.

To post a comment you must log in.
Revision history for this message
jenkins (martin-mrazik+qa) wrote :

PASSED: Continuous integration, rev:19
http://jenkins.qa.ubuntu.com/job/lightdm-remote-session-uccsconfigure-ci/5/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-remote-session-uccsconfigure-ci/./label=quantal/5/console

review: Approve (continuous-integration)
lp:~ted/lightdm-remote-session-uccsconfigure/apparmor-profile updated
20. By Ted Gould

Adding a C compiler

21. By Ted Gould

Add a small binary to be the wrapper

22. By Ted Gould

Make apparmor work on the wrapper

23. By Ted Gould

Fleshing out the wrapper

24. By Ted Gould

Copyright header

25. By Ted Gould

0.3+apparmor

26. By Ted Gould

Making the desktop file find the wrapper

Revision history for this message
jenkins (martin-mrazik+qa) wrote :

PASSED: Continuous integration, rev:26
http://jenkins.qa.ubuntu.com/job/lightdm-remote-session-uccsconfigure-ci/6/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-remote-session-uccsconfigure-ci/./label=quantal/6/console

review: Approve (continuous-integration)
Revision history for this message
Albert Astals Cid (aacid) wrote :

Makes sense

review: Approve
Revision history for this message
Albert Astals Cid (aacid) wrote :

Makes sense

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'Makefile.am'
--- Makefile.am 2012-08-27 16:17:12 +0000
+++ Makefile.am 2012-09-14 20:00:25 +0000
@@ -10,7 +10,7 @@
10 uccsconfigure.desktop10 uccsconfigure.desktop
1111
12%.desktop: %.desktop.in12%.desktop: %.desktop.in
13 @sed -e "s|\@pkgdatadir\@|$(pkgdatadir)|" $< > $@13 @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@
1414
15EXTRA_DIST += uccsconfigure.desktop.in15EXTRA_DIST += uccsconfigure.desktop.in
16CLEANFILES += uccsconfigure.desktop16CLEANFILES += uccsconfigure.desktop
@@ -41,6 +41,33 @@
41CLEANFILES += uccsconfigure-session41CLEANFILES += uccsconfigure-session
4242
43###############################43###############################
44# The session wrapper
45###############################
46
47pkglibexec_PROGRAMS = \
48 uccsconfigure-session-wrapper
49
50uccsconfigure_session_wrapper_SOURCES = \
51 uccsconfigure-session-wrapper.c
52uccsconfigure_session_wrapper_CFLAGS = \
53 -DPKGDATADIR="\"$(pkgdatadir)\"" \
54 -Wall -Werror
55
56###############################
57# Apparmor for session wrapper
58###############################
59
60apparmordir = $(sysconfdir)/apparmor.d/
61apparmor_DATA = \
62 lightdm-remote-session-uccsconfigure
63
64lightdm-remote-session-uccsconfigure: lightdm-remote-session-uccsconfigure.in
65 @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@
66
67EXTRA_DIST += lightdm-remote-session-uccsconfigure.in
68CLEANFILES += lightdm-remote-session-uccsconfigure
69
70###############################
44# Autostart Firefox71# Autostart Firefox
45###############################72###############################
4673
4774
=== modified file 'configure.ac'
--- configure.ac 2012-08-22 14:10:56 +0000
+++ configure.ac 2012-09-14 20:00:25 +0000
@@ -1,8 +1,12 @@
1AC_INIT([lightdm-remote-session-uccsconfigure], [0.3])1AC_INIT([lightdm-remote-session-uccsconfigure], [0.3+apparmor])
22
3AM_INIT_AUTOMAKE([1.11 -Wno-portability])3AM_INIT_AUTOMAKE([1.11 -Wno-portability])
4AM_SILENT_RULES([yes])4AM_SILENT_RULES([yes])
55
6AC_PROG_CC
7AC_PROG_INSTALL
8AM_PROG_CC_C_O
9
6###########################10###########################
7# Local Install11# Local Install
8###########################12###########################
913
=== added file 'lightdm-remote-session-uccsconfigure.in'
--- lightdm-remote-session-uccsconfigure.in 1970-01-01 00:00:00 +0000
+++ lightdm-remote-session-uccsconfigure.in 2012-09-14 20:00:25 +0000
@@ -0,0 +1,71 @@
1# vim:syntax=apparmor
2# Profile for restricting lightdm remote session for UCCS Configuration
3# Based on the Guest Account Apparmor script from:
4# Author: Martin Pitt <martin.pitt@ubuntu.com>
5
6#include <tunables/global>
7
8@pkglibexecdir@/uccsconfigure-session-wrapper {
9 #include <abstractions/authentication>
10 #include <abstractions/nameservice>
11 #include <abstractions/wutmp>
12 /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
13
14 / r,
15 /bin/ rmix,
16 /bin/fusermount Px,
17 /bin/** rmix,
18 /cdrom/ rmix,
19 /cdrom/** rmix,
20 /dev/ r,
21 /dev/** rmw, # audio devices etc.
22 owner /dev/shm/** rmw,
23 /etc/ r,
24 /etc/** rmk,
25 /etc/gdm/Xsession ix,
26 /lib/ r,
27 /lib/** rmixk,
28 /lib32/ r,
29 /lib32/** rmixk,
30 /lib64/ r,
31 /lib64/** rmixk,
32 owner /media/ r,
33 owner /media/** rmwlixk, # we want access to USB sticks and the like
34 /opt/ r,
35 /opt/** rmixk,
36 @{PROC}/ r,
37 @{PROC}/* rm,
38 @{PROC}/asound rm,
39 @{PROC}/asound/** rm,
40 @{PROC}/ati rm,
41 @{PROC}/ati/** rm,
42 owner @{PROC}/** rm,
43 # needed for gnome-keyring-daemon
44 @{PROC}/*/status r,
45 /sbin/ r,
46 /sbin/** rmixk,
47 /sys/ r,
48 /sys/** rm,
49 /tmp/ rw,
50 owner /tmp/** rwlkmix,
51 /usr/ r,
52 /usr/** rmixk,
53 /var/ r,
54 /var/** rmixk,
55 /var/guest-data/** rw, # allow to store files permanently
56 /var/tmp/ rw,
57 owner /var/tmp/** rwlkm,
58 /{,var/}run/ r,
59 # necessary for writing to sockets, etc.
60 /{,var/}run/** rmkix,
61 /{,var/}run/shm/** wl,
62
63 capability ipc_lock,
64
65 # silence warnings for stuff that we really don't want to grant
66 deny capability dac_override,
67 deny capability dac_read_search,
68 #deny /etc/** w, # re-enable once LP#697678 is fixed
69 deny /usr/** w,
70 deny /var/crash/ w,
71}
072
=== added file 'uccsconfigure-session-wrapper.c'
--- uccsconfigure-session-wrapper.c 1970-01-01 00:00:00 +0000
+++ uccsconfigure-session-wrapper.c 2012-09-14 20:00:25 +0000
@@ -0,0 +1,32 @@
1/*
2 * Copyright © 2012 Canonical Ltd.
3 *
4 * This program is free software: you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License version 3, as
6 * published by the Free Software Foundation.
7 *
8 * This program is distributed in the hope that it will be useful, but
9 * WITHOUT ANY WARRANTY; without even the implied warranties of
10 * MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
11 * PURPOSE. See the GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License along
14 * with this program. If not, see <http://www.gnu.org/licenses/>.
15 *
16 * Author: Ted Gould <ted@canonical.com>
17 */
18
19#include <stdlib.h>
20#include <unistd.h>
21
22int
23main (int argc, char * argv[])
24{
25 char * args[2];
26 args[0] = PKGDATADIR "/uccsconfigure-session";
27 args[1] = NULL;
28
29 execvp(args[0], args);
30
31 return 0;
32}
033
=== modified file 'uccsconfigure.desktop.in'
--- uccsconfigure.desktop.in 2012-08-22 14:09:46 +0000
+++ uccsconfigure.desktop.in 2012-09-14 20:00:25 +0000
@@ -1,8 +1,8 @@
1[Desktop Entry]1[Desktop Entry]
2Name=UCCS Configure2Name=UCCS Configure
3Comment=Setup a UCCS Account3Comment=Setup a UCCS Account
4Exec=@pkgdatadir@/uccsconfigure-session4Exec=@pkglibexecdir@/uccsconfigure-session-wrapper
5TryExec=@pkgdatadir@/uccsconfigure-session5TryExec=@pkglibexecdir@/uccsconfigure-session-wrapper
6Icon=6Icon=
7Type=Application7Type=Application
8X-LightDM-PAM-Service=lightdm-remote-uccsconfigure8X-LightDM-PAM-Service=lightdm-remote-uccsconfigure

Subscribers

People subscribed via source and target branches