The way AppArmor profiles are applied in lightdm is based on the
session process name. So in the case of the guest session lightdm runs
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper which then runs
the actual session process (e.g. gnome-session). The binary name
"/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" is matched in
the AppArmor profile /etc/apparmor.d/lightdm-guest-session.

For remote sessions lightdm doesn't run it through the guest wrapper so
no AppArmor profile is applied by default. We could run it through the
same wrapper but remote sessions probably want an even more restrictive
profile (there should be no access to the local filesystem at all).

So in short, I think the packages lightdm-remote-session-freerdp and
lightdm-remote-session-uccsconfigure should provide AppArmor profiles for
/usr/lib/x86_64-linux-gnu/lightdm-remote-session-freerdp/freerdp-session
and
/usr/share/lightdm-remote-session-uccsconfigure/uccsconfigure-session.

This is about the limit of my knowledge of AppArmor - for more
information ask Martin Pitt as he implemented this feature.

** Also affects: lightdm-remote-session-freerdp (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: lightdm-remote-session-uccsconfigure (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1049849

Title:
  "Remote Login" account not confined by guest AppArmor profile

Status in “lightdm” package in Ubuntu:
  Confirmed
Status in “lightdm-remote-session-freerdp” package in Ubuntu:
  New
Status in “lightdm-remote-session-uccsconfigure” package in Ubuntu:
  New

Bug description:
  The "Guest" session in lightdm is launched confined by a very
  restrictive AppArmor profile for security reasons.

  The new "Remote Login" session that has been added to Quantal is
  supposed to be using the same type of guest account restrictions, but
  isn't restricted by the guest AppArmor profile. This has a security
  impact on the default desktop.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.10
  Package: lightdm 1.3.3-0ubuntu4
  ProcVersionSignature: Ubuntu 3.5.0-14.16-generic 3.5.3
  Uname: Linux 3.5.0-14-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.5.1-0ubuntu7
  Architecture: amd64
  Date: Wed Sep 12 10:09:10 2012
  InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Alpha amd64 (20120724.2)
  ProcEnviron:
   LANGUAGE=en_CA:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_CA.UTF-8
   SHELL=/bin/bash
  SourcePackage: lightdm
  UpgradeStatus: No upgrade log present (probably fresh install)

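The name-based profile attachment described in the comment above can be checked statically. The following is an added example, not part of the original bug report or of lightdm: it reads profile headers and lists the session binaries that no attachment matches. The profile text is a constructed sample, and the function names are hypothetical.

```python
import re

# Constructed sample of profile headers as found under /etc/apparmor.d/.
# Only the first attachment path comes from the bug report; bodies are elided.
SAMPLE_PROFILES = """\
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper {
  #include <abstractions/base>
}
profile example-helper /usr/lib/example/*/helper flags=(complain) {
}
"""

SESSION_BINARIES = [  # paths as named in the comment above
    "/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper",
    "/usr/lib/x86_64-linux-gnu/lightdm-remote-session-freerdp/freerdp-session",
    "/usr/share/lightdm-remote-session-uccsconfigure/uccsconfigure-session",
]

GLOB_TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}

def aa_glob_to_regex(glob):
    """AppArmor glob -> regex. Assumes ',' only occurs inside {a,b}; [] is not handled."""
    return re.compile(re.sub(r"\*\*|[*?{},]|[^*?{},]+",
                             lambda m: GLOB_TOKENS.get(m.group(), re.escape(m.group())), glob))

def attachments(profile_text):
    """Yield the attachment glob of each top-level profile header."""
    depth = 0
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0 and line.endswith("{"):
            tokens = [t for t in line[:-1].split()
                      if t != "profile" and not t.startswith("flags=")]
            paths = [t for t in tokens if t.startswith("/")]
            if paths:
                yield paths[-1]
        depth += line.count("{") - line.count("}")  # skip rules and child profiles

def unconfined(binaries, profile_text):
    """Return the binaries that no profile attachment matches by name."""
    patterns = [aa_glob_to_regex(g) for g in attachments(profile_text)]
    return [b for b in binaries if not any(p.fullmatch(b) for p in patterns)]
```

This compares names against profile text only; on a running system the profiles actually loaded into the kernel decide what is confined.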