diff options
| author | Ted Gould <ted@gould.cx> | 2012-09-17 22:18:41 +0000 |
|---|---|---|
| committer | Tarmac <Unknown> | 2012-09-17 22:18:41 +0000 |
| commit | 50fc3e1d4000f7e41e7614a0aa956df64a51dee9 (patch) | |
| tree | 5ef8a24ba341115233f5f1148b6a7897700adb32 | |
| parent | 276b4b85ed116522bd2657098c2f40ca836ca6bc (diff) | |
| parent | be67082d7c0646eb5a69dc8720952ea6099e93a1 (diff) | |
| download | lightdm-remote-session-freerdp2-50fc3e1d4000f7e41e7614a0aa956df64a51dee9.tar.gz lightdm-remote-session-freerdp2-50fc3e1d4000f7e41e7614a0aa956df64a51dee9.tar.bz2 lightdm-remote-session-freerdp2-50fc3e1d4000f7e41e7614a0aa956df64a51dee9.zip | |
Add an apparmor profile. Fixes: https://bugs.launchpad.net/bugs/1049849. Approved by jenkins.
| -rw-r--r-- | Makefile.am | 25 | ||||
| -rw-r--r-- | freerdp-session-wrapper.c | 32 | ||||
| -rw-r--r-- | freerdp.desktop.in | 4 | ||||
| -rw-r--r-- | lightdm-remote-session-freerdp.in | 71 |
4 files changed, 126 insertions, 6 deletions
diff --git a/Makefile.am b/Makefile.am index bf4b300..44c2938 100644 --- a/Makefile.am +++ b/Makefile.am @@ -10,7 +10,7 @@ lightdm_session_DATA = \ %.desktop: %.desktop.in @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@ -session_startdir = $(pkglibexecdir) +session_startdir = $(pkgdatadir) session_start_SCRIPTS = \ freerdp-session @@ -18,8 +18,17 @@ freerdp-session: freerdp-session.in @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@ @chmod +x $@ +apparmordir = $(sysconfdir)/apparmor.d/ +apparmor_DATA = \ + lightdm-remote-session-freerdp + +lightdm-remote-session-freerdp: lightdm-remote-session-freerdp.in + @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@ + pkglibexec_PROGRAMS = \ - socket-sucker + socket-sucker \ + freerdp-session-wrapper + socket_sucker_SOURCES = \ socket-sucker.c socket_sucker_CFLAGS = \ @@ -28,14 +37,22 @@ socket_sucker_CFLAGS = \ socket_sucker_LDFLAGS = \ -pie +freerdp_session_wrapper_SOURCES = \ + freerdp-session-wrapper.c +freerdp_session_wrapper_CFLAGS = \ + -DPKGDATADIR="\"$(pkgdatadir)\"" \ + -Wall -Werror + EXTRA_DIST = \ $(pam_session_DATA) \ freerdp.desktop.in \ - freerdp-session.in + freerdp-session.in \ + lightdm-remote-session-freerdp.in CLEANFILES = \ freerdp.desktop \ - freerdp-session + freerdp-session \ + lightdm-remote-session-freerdp DISTCHECK_CONFIGURE_FLAGS = --enable-localinstall diff --git a/freerdp-session-wrapper.c b/freerdp-session-wrapper.c new file mode 100644 index 0000000..8c31fab --- /dev/null +++ b/freerdp-session-wrapper.c @@ -0,0 +1,32 @@ +/* + * Copyright © 2012 Canonical Ltd. + * + * This program is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 3, as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranties of + * MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see <http://www.gnu.org/licenses/>. + * + * Author: Ted Gould <ted@canonical.com> + */ + +#include <stdlib.h> +#include <unistd.h> + +int +main (int argc, char * argv[]) +{ + char * args[2]; + args[0] = PKGDATADIR "/freerdp-session"; + args[1] = NULL; + + execvp(args[0], args); + + return 0; +} diff --git a/freerdp.desktop.in b/freerdp.desktop.in index 6ff4975..6eb26d4 100644 --- a/freerdp.desktop.in +++ b/freerdp.desktop.in @@ -1,8 +1,8 @@ [Desktop Entry] Name=FreeRDP Comment=Full Screen RDP session -Exec=@pkglibexecdir@/freerdp-session -TryExec=@pkglibexecdir@/freerdp-session +Exec=@pkglibexecdir@/freerdp-session-wrapper +TryExec=@pkglibexecdir@/freerdp-session-wrapper Icon= Type=Application X-LightDM-PAM-Service=lightdm-remote-freerdp diff --git a/lightdm-remote-session-freerdp.in b/lightdm-remote-session-freerdp.in new file mode 100644 index 0000000..38772f2 --- /dev/null +++ b/lightdm-remote-session-freerdp.in @@ -0,0 +1,71 @@ +# vim:syntax=apparmor +# Profile for restricting lightdm remote session for FreeRDP +# Based on the Guest Account Apparmor script from: +# Author: Martin Pitt <martin.pitt@ubuntu.com> + +#include <tunables/global> + +@pkglibexecdir@/freerdp-session-wrapper { + #include <abstractions/authentication> + #include <abstractions/nameservice> + #include <abstractions/wutmp> + /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678 + + / r, + /bin/ rmix, + /bin/fusermount Px, + /bin/** rmix, + /cdrom/ rmix, + /cdrom/** rmix, + /dev/ r, + /dev/** rmw, # audio devices etc. + owner /dev/shm/** rmw, + /etc/ r, + /etc/** rmk, + /etc/gdm/Xsession ix, + /lib/ r, + /lib/** rmixk, + /lib32/ r, + /lib32/** rmixk, + /lib64/ r, + /lib64/** rmixk, + owner /media/ r, + owner /media/** rmwlixk, # we want access to USB sticks and the like + /opt/ r, + /opt/** rmixk, + @{PROC}/ r, + @{PROC}/* rm, + @{PROC}/asound rm, + @{PROC}/asound/** rm, + @{PROC}/ati rm, + @{PROC}/ati/** rm, + owner @{PROC}/** rm, + # needed for gnome-keyring-daemon + @{PROC}/*/status r, + /sbin/ r, + /sbin/** rmixk, + /sys/ r, + /sys/** rm, + /tmp/ rw, + owner /tmp/** rwlkmix, + /usr/ r, + /usr/** rmixk, + /var/ r, + /var/** rmixk, + /var/guest-data/** rw, # allow to store files permanently + /var/tmp/ rw, + owner /var/tmp/** rwlkm, + /{,var/}run/ r, + # necessary for writing to sockets, etc. + /{,var/}run/** rmkix, + /{,var/}run/shm/** wl, + + capability ipc_lock, + + # silence warnings for stuff that we really don't want to grant + deny capability dac_override, + deny capability dac_read_search, + #deny /etc/** w, # re-enable once LP#697678 is fixed + deny /usr/** w, + deny /var/crash/ w, +} |