From 4bec90c9ecbc83cc4f3f9ce9cf02510aafb52a35 Mon Sep 17 00:00:00 2001 From: Mike Gabriel Date: Thu, 16 Jan 2025 08:16:35 +0100 Subject: Drop FreeRDP version semantics for the project, prepare for FreeRDPv3. --- Makefile.am | 36 ++++++------ README.md | 8 +-- configure.ac | 2 +- debian/changelog | 7 +++ debian/compat | 1 - debian/control | 24 ++++---- debian/copyright | 20 +++---- debian/lightdm-remote-session-freerdp.default | 1 + debian/lightdm-remote-session-freerdp2.default | 1 - debian/rules | 8 ++- freerdp-session-wrapper.c | 33 +++++++++++ freerdp-session.in | 75 ++++++++++++++++++++++++ freerdp.desktop.in | 8 +++ freerdp2-session-wrapper.c | 32 ---------- freerdp2-session.in | 75 ------------------------ freerdp2.desktop.in | 8 --- lightdm-remote-freerdp | 7 +++ lightdm-remote-freerdp2 | 7 --- lightdm-remote-session-freerdp.default | 4 ++ lightdm-remote-session-freerdp.in | 81 ++++++++++++++++++++++++++ lightdm-remote-session-freerdp2.default | 4 -- lightdm-remote-session-freerdp2.in | 81 -------------------------- 22 files changed, 265 insertions(+), 258 deletions(-) delete mode 100644 debian/compat create mode 120000 debian/lightdm-remote-session-freerdp.default delete mode 120000 debian/lightdm-remote-session-freerdp2.default create mode 100644 freerdp-session-wrapper.c create mode 100755 freerdp-session.in create mode 100644 freerdp.desktop.in delete mode 100644 freerdp2-session-wrapper.c delete mode 100755 freerdp2-session.in delete mode 100644 freerdp2.desktop.in create mode 100644 lightdm-remote-freerdp delete mode 100644 lightdm-remote-freerdp2 create mode 100644 lightdm-remote-session-freerdp.default create mode 100644 lightdm-remote-session-freerdp.in delete mode 100644 lightdm-remote-session-freerdp2.default delete mode 100644 lightdm-remote-session-freerdp2.in diff --git a/Makefile.am b/Makefile.am index e5eadaa..3fc1058 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -1,52 +1,52 @@ pam_sessiondir = $(sysconfdir)/pam.d/ pam_session_DATA = \ - lightdm-remote-freerdp2 + lightdm-remote-freerdp lightdm_sessiondir = $(datadir)/lightdm/remote-sessions lightdm_session_DATA = \ - freerdp2.desktop + freerdp.desktop %.desktop: %.desktop.in @sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@ session_startdir = $(pkgdatadir) session_start_SCRIPTS = \ - freerdp2-session + freerdp-session -freerdp2-session: freerdp2-session.in +freerdp-session: freerdp-session.in @sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@ @chmod +x $@ apparmordir = $(sysconfdir)/apparmor.d/ apparmor_DATA = \ - lightdm-remote-session-freerdp2 + lightdm-remote-session-freerdp -lightdm-remote-session-freerdp2: lightdm-remote-session-freerdp2.in +lightdm-remote-session-freerdp: lightdm-remote-session-freerdp.in @sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@ libexec_PROGRAMS = \ - freerdp2-session-wrapper + freerdp-session-wrapper -freerdp2_session_wrapper_SOURCES = \ - freerdp2-session-wrapper.c -freerdp2_session_wrapper_CFLAGS = \ +freerdp_session_wrapper_SOURCES = \ + freerdp-session-wrapper.c +freerdp_session_wrapper_CFLAGS = \ -DPKGDATADIR="\"$(pkgdatadir)\"" \ -Wall -Werror -freerdp2_known_hosts2dir = $(sysconfdir)/arctica-greeter/guest-session/skel/.config/freerdp/ -freerdp2_known_hosts2_DATA = \ +freerdp_known_hosts2dir = $(sysconfdir)/arctica-greeter/guest-session/skel/.config/freerdp/ +freerdp_known_hosts2_DATA = \ known_hosts2 EXTRA_DIST = \ $(pam_session_DATA) \ - freerdp2.desktop.in \ - freerdp2-session.in \ - lightdm-remote-session-freerdp2.in + freerdp.desktop.in \ + freerdp-session.in \ + lightdm-remote-session-freerdp.in CLEANFILES = \ - freerdp2.desktop \ - freerdp2-session \ - lightdm-remote-session-freerdp2 + freerdp.desktop \ + freerdp-session \ + lightdm-remote-session-freerdp DISTCHECK_CONFIGURE_FLAGS = --enable-localinstall diff --git a/README.md b/README.md index 6ea4f2d..abc1ebb 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # LightDM (Arctica Greeter) Remote Logon: FreeRDP(2) # Configuration for LightDM / Arctica Greeter to launch remote FreeRDP -sessions using FreeRDPv2. +sessions using FreeRDPv2/FreeRDPv3. This code project was originally started by Canonical Ltd. and has been adapted by various authors with the purpose of making Remote Logon @@ -22,10 +22,10 @@ For this Remote Logon Add-on to work, you have to populate with your RDP servers' host keys. Otherwise, logins will fail. -Alternatively, add the /cert-ignore option to the set of FREERDP2_OPTIONS -in /etc/default/lightdm-remote-session-freerdp2. +Alternatively, add the /cert-ignore option to the set of FREERDP_OPTIONS +in /etc/default/lightdm-remote-session-freerdp. ## Limitations / Known Issues * Sound not working, yet - * Usernames containig blanks are not supported. \ No newline at end of file + * Usernames containig blanks are not supported. diff --git a/configure.ac b/configure.ac index ec28bf4..6ab8c87 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([lightdm-remote-session-freerdp2], [2.0.0]) +AC_INIT([lightdm-remote-session-freerdp], [3.0.0]) AM_INIT_AUTOMAKE([1.11 -Wno-portability]) AM_SILENT_RULES([yes]) diff --git a/debian/changelog b/debian/changelog index 0415600..4279554 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lightdm-remote-session-freerdp (3.0.0-0) UNRELEASED; urgency=low + + * Upstream-provided Debian package for lightdm-remote-session-freerdp. + See upstream ChangeLog for recent changes. + + -- Mike Gabriel Thu, 16 Jan 2024 08:11:29 +0100 + lightdm-remote-session-freerdp2 (2.0.0-0) unstable; urgency=low * Upstream-provided Debian package for lightdm-remote-session-freerdp2. diff --git a/debian/compat b/debian/compat deleted file mode 100644 index ec63514..0000000 --- a/debian/compat +++ /dev/null @@ -1 +0,0 @@ -9 diff --git a/debian/control b/debian/control index d20bbf9..5774b55 100644 --- a/debian/control +++ b/debian/control 
@@ -1,32 +1,30 @@ -Source: lightdm-remote-session-freerdp2 +Source: lightdm-remote-session-freerdp Section: misc Priority: optional Maintainer: Artica Project Uploaders: Mike Gabriel Build-Depends: - debhelper (>= 9), + debhelper-compat (= 12), dh-apparmor, - cdbs, - dh-autoreconf, -Standards-Version: 4.1.1 -Homepage: http://github.com/ArcticaProject/lightdm-remote-session-freerdp2 -Vcs-Git: https://github.com/ArcticaProject/lightdm-remote-session-freerdp2/ -Vcs-Browser: https://github.com/ArcticaProject/lightdm-remote-session-freerdp2/ +Standards-Version: 4.7.0 +Homepage: http://github.com/ArcticaProject/lightdm-remote-session-freerdp +Vcs-Git: https://github.com/ArcticaProject/lightdm-remote-session-freerdp/ +Vcs-Browser: https://github.com/ArcticaProject/lightdm-remote-session-freerdp/ -Package: lightdm-remote-session-freerdp2 +Package: lightdm-remote-session-freerdp Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, socat, zenity, - freerdp2-x11 (>= 2~), - libpam-freerdp2, + freerdp3-x11 (>= 2~) | freerdp2-x11 (>= 2~), + libpam-freerdp, lightdm (>= 1.3.3-0~), socat, Suggests: apparmor, Description: Log into RDP sessions via LightDM - The configuration files needed and scripts required to login - to a full screen RDP session using LightDM and FreeRDPv2. + The configuration files needed and scripts required to login to a full + screen RDP session using LightDM and FreeRDPv2/FreeRDPv3. diff --git a/debian/copyright b/debian/copyright index 5af86cf..6f7154b 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,7 +1,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ -Upstream-Name: lightdm-remote-session-freerdp2 +Upstream-Name: lightdm-remote-session-freerdp Upstream-Contact: Mike Gabriel -Source: https://github.com/ArcticaProject/lightdm-remote-session-freerdp2 +Source: https://github.com/ArcticaProject/lightdm-remote-session-freerdp Files: AUTHORS ChangeLog 
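Review bot: The new alternative `freerdp3-x11 (>= 2~) | freerdp2-x11 (>= 2~)` lets the package install with only the FreeRDP 3 client, but freerdp-session (added later in this commit) still runs `/usr/bin/xfreerdp`. If freerdp3-x11 installs its client under a versioned name, the session would fail at login on such a system. The script would need to probe for the available binary, or the dependency should stay on freerdp2-x11 until it does. The `(>= 2~)` bound on freerdp3-x11 is always satisfied and can be dropped, and `socat` is listed twice in Depends.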
@@ -10,26 +10,26 @@ Files: AUTHORS README.md autogen.sh configure.ac - lightdm-remote-session-freerdp2.in - lightdm-remote-freerdp2 - freerdp2.desktop.in + lightdm-remote-session-freerdp.in + lightdm-remote-freerdp + freerdp.desktop.in Copyright: 2012, Canonical Ltd. - 2017, Mike Gabriel + 2018-2024, Mike Gabriel License: GPL-3 Comment: Using license and copyright holders as found in code files. -Files: freerdp2-session-wrapper.c - freerdp2-session.in +Files: freerdp-session-wrapper.c + freerdp-session.in socket-sucker.c Copyright: 2012, Canonical Ltd. - 2017, Mike Gabriel + 2018-2024, Mike Gabriel License: GPL-3 Files: debian/* Copyright: 2012, Canonical Ltd. - 2017, Mike Gabriel + 2017-2024, Mike Gabriel License: GPL-3 License: GPL-3 diff --git a/debian/lightdm-remote-session-freerdp.default b/debian/lightdm-remote-session-freerdp.default new file mode 120000 index 0000000..90ef79f --- /dev/null +++ b/debian/lightdm-remote-session-freerdp.default @@ -0,0 +1 @@ +../lightdm-remote-session-freerdp.default \ No newline at end of file diff --git a/debian/lightdm-remote-session-freerdp2.default b/debian/lightdm-remote-session-freerdp2.default deleted file mode 120000 index 6e11e26..0000000 --- a/debian/lightdm-remote-session-freerdp2.default +++ /dev/null @@ -1 +0,0 @@ -../lightdm-remote-session-freerdp2.default \ No newline at end of file diff --git a/debian/rules b/debian/rules index 4edf62f..657234c 100755 --- a/debian/rules +++ b/debian/rules @@ -1,5 +1,7 @@ #!/usr/bin/make -f -include /usr/share/cdbs/1/rules/debhelper.mk -include /usr/share/cdbs/1/rules/autoreconf.mk -include /usr/share/cdbs/1/class/autotools.mk +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +%: + dh $@ diff --git a/freerdp-session-wrapper.c b/freerdp-session-wrapper.c new file mode 100644 index 0000000..ccb3026 --- /dev/null +++ b/freerdp-session-wrapper.c 
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2012 Canonical Ltd.
+ * Copyirhgt (C) 2018-2024 Mike Gabriel
+ *
+ * This program is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 3, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranties of
+ * MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see .
+ *
+ * Author: Ted Gould
+ */
+
+#include
+#include
+
+int
+main (int __attribute__((unused)) argc, char __attribute__((unused)) *argv[])
+{
+ char * args[2];
+ args[0] = PKGDATADIR "/freerdp-session";
+ args[1] = NULL;
+
+ execvp(args[0], args);
+
+ return 0;
+}
diff --git a/freerdp-session.in b/freerdp-session.in
new file mode 100755
index 0000000..a438ffa
--- /dev/null
+++ b/freerdp-session.in
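Review bot: A failed `execvp()` falls through to `return 0;`, so the wrapper reports success to its caller when PKGDATADIR "/freerdp-session" is missing or not executable, and nothing is logged. Returning a non-zero status after the call, for example `perror(args[0]); return 127;`, would make the failure diagnosable; this needs `<stdio.h>`, and the header names on the two `#include` lines are not visible in this rendering. Because args[0] is an absolute path, `execv()` would state the intent more precisely than `execvp()`, which only consults PATH for names without a slash. The header comment also spells "Copyright" as "Copyirhgt".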
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2018-2024 Mike Gabriel
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 3, as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranties of
+# MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see .
+#
+# Author: Mike Gabriel
+# Author lightdm-remote-session-freerdp (where we forked from): Ted Gould
+#
+
+NULL=
+FREERDP_OPTIONS=""
+
+if [ -f /etc/default/lightdm-remote-session-freerdp ]; then
+ . /etc/default/lightdm-remote-session-freerdp
+fi
+
+socket="$HOME/.freerdp-socket";
+if [ -e "$socket" ]; then
+ AUTH_INFO="$(socat unix-connect:"$socket" -)"
+ AUTH_INFO_USER=$(echo "$AUTH_INFO" | awk '{ print $1 }')
+ AUTH_INFO_PASSWORD=$(echo "$AUTH_INFO" | awk '{ print $2 }')
+ AUTH_INFO_DOMAIN=$(echo "$AUTH_INFO" | awk '{ print $3 }')
+ AUTH_INFO_HOST=$(echo "$AUTH_INFO" | awk '{ print $4 }')
+
+ # FIXME: it seems, pulseaudio is not started at this point for the guest user
+ # However, launching it here with pulseaudio -D feels wrong in the age of systemd
+
+ # give the RDP server a little bit of time to recover from libpam-freerdp's freerdp-auth-check test connect.
+ sleep 1
+
+ FREERDP_OPTIONS="/f \
+ /v:"${AUTH_INFO_HOST}" \
+ /u:"${AUTH_INFO_USER}" \
+ /d:"${AUTH_INFO_DOMAIN}" \
+ /from-stdin \
+ -toggle-fullscreen \
+ ${FREERDP_OPTIONS} \
+ ${NULL}"
+
+ logger -t $(basname $0) "xfreerdp called with options: ${FREERDP_OPTIONS}."
+
+
+ # FIXME: get audio working... add /sound:sys:pulse to xfreerdp cmdline args...
+ echo "$AUTH_INFO_PASSWORD" | /usr/bin/xfreerdp ${FREERDP_OPTIONS} 2>&1 \
+ | logger -t lightdm-remote-session-freerdp -- \
+ ${NULL} &
+
+ unset AUTH_INFO_PASSWORD
+
+ # wait for another second to give the xfreerdp process to settle in process list
+ sleep 1
+
+ USERID=$(id -u)
+ wait $(pgrep -u ${USERID} xfreerdp)
+
+ # FIXME: possibly stop pulseaudio here with -k again (we have seen permissioned denied warnings, when doing this. Better approaches?)
+
+else
+ zenity --warning --text="Unable to locate FreeRDP socket"
+fi;
+
+rm -f "$socket"
diff --git a/freerdp.desktop.in b/freerdp.desktop.in
new file mode 100644
index 0000000..27b1b5a
--- /dev/null
+++ b/freerdp.desktop.in
@@ -0,0 +1,8 @@
+[Desktop Entry]
+Name=FreeRDP
+Comment=Full Screen RDP session
+Exec=@libexecdir@/freerdp-session-wrapper
+TryExec=@libexecdir@/freerdp-session-wrapper
+Icon=
+Type=Application
+X-LightDM-PAM-Service=lightdm-remote-freerdp
diff --git a/freerdp2-session-wrapper.c b/freerdp2-session-wrapper.c
deleted file mode 100644
index 7b5c320..0000000
--- a/freerdp2-session-wrapper.c
+++ /dev/null
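Review bot: The four `awk '{ print $N }'` extractions in freerdp-session.in split AUTH_INFO on whitespace, so a password containing a blank is truncated and shifts the fields after it; the rest of the password would then end up in `/d:` or `/v:`, which are passed on the xfreerdp command line and written to syslog by the `logger` call. A separator that cannot occur in any value would avoid this, but the format is set by whatever writes to the socket, which this hunk does not show. The `logger` line calls `basname` instead of `basename`, so the substitution yields nothing and `-t` takes the message as its tag; `logger -t "$(basename "$0")"` is the intended form. `${FREERDP_OPTIONS}` is also expanded unquoted on the xfreerdp line, so values read from the socket undergo pathname expansion; collecting the arguments in a bash array and passing `"${opts[@]}"` would keep each value one word.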
@@ -1,32 +0,0 @@
-/*
- * Copyright © 2012 Canonical Ltd.
- *
- * This program is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 3, as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranties of
- * MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
- * PURPOSE. See the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program. If not, see .
- *
- * Author: Ted Gould
- */
-
-#include
-#include
-
-int
-main (int __attribute__((unused)) argc, char __attribute__((unused)) *argv[])
-{
- char * args[2];
- args[0] = PKGDATADIR "/freerdp2-session";
- args[1] = NULL;
-
- execvp(args[0], args);
-
- return 0;
-}
diff --git a/freerdp2-session.in b/freerdp2-session.in
deleted file mode 100755
index 571330f..0000000
--- a/freerdp2-session.in
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/bin/bash
-
-#
-# Copyright © 2018 Mike Gabriel
-# Copyright © 2012 Canonical Ltd.
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 3, as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranties of
-# MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
-# PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see .
-#
-# Author: Mike Gabriel
-# Author lightdm-remote-session-freerdp (where we forked from): Ted Gould
-#
-
-NULL=
-FREERDP2_OPTIONS=""
-
-if [ -f /etc/default/lightdm-remote-session-freerdp2 ]; then
- . /etc/default/lightdm-remote-session-freerdp2
-fi
-
-socket="$HOME/.freerdp2-socket";
-if [ -e "$socket" ]; then
- AUTH_INFO="$(socat unix-connect:"$socket" -)"
- AUTH_INFO_USER=$(echo "$AUTH_INFO" | awk '{ print $1 }')
- AUTH_INFO_PASSWORD=$(echo "$AUTH_INFO" | awk '{ print $2 }')
- AUTH_INFO_DOMAIN=$(echo "$AUTH_INFO" | awk '{ print $3 }')
- AUTH_INFO_HOST=$(echo "$AUTH_INFO" | awk '{ print $4 }')
-
- # FIXME: it seems, pulseaudio is not started at this point for the guest user
- # However, launching it here with pulseaudio -D feels wrong in the age of systemd
-
- # give the RDP server a little bit of time to recover from libpam-freerdp2's freerdp2-auth-check test connect.
- sleep 1
-
- FREERDP2_OPTIONS="/f \
- /v:"${AUTH_INFO_HOST}" \
- /u:"${AUTH_INFO_USER}" \
- /d:"${AUTH_INFO_DOMAIN}" \
- /from-stdin \
- -toggle-fullscreen \
- ${FREERDP2_OPTIONS} \
- ${NULL}"
-
- logger -t $(basname $0) "xfreerdp called with options: ${FREERDP_OPTIONS}."
-
-
- # FIXME: get audio working... add /sound:sys:pulse to xfreerdp cmdline args...
- echo "$AUTH_INFO_PASSWORD" | /usr/bin/xfreerdp ${FREERDP_OPTIONS} 2>&1 \
- | logger -t lightdm-remote-session-freerdp2 -- \
- ${NULL} &
-
- unset AUTH_INFO_PASSWORD
-
- # wait for another second to give the xfreerdp process to settle in process list
- sleep 1
-
- USERID=$(id -u)
- wait $(pgrep -u ${USERID} xfreerdp)
-
- # FIXME: possibly stop pulseaudio here with -k again (we have seen permissioned denied warnings, when doing this. Better approaches?)
-
-else
- zenity --warning --text="Unable to locate FreeRDP socket"
-fi;
-
-rm -f "$socket"
diff --git a/freerdp2.desktop.in b/freerdp2.desktop.in
deleted file mode 100644
index 28c8076..0000000
--- a/freerdp2.desktop.in
+++ /dev/null
@@ -1,8 +0,0 @@
-[Desktop Entry]
-Name=FreeRDP
-Comment=Full Screen RDP session
-Exec=@libexecdir@/freerdp2-session-wrapper
-TryExec=@libexecdir@/freerdp2-session-wrapper
-Icon=
-Type=Application
-X-LightDM-PAM-Service=lightdm-remote-freerdp2
diff --git a/lightdm-remote-freerdp b/lightdm-remote-freerdp
new file mode 100644
index 0000000..d79bc2e
--- /dev/null
+++ b/lightdm-remote-freerdp
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth requisite pam_nologin.so
+auth required pam_env.so readenv=1
+auth required pam_env.so readenv=1 envfile=/etc/default/locale
+auth required pam_freerdp.so
+session required pam_limits.so
+session required pam_freerdp.so
diff --git a/lightdm-remote-freerdp2 b/lightdm-remote-freerdp2
deleted file mode 100644
index fb0d36f..0000000
--- a/lightdm-remote-freerdp2
+++ /dev/null
@@ -1,7 +0,0 @@
-#%PAM-1.0
-auth requisite pam_nologin.so
-auth required pam_env.so readenv=1
-auth required pam_env.so readenv=1 envfile=/etc/default/locale
-auth required pam_freerdp2.so
-session required pam_limits.so
-session required pam_freerdp2.so
diff --git a/lightdm-remote-session-freerdp.default b/lightdm-remote-session-freerdp.default
new file mode 100644
index 0000000..5de709c
--- /dev/null
+++ b/lightdm-remote-session-freerdp.default
@@ -0,0 +1,4 @@
+### lightdm-remote-session-freerdp: Tweak the default behaviour.
+
+# Ignore host keys and allow connections to any RDP server (uncomment to have it set)
+#FREERDP_OPTIONS+=" /cert-ignore"
diff --git a/lightdm-remote-session-freerdp.in b/lightdm-remote-session-freerdp.in
new file mode 100644
index 0000000..b597f94
--- /dev/null
+++ b/lightdm-remote-session-freerdp.in
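Review bot: The comment above `#FREERDP_OPTIONS+=" /cert-ignore"` says what the option does but not what it costs: with certificate checking off, the credentials typed at the greeter are sent to whichever host answers on the server's address. I would extend the comment, e.g. `# Disables server certificate verification, so the login can be intercepted; prefer adding the server's key to known_hosts2.` The README makes the same "alternatively" suggestion and would benefit from the same caveat.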
@@ -0,0 +1,81 @@
+# vim:syntax=apparmor
+# Profile for restricting lightdm remote session for FreeRDP
+# Based on the Guest Account Apparmor script from:
+# Author: Martin Pitt
+
+#include
+
+@libexecdir@/freerdp-session-wrapper {
+ #include
+ #include
+ #include
+ /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
+
+ / r,
+ /bin/ rmix,
+ /{,usr/}bin/fusermount Px,
+ /bin/** rmix,
+ /cdrom/ rmix,
+ /cdrom/** rmix,
+ /dev/ r,
+ /dev/** rmw, # audio devices etc.
+ owner /dev/shm/** rmw,
+ /etc/ r,
+ /etc/** rmk,
+ /etc/gdm/Xsession ix,
+ /lib/ r,
+ /lib/** rmixk,
+ /lib32/ r,
+ /lib32/** rmixk,
+ /lib64/ r,
+ /lib64/** rmixk,
+ owner /media/ r,
+ owner /media/** rmwlixk, # we want access to USB sticks and the like
+ /opt/ r,
+ /opt/** rmixk,
+ @{PROC}/ r,
+ @{PROC}/* rm,
+ @{PROC}/asound rm,
+ @{PROC}/asound/** rm,
+ @{PROC}/ati rm,
+ @{PROC}/ati/** rm,
+ owner @{PROC}/** rm,
+ # needed for gnome-keyring-daemon
+ @{PROC}/*/status r,
+ /sbin/ r,
+ /sbin/** rmixk,
+ /sys/ r,
+ /sys/** rm,
+ /tmp/ rw,
+ owner /tmp/** rwlkmix,
+ /usr/ r,
+ /usr/** rmixk,
+ /var/ r,
+ /var/** rmixk,
+ /var/guest-data/** rw, # allow to store files permanently
+ /var/tmp/ rw,
+ owner /var/tmp/** rwlkm,
+ /{,var/}run/ r,
+ # necessary for writing to sockets, etc.
+ /{,var/}run/** rmkix,
+ /{,var/}run/shm/** wl,
+ /run/systemd/journal/dev-log w,
+ /tmp/**/.x2go-socket r,
+ /tmp/.X11-unix/X[0-9]* wr,
+ /run/uuidd/request w,
+ /proc/sys/kernel/ngroups_max r,
+
+ network,
+
+ dbus(send) bus=session,
+ dbus(send, receive) bus=accessibility,
+
+ capability ipc_lock,
+
+ # silence warnings for stuff that we really don't want to grant
+ deny capability dac_override,
+ deny capability dac_read_search,
+ #deny /etc/** w, # re-enable once LP#697678 is fixed
+ deny /usr/** w,
+ deny /var/crash/ w,
+}
diff --git a/lightdm-remote-session-freerdp2.default b/lightdm-remote-session-freerdp2.default
deleted file mode 100644
index 32dfcd5..0000000
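Review bot: The rule `/dev/** rmw,` grants read, mmap and write on every device node without an `owner` qualifier, although its own comment names only audio devices; with `network,` also unrestricted, the profile confines little beyond what file permissions already enforce. Narrowing the rule to the device paths the session actually opens would make the confinement meaningful. The rule `/tmp/**/.x2go-socket r,` appears to be a leftover from another remote-session profile. freerdp-session reads its credentials from `$HOME/.freerdp-socket`, and no rule in this hunk names that path; the `#include` targets are not visible in this rendering, so an abstraction may cover it.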
--- a/lightdm-remote-session-freerdp2.default
+++ /dev/null
@@ -1,4 +0,0 @@
-### lightdm-remote-session-freerdp2: Tweak the default behaviour.
-
-# Ignore host keys and allow connections to any RDP server (uncomment to have it set)
-#FREERDP2_OPTIONS+=" /cert-ignore"
diff --git a/lightdm-remote-session-freerdp2.in b/lightdm-remote-session-freerdp2.in
deleted file mode 100644
index 9121afe..0000000
--- a/lightdm-remote-session-freerdp2.in
+++ /dev/null
@@ -1,81 +0,0 @@
-# vim:syntax=apparmor
-# Profile for restricting lightdm remote session for FreeRDP
-# Based on the Guest Account Apparmor script from:
-# Author: Martin Pitt
-
-#include
-
-@libexecdir@/freerdp2-session-wrapper {
- #include
- #include
- #include
- /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
-
- / r,
- /bin/ rmix,
- /{,usr/}bin/fusermount Px,
- /bin/** rmix,
- /cdrom/ rmix,
- /cdrom/** rmix,
- /dev/ r,
- /dev/** rmw, # audio devices etc.
- owner /dev/shm/** rmw,
- /etc/ r,
- /etc/** rmk,
- /etc/gdm/Xsession ix,
- /lib/ r,
- /lib/** rmixk,
- /lib32/ r,
- /lib32/** rmixk,
- /lib64/ r,
- /lib64/** rmixk,
- owner /media/ r,
- owner /media/** rmwlixk, # we want access to USB sticks and the like
- /opt/ r,
- /opt/** rmixk,
- @{PROC}/ r,
- @{PROC}/* rm,
- @{PROC}/asound rm,
- @{PROC}/asound/** rm,
- @{PROC}/ati rm,
- @{PROC}/ati/** rm,
- owner @{PROC}/** rm,
- # needed for gnome-keyring-daemon
- @{PROC}/*/status r,
- /sbin/ r,
- /sbin/** rmixk,
- /sys/ r,
- /sys/** rm,
- /tmp/ rw,
- owner /tmp/** rwlkmix,
- /usr/ r,
- /usr/** rmixk,
- /var/ r,
- /var/** rmixk,
- /var/guest-data/** rw, # allow to store files permanently
- /var/tmp/ rw,
- owner /var/tmp/** rwlkm,
- /{,var/}run/ r,
- # necessary for writing to sockets, etc.
- /{,var/}run/** rmkix,
- /{,var/}run/shm/** wl,
- /run/systemd/journal/dev-log w,
- /tmp/**/.x2go-socket r,
- /tmp/.X11-unix/X[0-9]* wr,
- /run/uuidd/request w,
- /proc/sys/kernel/ngroups_max r,
-
- network,
-
- dbus(send) bus=session,
- dbus(send, receive) bus=accessibility,
-
- capability ipc_lock,
-
- # silence warnings for stuff that we really don't want to grant
- deny capability dac_override,
- deny capability dac_read_search,
- #deny /etc/** w, # re-enable once LP#697678 is fixed
- deny /usr/** w,
- deny /var/crash/ w,
-}
-- cgit v1.2.3