-- cgit v1.2.3 From 27eb25f42c3f3d0780e03881f8899e0df61d7a84 Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Fri, 14 Sep 2012 15:45:53 -0500 Subject: Adding in the apparmor profile --- Makefile.am | 13 +++++-- lightdm-remote-session-freerdp.in | 71 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+), 2 deletions(-) create mode 100644 lightdm-remote-session-freerdp.in diff --git a/Makefile.am b/Makefile.am index bf4b300..1af5934 100644 --- a/Makefile.am +++ b/Makefile.am @@ -18,6 +18,13 @@ freerdp-session: freerdp-session.in @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@ @chmod +x $@ +apparmordir = $(sysconfdir)/apparmor.d/ +apparmor_DATA = \ + lightdm-remote-session-freerdp + +lightdm-remote-session-freerdp: lightdm-remote-session-freerdp.in + @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@ + pkglibexec_PROGRAMS = \ socket-sucker socket_sucker_SOURCES = \ @@ -31,11 +38,13 @@ socket_sucker_LDFLAGS = \ EXTRA_DIST = \ $(pam_session_DATA) \ freerdp.desktop.in \ - freerdp-session.in + freerdp-session.in \ + lightdm-remote-session-freerdp.in CLEANFILES = \ freerdp.desktop \ - freerdp-session + freerdp-session \ + lightdm-remote-session-freerdp DISTCHECK_CONFIGURE_FLAGS = --enable-localinstall diff --git a/lightdm-remote-session-freerdp.in b/lightdm-remote-session-freerdp.in new file mode 100644 index 0000000..38772f2 --- /dev/null +++ b/lightdm-remote-session-freerdp.in 
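Review bot: The new `lightdm-remote-session-freerdp` rule redirects sed straight into `$@`, so a failed or interrupted sed leaves an empty or partial profile that make treats as up to date and `apparmor_DATA` then installs. The profile's attachment path comes from this substitution, so a truncated file would most likely mean the profile is not loaded and the session starts unconfined with nothing reporting it. Writing to a temporary name first avoids that: `@sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@.tmp && mv -f $@.tmp $@`. The existing freerdp-session rule in the context lines has the same shape and could be changed the same way.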
@@ -0,0 +1,71 @@
+# vim:syntax=apparmor
+# Profile for restricting lightdm remote session for FreeRDP
+# Based on the Guest Account Apparmor script from:
+# Author: Martin Pitt
+
+#include
+
+@pkglibexecdir@/freerdp-session-wrapper {
+ #include
+ #include
+ #include
+ /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
+
+ / r,
+ /bin/ rmix,
+ /bin/fusermount Px,
+ /bin/** rmix,
+ /cdrom/ rmix,
+ /cdrom/** rmix,
+ /dev/ r,
+ /dev/** rmw, # audio devices etc.
+ owner /dev/shm/** rmw,
+ /etc/ r,
+ /etc/** rmk,
+ /etc/gdm/Xsession ix,
+ /lib/ r,
+ /lib/** rmixk,
+ /lib32/ r,
+ /lib32/** rmixk,
+ /lib64/ r,
+ /lib64/** rmixk,
+ owner /media/ r,
+ owner /media/** rmwlixk, # we want access to USB sticks and the like
+ /opt/ r,
+ /opt/** rmixk,
+ @{PROC}/ r,
+ @{PROC}/* rm,
+ @{PROC}/asound rm,
+ @{PROC}/asound/** rm,
+ @{PROC}/ati rm,
+ @{PROC}/ati/** rm,
+ owner @{PROC}/** rm,
+ # needed for gnome-keyring-daemon
+ @{PROC}/*/status r,
+ /sbin/ r,
+ /sbin/** rmixk,
+ /sys/ r,
+ /sys/** rm,
+ /tmp/ rw,
+ owner /tmp/** rwlkmix,
+ /usr/ r,
+ /usr/** rmixk,
+ /var/ r,
+ /var/** rmixk,
+ /var/guest-data/** rw, # allow to store files permanently
+ /var/tmp/ rw,
+ owner /var/tmp/** rwlkm,
+ /{,var/}run/ r,
+ # necessary for writing to sockets, etc.
+ /{,var/}run/** rmkix,
+ /{,var/}run/shm/** wl,
+
+ capability ipc_lock,
+
+ # silence warnings for stuff that we really don't want to grant
+ deny capability dac_override,
+ deny capability dac_read_search,
+ #deny /etc/** w, # re-enable once LP#697678 is fixed
+ deny /usr/** w,
+ deny /var/crash/ w,
+}
-- cgit v1.2.3 From 0a2d6eaca5d8b3db9a1b6e1b9b964453cbe2e394 Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Fri, 14 Sep 2012 15:48:44 -0500 Subject: Adding in the session wrapper --- Makefile.am | 10 +++++++++- freerdp-session-wrapper.c | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 freerdp-session-wrapper.c
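Review bot: The rule set is the guest-account profile carried over nearly unchanged, which grants the RDP session far more than a client connecting out to a remote desktop appears to need. `/dev/** rmw` adds nothing beyond ordinary file permissions, `/var/** rmixk` and `/{,var/}run/** rmkix` cover every daemon's state and sockets, and `/var/guest-data/** rw`, `/cdrom/` and `/etc/gdm/Xsession ix` look like guest-session leftovers. Because almost everything is executed with `ix`, each helper the session starts inherits the same broad access. I would start from the abstractions plus the paths freerdp-session actually touches, use complain mode to find what is missing, and put a comment above each broad rule that stays saying why it is needed. The targets of the four `#include` lines are not visible on this page, so what they grant on top of this could not be checked.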
diff --git a/Makefile.am b/Makefile.am index 1af5934..76b9eec 100644 --- a/Makefile.am +++ b/Makefile.am @@ -26,7 +26,9 @@ lightdm-remote-session-freerdp: lightdm-remote-session-freerdp.in @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@ pkglibexec_PROGRAMS = \ - socket-sucker + socket-sucker \ + freerdp-session-wrapper + socket_sucker_SOURCES = \ socket-sucker.c socket_sucker_CFLAGS = \ @@ -35,6 +37,12 @@ socket_sucker_CFLAGS = \ socket_sucker_LDFLAGS = \ -pie +freerdp_session_wrapper_SOURCES = \ + freerdp-session-wrapper.c +freerdp_session_wrapper_CFLAGS = \ + -DPKGDATADIR="\"$(pkgdatadir)\"" \ + -Wall -Werror + EXTRA_DIST = \ $(pam_session_DATA) \ freerdp.desktop.in \ diff --git a/freerdp-session-wrapper.c b/freerdp-session-wrapper.c new file mode 100644 index 0000000..8c31fab --- /dev/null +++ b/freerdp-session-wrapper.c @@ -0,0 +1,32 @@ +/* + * Copyright © 2012 Canonical Ltd. + * + * This program is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 3, as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranties of + * MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + * + * Author: Ted Gould + */ + +#include +#include + +int +main (int argc, char * argv[]) +{ + char * args[2]; + args[0] = PKGDATADIR "/freerdp-session"; + args[1] = NULL; + + execvp(args[0], args); + + return 0; +} -- cgit v1.2.3 From be67082d7c0646eb5a69dc8720952ea6099e93a1 Mon Sep 17 00:00:00 2001 
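Review bot: The new `freerdp_session_wrapper` target defines only `_CFLAGS`, while the context lines show its sibling linked with `socket_sucker_LDFLAGS = -pie`, so the two pkglibexec programs are hardened differently. For a binary that only execs a script the practical gain is small, but keeping the programs uniform avoids an unexplained exception when the package is run through a hardening check. Add `freerdp_session_wrapper_LDFLAGS = -pie`, plus `-fPIE` in its CFLAGS if socket_sucker_CFLAGS carries it (that line is outside the hunk). Separately, an unconditional `-Werror` in a distributed Makefile.am turns any new compiler warning into a failed rebuild, so it is usually gated behind a configure switch.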
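Review bot: `main` in freerdp-session-wrapper.c falls through to `return 0` when `execvp` fails, so a missing or non-executable `PKGDATADIR "/freerdp-session"` is reported to the caller as a session that ended successfully, with no diagnostic. `execvp` returns only on error, so the lines after it should report and fail, for example `perror(args[0]);` followed by `return 127;`. The path is absolute, so `execv` would state the intent more directly than `execvp`, which does no PATH search when the name contains a slash. A one-line comment above `main` saying that the binary appears to exist to give the AppArmor profile a fixed attachment path would help the next reader; the names on the two `#include` lines are not visible on this page, so confirm `<stdio.h>` is among them before adding `perror`.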
From: Ted Gould Date: Fri, 14 Sep 2012 15:50:16 -0500 Subject: Fixing up the desktop file and directories to get everything cleaned up --- Makefile.am | 2 +- freerdp.desktop.in | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index 76b9eec..44c2938 100644 --- a/Makefile.am +++ b/Makefile.am @@ -10,7 +10,7 @@ lightdm_session_DATA = \ %.desktop: %.desktop.in @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@ -session_startdir = $(pkglibexecdir) +session_startdir = $(pkgdatadir) session_start_SCRIPTS = \ freerdp-session diff --git a/freerdp.desktop.in b/freerdp.desktop.in index 6ff4975..6eb26d4 100644 --- a/freerdp.desktop.in +++ b/freerdp.desktop.in @@ -1,8 +1,8 @@ [Desktop Entry] Name=FreeRDP Comment=Full Screen RDP session -Exec=@pkglibexecdir@/freerdp-session -TryExec=@pkglibexecdir@/freerdp-session +Exec=@pkglibexecdir@/freerdp-session-wrapper +TryExec=@pkglibexecdir@/freerdp-session-wrapper Icon= Type=Application X-LightDM-PAM-Service=lightdm-remote-freerdp -- cgit v1.2.3
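Review bot: The move of `session_startdir` to `$(pkgdatadir)` is tied to the `-DPKGDATADIR` define the wrapper uses to build the path it execs, but nothing next to the assignment says so, and changing either one alone would leave the wrapper exec'ing a path that does not exist. I would add a comment on the line above, `# Must stay in sync with -DPKGDATADIR in freerdp_session_wrapper_CFLAGS: the wrapper execs $(pkgdatadir)/freerdp-session`. It is also worth confirming, for non-default prefixes, that the script's new location still matches an exec-permitting rule in the AppArmor profile added earlier in this series.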