authorTed Gould <ted@gould.cx>2012-09-17 08:11:05 +0000
committerTarmac <Unknown>2012-09-17 08:11:05 +0000
commit796338087d3e2cea13d4f60f67f58af984137afb (patch)
tree1a38d8dff55a0d8042fd2d9d742c6ba7a4036963
parent3a9918c02006140736b2e00caa1c965d26de83ca (diff)
parent2a395d9c0920638916b45bbbdebb06f48e6ecd5c (diff)
Adding an apparmor profile for the session. Fixes: https://bugs.launchpad.net/bugs/1049849. Approved by Albert Astals Cid, jenkins.
-rw-r--r--Makefile.am29
-rw-r--r--configure.ac6
-rw-r--r--lightdm-remote-session-uccsconfigure.in71
-rw-r--r--uccsconfigure-session-wrapper.c32
-rw-r--r--uccsconfigure.desktop.in4
5 files changed, 138 insertions, 4 deletions
diff --git a/Makefile.am b/Makefile.am
index a40362d..b411d8e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -10,7 +10,7 @@ lightdm_session_DATA = \
uccsconfigure.desktop
%.desktop: %.desktop.in
- @sed -e "s|\@pkgdatadir\@|$(pkgdatadir)|" $< > $@
+ @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@
EXTRA_DIST += uccsconfigure.desktop.in
CLEANFILES += uccsconfigure.desktop
@@ -41,6 +41,33 @@ EXTRA_DIST += uccsconfigure-session.in
CLEANFILES += uccsconfigure-session
###############################
+# The session wrapper
+###############################
+
+pkglibexec_PROGRAMS = \
+ uccsconfigure-session-wrapper
+
+uccsconfigure_session_wrapper_SOURCES = \
+ uccsconfigure-session-wrapper.c
+uccsconfigure_session_wrapper_CFLAGS = \
+ -DPKGDATADIR="\"$(pkgdatadir)\"" \
+ -Wall -Werror
+
+###############################
+# Apparmor for session wrapper
+###############################
+
+apparmordir = $(sysconfdir)/apparmor.d/
+apparmor_DATA = \
+ lightdm-remote-session-uccsconfigure
+
+lightdm-remote-session-uccsconfigure: lightdm-remote-session-uccsconfigure.in
+ @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@
+
+EXTRA_DIST += lightdm-remote-session-uccsconfigure.in
+CLEANFILES += lightdm-remote-session-uccsconfigure
+
+###############################
# Autostart Firefox
###############################
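Review bot: The rule that generates `lightdm-remote-session-uccsconfigure` depends only on the `.in` file, so re-running configure with a different `--libexecdir` or prefix leaves a stale profile whose attachment path no longer matches the installed wrapper. In that case the profile would silently not apply and the session would run unconfined. Adding `Makefile` as a prerequisite forces regeneration: `lightdm-remote-session-uccsconfigure: lightdm-remote-session-uccsconfigure.in Makefile`. Nothing in this hunk loads the profile after installing it into `$(sysconfdir)/apparmor.d/`, so a comment such as `# profile is enforced only once loaded (apparmor_parser -r); packaging must do this` would record that dependency.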
diff --git a/configure.ac b/configure.ac
index efa017a..844a31a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,8 +1,12 @@
-AC_INIT([lightdm-remote-session-uccsconfigure], [0.3])
+AC_INIT([lightdm-remote-session-uccsconfigure], [0.3+apparmor])
AM_INIT_AUTOMAKE([1.11 -Wno-portability])
AM_SILENT_RULES([yes])
+AC_PROG_CC
+AC_PROG_INSTALL
+AM_PROG_CC_C_O
+
###########################
# Local Install
###########################
diff --git a/lightdm-remote-session-uccsconfigure.in b/lightdm-remote-session-uccsconfigure.in
new file mode 100644
index 0000000..507d5ca
--- /dev/null
+++ b/lightdm-remote-session-uccsconfigure.in
@@ -0,0 +1,71 @@
+# vim:syntax=apparmor
+# Profile for restricting lightdm remote session for UCCS Configuration
+# Based on the Guest Account Apparmor script from:
+# Author: Martin Pitt <martin.pitt@ubuntu.com>
+
+#include <tunables/global>
+
+@pkglibexecdir@/uccsconfigure-session-wrapper {
+ #include <abstractions/authentication>
+ #include <abstractions/nameservice>
+ #include <abstractions/wutmp>
+ /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
+
+ / r,
+ /bin/ rmix,
+ /bin/fusermount Px,
+ /bin/** rmix,
+ /cdrom/ rmix,
+ /cdrom/** rmix,
+ /dev/ r,
+ /dev/** rmw, # audio devices etc.
+ owner /dev/shm/** rmw,
+ /etc/ r,
+ /etc/** rmk,
+ /etc/gdm/Xsession ix,
+ /lib/ r,
+ /lib/** rmixk,
+ /lib32/ r,
+ /lib32/** rmixk,
+ /lib64/ r,
+ /lib64/** rmixk,
+ owner /media/ r,
+ owner /media/** rmwlixk, # we want access to USB sticks and the like
+ /opt/ r,
+ /opt/** rmixk,
+ @{PROC}/ r,
+ @{PROC}/* rm,
+ @{PROC}/asound rm,
+ @{PROC}/asound/** rm,
+ @{PROC}/ati rm,
+ @{PROC}/ati/** rm,
+ owner @{PROC}/** rm,
+ # needed for gnome-keyring-daemon
+ @{PROC}/*/status r,
+ /sbin/ r,
+ /sbin/** rmixk,
+ /sys/ r,
+ /sys/** rm,
+ /tmp/ rw,
+ owner /tmp/** rwlkmix,
+ /usr/ r,
+ /usr/** rmixk,
+ /var/ r,
+ /var/** rmixk,
+ /var/guest-data/** rw, # allow to store files permanently
+ /var/tmp/ rw,
+ owner /var/tmp/** rwlkm,
+ /{,var/}run/ r,
+ # necessary for writing to sockets, etc.
+ /{,var/}run/** rmkix,
+ /{,var/}run/shm/** wl,
+
+ capability ipc_lock,
+
+ # silence warnings for stuff that we really don't want to grant
+ deny capability dac_override,
+ deny capability dac_read_search,
+ #deny /etc/** w, # re-enable once LP#697678 is fixed
+ deny /usr/** w,
+ deny /var/crash/ w,
+}
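Review bot: Several rules in the new profile look carried over from the guest-session profile rather than required by a configuration session, notably `owner /media/** rmwlixk,`, `/cdrom/** rmix,` and `/var/guest-data/** rw,`. The first two allow mapping and executing files from removable media inside the confined session, and the third grants write access to a guest-data tree that this package does not appear to use. Unless the UCCS configure session needs them, drop these three rules and their matching directory rules so the profile grants only what the wrapper and its children use. `/dev/** rmw,` and `/var/** rmixk,` are similarly broad and worth narrowing once the session's real needs are known, for example by running the profile in complain mode and reviewing the log.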
diff --git a/uccsconfigure-session-wrapper.c b/uccsconfigure-session-wrapper.c
new file mode 100644
index 0000000..dbe8023
--- /dev/null
+++ b/uccsconfigure-session-wrapper.c
@@ -0,0 +1,32 @@
+/*
+ * Copyright © 2012 Canonical Ltd.
+ *
+ * This program is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 3, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranties of
+ * MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Author: Ted Gould <ted@canonical.com>
+ */
+
+#include <stdlib.h>
+#include <unistd.h>
+
+int
+main (int argc, char * argv[])
+{
+ char * args[2];
+ args[0] = PKGDATADIR "/uccsconfigure-session";
+ args[1] = NULL;
+
+ execvp(args[0], args);
+
+ return 0;
+}
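Review bot: The result of `execvp()` is ignored and `main` falls through to `return 0;`, so a failed exec (for example a missing or non-executable session script) exits with a success status and no diagnostic. Report the failure after the call with `perror("execv");` followed by `return EXIT_FAILURE;`, adding `#include <stdio.h>` for `perror`. Assuming `PKGDATADIR` is an absolute path, `execv(args[0], args);` states the intent more directly than `execvp`, which searches `PATH` only for names without a slash. A short comment above `main` saying that the wrapper exists only to give the AppArmor profile a binary path to attach to would also help the next reader.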
diff --git a/uccsconfigure.desktop.in b/uccsconfigure.desktop.in
index a31bb5e..01551c4 100644
--- a/uccsconfigure.desktop.in
+++ b/uccsconfigure.desktop.in
@@ -1,8 +1,8 @@
[Desktop Entry]
Name=UCCS Configure
Comment=Setup a UCCS Account
-Exec=@pkgdatadir@/uccsconfigure-session
-TryExec=@pkgdatadir@/uccsconfigure-session
+Exec=@pkglibexecdir@/uccsconfigure-session-wrapper
+TryExec=@pkglibexecdir@/uccsconfigure-session-wrapper
Icon=
Type=Application
X-LightDM-PAM-Service=lightdm-remote-uccsconfigure