From c3f0094d4c3eb499116287eab91488848e2164e1 Mon Sep 17 00:00:00 2001
From: Ted Gould
Date: Fri, 14 Sep 2012 13:43:10 -0500
Subject: Adding a apparmor profile for the session
---
lightdm-remote-session-uccsconfigure.in | 71 +++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 lightdm-remote-session-uccsconfigure.in
diff --git a/lightdm-remote-session-uccsconfigure.in b/lightdm-remote-session-uccsconfigure.in
new file mode 100644
index 0000000..9c396fe
--- /dev/null
+++ b/lightdm-remote-session-uccsconfigure.in
@@ -0,0 +1,71 @@
+# vim:syntax=apparmor
+# Profile for restricting lightdm remote session for UCCS Configuration
+# Based on the Guest Account Apparmor script from:
+# Author: Martin Pitt
+
+#include
+
+@pkgdatadir@/uccsconfigure-session {
+ #include
+ #include
+ #include
+ /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
+
+ / r,
+ /bin/ rmix,
+ /bin/fusermount Px,
+ /bin/** rmix,
+ /cdrom/ rmix,
+ /cdrom/** rmix,
+ /dev/ r,
+ /dev/** rmw, # audio devices etc.
+ owner /dev/shm/** rmw,
+ /etc/ r,
+ /etc/** rmk,
+ /etc/gdm/Xsession ix,
+ /lib/ r,
+ /lib/** rmixk,
+ /lib32/ r,
+ /lib32/** rmixk,
+ /lib64/ r,
+ /lib64/** rmixk,
+ owner /media/ r,
+ owner /media/** rmwlixk, # we want access to USB sticks and the like
+ /opt/ r,
+ /opt/** rmixk,
+ @{PROC}/ r,
+ @{PROC}/* rm,
+ @{PROC}/asound rm,
+ @{PROC}/asound/** rm,
+ @{PROC}/ati rm,
+ @{PROC}/ati/** rm,
+ owner @{PROC}/** rm,
+ # needed for gnome-keyring-daemon
+ @{PROC}/*/status r,
+ /sbin/ r,
+ /sbin/** rmixk,
+ /sys/ r,
+ /sys/** rm,
+ /tmp/ rw,
+ owner /tmp/** rwlkmix,
+ /usr/ r,
+ /usr/** rmixk,
+ /var/ r,
+ /var/** rmixk,
+ /var/guest-data/** rw, # allow to store files permanently
+ /var/tmp/ rw,
+ owner /var/tmp/** rwlkm,
+ /{,var/}run/ r,
+ # necessary for writing to sockets, etc.
+ /{,var/}run/** rmkix,
+ /{,var/}run/shm/** wl,
+
+ capability ipc_lock,
+
+ # silence warnings for stuff that we really don't want to grant
+ deny capability dac_override,
+ deny capability dac_read_search,
+ #deny /etc/** w, # re-enable once LP#697678 is fixed
+ deny /usr/** w,
+ deny /var/crash/ w,
+}
-- cgit v1.2.3
From 62e2b03cb580538f8e1ed5da14f49640a39fda89 Mon Sep 17 00:00:00 2001
From: Ted Gould
Date: Fri, 14 Sep 2012 13:49:42 -0500
Subject: Add build system for the apparmor profile
---
Makefile.am | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index a40362d..e8cec00 100644
--- a/Makefile.am
+++ b/Makefile.am
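Review bot: Several rules carried over from the guest-session profile pair write access with `ix`, so the confined session may execute files it has just written: `owner /tmp/** rwlkmix,` and `owner /media/** rmwlixk,`. Whether a UCCS configuration session needs to run programs from those trees is not visible here; if it does not, `owner /tmp/** rwlkm,` and `owner /media/** rmwlk,` keep the data access without the write-then-execute path. `/dev/** rmw,` is also not owner-scoped and covers every device node rather than the audio devices its comment mentions, and `/var/guest-data/** rw,` looks like a guest-account leftover. Each broad rule that is kept deserves a short comment saying which part of the configuration session needs it.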
@@ -40,6 +40,20 @@ uccsconfigure-session: uccsconfigure-session.in EXTRA_DIST += uccsconfigure-session.in CLEANFILES += uccsconfigure-session +############################### +# Apparmor for session script +############################### + +apparmordir = $(sysconfdir)/apparmor.d/ +apparmor_DATA = \ + lightdm-remote-session-uccsconfigure + +lightdm-remote-session-uccsconfigure: lightdm-remote-session-uccsconfigure.in + @sed -e "s|\@pkgdatadir\@|$(pkgdatadir)|" $< > $@ + +EXTRA_DIST += lightdm-remote-session-uccsconfigure.in +CLEANFILES += lightdm-remote-session-uccsconfigure + ############################### # Autostart Firefox ############################### -- cgit v1.2.3 -- cgit v1.2.3 From 7721cce2f593a5aa5a5b94e14eef8d890c7c36ad Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Fri, 14 Sep 2012 14:13:59 -0500 Subject: Adding a C compiler --- configure.ac | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/configure.ac b/configure.ac index efa017a..8695e75 100644 --- a/configure.ac +++ b/configure.ac @@ -3,6 +3,10 @@ AC_INIT([lightdm-remote-session-uccsconfigure], [0.3]) AM_INIT_AUTOMAKE([1.11 -Wno-portability]) AM_SILENT_RULES([yes]) +AC_PROG_CC +AC_PROG_INSTALL +AM_PROG_CC_C_O + ########################### # Local Install ########################### -- cgit v1.2.3 From 3e7f9c00c55b795def0c70fd2de5fc37aa2495ca Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Fri, 14 Sep 2012 14:20:03 -0500 Subject: Add a small binary to be the wrapper --- Makefile.am | 13 +++++++++++++ uccsconfigure-session-wrapper.c | 7 +++++++ 2 files changed, 20 insertions(+) create mode 100644 uccsconfigure-session-wrapper.c diff --git a/Makefile.am b/Makefile.am index e8cec00..1325ca5 100644 --- a/Makefile.am +++ b/Makefile.am 
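Review bot: In the Makefile.am hunk, `apparmor_DATA` only copies the profile into `$(sysconfdir)/apparmor.d/`, and nothing visible here loads it into the kernel. Unless the distribution packaging reloads it after install (not shown in this series), the session runs unconfined until the next AppArmor reload or reboot. A comment above `apparmordir` would make the dependency explicit, for example `# NOTE: packaging must reload this profile after install (apparmor_parser -r)`. The sed rule also writes straight to `$@`, so a failed substitution leaves a truncated profile that make will treat as up to date; writing to a temporary file and renaming avoids that.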
@@ -40,6 +40,19 @@ uccsconfigure-session: uccsconfigure-session.in EXTRA_DIST += uccsconfigure-session.in CLEANFILES += uccsconfigure-session +############################### +# The session wrapper +############################### + +pkglibexec_PROGRAMS = \ + uccsconfigure-session-wrapper + +uccsconfigure_session_wrapper_SOURCES = \ + uccsconfigure-session-wrapper.c +uccsconfigure_session_wrapper_CFLAGS = \ + -DPKGDATADIR="\"$(pkgdatadir)\"" \ + -Wall -Werror + ############################### # Apparmor for session script ############################### diff --git a/uccsconfigure-session-wrapper.c b/uccsconfigure-session-wrapper.c new file mode 100644 index 0000000..8a4ade3 --- /dev/null +++ b/uccsconfigure-session-wrapper.c @@ -0,0 +1,7 @@ + +int +main (int argc, char * argv[]) +{ + + return 0; +} -- cgit v1.2.3 From 1a5fc013c97261991805c1a0b4344d0344926db9 Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Fri, 14 Sep 2012 14:21:35 -0500 Subject: Make apparmor work on the wrapper --- Makefile.am | 4 ++-- lightdm-remote-session-uccsconfigure.in | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index 1325ca5..18c49bc 100644 --- a/Makefile.am +++ b/Makefile.am @@ -54,7 +54,7 @@ uccsconfigure_session_wrapper_CFLAGS = \ -Wall -Werror ############################### -# Apparmor for session script +# Apparmor for session wrapper ############################### apparmordir = $(sysconfdir)/apparmor.d/ @@ -62,7 +62,7 @@ apparmor_DATA = \ lightdm-remote-session-uccsconfigure lightdm-remote-session-uccsconfigure: lightdm-remote-session-uccsconfigure.in - @sed -e "s|\@pkgdatadir\@|$(pkgdatadir)|" $< > $@ + @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@ EXTRA_DIST += lightdm-remote-session-uccsconfigure.in CLEANFILES += lightdm-remote-session-uccsconfigure diff --git a/lightdm-remote-session-uccsconfigure.in b/lightdm-remote-session-uccsconfigure.in index 9c396fe..507d5ca 100644 --- a/lightdm-remote-session-uccsconfigure.in 
+++ b/lightdm-remote-session-uccsconfigure.in @@ -5,7 +5,7 @@ #include -@pkgdatadir@/uccsconfigure-session { +@pkglibexecdir@/uccsconfigure-session-wrapper { #include #include #include -- cgit v1.2.3 From c9967bd1db22e665744e9752acacd659911c3276 Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Fri, 14 Sep 2012 14:28:15 -0500 Subject: Fleshing out the wrapper --- uccsconfigure-session-wrapper.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/uccsconfigure-session-wrapper.c b/uccsconfigure-session-wrapper.c index 8a4ade3..f1cdf10 100644 --- a/uccsconfigure-session-wrapper.c +++ b/uccsconfigure-session-wrapper.c @@ -1,7 +1,14 @@ +#include +#include int main (int argc, char * argv[]) { + char * args[2]; + args[0] = PKGDATADIR "/uccsconfigure-session"; + args[1] = NULL; + + execvp(args[0], args); return 0; } -- cgit v1.2.3 From ce3c9ddf69f4d651527a1895562a5633bafd581f Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Fri, 14 Sep 2012 14:30:10 -0500 Subject: Copyright header --- uccsconfigure-session-wrapper.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/uccsconfigure-session-wrapper.c b/uccsconfigure-session-wrapper.c index f1cdf10..dbe8023 100644 --- a/uccsconfigure-session-wrapper.c +++ b/uccsconfigure-session-wrapper.c @@ -1,3 +1,21 @@ +/* + * Copyright © 2012 Canonical Ltd. + * + * This program is free software: you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 3, as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranties of + * MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program. If not, see . + * + * Author: Ted Gould + */ + #include #include -- cgit v1.2.3 
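Review bot: With the profile attached to `@pkglibexecdir@/uccsconfigure-session-wrapper`, confinement of the real session script depends on the wrapper's exec matching one of the generic inherit rules further down (`/usr/** rmixk,`, `/opt/** rmixk,`), because no rule names the script itself. If the package is configured with a prefix outside those trees, the exec would be denied rather than confined. An explicit rule such as `@pkgdatadir@/uccsconfigure-session rix,` would make the transition intentional. The Makefile.am rule changed in this same commit now substitutes only `@pkglibexecdir@`, so it would need a second `-e "s|\@pkgdatadir\@|$(pkgdatadir)|"` expression. The profile body continues outside the hunk.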
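Review bot: In uccsconfigure-session-wrapper.c, `return 0;` after `execvp(args[0], args);` is reached only when the exec failed, so the wrapper reports success to its caller exactly when the session could not be started, for example when the script is missing or AppArmor denies the exec. Report the failure and return non-zero instead: `perror(args[0]); return 1;`. This needs `<stdio.h>`; the include names are not visible in this rendering. Because `args[0]` is an absolute path built from `PKGDATADIR`, `execv` states the intent more directly than `execvp`, whose PATH search never applies to a name containing a slash.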
From 016086e663d351d1f6b65cb1b7104cf16746cf69 Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Fri, 14 Sep 2012 14:40:03 -0500 Subject: 0.3+apparmor --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 8695e75..844a31a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([lightdm-remote-session-uccsconfigure], [0.3]) +AC_INIT([lightdm-remote-session-uccsconfigure], [0.3+apparmor]) AM_INIT_AUTOMAKE([1.11 -Wno-portability]) AM_SILENT_RULES([yes]) -- cgit v1.2.3 From 2a395d9c0920638916b45bbbdebb06f48e6ecd5c Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Fri, 14 Sep 2012 14:47:19 -0500 Subject: Making the desktop file find the wrapper --- Makefile.am | 2 +- uccsconfigure.desktop.in | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index 18c49bc..b411d8e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -10,7 +10,7 @@ lightdm_session_DATA = \ uccsconfigure.desktop %.desktop: %.desktop.in - @sed -e "s|\@pkgdatadir\@|$(pkgdatadir)|" $< > $@ + @sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@ EXTRA_DIST += uccsconfigure.desktop.in CLEANFILES += uccsconfigure.desktop diff --git a/uccsconfigure.desktop.in b/uccsconfigure.desktop.in index a31bb5e..01551c4 100644 --- a/uccsconfigure.desktop.in +++ b/uccsconfigure.desktop.in @@ -1,8 +1,8 @@ [Desktop Entry] Name=UCCS Configure Comment=Setup a UCCS Account -Exec=@pkgdatadir@/uccsconfigure-session -TryExec=@pkgdatadir@/uccsconfigure-session +Exec=@pkglibexecdir@/uccsconfigure-session-wrapper +TryExec=@pkglibexecdir@/uccsconfigure-session-wrapper Icon= Type=Application X-LightDM-PAM-Service=lightdm-remote-uccsconfigure -- cgit v1.2.3
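Review bot: The `%.desktop: %.desktop.in` pattern rule in Makefile.am now substitutes only `@pkglibexecdir@`. Any other `.desktop.in` built by the same rule that still contains `@pkgdatadir@` would be installed with the placeholder left in its `Exec=` line, and sed would exit successfully. Whether such a file exists is not visible in this hunk. Keeping both expressions costs nothing: `@sed -e "s|\@pkgdatadir\@|$(pkgdatadir)|" -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@`.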