authorMike Gabriel <mike.gabriel@das-netzwerkteam.de>2013-04-26 00:59:49 +0200
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2013-04-26 00:59:49 +0200
commit6564651bcd196f7f0fa263db83d0775974bf4a1c (patch)
tree6e329acf64c71c0a576cda02def2c77189ed7982 /lightdm-remote-session-x2go.in
parentace27c4a149b0b7d115c2ce1fee358386fb03eaf (diff)
parent3590ecd60a4ce1f99f5d4c07d787dc134904894a (diff)
Merge branch 'x2gosessiontype'
Conflicts (resolved by Mike Gabriel): debian/changelog
Diffstat (limited to 'lightdm-remote-session-x2go.in')
-rw-r--r--lightdm-remote-session-x2go.in72
1 files changed, 72 insertions, 0 deletions
diff --git a/lightdm-remote-session-x2go.in b/lightdm-remote-session-x2go.in
new file mode 100644
index 0000000..6a105ca
--- /dev/null
+++ b/lightdm-remote-session-x2go.in
@@ -0,0 +1,72 @@
+# vim:syntax=apparmor
+# Profile for restricting lightdm remote session for X2Go
+# Based on the Guest Account Apparmor script from:
+# Author: Martin Pitt <martin.pitt@ubuntu.com>
+# Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+
+#include <tunables/global>
+
+@libexecdir@/x2go-session-wrapper {
+ #include <abstractions/authentication>
+ #include <abstractions/nameservice>
+ #include <abstractions/wutmp>
+ /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
+
+ / r,
+ /bin/ rmix,
+ /bin/fusermount Px,
+ /bin/** rmix,
+ /cdrom/ rmix,
+ /cdrom/** rmix,
+ /dev/ r,
+ /dev/** rmw, # audio devices etc.
+ owner /dev/shm/** rmw,
+ /etc/ r,
+ /etc/** rmk,
+ /etc/gdm/Xsession ix,
+ /lib/ r,
+ /lib/** rmixk,
+ /lib32/ r,
+ /lib32/** rmixk,
+ /lib64/ r,
+ /lib64/** rmixk,
+ owner /media/ r,
+ owner /media/** rmwlixk, # we want access to USB sticks and the like
+ /opt/ r,
+ /opt/** rmixk,
+ @{PROC}/ r,
+ @{PROC}/* rm,
+ @{PROC}/asound rm,
+ @{PROC}/asound/** rm,
+ @{PROC}/ati rm,
+ @{PROC}/ati/** rm,
+ owner @{PROC}/** rm,
+ # needed for gnome-keyring-daemon
+ @{PROC}/*/status r,
+ /sbin/ r,
+ /sbin/** rmixk,
+ /sys/ r,
+ /sys/** rm,
+ /tmp/ rw,
+ owner /tmp/** rwlkmix,
+ /usr/ r,
+ /usr/** rmixk,
+ /var/ r,
+ /var/** rmixk,
+ /var/guest-data/** rw, # allow to store files permanently
+ /var/tmp/ rw,
+ owner /var/tmp/** rwlkm,
+ /{,var/}run/ r,
+ # necessary for writing to sockets, etc.
+ /{,var/}run/** rmkix,
+ /{,var/}run/shm/** wl,
+
+ capability ipc_lock,
+
+ # silence warnings for stuff that we really don't want to grant
+ deny capability dac_override,
+ deny capability dac_read_search,
+ #deny /etc/** w, # re-enable once LP#697678 is fixed
+ deny /usr/** w,
+ deny /var/crash/ w,
+}