On Mon, Jul 22, 2013 at 06:52:12PM +0200, Daniel Curtis wrote:
> Hi
>
> I would like to ask what happened with the *lightdm-guest-session *
> profile from */etc/apparmor.d/* directory? If I remember correctly,
> this profile contains a lot of policies, rules etc. Now it looks like
> this:
>
> # vim:syntax=apparmor
> # Profile for restricting lightdm guest session
>
> #include <tunables/global>
>
> /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper {
> # Most applications are confined via the main abstraction
> #include <abstractions/lightdm>

If you look in /etc/apparmor.d/abstractions/lightdm I think you'll
understand _what_ happened...

> # chromium-browser needs special confinement due to its sandboxing
> #include <abstractions/lightdm_chromium-browser>
> }
>
> Of course this profile exist on a list of profiles in *enforced* mode
> vide '*apparmor_status*' command:
>
> /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
> /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
>
> By the way: I'm not using a Chromium browser. I've tried to reinstall
> *apparmor*, *apparmor-profiles* packages, but nothing changed. Could
> somebody explain it to me? Is it normal? Why this profile has
> changed?

... And if you look in
https://bugs.launchpad.net/ubuntu/+source/gdm-guest-session/+bug/577919
I think you'll understand _why_ it happened. :)

In short: guest users weren't able to use chromium-browser because it
requires a _lot_ of privileges to set up its sandbox. Some of the
attempts in that bug report to allow the guest sessions to start
chromium-browser granted more than enough privileges to the guest user
account that could be used to completely own the machine IF there were
suitable exploitable problems found elsewhere.

(The lightdm guest account shouldn't be able to own the machine even
without AppArmor, but the AppArmor policies people were proposing for
the guest account to allow chromium-browser to run were very nearly
useless as AppArmor policies go...)

So we fixed it by providing a new policy that is used for
chromium-browser when run by guest users. It can set up its sandboxing,
AppArmor protects all processes started by the guest session, and only
the chromium-browser sandbox process has access to the privileges to own
the machine.

Now you can hit the "guest session" button and let your guests use
chromium-browser, and it's all good. :)

Thanks
--
AppArmor mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
