Package: lightdm
Version: 1.10.3-3
Severity: normal
Tags: security patch

Hello,

The current AA profile in Jessie doesn't reference the correct exec, and some 
rules are missing.

Attached are an updated profile and the corresponding patch.

I don't know if this would fit for Jessie, as:
- guest-sessions are not enabled by default,
- but, they should be secure by default

Regards

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lightdm depends on:
ii  adduser                                3.113+nmu3
ii  dbus                                   1.8.12-3
ii  debconf [debconf-2.0]                  1.5.55
ii  libc6                                  2.19-13
ii  libgcrypt20                            1.6.2-4+b1
ii  libglib2.0-0                           2.42.1-1
ii  libpam-systemd                         215-11
ii  libpam0g                               1.1.8-3.1
ii  libxcb1                                1.10-3+b1
ii  libxdmcp6                              1:1.1.1-1+b1
ii  lightdm-gtk-greeter [lightdm-greeter]  1.8.5-2

Versions of packages lightdm recommends:
ii  xserver-xorg  1:7.7+7

Versions of packages lightdm suggests:
ii  accountsservice  0.6.37-3+b1
ii  upower           0.99.1-3.1

-- debconf information:
  lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm
# vim:syntax=apparmor
# Profile for restricting lightdm guest session 
# Author: Martin Pitt <martin.p...@ubuntu.com>

#include <tunables/global>

/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session {
  # Confines the guest-session executable named in the profile header; the
  # attached patch moves the attachment from the former "-wrapper" path to
  # this one. A profile only confines a process whose exec path matches the
  # header exactly.
  # NOTE(review): the header is hard-wired to the x86_64-linux-gnu multiarch
  # libdir; on another architecture the binary lives in a different directory
  # and would start unconfined unless the path is substituted at build time -
  # confirm in packaging.
  #include <abstractions/authentication>
  #include <abstractions/nameservice>
  #include <abstractions/wutmp>
  /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
 
  # File rules. Access letters: r read, w write, m mmap PROT_EXEC, k lock,
  # l link; ix executes the target under this same profile, Px switches to
  # the target's own profile with the environment scrubbed. Rules are
  # additive and anything not granted is refused; an explicit 'deny' wins
  # over any allow.
  / r,
  /bin/ rmix,
  /bin/fusermount Px, # Px: a profile for fusermount must be loaded, otherwise the exec is refused
  /bin/** rmix,
  /cdrom/ rmix,
  /cdrom/** rmix,
  /dev/ r,
  /dev/** rmw, # audio devices etc.
  owner /dev/shm/** rmw,
  /etc/ r,
  /etc/** rmk, # no 'w': writes under /etc are refused except where granted above (compizconfig)
  /etc/gdm/Xsession ix,
  /etc/X11/Xsession ix, # session startup script; ix keeps it and whatever it launches under this profile
  /lib/ r,
  /lib/** rmixk,
  /lib32/ r,
  /lib32/** rmixk,
  /lib64/ r,
  /lib64/** rmixk,
  owner /media/ r,
  owner /media/** rmwlixk,  # we want access to USB sticks and the like
  # (note: 'ix' above also lets the guest run programs straight from removable media)
  /opt/ r,
  /opt/** rmixk,
  @{PROC}/ r,
  @{PROC}/* rm,
  @{PROC}/asound rm,
  @{PROC}/asound/** rm,
  @{PROC}/ati rm,
  @{PROC}/ati/** rm,
  owner @{PROC}/** rm, # the guest's own processes only
  # needed for gnome-keyring-daemon
  @{PROC}/*/status r, # no 'owner' qualifier: status of every PID is readable
  /sbin/ r,
  /sbin/** rmixk,
  /sys/ r,
  /sys/** rm,
  /tmp/ rw,
  owner /tmp/** rwlkmix, # guest may create and execute files it owns under /tmp
  /usr/ r,
  /usr/** rmixk,
  /var/ r,
  /var/** rmixk,
  /var/guest-data/** rw, # allow to store files permanently
  /var/tmp/ rw,
  owner /var/tmp/** rwlkm,
  /{,var/}run/ r,
  # necessary for writing to sockets, etc.
  /{,var/}run/** rmkix, # broad: read/mmap/lock/exec of anything under /run; write comes only from the narrower rules below
  /{,var/}run/shm/** wl,
  /{,var/}run/uuid/request w, # not owner-qualified
  # libpam-xdg-support/logind
  owner /{,var/}run/user/*/** rw, # '*' matches every UID dir; 'owner' is what limits writes to the guest's own files

  capability ipc_lock,

  # silence warnings for stuff that we really don't want to grant
  # (nothing above grants these anyway; the explicit deny only keeps the
  # refusals out of the audit log)
  deny capability dac_override,
  deny capability dac_read_search,
  #deny /etc/** w, # re-enable once LP#697678 is fixed
  deny /usr/** w,
  deny /var/crash/ w,
}
--- apparmor/lightdm-guest-session.dpkg-dist	2015-03-10 08:13:32.463146490 +0100
+++ apparmor/lightdm-guest-session	2015-03-10 08:14:26.789023315 +0100
@@ -4,7 +4,7 @@
 
 #include <tunables/global>
 
-/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session-wrapper {
+/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session {
   #include <abstractions/authentication>
   #include <abstractions/nameservice>
   #include <abstractions/wutmp>
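Review bot: The new header on the `+` line attaches the profile by a path fixed to the x86_64-linux-gnu multiarch libdir, so on any other architecture (the reporting system also has i386 enabled) the header would not match the exec lightdm runs and the guest session would start with no confinement at all, silently. The packaging should substitute the build-time multiarch triplet rather than ship a fixed string, or carry one header per supported libdir. A comment on the header would make the dependency explicit: `# must equal the exec lightdm actually runs; keep in sync with the multiarch libdir`.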
@@ -22,6 +22,7 @@
   /etc/ r,
   /etc/** rmk,
   /etc/gdm/Xsession ix,
+  /etc/X11/Xsession ix,
   /lib/ r,
   /lib/** rmixk,
   /lib32/ r,
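Review bot: The added `/etc/X11/Xsession ix,` line carries no explanation, unlike most of the other rules, and a reader cannot tell why it sits next to the existing `/etc/gdm/Xsession ix,`; the bug description says the Debian session starts through a different exec than the profile assumed, which presumably is this script. `ix` means the script and everything it launches stay under this guest profile, which is the intended effect and worth stating. Suggest `# Debian session startup script; ix keeps it under this profile` above the new line.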
@@ -58,6 +59,9 @@
   # necessary for writing to sockets, etc.
   /{,var/}run/** rmkix,
   /{,var/}run/shm/** wl,
+  /{,var/}run/uuid/request w,
+  # libpam-xdg-support/logind
+  owner /{,var/}run/user/*/** rw,
 
   capability ipc_lock,
 
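Review bot: The two new `/{,var/}run/` rules differ in scope and the difference is not commented: `/{,var/}run/uuid/request w,` is unqualified, while `owner /{,var/}run/user/*/** rw,` relies on the `owner` qualifier to narrow a wildcard over every UID's runtime directory down to files the guest owns. Since `/{,var/}run/** rmkix,` two lines above already grants read, mmap, lock and exec under /run, each added line contributes only write, and that is worth saying next to the rule so a later edit does not drop the qualifier. Suggest `# '*' matches every UID dir; 'owner' is what limits writes to the guest's own files` on the last added line, keeping the existing `# libpam-xdg-support/logind` comment.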
