The way AppArmor profiles are applied in lightdm is based on the
session process name. So in the case of the guest session lightdm runs
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper which then runs
the actual session process (e.g. gnome-session). The binary name
"/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" is matched in
the AppArmor profile /etc/apparmor.d/lightdm-guest-session.

For remote sessions lightdm doesn't run it through the guest wrapper so
no AppArmor profile is applied by default. We could run it through the
same wrapper but remote sessions probably want an even more restrictive
profile (there should be no access to the local filesystem at all).

So in short, I think the lightdm-remote-session-freerdp and
lightdm-remote-session-uccsconfigure packages should provide AppArmor
profiles for
/usr/lib/x86_64-linux-gnu/lightdm-remote-session-freerdp/freerdp-session
and
/usr/share/lightdm-remote-session-uccsconfigure/uccsconfigure-session.

This is about the limit of my knowledge of AppArmor - for more
information ask Martin Pitt as he implemented this feature.

** Also affects: lightdm-remote-session-freerdp (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: lightdm-remote-session-uccsconfigure (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1049849

Title:
  "Remote Login" account not confined by guest AppArmor profile

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1049849/+subscriptions
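
Since the comment above describes profiles attaching by executable path, coverage can be audited by comparing each session binary against the attachment paths in the profile headers. This is an added example, not code from the bug report or from lightdm: the function names are hypothetical, the profile text is constructed (only its header path comes from the report), and the glob translation covers `*`, `**`, `?` and `{a,b}` only.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob (*, **, ?, {a,b}) to an anchored regex."""
    simple = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # only ** crosses "/"
    out, depth = [], 0
    for tok in re.findall(r"\*\*|.", glob):
        if tok in simple:
            out.append(simple[tok])
        elif tok == "{":
            out.append("(?:")
            depth += 1
        elif tok == "}" and depth:
            out.append(")")
            depth -= 1
        elif tok == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(tok))
    return re.compile("".join(out) + r"\Z")

def attachments(profile_text):
    """Attachment paths of the top-level profiles in one profile file."""
    found, depth = [], 0
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth == 0 and line.endswith("{"):
            paths = [t for t in line[:-1].split() if t.startswith("/")]
            found.extend(paths[-1:])
        depth += line.count("{") - line.count("}")
    return found

def unconfined(binaries, profiles):
    """Binaries whose path matches no attachment in the given profile texts."""
    pats = [aa_glob_to_regex(a) for text in profiles for a in attachments(text)]
    return [b for b in binaries if not any(p.match(b) for p in pats)]

# Constructed sample: header path is the one named in the report, the rule is invented.
GUEST_PROFILE = """
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper {
  /{,usr/}bin/** rmix,
}
"""
SESSIONS = [
    "/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper",
    "/usr/lib/x86_64-linux-gnu/lightdm-remote-session-freerdp/freerdp-session",
    "/usr/share/lightdm-remote-session-uccsconfigure/uccsconfigure-session",
]
print(unconfined(SESSIONS, [GUEST_PROFILE]))
```

On a running system, `aa-status` or `/proc/<pid>/attr/current` shows whether a given session process actually ended up confined.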
