Package: lightdm Version: 1.10.3-3 Severity: normal Tags: security patch Hello,
The current AA profile in Jessie doesn't reference the correct executable, and some rules are missing. Attached are an updated profile and the corresponding patch. I don't know if this would fit for Jessie, as guest sessions are not enabled by default, but they should be secure by default. Regards -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages lightdm depends on: ii adduser 3.113+nmu3 ii dbus 1.8.12-3 ii debconf [debconf-2.0] 1.5.55 ii libc6 2.19-13 ii libgcrypt20 1.6.2-4+b1 ii libglib2.0-0 2.42.1-1 ii libpam-systemd 215-11 ii libpam0g 1.1.8-3.1 ii libxcb1 1.10-3+b1 ii libxdmcp6 1:1.1.1-1+b1 ii lightdm-gtk-greeter [lightdm-greeter] 1.8.5-2 Versions of packages lightdm recommends: ii xserver-xorg 1:7.7+7 Versions of packages lightdm suggests: ii accountsservice 0.6.37-3+b1 ii upower 0.99.1-3.1 -- debconf information: lightdm/daemon_name: /usr/sbin/lightdm * shared/default-x-display-manager: lightdm
# vim:syntax=apparmor
# Profile for restricting lightdm guest session
# Author: Martin Pitt <martin.p...@ubuntu.com>
#
# Reading guide for the file rules below: r = read, w = write,
# m = map as executable, k = file locking, l = link, ix = execute and
# stay confined by this profile, Px = execute under the target's own
# profile with the environment scrubbed.  "owner" limits a rule to files
# owned by the confined process's user.  "deny" rules win over allow rules
# and also suppress the audit message for the rejected access.  AppArmor
# only ever removes permissions; ordinary DAC checks still apply.
#include <tunables/global>

# NOTE(review): the attachment path hard-codes the x86_64-linux-gnu
# multiarch triplet.  On any other architecture this profile would not
# attach at all and the guest session would run unconfined, with no
# denial logged to reveal it -- confirm this is acceptable or derive the
# path from a tunable / at build time.
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session {
  #include <abstractions/authentication>
  #include <abstractions/nameservice>
  #include <abstractions/wutmp>

  /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678

  / r,

  # Anything executed from /bin stays confined by this profile (ix);
  # fusermount is the one exception and runs under its own profile (Px).
  /bin/ rmix,
  /bin/fusermount Px,
  /bin/** rmix,
  /cdrom/ rmix,
  /cdrom/** rmix,

  # Broad device access; only DAC limits which nodes are really writable,
  # since dac_override/dac_read_search are denied further down.
  /dev/ r,
  /dev/** rmw, # audio devices etc.
  owner /dev/shm/** rmw,

  # /etc is readable but the generic rule grants no write; the two Xsession
  # scripts may be executed under this profile.
  /etc/ r,
  /etc/** rmk,
  /etc/gdm/Xsession ix,
  /etc/X11/Xsession ix,

  /lib/ r,
  /lib/** rmixk,
  /lib32/ r,
  /lib32/** rmixk,
  /lib64/ r,
  /lib64/** rmixk,

  # Removable media: write/link/exec only on entries owned by the guest.
  owner /media/ r,
  owner /media/** rmwlixk, # we want access to USB sticks and the like

  /opt/ r,
  /opt/** rmixk,

  # @{PROC} comes from the tunables included above.  Other processes'
  # /proc entries are only readable when owned by the guest, except the
  # status file needed below.
  @{PROC}/ r,
  @{PROC}/* rm,
  @{PROC}/asound rm,
  @{PROC}/asound/** rm,
  @{PROC}/ati rm,
  @{PROC}/ati/** rm,
  owner @{PROC}/** rm,
  # needed for gnome-keyring-daemon
  @{PROC}/*/status r,

  /sbin/ r,
  /sbin/** rmixk,
  /sys/ r,
  /sys/** rm,

  # Temporary files: creation allowed, but only the guest's own entries
  # may be written/executed.
  /tmp/ rw,
  owner /tmp/** rwlkmix,

  /usr/ r,
  /usr/** rmixk,
  /var/ r,
  /var/** rmixk,
  /var/guest-data/** rw, # allow to store files permanently
  /var/tmp/ rw,
  owner /var/tmp/** rwlkm,

  /{,var/}run/ r,
  # necessary for writing to sockets, etc.
  /{,var/}run/** rmkix,
  /{,var/}run/shm/** wl,
  # NOTE(review): the service behind /run/uuid/request is not stated here;
  # confirm the path matches the socket the guest session actually opens.
  /{,var/}run/uuid/request w,
  # libpam-xdg-support/logind
  # The "*" spans every user's runtime directory; the "owner" qualifier is
  # what keeps the grant to the guest's own files.
  owner /{,var/}run/user/*/** rw,

  capability ipc_lock,

  # silence warnings for stuff that we really don't want to grant
  deny capability dac_override,
  deny capability dac_read_search,
  # While this stays commented out, writes under /etc are still rejected
  # (the /etc/** rule above grants no w) but they are logged.
  #deny /etc/** w, # re-enable once LP#697678 is fixed
  deny /usr/** w,
  deny /var/crash/ w,
}
--- apparmor/lightdm-guest-session.dpkg-dist 2015-03-10 08:13:32.463146490 +0100
+++ apparmor/lightdm-guest-session 2015-03-10 08:14:26.789023315 +0100
@@ -4,7 +4,7 @@
 #include <tunables/global>
-/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session-wrapper {
+/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session {
   #include <abstractions/authentication>
   #include <abstractions/nameservice>
   #include <abstractions/wutmp>
@@ -22,6 +22,7 @@
   /etc/ r,
   /etc/** rmk,
   /etc/gdm/Xsession ix,
+  /etc/X11/Xsession ix,
   /lib/ r,
   /lib/** rmixk,
   /lib32/ r,
@@ -58,6 +59,9 @@
   # necessary for writing to sockets, etc.
   /{,var/}run/** rmkix,
   /{,var/}run/shm/** wl,
+  /{,var/}run/uuid/request w,
+  # libpam-xdg-support/logind
+  owner /{,var/}run/user/*/** rw,
   capability ipc_lock,
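Review bot: The corrected attachment path in the first hunk still hard-codes the `x86_64-linux-gnu` multiarch triplet, so on any other architecture the profile would not attach and the guest session would run unconfined, which is the same silent failure this rename fixes for amd64. A non-attaching profile produces no denial in the audit log, so nothing would flag it; if the `@{multiarch}` tunable is available via `tunables/global` on the target AppArmor version, `/usr/lib/@{multiarch}/lightdm/lightdm-guest-session {` would cover all triplets, otherwise the path should be substituted at build time. Either way a packaging check that the profile is listed as loaded (e.g. in `aa-status` output) after install would catch a future drift of the binary name.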
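Review bot: The new `/{,var/}run/uuid/request w,` rule in the third hunk carries no comment saying which component needs it, unlike the `# libpam-xdg-support/logind` comment on the rule that follows, and I could not confirm from this page which daemon listens at that path; if it is meant for the uuidd socket, the path should be verified against the package that provides it, because a rule on the wrong path grants nothing while the real connect() is still rejected by the `/{,var/}run/** rmkix,` rule above (no `w`). Suggest a one-line comment naming the consumer, e.g. `# <consumer — TODO confirm> connects to this socket`. The `owner /{,var/}run/user/*/** rw,` rule relies entirely on the `owner` qualifier to stay within the guest's runtime directory, which is fine but worth stating in its comment.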