[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
** Changed in: lightdm
     Assignee: Robert Ancell (robert-ancell) => (unassigned)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1663157

Title:
  Guest session processes are not confined in 16.10 and newer releases

Status in Light Display Manager:
  New
Status in lightdm package in Ubuntu:
  Fix Released
Status in lightdm source package in Yakkety:
  Fix Released
Status in lightdm source package in Zesty:
  Fix Released
Status in lightdm source package in Artful:
  Fix Released

Bug description:
  Processes launched under a lightdm guest session are not confined by the /usr/lib/lightdm/lightdm-guest-session AppArmor profile in Ubuntu 16.10, Ubuntu 17.04, and Ubuntu Artful (current dev release). The processes are unconfined.

  The simple test case is to log into a guest session, launch a terminal with ctrl-alt-t, and run the following command:

    $ cat /proc/self/attr/current

  Expected output, as seen in Ubuntu 16.04 LTS, is:

    /usr/lib/lightdm/lightdm-guest-session (enforce)

  Running the command inside of an Ubuntu 16.10 and newer guest session results in:

    unconfined

To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/1663157/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
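
The test case from the bug description, extended into a check over many processes (an added example, not part of the bug report or of lightdm). It classifies labels in the format of /proc/<pid>/attr/current; the function names, the sample PIDs and the "//child" profile name are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit AppArmor labels of guest session processes.

# Profile name taken from the bug description.
GUEST_PROFILE="/usr/lib/lightdm/lightdm-guest-session"

# label_status LABEL
# Prints one of: enforce | complain | unconfined | other
#   enforce    - guest profile (or a child, "profile//child") in enforce mode
#   complain   - guest profile attached, but violations are only logged
#   unconfined - no profile attached (the state reported in the bug)
#   other      - a different profile, or an unrecognised mode
label_status() {
    local label="$1" profile mode
    if [ "$label" = "unconfined" ]; then
        echo unconfined
        return 0
    fi
    # Split "name (mode)" into its two parts; the mode suffix may be absent.
    case "$label" in
        *" ("*")") profile="${label% (*}"; mode="${label##* (}"; mode="${mode%)}" ;;
        *)         profile="$label"; mode="" ;;
    esac
    case "$profile" in
        "$GUEST_PROFILE"|"$GUEST_PROFILE"//*) ;;
        *) echo other; return 0 ;;
    esac
    case "$mode" in
        enforce)  echo enforce ;;
        complain) echo complain ;;
        *)        echo other ;;
    esac
}

# audit_labels: read "PID LABEL" lines on stdin, print every process that is
# not enforced by the guest profile, and return 1 if any was found.
audit_labels() {
    local pid label status bad=0
    while read -r pid label; do
        [ -n "$pid" ] || continue
        status=$(label_status "$label")
        if [ "$status" != "enforce" ]; then
            printf '%s\t%s\t%s\n' "$pid" "$status" "$label"
            bad=1
        fi
    done
    return "$bad"
}

# collect_labels USER: emit "PID LABEL" for every process owned by USER.
# Processes that exited or whose label cannot be read are skipped.
collect_labels() {
    local user="$1" pid label
    for pid in $(pgrep -u "$user"); do
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null) || continue
        printf '%s %s\n' "$pid" "$label"
    done
}

# Constructed sample: the first two lines show the confined state expected on
# 16.04, the last line shows the 16.10+ behaviour described in the bug.
SAMPLE_LABELS='2101 /usr/lib/lightdm/lightdm-guest-session (enforce)
2102 /usr/lib/lightdm/lightdm-guest-session//child (enforce)
2103 unconfined'

if [ "$#" -gt 0 ]; then
    # Live mode: pass the guest session's user name as the first argument.
    collect_labels "$1" | audit_labels
else
    printf '%s\n' "$SAMPLE_LABELS" | audit_labels \
        || echo "processes outside the enforced guest profile found"
fi
```
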
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
** Tags added: id-5a57962350afc7d4aa391919
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
@tyhicks I just opened LP #1742912 for tracking the confinement fix.

** Changed in: lightdm (Ubuntu)
       Status: Triaged => Fix Released
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
@rbalint can you please open a new bug to track re-enabling the guest session with proper confinement rather than piggy back on this bug?
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
Reopening, since the guest session is disabled by default but it is still not confined.

** Changed in: lightdm (Ubuntu)
       Status: Fix Released => Triaged
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
@Magezi: Please note that this is a bug report, not a support forum. This Ask Ubuntu question may help:

https://askubuntu.com/q/915415
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
Hey guys, I am a newbie to Linux and I am coming from Windows... I just want to have that button on my login screen or somewhere on the notification zone... Everything you have explained is hard for me to understand. Can you please elaborate it in steps... so that I enable guest-session on my computer?
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
** No longer affects: apparmor (Ubuntu)
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
This bug was fixed in the package lightdm - 1.22.0-0ubuntu4

---
lightdm (1.22.0-0ubuntu4) artful; urgency=medium

  * SECURITY UPDATE: Guest session not confined (LP: #1663157)
    - debian/50-disable-guest.conf:
    - debian/lightdm.install:
      - Disable guest sessions by default, this can be overridden by custom
        configuration (e.g. /etc/lightdm/lightdm.conf)
    - CVE-2017-8900

 -- Robert Ancell  Mon, 19 Jun 2017 16:32:24 +1200

** Changed in: lightdm (Ubuntu Artful)
       Status: In Progress => Fix Released
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
** Changed in: lightdm (Ubuntu Artful)
       Status: Triaged => In Progress
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
Balint, could you follow through on this bug? Martin has provided some good general guidance already about what's required to re-enable secure guest sessions in artful.

** Changed in: lightdm (Ubuntu Artful)
    Milestone: None => ubuntu-17.05

** Changed in: lightdm (Ubuntu Artful)
     Assignee: Robert Ancell (robert-ancell) => Balint Reczey (rbalint)
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
** Tags added: patch
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
** Changed in: lightdm (Ubuntu Artful)
     Assignee: (unassigned) => Robert Ancell (robert-ancell)

** Changed in: lightdm
     Assignee: (unassigned) => Robert Ancell (robert-ancell)

** Changed in: lightdm (Ubuntu Yakkety)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: lightdm (Ubuntu Zesty)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
If you have a use case which requires the guest session, you can manually re-enable it by writing the following contents to /etc/lightdm/lightdm.conf:

  # Manually enable guest sessions despite them not being confined
  # IMPORTANT: Makes the system vulnerable to CVE-2017-8900
  # https://bugs.launchpad.net/bugs/1663157
  [Seat:*]
  allow-guest=true
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
** Branch linked: lp:lightdm/1.20

** Branch linked: lp:lightdm/1.22

** Branch linked: lp:lightdm
[Touch-packages] [Bug 1663157] Re: Guest session processes are not confined in 16.10 and newer releases
I'm making this bug public now that we have security updates published which disable the guest session. My hope is that we can re-enable it after the changes suggested by pitti can be investigated/implemented.

** No longer affects: apparmor (Ubuntu Artful)

** No longer affects: apparmor (Ubuntu Zesty)

** No longer affects: apparmor (Ubuntu Yakkety)

** Changed in: apparmor (Ubuntu)
       Status: New => Invalid

** Description changed: Processes launched under a lightdm guest session are not confined by the - /usr/lib/lightdm/lightdm-guest-session AppArmor profile in Ubuntu 16.10 - and Ubuntu Zesty. The processes are actually unconfined. + /usr/lib/lightdm/lightdm-guest-session AppArmor profile in Ubuntu 16.10, + Ubuntu 17.04, and Ubuntu Artful (current dev release). The processes are + unconfined. The simple test case is to log into a guest session, launch a terminal with ctrl-alt-t, and run the following command: - $ cat /proc/self/attr/current + $ cat /proc/self/attr/current Expected output, as seen in Ubuntu 16.04 LTS, is: - /usr/lib/lightdm/lightdm-guest-session (enforce) + /usr/lib/lightdm/lightdm-guest-session (enforce) Running the command inside of an Ubuntu 16.10 and newer guest session results in: - unconfined + unconfined

** Information type changed from Private Security to Public Security