[apparmor] lightdm profile from a apparmor.d/abstractions directory.
Jamie Strandboge
jamie at canonical.com
Mon Aug 5 13:00:22 UTC 2013
On 08/04/2013 04:41 PM, Daniel Curtis wrote:
> Hi
>
> I just want to ask if I can use e.g. the *lightdm* profile from the
> </etc/apparmor.d/abstractions/> directory? Can I put it in
> enforce mode? I'm asking, because I've noticed that "default"
> *lightdm-guest-session* profile on Xubuntu 12.04 is... pretty
> empty in comparison to that one from a <abstraction> directory.
>
> Default *lightdm-guest-session* contains only a few lines:
>
> # vim:syntax=apparmor
> # Profile for restricting lightdm guest session
>
> #include <tunables/global>
> /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper {
> # Most applications are confined via the main abstraction
> #include <abstractions/lightdm>
> # chromium-browser needs special confinement due to its sandboxing
> #include <abstractions/lightdm_chromium-browser>
> }
>
> when a lightdm profile from the <abstractions> directory is full of
> policies. What should I do? Can I do what I want to do? Replace
> profiles?
>
You don't need to do anything. The files in /etc/apparmor.d/abstractions can be
thought of as libraries of policy. You can see that
lightdm-guest-session-wrapper has these lines:

  #include <abstractions/lightdm>
  #include <abstractions/lightdm_chromium-browser>

This means that all the policy that is in the lightdm and
lightdm_chromium-browser abstractions is included in the policy for
lightdm-guest-session-wrapper. You can prove this to yourself by doing:

  $ apparmor_parser -p /etc/apparmor.d/lightdm-guest-session
--
Jamie Strandboge http://www.ubuntu.com/
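
The include mechanism described in the reply above, as an added example that is not part of the original message and is not AppArmor's own code: a small resolver that expands `#include <...>` lines recursively and compares the rules written in the profile file with the rules in effect after expansion. The directory tree and the abstraction contents are constructed for illustration, and the helper names (`expand`, `rules`, `build_sample_tree`, `demo`) are hypothetical.

```python
import re
import tempfile
from pathlib import Path
INCLUDE_RE = re.compile(r'^\s*#include\s+<([^>]+)>\s*$')  # path is relative to the policy dir

def expand(path, base, seen=None):
    """Return the lines of `path` with each #include replaced by that file's lines."""
    seen = set() if seen is None else seen
    out = []
    for line in Path(path).read_text().splitlines():
        m = INCLUDE_RE.match(line)
        if m is None:
            out.append(line)
        elif (target := Path(base) / m.group(1)) not in seen:
            seen.add(target)  # simplification: each file once, which also stops cycles
            out.append(f"# >>> from {m.group(1)}")
            out.extend(expand(target, base, seen))
    return out

def rules(lines):
    """Keep only rule lines (ending in ','), dropping comments, blanks and braces."""
    return [l.strip() for l in lines if l.strip().endswith(",") and not l.lstrip().startswith("#")]

def build_sample_tree(root):
    files = {  # constructed stand-in for /etc/apparmor.d; abstraction bodies are invented
        "tunables/global": "@{HOME}=/home/*/\n",
        "abstractions/lightdm": "  /tmp/ r,\n  owner /tmp/** rw,\n",
        "abstractions/lightdm_chromium-browser": "  /usr/lib/chromium-browser/** r,\n",
        "lightdm-guest-session": (
            "#include <tunables/global>\n"
            "/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper {\n"
            "  #include <abstractions/lightdm>\n"
            "  #include <abstractions/lightdm_chromium-browser>\n"
            "}\n"
        ),
    }
    for rel, text in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return Path(root) / "lightdm-guest-session"

def demo():
    with tempfile.TemporaryDirectory() as root:
        profile = build_sample_tree(root)
        return rules(profile.read_text().splitlines()), rules(expand(profile, root))

if __name__ == "__main__":
    print(demo())
```

The first list returned by `demo()` is empty because the profile file itself holds only include lines; the second holds every rule contributed by the two abstractions.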