[apparmor] lightdm-guest-session profile: some issues.

Seth Arnold seth.arnold at canonical.com
Mon Jul 22 17:58:53 UTC 2013


On Mon, Jul 22, 2013 at 06:52:12PM +0200, Daniel Curtis wrote:
> Hi
> 
> I would like to ask what happened with the *lightdm-guest-session*
> profile from */etc/apparmor.d/* directory? If I remember correctly,
> this profile contains a lot of policies, rules etc. Now it looks like
> this:
> 
> # vim:syntax=apparmor
> # Profile for restricting lightdm guest session
> 
> #include <tunables/global>
> 
> /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper {
> # Most applications are confined via the main abstraction
> #include <abstractions/lightdm>

If you look in /etc/apparmor.d/abstractions/lightdm I think you'll
understand _what_ happened...

> # chromium-browser needs special confinement due to its sandboxing
> #include <abstractions/lightdm_chromium-browser>
> }
> 
> Of course this profile exists on a list of profiles in *enforced* mode
> vide '*apparmor_status*' command:
> 
> /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
> /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
> 
> By the way: I'm not using a Chromium browser. I've tried to reinstall
> *apparmor*, *apparmor-profiles* packages, but nothing changed. Could
> somebody explain it to me? Is it normal? Why has this profile
> changed?

... And if you look in
https://bugs.launchpad.net/ubuntu/+source/gdm-guest-session/+bug/577919
I think you'll understand _why_ it happened.

:)

In short: guest users weren't able to use chromium-browser because it
requires a _lot_ of privileges to set up its sandbox. Some of the attempts
in that bug report to allow the guest sessions to start chromium-browser
granted more than enough privileges to the guest user account that could
be used to completely own the machine IF there were suitable exploitable
problems found elsewhere. (The lightdm guest account shouldn't be able
to own the machine even without AppArmor, but the AppArmor policies
people were proposing for the guest account to allow chromium-browser
to run were very nearly useless as AppArmor policies go...)

So we fixed it by providing a new policy that is used for chromium-browser
when run by guest users. It can set up its sandboxing, AppArmor protects
all processes started by the guest session, and only the chromium-browser
sandbox process has access to the privileges to own the machine.

Now you can hit the "guest session" button and let your guests use
chromium-browser, and it's all good. :)

Thanks
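
An added example, not part of the message above and not AppArmor project code: a small include expander that shows why the top-level profile looks empty while the effective policy is not. The function names are hypothetical, and the abstraction bodies are constructed placeholders, not the real contents of /etc/apparmor.d/abstractions/.

```python
import re
import tempfile
from pathlib import Path

# '#include <x>' / 'include <x>': angle-bracket paths resolve against the policy root.
INCLUDE_RE = re.compile(r'^\s*#?include\s+<([^>]+)>\s*$')

def expand_includes(path, root, stack=()):
    """Return the file's lines with every resolvable <...> include inlined."""
    path = Path(path)
    if path in stack:                      # include cycle: stop descending
        return [f"# (cycle) {path.name}"]
    out = []
    for line in path.read_text().splitlines():
        m = INCLUDE_RE.match(line)
        target = Path(root) / m.group(1) if m else None
        if m and target.is_file():
            out.append(f"# >>> {m.group(1)}")
            out += expand_includes(target, root, stack + (path,))
            out.append(f"# <<< {m.group(1)}")
        else:
            out.append(line)               # ordinary line or unresolved include
    return out

def count_rules(lines):
    """Count rule lines: AppArmor rules end with ',' and are not comments."""
    return sum(1 for l in lines
               if l.strip().endswith(',') and not l.lstrip().startswith('#'))

def demo():
    """Build a constructed policy tree; return (rules before, rules after expansion)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "abstractions").mkdir()
        (root / "abstractions/lightdm").write_text(
            "  /constructed/example/** r,\n  owner /constructed/tmp/** rw,\n")
        (root / "abstractions/lightdm_chromium-browser").write_text(
            "  profile chromium_browser {\n    /constructed/chromium/** rm,\n  }\n")
        profile = root / "lightdm-guest-session"
        profile.write_text(
            "#include <tunables/global>\n"
            "/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper {\n"
            "  #include <abstractions/lightdm>\n"
            "  #include <abstractions/lightdm_chromium-browser>\n"
            "}\n")
        raw = profile.read_text().splitlines()
        return count_rules(raw), count_rules(expand_includes(profile, root))

if __name__ == "__main__":
    print(demo())
```

Pointing expand_includes at a real profile with root set to /etc/apparmor.d prints the flattened policy, with `# >>>` and `# <<<` markers showing which abstraction each rule came from.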