[ubuntu-hardened] AppArmor profile for lightdm-guest-session.

Marc Deslauriers marc.deslauriers at canonical.com
Tue Jul 16 14:12:03 UTC 2013

On 13-07-16 10:04 AM, Daniel Curtis wrote:
> Hi
> Could somebody explain to me why lightdm-guest-session
> changed? Some time ago, I checked this profile and there were
> more entries. Now it's look like this:
> # vim:syntax=apparmor
> # Profile for restricting lightdm guest session
> #include <tunables/global>
> /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper {
>   # Most applications are confined via the main abstraction
>   #include <abstractions/lightdm>
>   # chromium-browser needs special confinement due to its
> sandboxing #include <abstractions/lightdm_chromium-browser>
> }

The original contents of that file got moved to the abstractions/lightdm file
that is included there so it can be reused. Take a look at that file's contents,
it's pretty much identical as it was before.

> apparmor_status command shows that there is two profiles in
> enforced mode, which are related to a lightdm:
> /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
> /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser

That looks normal to me. What were you expecting to be different?

> Why it happened? I may be wrong, but I remember, that this
> profile was full of policy, restrictions etc. One more thing: I'm
> not using a Chromium browser. Could somebody help me with this
> issue? Explain it to me and paste a correct profile? What should I
> do?

There is no issue. The contents simply got moved to an abstraction.

What exactly do you need help with?


More information about the ubuntu-hardened mailing list