[X2Go-Commits] lightdm-remote-session-x2go.git - x2gosessiontype (branch) updated: cf7f4899e673b75de49c0cebf46d58f970217145

X2Go dev team git-admin at x2go.org
Wed Apr 24 17:54:43 CEST 2013


The branch, x2gosessiontype has been updated
       via  cf7f4899e673b75de49c0cebf46d58f970217145 (commit)
      from  a65c4df307ace9ea82e4dcedcf542854f4e187c1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 Makefile.am                       |   13 +++++--
 lightdm-remote-session-freerdp.in |   71 +++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 2 deletions(-)
 create mode 100644 lightdm-remote-session-freerdp.in

The diff of changes is:
diff --git a/Makefile.am b/Makefile.am
index bf4b300..1af5934 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -18,6 +18,13 @@ freerdp-session: freerdp-session.in
 	@sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@
 	@chmod +x $@
 
+apparmordir = $(sysconfdir)/apparmor.d/
+apparmor_DATA = \
+	lightdm-remote-session-freerdp
+
+lightdm-remote-session-freerdp: lightdm-remote-session-freerdp.in
+	@sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@
+
 pkglibexec_PROGRAMS = \
 	socket-sucker
 socket_sucker_SOURCES = \
@@ -31,11 +38,13 @@ socket_sucker_LDFLAGS = \
 EXTRA_DIST = \
 	$(pam_session_DATA) \
 	freerdp.desktop.in \
-	freerdp-session.in
+	freerdp-session.in \
+	lightdm-remote-session-freerdp.in
 
 CLEANFILES = \
 	freerdp.desktop \
-	freerdp-session
+	freerdp-session \
+	lightdm-remote-session-freerdp
 
 DISTCHECK_CONFIGURE_FLAGS = --enable-localinstall
 
diff --git a/lightdm-remote-session-freerdp.in b/lightdm-remote-session-freerdp.in
new file mode 100644
index 0000000..38772f2
--- /dev/null
+++ b/lightdm-remote-session-freerdp.in
@@ -0,0 +1,71 @@
+# vim:syntax=apparmor
+# Profile for restricting lightdm remote session for FreeRDP
+# Based on the Guest Account Apparmor script from:
+# Author: Martin Pitt <martin.pitt at ubuntu.com>
+
+#include <tunables/global>
+
+ at pkglibexecdir@/freerdp-session-wrapper {
+  #include <abstractions/authentication>
+  #include <abstractions/nameservice>
+  #include <abstractions/wutmp>
+  /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
+ 
+  / r,
+  /bin/ rmix,
+  /bin/fusermount Px,
+  /bin/** rmix,
+  /cdrom/ rmix,
+  /cdrom/** rmix,
+  /dev/ r,
+  /dev/** rmw, # audio devices etc.
+  owner /dev/shm/** rmw,
+  /etc/ r,
+  /etc/** rmk,
+  /etc/gdm/Xsession ix,
+  /lib/ r,
+  /lib/** rmixk,
+  /lib32/ r,
+  /lib32/** rmixk,
+  /lib64/ r,
+  /lib64/** rmixk,
+  owner /media/ r,
+  owner /media/** rmwlixk,  # we want access to USB sticks and the like
+  /opt/ r,
+  /opt/** rmixk,
+  @{PROC}/ r,
+  @{PROC}/* rm,
+  @{PROC}/asound rm,
+  @{PROC}/asound/** rm,
+  @{PROC}/ati rm,
+  @{PROC}/ati/** rm,
+  owner @{PROC}/** rm,
+  # needed for gnome-keyring-daemon
+  @{PROC}/*/status r,
+  /sbin/ r,
+  /sbin/** rmixk,
+  /sys/ r,
+  /sys/** rm,
+  /tmp/ rw,
+  owner /tmp/** rwlkmix,
+  /usr/ r,
+  /usr/** rmixk,
+  /var/ r,
+  /var/** rmixk,
+  /var/guest-data/** rw, # allow to store files permanently
+  /var/tmp/ rw,
+  owner /var/tmp/** rwlkm,
+  /{,var/}run/ r,
+  # necessary for writing to sockets, etc.
+  /{,var/}run/** rmkix,
+  /{,var/}run/shm/** wl,
+
+  capability ipc_lock,
+
+  # silence warnings for stuff that we really don't want to grant
+  deny capability dac_override,
+  deny capability dac_read_search,
+  #deny /etc/** w, # re-enable once LP#697678 is fixed
+  deny /usr/** w,
+  deny /var/crash/ w,
+}


hooks/post-receive
-- 
lightdm-remote-session-x2go.git (X2Go-based remote login session support for LightDM)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "lightdm-remote-session-x2go.git" (X2Go-based remote login session support for LightDM).




More information about the x2go-commits mailing list