| author | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2025-01-16 08:16:35 +0100 |
|---|---|---|
| committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2025-01-16 08:16:35 +0100 |
| commit | 4bec90c9ecbc83cc4f3f9ce9cf02510aafb52a35 (patch) | |
| tree | 56208a2c489a6d90320a18ec0fbb0bcc0aab6be7 /lightdm-remote-session-freerdp.in | |
| parent | cb6e9285f6612d68fde84d8236bcf101eea6248d (diff) | |
Diffstat (limited to 'lightdm-remote-session-freerdp.in')
| -rw-r--r-- | lightdm-remote-session-freerdp.in | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/lightdm-remote-session-freerdp.in b/lightdm-remote-session-freerdp.in
new file mode 100644
index 0000000..b597f94
--- /dev/null
+++ b/lightdm-remote-session-freerdp.in
@@ -0,0 +1,81 @@
+# vim:syntax=apparmor
+# Profile for restricting lightdm remote session for FreeRDP
+# Based on the Guest Account Apparmor script from:
+# Author: Martin Pitt <martin.pitt@ubuntu.com>
+
+#include <tunables/global>
+
+@libexecdir@/freerdp-session-wrapper {
+ #include <abstractions/authentication>
+ #include <abstractions/nameservice>
+ #include <abstractions/wutmp>
+ /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
+
+ / r,
+ /bin/ rmix,
+ /{,usr/}bin/fusermount Px,
+ /bin/** rmix,
+ /cdrom/ rmix,
+ /cdrom/** rmix,
+ /dev/ r,
+ /dev/** rmw, # audio devices etc.
+ owner /dev/shm/** rmw,
+ /etc/ r,
+ /etc/** rmk,
+ /etc/gdm/Xsession ix,
+ /lib/ r,
+ /lib/** rmixk,
+ /lib32/ r,
+ /lib32/** rmixk,
+ /lib64/ r,
+ /lib64/** rmixk,
+ owner /media/ r,
+ owner /media/** rmwlixk, # we want access to USB sticks and the like
+ /opt/ r,
+ /opt/** rmixk,
+ @{PROC}/ r,
+ @{PROC}/* rm,
+ @{PROC}/asound rm,
+ @{PROC}/asound/** rm,
+ @{PROC}/ati rm,
+ @{PROC}/ati/** rm,
+ owner @{PROC}/** rm,
+ # needed for gnome-keyring-daemon
+ @{PROC}/*/status r,
+ /sbin/ r,
+ /sbin/** rmixk,
+ /sys/ r,
+ /sys/** rm,
+ /tmp/ rw,
+ owner /tmp/** rwlkmix,
+ /usr/ r,
+ /usr/** rmixk,
+ /var/ r,
+ /var/** rmixk,
+ /var/guest-data/** rw, # allow to store files permanently
+ /var/tmp/ rw,
+ owner /var/tmp/** rwlkm,
+ /{,var/}run/ r,
+ # necessary for writing to sockets, etc.
+ /{,var/}run/** rmkix,
+ /{,var/}run/shm/** wl,
+ /run/systemd/journal/dev-log w,
+ /tmp/**/.x2go-socket r,
+ /tmp/.X11-unix/X[0-9]* wr,
+ /run/uuidd/request w,
+ /proc/sys/kernel/ngroups_max r,
+
+ network,
+
+ dbus(send) bus=session,
+ dbus(send, receive) bus=accessibility,
+
+ capability ipc_lock,
+
+ # silence warnings for stuff that we really don't want to grant
+ deny capability dac_override,
+ deny capability dac_read_search,
+ #deny /etc/** w, # re-enable once LP#697678 is fixed
+ deny /usr/** w,
+ deny /var/crash/ w,
+}
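Review bot: `/dev/** rmw,` (commented as "audio devices etc.") grants read, write and mmap on every device node the session user's DAC permissions allow, which is far wider than sound hardware; `deny capability dac_override` keeps DAC in force so the exposure is bounded, but the intent is better expressed as `#include <abstractions/audio>` plus explicit rules such as `/dev/dri/** rw,` for what the wrapper actually needs. The same hunk pairs write and inherit-execute on the same trees (`owner /tmp/** rwlkmix,`, and `/{,var/}run/shm/** wl,` falls under `/{,var/}run/** rmkix,`), so anything the confined session writes there can be executed under this profile; if the session does not need to run files from those locations, dropping `ix` from the writable trees would make the confinement a real boundary. `/var/guest-data/** rw,` and `/tmp/**/.x2go-socket r,` appear to be inherited from the guest-session origin named in the header rather than required by a FreeRDP wrapper, so either a comment stating why they remain or their removal would help. The bare `network,` rule admits every address family; if the wrapper only needs TCP, `network inet stream,` and `network inet6 stream,` (plus `network unix,` where local sockets are used) would narrow it.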
