Comment 3 for bug 1049849

The way AppArmour profiles are applied in lightdm is based on the session process name. So in the case of the guest session lightdm runs /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper which then runs the actual session process (e.g. gnome-session). The binary name "/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" is matched in the AppArmor profile /etc/apparmor.d/lightdm-guest-session.

For remote sessions lightdm doesn't run it through the guest wrapper so no AppArmor profile is applied by default. We could run it through the same wrapper but remote sessions probably want an even more restrictive profile (there should be no access to the local filesystem at all).

So in short, I think the packages lightdm-remote-session-freerdp and lightdm-remote-session-uccsconfigure packages should provide AppArmor profiles for /usr/lib/x86_64-linux-gnu/lightdm-remote-session-freerdp/freerdp-session and /usr/share/lightdm-remote-session-uccsconfigure/uccsconfigure-session.

This is about the limit of my knowledge of AppArmor - for more information ask Martin Pitt as he implemented this feature.