lightdm-guest-session restricts access to /run/pcscd/pcscd.comm

Bug #1329923 reported by Lauri Võsandi
This bug affects 3 people
Affects: lightdm (Ubuntu)    Status: Confirmed    Importance: Medium    Assigned to: Unassigned    Milestone: (none)

Bug Description

On Ubuntu 14.04 the AppArmor profile for the guest account restricts access to /run/pcscd/pcscd.comm.

PCSC-Lite provides the /run/pcscd/pcscd.comm UNIX domain socket that libpcsclite clients use to talk to the server that manages smartcards.

Background information: Estonia has issued over a million smartcards to its citizens, which allow authenticating online and digitally signing documents.

Use cases that are broken with the current situation:
1. Giving a laptop to a friend/buddy/mother/sister to make a bank transfer online with the guest account
2. Using Estonian ID-card software to sign and encrypt documents using the guest account
3. Deploying Ubuntu 14.04 on internet kiosks, which should have the ability to access e-government services

Security implications:
Enabling access to the UNIX domain socket should not have many implications, since to actually use the card it would need to be unlocked using the PIN code, and that is handled at a higher level of the software stack (OpenSC). As the guest account requires physical presence, it doesn't make any difference if a malicious person already knows the PIN. He could just as well plug the card into his own machine to take advantage of the situation.

As a temporary fix I appended "/run/pcscd/pcscd.comm rw," to /etc/apparmor.d/lightdm-guest-session.
However, I believe modifying the upstream policy could blow up in my face at some point in time, and as discussed on #ubuntu-hardened it is currently not possible to customize the guest session policy via /etc/apparmor.d/local:

18:57 < lauri> As I said I don't want to overwrite upstream file. I need to complement it, is it possible?
18:58 < mdeslaur> lauri: unfortunately not as-is, as the lightdm profile doesn't include the local directory
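The following is an added example, not part of the bug report and not code from the lightdm package. It shows the two-step workaround the report implies: give the shipped profile a single `#include <local/lightdm-guest-session>` line so that /etc/apparmor.d/local becomes usable, then keep the site-specific pcscd socket rule in that local file rather than in the upstream profile. Assumptions, labelled as such: the profile at /etc/apparmor.d/lightdm-guest-session is one profile block closed by a line consisting of `}`, the `local/` include convention of other Ubuntu profiles applies to it once the include line exists, and a file rule on the socket path is what libpcsclite needs (the report's own `rw,` rule). Paths are parameters so the functions can be exercised against a constructed copy of the profile before touching the real one.

```shell
#!/bin/sh
# Added example (not from the bug report or the lightdm package).
# Complement the guest-session AppArmor profile via /etc/apparmor.d/local
# instead of editing the rule into the upstream profile body.
#
# Assumptions: the profile is a single block ending in a line "}", and
# "#include <local/NAME>" is honoured once present (as in other Ubuntu
# profiles). Real paths on a 14.04 box would be:
#   /etc/apparmor.d/lightdm-guest-session
#   /etc/apparmor.d/local/lightdm-guest-session

PCSCD_RULE='/run/pcscd/pcscd.comm rw,'
LOCAL_INCLUDE='#include <local/lightdm-guest-session>'

# Succeed (exit 0) if the guest session is already allowed to reach the
# pcscd socket, either directly in the profile or through the local file.
profile_allows_pcscd() {
    profile="$1"; localfile="$2"
    grep -qF "$PCSCD_RULE" "$profile" && return 0
    grep -qF "$LOCAL_INCLUDE" "$profile" && [ -f "$localfile" ] \
        && grep -qF "$PCSCD_RULE" "$localfile"
}

# Succeed if the profile already sources the local override file.
profile_has_local_include() {
    grep -qF "$LOCAL_INCLUDE" "$1"
}

# Insert the local include just above the closing "}" of the profile block.
# This is the one-line change to the shipped file; it is the piece that is
# missing on 14.04 according to the IRC exchange in the report.
add_local_include() {
    profile="$1"
    profile_has_local_include "$profile" && return 0
    last=$(grep -n '^}$' "$profile" | tail -n 1 | cut -d: -f1)
    [ -n "$last" ] || return 1            # not a single-block profile: refuse
    tmp="$profile.tmp.$$"
    {
        head -n $((last - 1)) "$profile"
        printf '  %s\n' "$LOCAL_INCLUDE"
        tail -n +"$last" "$profile"
    } > "$tmp"
    mv "$tmp" "$profile"
}

# Write the site-local override holding only the pcscd socket rule.
# Idempotent: a second call does not duplicate the rule.
write_local_override() {
    localfile="$1"
    mkdir -p "$(dirname "$localfile")"
    grep -qsF "$PCSCD_RULE" "$localfile" || printf \
        '# Site-local: let libpcsclite clients in the guest session reach pcscd\n%s\n' \
        "$PCSCD_RULE" >> "$localfile"
}

# Load the changed profile into the kernel. Only meaningful on a real system;
# "-r" replaces the already-loaded profile of the same name.
reload_profile() {
    apparmor_parser -r "$1"
}

# Typical use on the real paths (run as root):
#   add_local_include /etc/apparmor.d/lightdm-guest-session
#   write_local_override /etc/apparmor.d/local/lightdm-guest-session
#   reload_profile /etc/apparmor.d/lightdm-guest-session
```

The upstream file is still touched once, for the include line only, so a package update that ships a new profile will at worst prompt about that one-line conffile change rather than discard the site rule. Run `profile_allows_pcscd` before and after as the check, and remember that the guest session processes have to start under the reloaded profile for the new rule to apply to them.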

Tags: apparmor
affects: lightdm → lightdm (Ubuntu)
Changed in lightdm (Ubuntu):
status: New → Confirmed
tags: added: apparmor
Changed in lightdm (Ubuntu):
importance: Undecided → Medium
