Comment 9 for bug 1663157

Tyler Hicks (tyhicks) wrote:

I spent some time looking into pam_apparmor and understanding how it could be used. It seems like it would be extremely risky to introduce in a security update and I'm not sure if it even supports everything that would be needed. IIUC, it requires us to confine all login applications that use PAM and it isn't clear if we can selectively confine only the guest users and leave all other users unconfined. At this point, I'm not comfortable/confident in pam_apparmor as a solution in a stable release.

I also did a bit of experimenting with adding "AppArmorProfile=/usr/lib/lightdm/lightdm-guest-session" to the bottom of /lib/systemd/system/user@.service and logging in via a guest session in LightDM. After some scary lightdm-guest-session profile updates, I was able to log in to the guest session. The scary permissions are required because `systemd --user` is being confined by the lightdm-guest-session profile so rules are needed to allow all of the session setup stuff that it does. That's not promising because then all of those permissions will be granted to the guest session itself. I don't see a way to get `systemd --user` to transition to another profile when launching processes inside of the session but I could be missing something.

Modifying the user@.service file also isn't ideal because I don't see a way to only apply the AppArmor profile to guest user sessions while leaving regular user sessions unconfined.

I don't see a good solution to this problem.