Please confine guest sessions again

Bug #1742912 reported by Balint Reczey on 2018-01-12
Affects: lightdm (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

This is a continuation of LP: #1663157, where, as a workaround for the guest session not being confined, the guest session was disabled entirely. This bug tracks the fix for proper confinement.

Original bug report text:

Processes launched under a lightdm guest session are not confined by the /usr/lib/lightdm/lightdm-guest-session AppArmor profile in Ubuntu 16.10, Ubuntu 17.04, and Ubuntu Artful (current dev release). The processes are unconfined.

The simple test case is to log into a guest session, launch a terminal with ctrl-alt-t, and run the following command:

 $ cat /proc/self/attr/current

Expected output, as seen in Ubuntu 16.04 LTS, is:

 /usr/lib/lightdm/lightdm-guest-session (enforce)

Running the command inside of an Ubuntu 16.10 and newer guest session results in:

 unconfined

Doug McMahon (mc3man) on 2018-01-28
Changed in lightdm (Ubuntu):
status: New → Confirmed

Please note that the simple test (cat /proc/self/attr/current) can be misleading.

I tried that in Ubuntu 18.04 (switched to lightdm) and got "(enforce)", but some applications like the file manager could browse other users' home directories. Most applications, including firefox and libreoffice, are restricted. In Xubuntu the file manager is restricted, as is every other application I tried.

Is it possible to just eliminate certain applications, or prevent launching applications in specific ways, to guarantee a restricted guest session?

I figured out why the simple test didn't work: when I first installed Ubuntu 18.04, gnome-terminal wouldn't accept any keyboard input. I assumed it was just a pre-alpha bug and installed terminator. Installing terminator switched it to the default, including launching with ctrl-alt-t, and terminator does get AppArmor-restricted. When I paste "cat /proc/self/attr/current" into a gnome-terminal it shows unconfined.
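The comments above show why reading /proc/self/attr/current from one terminal is not enough: an AppArmor profile is inherited by the children a confined process forks, so an application that is started by a helper living outside the session (a service spawned by the session bus or the systemd user instance, for instance) carries whatever label that helper has, not the guest profile. The following POSIX shell script is an added example, not part of this bug report or of lightdm: it parses a label of the form printed in the description, decides whether it is the guest profile in enforce mode, and walks from a process up to PID 1 printing each ancestor's label, so the point where confinement stops is visible. The profile path is the one quoted in the description; everything else (function names, output format) is assumed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or lightdm): locate where a process
# chain loses the lightdm guest-session AppArmor profile.

# Profile path as quoted in the bug description.
EXPECTED_PROFILE="/usr/lib/lightdm/lightdm-guest-session"

# Print the AppArmor label of a pid, e.g. "unconfined" or
# "/usr/lib/lightdm/lightdm-guest-session (enforce)". Prints "unavailable"
# when the kernel exposes no attr file or the pid is not readable by us.
apparmor_label() {
    label=$(cat "/proc/$1/attr/current" 2>/dev/null | tr -d '\000\n')
    printf '%s' "${label:-unavailable}"
}

# Profile part of a label: strips a trailing " (mode)" if present.
label_profile() {
    printf '%s' "$1" | sed 's/ *([a-z]*)$//'
}

# Mode part of a label (enforce/complain), or "none" when there is none,
# as for "unconfined".
label_mode() {
    case "$1" in
        *"("*")") printf '%s' "$1" | sed 's/.*(\([a-z]*\))$/\1/' ;;
        *) printf 'none' ;;
    esac
}

# Succeeds only when the label is the guest profile in enforce mode;
# "complain" would log violations without blocking them, so it does not count.
is_guest_confined() {
    [ "$(label_profile "$1")" = "$EXPECTED_PROFILE" ] &&
    [ "$(label_mode "$1")" = "enforce" ]
}

# Parent pid from /proc/<pid>/stat: "pid (comm) state ppid ...". The comm
# field may contain spaces, so match greedily up to the last ')'.
parent_pid() {
    sed 's/^[0-9]* (.*) [A-Za-z] \([0-9]*\) .*/\1/' "/proc/$1/stat" 2>/dev/null
}

# Print "pid comm label CONFINED|NOT-CONFINED" for pid and every ancestor.
# Run it from the terminal under test; the first line without CONFINED is
# the process that was started outside the confined session.
walk_ancestry() {
    pid="${1:-$$}"
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        label=$(apparmor_label "$pid")
        if is_guest_confined "$label"; then verdict=CONFINED; else verdict=NOT-CONFINED; fi
        printf '%s %s "%s" %s\n' "$pid" "$comm" "$label" "$verdict"
        [ "$pid" -eq 1 ] && break
        pid=$(parent_pid "$pid")
    done
}

walk_ancestry "$$"
```

Comparing the output from a terminal that reports confined with the output from one that reports unconfined shows which ancestor differs; the fix then belongs at the component that starts applications outside the confined session, not in the terminal itself.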

tags: added: id-5a57962350afc7d4aa391919