Thanks for making the 'owner' changes. This should greatly help achieve the intended goal to "enforce the inaccessibility of any other user's data".
Regarding attack scenarios: the one I mentioned wrt poppler and evince is a good example. If there is a flaw in poppler that allows code execution, then a non-guest user's evince is confined via the evince apparmor profile; for the guest user it is not, because the guest session profile does not allow transition to the evince profile. We should just allow 'Pix' for evince though, since the evince profile doesn't (currently) have owner match on files in @{HOME}, and using Pix would then allow read of users' data. Though we could for tcpdump, which does have 'owner' in the profile. We can fix that in evince of course, but then there will be other cases like firefox, or eventually gnome-thumbnail-font, the various totem-previewers, telepathy backends, etc. (all probably in oneiric). So it is a complicated problem wrt maintenance and the differing goals of the gdm session profile and the other profiles on the system.

I think it is ok to close this bug since you made the 'owner' changes. As for Pix and the other profiles on the system, I think this requires more thought and discussion.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/673034

Title: gdm-guest-session AppArmor profile improvements
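The trade-off the comment describes (inherit the guest profile with 'ix' versus transition to the application profile with 'Pix', and why 'owner' matching in the application profile decides which is safe), sketched as an added AppArmor profile example. This is not from the bug thread or from Ubuntu's shipped profiles; the profile paths, the rule set and the use of @{HOME} are assumptions chosen for illustration.

```apparmor
# Added illustration, not Ubuntu's shipped profiles. Paths and rules are assumed.
#include <tunables/global>

# Guest-session profile. With 'ix', evince keeps running under this profile, so
# a poppler code-execution flaw reached through evince still only sees what the
# guest profile allows; the price is that evince loses its own tighter profile.
/usr/share/gdm/guest-session/Xsession {
  #include <abstractions/base>

  # Only files the guest user owns are readable or writable under @{HOME}.
  owner @{HOME}/** rw,

  # Weak for this goal while the evince profile lacks 'owner': a 'Pix'
  # transition would let the guest's evince read @{HOME} as widely as that
  # profile permits. Left disabled here for that reason.
  # /usr/bin/evince Pix,

  # Safer until the child profile carries 'owner': inherit the guest profile.
  /usr/bin/evince ix,
}

# Application profile, fixed the way the comment suggests: 'owner' on @{HOME}
# means an evince started from the guest session (via Pix above) can only read
# files the guest owns, so the transition becomes acceptable.
/usr/bin/evince {
  #include <abstractions/base>

  /usr/bin/evince mr,
  /usr/share/evince/** r,

  # Before: @{HOME}/** r,  (any user's data readable once evince is compromised)
  owner @{HOME}/** r,
}
```

After editing, the profiles are loaded with `apparmor_parser -r` on each file and the result checked with `aa-status`, which lists which processes run under which profile; an evince launched from the guest session should appear under the guest profile with 'ix' and under the evince profile once 'Pix' is enabled.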