[apparmor] Update X abstraction for new gdm Xauthority file
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Aug 11 15:49:11 BST 2010
On Wed, 2010-08-11 at 09:44 -0500, Jamie Strandboge wrote:
> As reported in LP: #601583, newer gdm sets the XAUTHORITY file
> in /var/run. Eg, in Ubuntu 10.10:
> $ set | grep XAUTHORITY
> XAUTHORITY=/var/run/gdm/auth-for-test-GsdBew/database
>
> Indeed, there is no ~/.Xauthority file anymore:
> $ ls ~/.Xauthority
> ls: cannot access /home/test/.Xauthority: No such file or directory
>
> The permissions for /var/run/gdm* are:
> $ sudo ls -ld /var/run/gdm
> drwx--x--x 4 root gdm 100 2010-08-11 08:11 /var/run/gdm
>
> $ sudo ls -l /var/run/gdm
> total 0
> drwx--x--x 2 gdm gdm 60 2010-08-11 08:11 auth-for-gdm-HXjZLh
> drwx--x--x 2 test test 60 2010-08-11 08:11 auth-for-test-GsdBew
> -rw-r--r-- 1 root root 0 2010-08-11 07:33 firstserver.stamp
>
> $ sudo ls -l /var/run/gdm/auth-for-test-GsdBew
> total 4
> -rw------- 1 test test 49 2010-08-11 08:11 database
>
> As such, I propose the following change to the X abstraction:
>
> === modified file 'profiles/apparmor.d/abstractions/X'
> --- profiles/apparmor.d/abstractions/X 2009-11-04 20:25:42 +0000
> +++ profiles/apparmor.d/abstractions/X 2010-08-11 14:43:09 +0000
> @@ -17,7 +17,8 @@
> @{HOME}/.ICEauthority r,
>
> # .Xauthority files required for X connections, per user
> - @{HOME}/.Xauthority r,
> + @{HOME}/.Xauthority r,
> + owner /var/run/gdm/*/database r,
>
> # the unix socket to use to connect to the display
> /tmp/.X11-unix/* w,
>
>
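Review bot: the added rule `owner /var/run/gdm/*/database r,` uses a bare `*` for the directory component, which is wider than the layout shown in the listing above needs. The per-session directories there are all named `auth-for-<user>-<suffix>`, so `owner /var/run/gdm/auth-for-*/database r,` would keep the rule to those directories while `owner` still limits reads to the file the confined process's user owns. The comment above the rules still mentions only ".Xauthority files"; a short note that newer gdm keeps the file under /var/run/gdm would document why the second rule is there. The `-`/`+` pair for `@{HOME}/.Xauthority r,` reads as identical here, so if it is a whitespace-only change it is worth saying so in the commit message or dropping it from the patch.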
ACK
Marc.