[apparmor] Update X abstraction for new gdm Xauthority file
John Johansen
john.johansen at canonical.com
Wed Aug 11 15:52:33 BST 2010
On 08/11/2010 10:44 AM, Jamie Strandboge wrote:
> As reported in LP: #601583, newer gdm sets the XAUTHORITY file
> in /var/run. E.g., in Ubuntu 10.10:
> $ set | grep XAUTHORITY
> XAUTHORITY=/var/run/gdm/auth-for-test-GsdBew/database
>
> Indeed, there is no ~/.Xauthority file anymore:
> $ ls ~/.Xauthority
> ls: cannot access /home/test/.Xauthority: No such file or directory
>
Err, what am I missing here?
> - @{HOME}/.Xauthority r,
So a rule for this already exists; isn't it just the access to the
> + owner /var/run/gdm/*/database r,
that is missing? How is this causing the .Xauthority failure?
> The permissions for /var/run/gdm* are:
> $ sudo ls -ld /var/run/gdm
> drwx--x--x 4 root gdm 100 2010-08-11 08:11 /var/run/gdm
>
> $ sudo ls -l /var/run/gdm
> total 0
> drwx--x--x 2 gdm gdm 60 2010-08-11 08:11 auth-for-gdm-HXjZLh
> drwx--x--x 2 test test 60 2010-08-11 08:11 auth-for-test-GsdBew
> -rw-r--r-- 1 root root 0 2010-08-11 07:33 firstserver.stamp
>
> $ sudo ls -l /var/run/gdm/auth-for-test-GsdBew
> total 4
> -rw------- 1 test test 49 2010-08-11 08:11 database
>
> As such, I propose the following change to the X abstraction:
>
> === modified file 'profiles/apparmor.d/abstractions/X'
> --- profiles/apparmor.d/abstractions/X 2009-11-04 20:25:42 +0000
> +++ profiles/apparmor.d/abstractions/X 2010-08-11 14:43:09 +0000
> @@ -17,7 +17,8 @@
> @{HOME}/.ICEauthority r,
>
> # .Xauthority files required for X connections, per user
> - @{HOME}/.Xauthority r,
> + @{HOME}/.Xauthority r,
> + owner /var/run/gdm/*/database r,
>
> # the unix socket to use to connect to the display
> /tmp/.X11-unix/* w,
>
>
>
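Review bot: the `*` in the added rule `owner /var/run/gdm/*/database r,` accepts any directory name under /var/run/gdm, while the listing in this message shows only `auth-for-<user>-<random>` directories, so `owner /var/run/gdm/auth-for-*/database r,` would match the same files with a narrower glob. The `owner` qualifier fits the `-rw------- test test` mode shown for the database file and is worth keeping. The `-`/`+` pair for `@{HOME}/.Xauthority r,` reads as identical text here, so it is presumably a whitespace realignment; leaving that line out of the hunk would make it obvious that the existing rule stays and only the gdm rule is new. The comment above the rules still describes only `.Xauthority`, so a short comment line saying that newer gdm places the per-user authority file under /var/run/gdm would document why the second rule exists.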