How to access mounted file systems as a guest user?

In Ubuntu 11.04 I could mount a file system in /media/foo and run chown guest:guest /media/foo/bar -R and have full access in the guest account. After the upgrade to 12.04 I changed my routine to reflect the new guest usernames (chown guest[id]:guest[id] /media/foo/bar -R) but I still can't access it as a guest user, as I don't have access privileges to /media as guest:

ls: cannot open directory /media: Permission denied

(Very interestingly this does work if I su into the guest account as root). I understand this is meant as a security measure but I don't see how it is done. ls -l / reports

drwxr-xr-x  11 root root  4096 Sep  9 22:28 media

Thus my two questions: How does this restriction work and how can I access a mounted file system as a guest user, ideally without allowing access to all of the other mounted file systems?


Access to /media is restricted by the AppArmor profile /etc/apparmor.d/lightdm-guest-session. There are two exceptions (lines 31 and 32):

 owner /media/ r,
 owner /media/** rmwlixk,  # we want access to USB sticks and the like

That allows access if /media/foo is owned by guest[id], which is the first alternative to solve my problem. The downside is that the guest account can create arbitrary directories and files in the root of /media/foo. I decided to explicitly poke a hole for /media/foo/bar and added the lines:

 owner /media/foo/bar rw,

A description of the syntax can be found here: http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.apparmor.profiles.html

To the best of my knowledge this only allows the guest session to access /media/foo/bar and only if guest[id] is the owner of bar. Note that guest[id] still cannot access /media/foo itself. Thus ls /media/foo will fail, but ls /media/foo/bar works.

Lastly reload the profile for the changes to take effect:

 sudo apparmor_parser -r /etc/apparmor.d/lightdm-guest-session