Package: apparmor / 2.13.4-3

upstream-commit-1f319c3-systemd-userdbd-compat.patch
From: nl6720 <nl6720@gmail.com>
Date: Thu, 19 Mar 2020 12:05:44 +0200
Subject: abstractions/nameservice: allow accessing /run/systemd/userdb/

On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .

(cherry picked from commit 16f9f6885aff84123c0b52197f435e40d656c0e4)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82
Signed-off-by: nl6720 <nl6720@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Patch slightly edited to avoid depending on the @{run} tunable,
which is not available in any upstream release yet.
---
 profiles/apparmor.d/abstractions/nameservice | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
index ef2c5b2..cf34167 100644
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -29,6 +29,11 @@
   /var/lib/extrausers/group  r,
   /var/lib/extrausers/passwd r,
 
+  # NSS records from systemd-userdbd.service
+  /{,var/}run/systemd/userdb/ r,
+  /{,var/}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+  @{PROC}/sys/kernel/random/boot_id r,
+
   # When using sssd, the passwd and group files are stored in an alternate path
   # and the nss plugin also needs to talk to a pipe
   /var/lib/sss/mc/group   r,
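Review bot: the io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} entries added in this hunk are Varlink Unix sockets that nss-systemd connects to (per the USER_GROUP_API document cited in the commit message), and AppArmor normally mediates a connect to a path-bound socket as a write, so granting only `r` on that line is likely to leave the userdb lookup denied even though the directory listing succeeds. Consider `/{,var/}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} rw,` for the socket line, keeping the directory and boot_id entries at `r`, and confirm against an audit log from a confined NSS lookup before merging. The `/{,var/}run/` spelling is consistent with the header note about avoiding the `@{run}` tunable, and `@{PROC}` is already used elsewhere in this abstraction, so those parts look fine.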