[packages/apparmor-profiles.git] / apparmor-2.13.4-fix_systemd_userdb.patch

From 16f9f6885aff84123c0b52197f435e40d656c0e4 Mon Sep 17 00:00:00 2001
From: nl6720 <nl6720@gmail.com>
Date: Thu, 19 Mar 2020 12:05:44 +0200
Subject: [PATCH] abstractions/nameservice: allow accessing
 /run/systemd/userdb/

On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .

Signed-off-by: nl6720 <nl6720@gmail.com>
---
 profiles/apparmor.d/abstractions/nameservice | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
index 760e449e..2f3b1d15 100644
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -29,6 +29,11 @@
   /var/lib/extrausers/group  r,
   /var/lib/extrausers/passwd r,
 
+  # NSS records from systemd-userdbd.service
+  @{run}/systemd/userdb/ r,
+  @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+  @{PROC}/sys/kernel/random/boot_id r,
+
   # When using sssd, the passwd and group files are stored in an alternate path
   # and the nss plugin also needs to talk to a pipe
   /var/lib/sss/mc/group   r,
-- 
2.26.2
Commit	Line	Data
4db3900d AM	1	From 16f9f6885aff84123c0b52197f435e40d656c0e4 Mon Sep 17 00:00:00 2001
	2	From: nl6720 <nl6720@gmail.com>
	3	Date: Thu, 19 Mar 2020 12:05:44 +0200
	4	Subject: [PATCH] abstractions/nameservice: allow accessing
	5	/run/systemd/userdb/
	6
	7	On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .
	8
	9	Signed-off-by: nl6720 <nl6720@gmail.com>
	10	---
	11	profiles/apparmor.d/abstractions/nameservice \| 5 +++++
	12	1 file changed, 5 insertions(+)
	13
	14	diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
	15	index 760e449e..2f3b1d15 100644
	16	--- a/profiles/apparmor.d/abstractions/nameservice
	17	+++ b/profiles/apparmor.d/abstractions/nameservice
	18	@@ -29,6 +29,11 @@
	19	/var/lib/extrausers/group r,
	20	/var/lib/extrausers/passwd r,
	21
	22	+ # NSS records from systemd-userdbd.service
	23	+ @{run}/systemd/userdb/ r,
	24	+ @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
	25	+ @{PROC}/sys/kernel/random/boot_id r,
	26	+
	27	# When using sssd, the passwd and group files are stored in an alternate path
	28	# and the nss plugin also needs to talk to a pipe
	29	/var/lib/sss/mc/group r,
	30	--
	31	2.26.2
	32