Merge abstractions/nameservice: include nameservice-strict

... and drop all rules it contains from abstractions/nameservice. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1373 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-08-22 18:17:09 +00:00 · 2024-10-29 15:26:43 +00:00 · 2024-10-29 15:26:43 +00:00 · 4fe3e30abc
commit 4fe3e30abc
parent 82a4e70248 372ad8f6b9
1 changed files with 4 additions and 28 deletions
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@ -2,6 +2,7 @@
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
 #    Copyright (C) 2009-2011 Canonical Ltd.
 #    Copyright (C) 2011-2024 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@ -11,29 +12,11 @@
  abi <abi/4.0>,
-  # Many programs wish to perform nameservice-like operations, such as
+  include <abstractions/nameservice-strict>
  # looking up users by name or id, groups by name or id, hosts by name
  # or IP, etc. These operations may be performed through files, dns,
  # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
  @{etc_ro}/group          r,
  @{etc_ro}/host.conf      r,
  @{etc_ro}/hosts          r,
  @{etc_ro}/nsswitch.conf  r,
  @{etc_ro}/gai.conf       r,
  @{etc_ro}/passwd         r,
  @{etc_ro}/protocols      r,
  # On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf
  @{etc_ro}/authselect/nsswitch.conf r,
  # libtirpc (used for NIS/YP login) needs this
  @{etc_ro}/netconfig r,
  # When using libnss-extrausers, the passwd and group files are merged from
  # an alternate path
  /var/lib/extrausers/group  r,
  /var/lib/extrausers/passwd r,
  # When using sssd, the passwd and group files are stored in an alternate path
  # and the nss plugin also needs to talk to a pipe
  /var/lib/sss/mc/group   r,
@ -41,16 +24,13 @@
  /var/lib/sss/mc/passwd  r,
  /var/lib/sss/pipes/nss  rw,
  @{etc_ro}/resolv.conf r,
  # On systems where /etc/resolv.conf is managed programmatically, it is
  # a symlink to @{run}/(whatever program is managing it)/resolv.conf.
-  @{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
+  @{run}/{NetworkManager,connman,netconfig}/resolv.conf r,
  @{etc_ro}/resolvconf/run/resolv.conf  r,
  @{run}/systemd/resolve/stub-resolv.conf r,
  /mnt/wsl/resolv.conf r,
  @{etc_ro}/samba/lmhosts  r,
  @{etc_ro}/services       r,
  # db backend
  /var/lib/misc/*.db      r,
  # The Name Service Cache Daemon can cache lookups, sometimes leading
@ -60,7 +40,7 @@
  /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts}    r,
  # nscd renames and unlinks files in it's operation that clients will
  # have open
-  @{run}/nscd/db*  rmix,
+  @{run}/nscd/db*  mix,
  # make libnss-libvirt name resolution work.
  /var/lib/libvirt/dnsmasq/  r,
@ -70,7 +50,6 @@
  # they are available
  /{usr/,}lib{,32,64}/libnss_*.so*      mr,
  /{usr/,}lib/@{multiarch}/libnss_*.so*      mr,
  @{etc_ro}/default/nss               r,
  # avahi-daemon is used for mdns4 resolution
  @{run}/avahi-daemon/socket rw,
@ -97,9 +76,6 @@
  # kerberos
  include <abstractions/kerberosclient>
  #libnss-systemd
  include <abstractions/nss-systemd>
  # Also allow lookups for systemd-exec's DynamicUsers via D-Bus
  #   https://www.freedesktop.org/software/systemd/man/systemd.exec.html
  dbus send