mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00
Code Issues Releases Wiki Activity

Merge: abstractions/nameservice: allow accessing /run/systemd/userdb/

Browse Source 
On systems with systemd 245, `nss-systemd` additionally queries NSS records from `systemd-userdbd.service`. See https://systemd.io/USER_GROUP_API/ .

This does not bring full support for `systemd-homed`, but I don't use that service so I can't help with that.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/459
Acked-by: John Johansen <john.johansen@canonical.com>

(cherry picked from commit d4296d217c888e08e10bec300fe35351c2ef2f81)

16f9f688 abstractions/nameservice: allow accessing /run/systemd/userdb/
This commit is contained in:
John Johansen 2020-03-29 08:51:55 +00:00
parent 411af09c97
commit 50d12dbd5e
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
profiles/apparmor.d/abstractions/nameservice
View File

@ -29,6 +29,11 @@
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
# NSS records from systemd-userdbd.service
@{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
@{PROC}/sys/kernel/random/boot_id r,
# When using sssd, the passwd and group files are stored in an alternate path
# and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r,