feat(profiles): better system nss rules in nameservice-strict.

apparmor.d/abstractions/nameservice-strict

@@ -1,24 +1,30 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
   abi <abi/3.0>,
 
-  /etc/hosts r,
-  /etc/host.conf r,
-  /etc/resolv.conf r,
+  @{etc_ro}/default/nss r,
+  @{etc_ro}/gai.conf r,
+  @{etc_ro}/group r,
+  @{etc_ro}/host.conf r,
+  @{etc_ro}/hosts r,
+  @{etc_ro}/nsswitch.conf r,
+  @{etc_ro}/passwd r,
+  @{etc_ro}/protocols r,
+  @{etc_ro}/resolv.conf r,
+  @{etc_ro}/services r,
+
   @{run}/systemd/resolve/stub-resolv.conf r,
-  /etc/nsswitch.conf r,
-  /etc/passwd r,
-  /etc/gai.conf r,
-  /etc/group r,
-  /etc/protocols r,
-  /etc/default/nss r,
-  /etc/services r,
 
   # NSS records from systemd-userdbd.service
   @{run}/systemd/userdb/ r,
-  @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+  @{run}/systemd/userdb/io.systemd.DynamicUser rw,        # systemd-exec users
+  @{run}/systemd/userdb/io.systemd.Home rw,               # systemd-home dirs
+  @{run}/systemd/userdb/io.systemd.Machine rw,            # systemd-machined
+  @{run}/systemd/userdb/io.systemd.Multiplexer rw,
+  @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw,  # UNIX/glibc NSS
   @{PROC}/sys/kernel/random/boot_id r,
 
   include if exists <abstractions/nameservice-strict.d>

apparmor.d/groups/bus/dbus-daemon

@@ -74,8 +74,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/dbus-1/services/ rw,
         @{run}/systemd/inhibit/[0-9]*.ref rw,
         @{run}/systemd/sessions/*.ref rw,
-        @{run}/systemd/userdb/io.systemd.DynamicUser  w,
-        @{run}/systemd/userdb/io.systemd.Machine     rw,
         @{run}/systemd/users/@{uid} r,
 
   @{sys}/kernel/security/apparmor/.access rw,

apparmor.d/groups/freedesktop/polkit-agent-helper

@@ -35,7 +35,6 @@ profile polkit-agent-helper @{exec_path} {
   owner @{HOME}/.xsession-errors w,
 
   @{run}/faillock/[a-zA-z0-9]* rwk,
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,
 
   include if exists <local/polkit-agent-helper>
 }

apparmor.d/groups/freedesktop/polkitd

@@ -52,7 +52,6 @@ profile polkitd @{exec_path} {
 
   @{run}/systemd/sessions/* r,
   @{run}/systemd/users/@{uid} r,
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,
 
   # Silencer
   deny /.cache/ rw,

apparmor.d/groups/gnome/gdm

@@ -46,7 +46,6 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/seats/seat[0-9]* r,
   @{run}/systemd/sessions/*     r,
   @{run}/systemd/sessions/*.ref r,
-  @{run}/systemd/userdb/ r,
   @{run}/systemd/users/@{uid} r,
   @{run}/udev/tags/master-of-seat/ r,
 

apparmor.d/groups/gnome/nautilus

@@ -46,7 +46,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/dconf/user rw,
 
   @{run}/mount/utab r,
-  @{run}/systemd/userdb/ r,
 
   @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
   @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,

apparmor.d/groups/gvfs/gvfsd-recent

@@ -31,7 +31,6 @@ profile gvfsd-recent @{exec_path} {
   
   owner @{PROC}/@{pid}/mountinfo r,
 
-  @{run}/systemd/userdb/ r,
   @{run}/mount/utab r,
 
   include if exists <local/gvfsd-recent>

apparmor.d/groups/network/nm-openvpn-service

@@ -24,7 +24,6 @@ profile nm-openvpn-service @{exec_path} {
   /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
   /{usr/,}bin/kmod rPx,
 
-  @{run}/systemd/userdb/ r,
   @{run}/NetworkManager/nm-openvpn-@{uuid} rw,
 
   /dev/net/tun rw,

apparmor.d/groups/systemd/systemd-logind

@@ -26,8 +26,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   @{exec_path} mr,
 
   /etc/machine-id r,
-  /etc/nsswitch.conf r,
-  /etc/passwd r,
   /etc/systemd/logind.conf r,
   /etc/systemd/sleep.conf r,
 
@@ -67,9 +65,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   @{run}/systemd/seats/seat[0-9]* rw,
   @{run}/systemd/sessions/{,*}  rw,
   @{run}/systemd/sessions/*.ref rw,
-  @{run}/systemd/userdb/ r,
-  @{run}/systemd/userdb/io.systemd.DynamicUser rw,
-  @{run}/systemd/userdb/io.systemd.Machine     rw,
   @{run}/systemd/users/ rw,
   @{run}/systemd/users/.#* rw,
   @{run}/systemd/users/@{uid} rw,

apparmor.d/groups/systemd/systemd-tmpfiles

@@ -46,7 +46,6 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   /usr/{,**} rw,
   /var/{,**} rwk,
 
-  @{run}/systemd/userdb/ r,
   @{sys}/devices/system/cpu/microcode/reload w,
 
   @{PROC}/@{pid}/net/unix r,

apparmor.d/groups/systemd/userdbctl

@@ -18,12 +18,9 @@ profile userdbctl @{exec_path} {
   
   /{usr/,}bin/less rPx -> child-pager,
 
-  /etc/group r,
   /etc/shadow r,
   /etc/gshadow r,
 
-  @{run}/systemd/userdb/ r,
-
   @{PROC}/@{pid}/cgroup r,
 
   include if exists <local/userdbctl>

apparmor.d/groups/ubuntu/ubuntu-report

@@ -17,8 +17,6 @@ profile ubuntu-report @{exec_path} {
 
   owner @{user_cache_dirs}/ubuntu-report/{,*} r,
 
-  @{run}/systemd/resolve/stub-resolv.conf r,
-
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
   include if exists <local/ubuntu-report>

apparmor.d/groups/ubuntu/update-notifier

@@ -52,12 +52,8 @@ profile update-notifier @{exec_path} {
 
   owner /tmp/#[0-9]* rw,
 
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,
-  @{run}/systemd/userdb/ r,
-
   owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/@{pids}/mountinfo r,
-        @{PROC}/sys/kernel/random/boot_id r,
 
   include if exists <local/update-notifier>
 }

apparmor.d/groups/virt/cockpit-bridge

@@ -39,7 +39,6 @@ profile cockpit-bridge @{exec_path} {
 
   owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
 
-  @{run}/systemd/userdb/ r,
   @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,
   @{run}/utmp r,
 

apparmor.d/groups/virt/cockpit-session

@@ -33,7 +33,6 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 
   @{run}/faillock/[a-zA-z0-9]* rwk,
   @{run}/systemd/sessions/*.ref rw,
-  @{run}/systemd/userdb/ r,
   @{run}/utmp rwk,
 
   /var/log/btmp rw,

apparmor.d/profiles-a-f/auditd

@@ -30,7 +30,6 @@ profile auditd @{exec_path} flags=(attach_disconnected) {
   owner @{run}/auditd.pid rwl,
   owner @{run}/auditd.state rw,
         @{run}/systemd/journal/dev-log w,
-        @{run}/systemd/userdb/ r,
 
   owner @{PROC}/@{pid}/attr/current r,
   owner @{PROC}/@{pid}/loginuid r,

apparmor.d/profiles-g-l/lastlog

@@ -19,7 +19,5 @@ profile lastlog @{exec_path} {
   /var/log/lastlog r,
   /etc/login.defs r,
 
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,
-
   include if exists <local/lastlog>
 }

apparmor.d/profiles-g-l/login

@@ -41,8 +41,6 @@ profile login @{exec_path} {
   /var/log/btmp{,.[0-9]*} r,
 
   @{run}/faillock/root rwk,
-  @{run}/systemd/userdb/ r,
-  @{run}/systemd/userdb/io.systemd.DynamicUser rw,
   @{run}/dbus/system_bus_socket rw,
   @{run}/motd.dynamic{,.new} rw,
   @{run}/systemd/sessions/*.ref rw,

apparmor.d/profiles-m-r/pwck

@@ -24,7 +24,5 @@ profile pwck @{exec_path} {
   /etc/shadow.[0-9]* rw,
   /etc/shadow.lock wl,
 
-  @{run}/systemd/userdb/ r,
-
   include if exists <local/pwck>
 }

apparmor.d/profiles-m-r/rsyslogd

@@ -60,7 +60,6 @@ profile rsyslogd @{exec_path} {
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,
 
-  @{run}/systemd/userdb/io.systemd.Machine rw,
   @{run}/systemd/notify w,
 
   include if exists <local/rsyslogd>

apparmor.d/profiles-s-z/su

@@ -60,9 +60,6 @@ profile su @{exec_path} {
   /dev/{,pts/}ptmx rw,
 
   @{run}/dbus/system_bus_socket rw,
-  @{run}/systemd/userdb/ r,
-  @{run}/systemd/userdb/io.systemd.Machine rw,
-  @{run}/systemd/userdb/io.systemd.DynamicUser rw,
 
   dbus (send)
      bus=system

apparmor.d/profiles-s-z/sudo

@@ -77,8 +77,6 @@ profile sudo @{exec_path} {
 
   owner @{HOME}/.sudo_as_admin_successful rw,
 
-  @{run}/systemd/userdb/ r,
-  @{run}/systemd/userdb/io.systemd.DynamicUser rw,
   @{run}/resolvconf/resolv.conf r,
 
   /dev/ r,    # interactive login