From c923cc7ccffb9c49c3b54adaf2918092631247e9 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 9 Oct 2024 21:37:26 +0100
Subject: [PATCH] feat(abs): use nss-systemd in nameservice-strict.
---
 apparmor.d/abstractions/nameservice-strict | 21 +++------------------
 1 file changed, 3 insertions(+), 18 deletions(-)
diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict
index b1d47471..0cac5a1a 100644
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@@ -6,6 +6,8 @@
 # Many programs wish to perform nameservice-like operations, such as looking up
 # users by name or id, groups by name or id, hosts by name or IP, etc.
+ include
+
 @{etc_ro}/default/nss r,
 @{etc_ro}/gai.conf r,
 @{etc_ro}/group r,
@@ -31,23 +33,6 @@
 @{run}/systemd/resolve/resolv.conf r,
 @{run}/systemd/resolve/stub-resolv.conf r,
- # NSS records from systemd-userdbd.service
- #
- # Allow User/Group lookups via common VarLink socket APIs. Applications need
- # to either consult all of them or the io.systemd.Multiplexer frontend.
- #
- # https://systemd.io/USER_GROUP_API/
- # https://systemd.io/USER_RECORD/
- # https://www.freedesktop.org/software/systemd/man/nss-systemd.html
- #
- @{run}/systemd/userdb/ r,
- @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
- @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
- @{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined
- @{run}/systemd/userdb/io.systemd.Multiplexer rw,
- @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
- @{PROC}/sys/kernel/random/boot_id r,
-
- include if exists
+ include if exists
 # vim:syntax=apparmor
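Review bot: The new `include` in the first hunk replaces seventeen lines of explicit userdb rules (`@{run}/systemd/userdb/io.systemd.* rw`, `@{PROC}/sys/kernel/random/boot_id r`) with an abstraction whose contents are not in this patch, so a reader of nameservice-strict can no longer see what every profile pulling in this abstraction is granted; the include target itself is not visible in this rendering (the angle-bracketed path appears stripped), so I am assuming from the subject that it is the nss-systemd abstraction. A one-line comment above the include, `# NSS records from systemd-userdbd.service (see the nss-systemd abstraction)`, would preserve the intent the deleted comment block carried and point reviewers to where the socket permissions now live. It is also worth confirming that the included abstraction grants no more than the deleted rules did, since any widening there is inherited by every consumer of nameservice-strict. The deleted and re-added `include if exists` lines read identically here; if the only difference is indentation, the second hunk's change beyond the deletions is incidental.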