apparmor/profiles/apparmor.d/abstractions/nss-systemd

# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2009 Novell/SUSE
#    Copyright (C) 2009-2011 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

# libnss-systemd
  #
  #   https://systemd.io/USER_GROUP_API/
  #   https://systemd.io/USER_RECORD/
  #   https://www.freedesktop.org/software/systemd/man/nss-systemd.html
  #
  # Allow User/Group lookups via common VarLink socket APIs. Applications need
  # to either consult all of them or the io.systemd.Multiplexer frontend.
  @{run}/systemd/userdb/ r,
  @{run}/systemd/userdb/io.systemd.Multiplexer rw,
  @{run}/systemd/userdb/io.systemd.DynamicUser rw,        # systemd-exec users
  @{run}/systemd/userdb/io.systemd.Home rw,               # systemd-home dirs
  @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw,  # UNIX/glibc NSS

  @{PROC}/sys/kernel/random/boot_id r,

  #include if exists <abstractions/nss-systemd.d>
allow accessing the libnss-systemd VarLink sockets and DBus APIs https://systemd.io/USER_GROUP_API/ describes the libnss-systemd VarLink socket APIs: " When a client wants to look up a user or group record, it contacts all sockets bound in this directory in parallel, and enqueues the same query to each. The first positive reply is then returned to the application, or if all fail the last seen error is returned instead. (Alternatively a special Varlink service is available, io.systemd.Multiplexer which acts as frontend and will do the parallel queries on behalf of the client, drastically simplifying client development.) " This updates the nameservice abstraction to allow read/write on well-known systemd VarLink named sockets. In addition, allow lookups for systemd-exec's DynamicUsers via D-Bus References: - https://systemd.io/USER_GROUP_API/ - https://systemd.io/USER_RECORD/ - https://www.freedesktop.org/software/systemd/man/nss-systemd.html - https://www.freedesktop.org/software/systemd/man/systemd.exec.html - https://launchpad.net/bugs/1796911 - https://launchpad.net/bugs/1869024 Modified by John Johansen by: - moving rules nss-systemd include - replacing /proc/ with @{proc}/ - moving and merging commit 16f9f688 rules into nss-systemd include PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/480 PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/474 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com> 2020-04-06 16:09:50 -05:00			`# ------------------------------------------------------------------`
			`#`
			`# Copyright (C) 2002-2009 Novell/SUSE`
			`# Copyright (C) 2009-2011 Canonical Ltd.`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#`
			`# ------------------------------------------------------------------`

			`# libnss-systemd`
			`#`
			`# https://systemd.io/USER_GROUP_API/`
			`# https://systemd.io/USER_RECORD/`
			`# https://www.freedesktop.org/software/systemd/man/nss-systemd.html`
			`#`
			`# Allow User/Group lookups via common VarLink socket APIs. Applications need`
			`# to either consult all of them or the io.systemd.Multiplexer frontend.`
			`@{run}/systemd/userdb/ r,`
			`@{run}/systemd/userdb/io.systemd.Multiplexer rw,`
			`@{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users`
			`@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs`
			`@{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS`

			`@{PROC}/sys/kernel/random/boot_id r,`

			`#include if exists <abstractions/nss-systemd.d>`