From 50d12dbd5e63197e4117bedbedd1e705701a86d3 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Sun, 29 Mar 2020 08:51:55 +0000 Subject: [PATCH] Merge: abstractions/nameservice: allow accessing /run/systemd/userdb/ On systems with systemd 245, `nss-systemd` additionally queries NSS records from `systemd-userdbd.service`. See https://systemd.io/USER_GROUP_API/ . This does not bring full support for `systemd-homed`, but I don't use that service so I can't help with that. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82 PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/459 Acked-by: John Johansen (cherry picked from commit d4296d217c888e08e10bec300fe35351c2ef2f81) 16f9f688 abstractions/nameservice: allow accessing /run/systemd/userdb/ --- profiles/apparmor.d/abstractions/nameservice | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice index ef2c5b2e5..a78a874d8 100644 --- a/profiles/apparmor.d/abstractions/nameservice +++ b/profiles/apparmor.d/abstractions/nameservice @@ -29,6 +29,11 @@ /var/lib/extrausers/group r, /var/lib/extrausers/passwd r, + # NSS records from systemd-userdbd.service + @{run}/systemd/userdb/ r, + @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r, + @{PROC}/sys/kernel/random/boot_id r, + # When using sssd, the passwd and group files are stored in an alternate path # and the nss plugin also needs to talk to a pipe /var/lib/sss/mc/group r,
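Review bot: The four `io.systemd.*` entries under `@{run}/systemd/userdb/` are granted only `r`, yet the commit message says `nss-systemd` queries records from `systemd-userdbd.service`, which means the client connects to these paths as sockets rather than reading them as files; please confirm on a systemd 245 host (with the profile in complain mode and `aa-logprof` or the audit log) that `r` alone is enough for the lookup to succeed, and if a denial shows up, widen the rule on those socket paths rather than on the directory. The `@{PROC}/sys/kernel/random/boot_id r,` line also sits under the "NSS records from systemd-userdbd.service" comment without its own explanation; a short comment stating that the userdb client reads the boot id would help the next person auditing the abstraction decide whether the line can be dropped. Keeping the enumerated `{NameServiceSwitch,Multiplexer,DynamicUser,Home}` list instead of a `*` glob is the right least-privilege choice here.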