From 16f9f6885aff84123c0b52197f435e40d656c0e4 Mon Sep 17 00:00:00 2001
From: nl6720 <nl6720@gmail.com>
Date: Thu, 19 Mar 2020 12:05:44 +0200
Subject: [PATCH] abstractions/nameservice: allow accessing
 /run/systemd/userdb/

On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .

Signed-off-by: nl6720 <nl6720@gmail.com>
---
 profiles/apparmor.d/abstractions/nameservice | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
index 760e449e7..2f3b1d154 100644
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -29,6 +29,11 @@
   /var/lib/extrausers/group  r,
   /var/lib/extrausers/passwd r,
 
+  # NSS records from systemd-userdbd.service
+  @{run}/systemd/userdb/ r,
+  @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+  @{PROC}/sys/kernel/random/boot_id r,
+
   # When using sssd, the passwd and group files are stored in an alternate path
   # and the nss plugin also needs to talk to a pipe
   /var/lib/sss/mc/group   r,