mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-07 01:41:00 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/profiles/apparmor.d/abstractions/nameservice
Jamie Strandboge 5583569a29 allow accessing the libnss-systemd VarLink sockets and DBus APIs 
https://systemd.io/USER_GROUP_API/ describes the libnss-systemd VarLink
socket APIs:

"
When a client wants to look up a user or group record, it contacts all
sockets bound in this directory in parallel, and enqueues the same query
to each. The first positive reply is then returned to the application,
or if all fail the last seen error is returned instead. (Alternatively
a special Varlink service is available, io.systemd.Multiplexer which
acts as frontend and will do the parallel queries on behalf of the
client, drastically simplifying client development.)
"

This updates the nameservice abstraction to allow read/write on
well-known systemd VarLink named sockets.

In addition, allow lookups for systemd-exec's DynamicUsers via D-Bus

References:
- https://systemd.io/USER_GROUP_API/
- https://systemd.io/USER_RECORD/
- https://www.freedesktop.org/software/systemd/man/nss-systemd.html
- https://www.freedesktop.org/software/systemd/man/systemd.exec.html
- https://launchpad.net/bugs/1796911
- https://launchpad.net/bugs/1869024

Modified by John Johansen by:
- moving rules nss-systemd include
- replacing /proc/ with @{proc}/
- moving and merging commit 16f9f688 rules into nss-systemd include

PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/480
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/474
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
2020-04-16 10:21:04 -07:00

116 lines
3.7 KiB
Text
Raw Blame History

# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns,
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
/{usr/,}etc/group r,
/{usr/,}etc/host.conf r,
/{usr/,}etc/hosts r,
/{usr/,}etc/nsswitch.conf r,
/{usr/,}etc/gai.conf r,
/{usr/,}etc/passwd r,
/{usr/,}etc/protocols r,
# libtirpc (used for NIS/YP login) needs this
/{usr/,}etc/netconfig r,
# When using libnss-extrausers, the passwd and group files are merged from
# an alternate path
/var/lib/extrausers/group r,
/var/lib/extrausers/passwd r,
# When using sssd, the passwd and group files are stored in an alternate path
# and the nss plugin also needs to talk to a pipe
/var/lib/sss/mc/group r,
/var/lib/sss/mc/initgroups r,
/var/lib/sss/mc/passwd r,
/var/lib/sss/pipes/nss rw,
/{usr/,}etc/resolv.conf r,
# On systems where /etc/resolv.conf is managed programmatically, it is
# a symlink to @{run}/(whatever program is managing it)/resolv.conf.
@{run}/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
/{usr/,}etc/resolvconf/run/resolv.conf r,
@{run}/systemd/resolve/stub-resolv.conf r,
/{usr/,}etc/samba/lmhosts r,
/{usr/,}etc/services r,
# db backend
/var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading
# to vast speed increases when working with network-based lookups.
@{run}/.nscd_socket rw,
@{run}/nscd/socket rw,
/{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r,
# nscd renames and unlinks files in it's operation that clients will
# have open
@{run}/nscd/db* rmix,
# The nss libraries are sometimes used in addition to PAM; make sure
# they are available
/{usr/,}lib{,32,64}/libnss_*.so* mr,
/{usr/,}lib/@{multiarch}/libnss_*.so* mr,
/{usr/,}etc/default/nss r,
# avahi-daemon is used for mdns4 resolution
@{run}/avahi-daemon/socket rw,
# libnl-3-200 via libnss-gw-name
@{PROC}/@{pid}/net/psched r,
/{usr/,}etc/libnl-*/classid r,
# nis
#include <abstractions/nis>
# ldap
#include <abstractions/ldapclient>
# winbind
#include <abstractions/winbind>
# likewise
#include <abstractions/likewise>
# mdnsd
#include <abstractions/mdns>
# kerberos
#include <abstractions/kerberosclient>
#libnss-systemd
#include <abstractions/nss-systemd>
# Also allow lookups for systemd-exec's DynamicUsers via D-Bus
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
dbus send
bus=system
path="/org/freedesktop/systemd1"
interface="org.freedesktop.systemd1.Manager"
member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
peer=(name="org.freedesktop.systemd1"),
# TCP/UDP network access
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
# TODO: adjust when support finer-grained netlink rules
# Netlink raw needed for nscd
network netlink raw,
# interface details
@{PROC}/@{pid}/net/route r,
# Include additions to the abstraction
#include if exists <abstractions/nameservice.d>
Reference in a new issue View git blame Copy permalink