feat(profiles): better system nss rules in nameservice-strict.

2022-06-03 19:38:34 +01:00 · 2022-06-03 19:38:34 +01:00 · 879416b062
commit 879416b062
parent 1ca1aa8892
22 changed files with 18 additions and 50 deletions
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -74,8 +74,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/dbus-1/services/ rw,
        @{run}/systemd/inhibit/[0-9]*.ref rw,
        @{run}/systemd/sessions/*.ref rw,
-        @{run}/systemd/userdb/io.systemd.DynamicUser  w,
-        @{run}/systemd/userdb/io.systemd.Machine     rw,
        @{run}/systemd/users/@{uid} r,

  @{sys}/kernel/security/apparmor/.access rw,
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@ -35,7 +35,6 @@ profile polkit-agent-helper @{exec_path} {
  owner @{HOME}/.xsession-errors w,

  @{run}/faillock/[a-zA-z0-9]* rwk,
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,

  include if exists <local/polkit-agent-helper>
 }
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -52,7 +52,6 @@ profile polkitd @{exec_path} {

  @{run}/systemd/sessions/* r,
  @{run}/systemd/users/@{uid} r,
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,

  # Silencer
  deny /.cache/ rw,
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -46,7 +46,6 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/seats/seat[0-9]* r,
  @{run}/systemd/sessions/*     r,
  @{run}/systemd/sessions/*.ref r,
-  @{run}/systemd/userdb/ r,
  @{run}/systemd/users/@{uid} r,
  @{run}/udev/tags/master-of-seat/ r,

--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -46,7 +46,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/dconf/user rw,

  @{run}/mount/utab r,
-  @{run}/systemd/userdb/ r,

  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@ -31,7 +31,6 @@ profile gvfsd-recent @{exec_path} {
  
  owner @{PROC}/@{pid}/mountinfo r,

-  @{run}/systemd/userdb/ r,
  @{run}/mount/utab r,

  include if exists <local/gvfsd-recent>
--- a/apparmor.d/groups/network/nm-openvpn-service
+++ b/apparmor.d/groups/network/nm-openvpn-service
@ -24,7 +24,6 @@ profile nm-openvpn-service @{exec_path} {
  /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
  /{usr/,}bin/kmod rPx,

-  @{run}/systemd/userdb/ r,
  @{run}/NetworkManager/nm-openvpn-@{uuid} rw,

  /dev/net/tun rw,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -26,8 +26,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{exec_path} mr,

  /etc/machine-id r,
-  /etc/nsswitch.conf r,
-  /etc/passwd r,
  /etc/systemd/logind.conf r,
  /etc/systemd/sleep.conf r,

@ -67,9 +65,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{run}/systemd/seats/seat[0-9]* rw,
  @{run}/systemd/sessions/{,*}  rw,
  @{run}/systemd/sessions/*.ref rw,
-  @{run}/systemd/userdb/ r,
-  @{run}/systemd/userdb/io.systemd.DynamicUser rw,
-  @{run}/systemd/userdb/io.systemd.Machine     rw,
  @{run}/systemd/users/ rw,
  @{run}/systemd/users/.#* rw,
  @{run}/systemd/users/@{uid} rw,
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@ -46,7 +46,6 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
  /usr/{,**} rw,
  /var/{,**} rwk,

-  @{run}/systemd/userdb/ r,
  @{sys}/devices/system/cpu/microcode/reload w,

  @{PROC}/@{pid}/net/unix r,
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@ -18,12 +18,9 @@ profile userdbctl @{exec_path} {
  
  /{usr/,}bin/less rPx -> child-pager,

-  /etc/group r,
  /etc/shadow r,
  /etc/gshadow r,

-  @{run}/systemd/userdb/ r,
-
  @{PROC}/@{pid}/cgroup r,

  include if exists <local/userdbctl>
--- a/apparmor.d/groups/ubuntu/ubuntu-report
+++ b/apparmor.d/groups/ubuntu/ubuntu-report
@ -17,8 +17,6 @@ profile ubuntu-report @{exec_path} {

  owner @{user_cache_dirs}/ubuntu-report/{,*} r,

-  @{run}/systemd/resolve/stub-resolv.conf r,
-
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  include if exists <local/ubuntu-report>
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -52,12 +52,8 @@ profile update-notifier @{exec_path} {

  owner /tmp/#[0-9]* rw,

-  @{run}/systemd/userdb/io.systemd.DynamicUser w,
-  @{run}/systemd/userdb/ r,
-
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pids}/mountinfo r,
-        @{PROC}/sys/kernel/random/boot_id r,

  include if exists <local/update-notifier>
 }
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -39,7 +39,6 @@ profile cockpit-bridge @{exec_path} {

  owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,

-  @{run}/systemd/userdb/ r,
  @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,
  @{run}/utmp r,

--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@ -33,7 +33,6 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {

  @{run}/faillock/[a-zA-z0-9]* rwk,
  @{run}/systemd/sessions/*.ref rw,
-  @{run}/systemd/userdb/ r,
  @{run}/utmp rwk,

  /var/log/btmp rw,