abstractions/nameservice: allow accessing /run/systemd/userdb/

On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ . (cherry picked from commit 16f9f688) Fixes: #82 Signed-off-by: nl6720 <nl6720@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com>

abstractions/nameservice: allow accessing /run/systemd/userdb/
feaae228 · nl6720 · John Johansen · b555cb2b · feaae228
Commit feaae228 authored 4 years ago by nl6720 Committed by John Johansen 4 years ago
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -29,6 +29,11 @@
  /var/lib/extrausers/group  r,
  /var/lib/extrausers/passwd r,

+  # NSS records from systemd-userdbd.service
+  @{run}/systemd/userdb/ r,
+  @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+  @{PROC}/sys/kernel/random/boot_id r,
+
  # When using sssd, the passwd and group files are stored in an alternate path
  # and the nss plugin also needs to talk to a pipe
  /var/lib/sss/mc/group   r,