As mentioned in LP: #1796911 by xnox, some abstractions should be
augmented with the corresponding dbus rules. Support for userdb should
also be added IMHO.
Here are the rules that were needed in my tests on an up-to-date Focal:
  # systemd DynamicUser
  /run/systemd/userdb/ r,
  /run/systemd/userdb/io.systemd.DynamicUser rw,
  @{PROC}/sys/kernel/random/boot_id r,

  #include <abstractions/dbus-strict>
  dbus send
       bus=system
       path="/org/freedesktop/systemd1"
       interface="org.freedesktop.systemd1.Manager"
       member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
       peer=(name=("org.freedesktop.systemd1")),
The boot_id is a concern for privacy/tracking abuse so I also tried denying it
and it doesn't seem to cause visible problems.
** Description changed:
systemd offers to create dynamic (and semi-stable) users for services.
This causes many services using AppArmor profiles to trigger those
denials (even when they don't use the DynamicUser feature):
audit: type=1107 audit(1585076282.591:30): pid=621 uid=103
auid=4294967295 ses=4294967295 msg='apparmor="DENIED"
operation="dbus_method_call" bus="system"
path="/org/freedesktop/systemd1"
interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers"
mask="send" name="org.freedesktop.systemd1" pid=709
label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"
And more recently with systemd 245 this also gets shown:
audit: type=1400 audit(1585139000.628:39): apparmor="DENIED"
operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/"
pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
+
+
+ Additional information:
+ # lsb_release -rd
+ Description: Ubuntu Focal Fossa (development branch)
+ Release: 20.04
+
+ # uname -a
+ Linux foo.example.com 5.4.0-18-generic #22-Ubuntu SMP Sat Mar 7 18:13:06 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
+
+ # apt-cache policy apparmor squid
+ apparmor:
+ Installed: 2.13.3-7ubuntu2
+ Candidate: 2.13.3-7ubuntu2
+ Version table:
+ *** 2.13.3-7ubuntu2 500
+ 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
+ 100 /var/lib/dpkg/status
+ squid:
+ Installed: 4.10-1ubuntu1
+ Candidate: 4.10-1ubuntu1
+ Version table:
+ *** 4.10-1ubuntu1 500
+ 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
+ 100 /var/lib/dpkg/status
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1869024
Title:
add support for DynamicUser feature of systemd
Status in apparmor package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869024/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
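The rules proposed in the comment above are exactly what one derives by reading the two audit records back into AppArmor syntax: the type=1107 record yields a `dbus send` rule keyed on bus, path, interface, member and peer name, and the type=1400 record yields a file rule from `name` and `denied_mask`. The following script does that translation over the log lines quoted in the bug. It is an added example, not code from the bug report or from the apparmor or systemd projects; the sample records are the two quoted above, re-joined onto single lines as constructed input, and the grouping-by-profile and rule-rendering functions are this example's own.

```python
import re

# Constructed sample input: the two DENIED records quoted in the bug report,
# re-joined onto single lines (the mail had wrapped them).
SAMPLE_LOG = [
    'audit: type=1107 audit(1585076282.591:30): pid=621 uid=103 '
    'auid=4294967295 ses=4294967295 msg=\'apparmor="DENIED" '
    'operation="dbus_method_call" bus="system" '
    'path="/org/freedesktop/systemd1" '
    'interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" '
    'mask="send" name="org.freedesktop.systemd1" pid=709 '
    'label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"\'',
    'audit: type=1400 audit(1585139000.628:39): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/" '
    'pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# key="quoted value" or key=bare_value; group 2 is the quoted form, group 3 the bare one.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key=value pairs of one audit record as a dict (quotes removed)."""
    # Records from the D-Bus mediator wrap the AppArmor fields in msg='...';
    # drop that wrapper so apparmor="DENIED" is parsed like any other pair.
    line = line.replace("msg='", " ").rstrip("'")
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def rule_for(fields):
    """Render the AppArmor rule that would permit this DENIED record, or None."""
    if fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation") == "dbus_method_call":
        # mask="send" becomes "dbus send"; the peer is the destination bus name.
        return "\n".join([
            f"dbus {fields['mask']}",
            f"     bus={fields['bus']}",
            f"     path=\"{fields['path']}\"",
            f"     interface=\"{fields['interface']}\"",
            f"     member=\"{fields['member']}\"",
            f"     peer=(name=\"{fields['name']}\"),",
        ])
    if "denied_mask" in fields and "name" in fields:
        # File mediation: the denied path and the access letters that were refused.
        return f"{fields['name']} {fields['denied_mask']},"
    return None


def rules_by_profile(lines):
    """Group suggested rules by the confined profile, de-duplicated, in log order."""
    result = {}
    for line in lines:
        fields = parse_fields(line)
        rule = rule_for(fields)
        if rule is None:
            continue
        # File records carry profile=...; D-Bus records carry label=... instead.
        profile = fields.get("profile") or fields.get("label") or "<unknown>"
        bucket = result.setdefault(profile, [])
        if rule not in bucket:
            bucket.append(rule)
    return result


if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"# suggested additions for profile {profile}")
        for rule in rules:
            print(rule)
```

Run it against `journalctl -k` output (or `/var/log/audit/audit.log`) filtered for `apparmor="DENIED"` to see which profiles on a host are hitting the userdb and `GetDynamicUsers` denials, which is the quickest way to judge whether the abstraction change proposed here would cover them. The output is a starting point for review, not something to paste into a profile blindly: as the comment notes, the `boot_id` read can be denied without visible breakage, so not every denial deserves an allow rule.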