add support for DynamicUser feature of systemd
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd | Fix Released | Undecided | Jamie Strandboge | |
| apparmor (Ubuntu) | Fix Released | High | Jamie Strandboge | |
Bug Description
systemd offers to create dynamic (and semi-stable) users for services. This causes many services using AppArmor profiles to trigger those denials (even when they don't use the DynamicUser feature):
audit: type=1107 audit(158507628
And more recently, with systemd 245, this also gets shown:
audit: type=1400 audit(158513900
Additional information:
```
# lsb_release -rd
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
# uname -a
Linux foo.example.com 5.4.0-18-generic #22-Ubuntu SMP Sat Mar 7 18:13:06 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# apt-cache policy apparmor squid
apparmor:
  Installed: 2.13.3-7ubuntu2
  Candidate: 2.13.3-7ubuntu2
  Version table:
 *** 2.13.3-7ubuntu2 500
        500 http://
        100 /var/lib/
squid:
  Installed: 4.10-1ubuntu1
  Candidate: 4.10-1ubuntu1
  Version table:
 *** 4.10-1ubuntu1 500
        500 http://
        100 /var/lib/
```
Changed in apparmor (Ubuntu):

| field | change |
|---|---|
| status | New → Fix Committed |
| status | Fix Committed → In Progress |
| importance | Undecided → High |
| assignee | nobody → Jamie Strandboge (jdstrand) |
As mentioned in LP: #1796911 by xnox, some abstractions should be augmented with the corresponding dbus rules. Support for userdb should also be added IMHO.
Here are the rules that were needed in my tests on an up to date Focal:
```
# systemd DynamicUser
/run/systemd/userdb/ r,
/run/systemd/userdb/io.systemd.DynamicUser rw,
@{PROC}/sys/kernel/random/boot_id r,
#include <abstractions/dbus-strict>
dbus send
    bus=system
    path="/org/freedesktop/systemd1"
    interface="org.freedesktop.systemd1.Manager"
    member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
    peer=(name=("org.freedesktop.systemd1")),
```
The boot_id is a concern for privacy/tracking abuse, so I also tried denying it, and it doesn't seem to cause visible problems.
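As an added illustration (not code from the bug report, from AppArmor or from systemd), a small Python triage script that parses audit records of the two kinds shown in this report (type=1107 D-Bus denials and type=1400 file denials) and tells, for each denial, whether the DynamicUser rules from the comment above would cover it, with an option that models the variant keeping boot_id denied. The log lines are constructed samples in the kernel/dbus-daemon audit format; the profile name /usr/sbin/squid and the other field values are assumptions.

```python
import re
# Constructed sample records of the two kinds the report shows (type=1107 for
# D-Bus, type=1400 for files), as emitted for a profile named /usr/sbin/squid.
SAMPLE_LOG = """\
audit: type=1107 audit(1585076280.100:41): pid=1 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=2231 label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"'
audit: type=1400 audit(1585139000.200:42): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/io.systemd.DynamicUser" pid=2231 comm="squid" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1585139000.300:43): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/proc/sys/kernel/random/boot_id" pid=2231 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1585139000.400:44): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/etc/shadow" pid=2231 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""
# The rule set from the comment above, turned into matchers (@{PROC} expanded).
FILE_RULES = {
    "/run/systemd/userdb/": "r",
    "/run/systemd/userdb/io.systemd.DynamicUser": "rw",
    "/proc/sys/kernel/random/boot_id": "r",
}
DBUS_RULE = {"bus": "system", "mask": "send", "path": "/org/freedesktop/systemd1",
             "interface": "org.freedesktop.systemd1.Manager",
             "name": "org.freedesktop.systemd1"}
DBUS_MEMBERS = {"GetDynamicUsers", "LookupDynamicUserByName", "LookupDynamicUserByUID"}

# key="value" or key=bareword. A bare value may not start with a quote, so the
# msg='...' wrapper of type=1107 records is skipped and its inner pairs found.
KV = re.compile(r'''(\w+)=(?:"([^"]*)"|([^\s'"]+))''')

def parse_audit(line):
    """Map field names to values for one AppArmor audit record."""
    return {k: q or b for k, q, b in KV.findall(line)}

def covered(fields, deny_boot_id=False):
    """True if this denial would be allowed by the DynamicUser rules above.
    deny_boot_id=True models the commenter's variant that keeps boot_id denied."""
    if fields.get("operation") == "dbus_method_call":
        return (all(fields.get(k) == v for k, v in DBUS_RULE.items())
                and fields.get("member") in DBUS_MEMBERS)
    name = fields.get("name", "")
    if deny_boot_id and name.endswith("/boot_id"):
        return False
    perms = FILE_RULES.get(name)
    return perms is not None and set(fields.get("denied_mask", "?")) <= set(perms)

def triage(log, deny_boot_id=False):
    """Return (type, operation, target, covered) for every DENIED record in log."""
    rows = []
    for f in map(parse_audit, log.splitlines()):
        if f.get("apparmor") != "DENIED":
            continue
        target = f.get("member") if f.get("operation") == "dbus_method_call" else f.get("name")
        rows.append((f.get("type"), f.get("operation"), target, covered(f, deny_boot_id)))
    return rows
```

Running `triage` over real output of `journalctl -k` or `/var/log/audit/audit.log` shows which denials the DynamicUser rules would silence and which ones (like the /etc/shadow sample) need separate review.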