As mentioned in LP: #1796911 by xnox, some abstractions should be
augmented with the corresponding dbus rules. Support for userdb should
also be added IMHO.

Here are the rules that were needed in my tests on an up to date Focal:

  # systemd DynamicUser
  /run/systemd/userdb/ r,
  /run/systemd/userdb/io.systemd.DynamicUser rw,
  @{PROC}/sys/kernel/random/boot_id r,
  #include <abstractions/dbus-strict>
  dbus send
     bus=system
     path="/org/freedesktop/systemd1"
     interface="org.freedesktop.systemd1.Manager"
     member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
     peer=(name=("org.freedesktop.systemd1")),


The boot_id is a concern for privacy/tracking abuse, so I also tried denying it,
and it doesn't seem to cause visible problems.

** Description changed:

  systemd offers to create dynamic (and semi-stable) users for services.
  This causes many services using AppArmor profiles to trigger those
  denials (even when they don't use the DynamicUser feature):
  
  audit: type=1107 audit(1585076282.591:30): pid=621 uid=103
  auid=4294967295 ses=4294967295 msg='apparmor="DENIED"
  operation="dbus_method_call"  bus="system"
  path="/org/freedesktop/systemd1"
  interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers"
  mask="send" name="org.freedesktop.systemd1" pid=709
  label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"
  
  And more recently with systemd 245 this also gets shown:
  
  audit: type=1400 audit(1585139000.628:39): apparmor="DENIED"
  operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/"
  pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
+ 
+ 
+ Additional information:
+ # lsb_release -rd
+ Description:  Ubuntu Focal Fossa (development branch)
+ Release:      20.04
+ 
+ # uname -a
+ Linux foo.example.com 5.4.0-18-generic #22-Ubuntu SMP Sat Mar 7 18:13:06 UTC 
2020 x86_64 x86_64 x86_64 GNU/Linux
+ 
+ # apt-cache policy apparmor squid
+ apparmor:
+   Installed: 2.13.3-7ubuntu2
+   Candidate: 2.13.3-7ubuntu2
+   Version table:
+  *** 2.13.3-7ubuntu2 500
+         500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
+         100 /var/lib/dpkg/status
+ squid:
+   Installed: 4.10-1ubuntu1
+   Candidate: 4.10-1ubuntu1
+   Version table:
+  *** 4.10-1ubuntu1 500
+         500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
+         100 /var/lib/dpkg/status

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1869024

Title:
  add support for DynamicUser feature of systemd

Status in apparmor package in Ubuntu:
  New

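As an added example (not code from the bug report, the commenter, or the AppArmor project), the Python below turns AppArmor audit "DENIED" records of the two kinds quoted in this report into candidate profile rules: type=1400 file denials become path rules (with /proc rewritten to the @{PROC} variable, as the comment's rules do), and type=1107 D-Bus denials become dbus send rules with members that share bus/path/interface/peer merged into one brace list, again as in the comment. It generalizes the comment's hand-written rules to any number of denials and also supports an explicit deny list, used here for boot_id following the comment's observation. The sample log is constructed, modelled on the report's two denials and padded with three invented lines; the function names are mine.

```python
"""Derive candidate AppArmor rules from audit "DENIED" records.

Covers the two record shapes quoted in this bug: type=1400 file-access
denials (operation="open" ... name="..." denied_mask="...") and type=1107
D-Bus denials (operation="dbus_method_call" bus= path= interface= member=
name=). Records without a name= (capable, signal, ptrace, ...) and exec
denials (which need an ix/px/ux qualifier) are skipped.
"""
import re
from collections import defaultdict

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Emission order for file permission letters. The audit 'c' (create) and
# 'd' (delete) bits have no rule-language spelling of their own; 'w' covers them.
_MASK_ORDER = "rwalkmx"
_MASK_MAP = {"c": "w", "d": "w"}

# Constructed sample, modelled on the two denials quoted in the report and
# re-joined onto one line each as dmesg/auditd emit them. Lines 2, 4 and 5 are
# invented to exercise member grouping, a read/write mask and the boot_id path.
SAMPLE_LOG = """\
audit: type=1107 audit(1585076282.591:30): pid=621 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=709 label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"'
audit: type=1107 audit(1585076282.602:31): pid=621 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=709 label="/usr/sbin/squid" peer_pid=1 peer_label="unconfined"'
audit: type=1400 audit(1585139000.628:39): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/" pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1585139000.631:40): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/run/systemd/userdb/io.systemd.DynamicUser" pid=769 comm="squid" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1585139000.640:41): apparmor="DENIED" operation="open" profile="/usr/sbin/squid" name="/proc/sys/kernel/random/boot_id" pid=769 comm="squid" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""


def parse_record(line):
    """Split one audit line into a dict of its key/value fields.

    The msg='...' wrapper around the AppArmor fields is stripped first. When a
    key repeats (pid= appears twice in D-Bus records: the bus daemon's, then the
    sender's) the later value wins, which is the confined process.
    """
    line = line.strip().replace("msg='", "").rstrip("'")
    return {k: q if q else b for k, q, b in _KV.findall(line)}


def _file_mask(denied):
    letters = {_MASK_MAP.get(ch, ch) for ch in denied}
    return "".join(ch for ch in _MASK_ORDER if ch in letters)


def _file_rule(fields, deny_paths):
    path = fields["name"]
    if path.startswith("/proc/"):
        path = "@{PROC}/" + path[len("/proc/"):]  # profiles use the @{PROC} variable
    mask = _file_mask(fields.get("denied_mask") or fields.get("requested_mask", ""))
    prefix = "deny " if fields["name"] in deny_paths else ""
    return f"{prefix}{path} {mask},"


def generate_rules(log_text, deny_paths=frozenset()):
    """Map each confined profile to a sorted list of rules covering the log.

    Paths listed in deny_paths get an explicit 'deny' rule instead of an allow
    (silencing the audit noise while keeping the access refused). D-Bus members
    that share bus/path/interface/peer are merged into one {a,b} brace list.
    """
    rules = defaultdict(set)
    dbus = defaultdict(set)  # (profile, mask, bus, path, interface, peer) -> members
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = parse_record(line)
        if f.get("operation") == "dbus_method_call":
            key = (f["label"], f["mask"], f["bus"], f["path"], f["interface"], f["name"])
            dbus[key].add(f["member"])
        elif "profile" in f and "name" in f and f.get("operation") != "exec":
            rules[f["profile"]].add(_file_rule(f, deny_paths))
    for (profile, mask, bus, path, iface, peer), members in dbus.items():
        member = ",".join(sorted(members))
        if len(members) > 1:
            member = "{" + member + "}"
        rules[profile].add(
            f'dbus {mask} bus={bus} path="{path}" interface="{iface}" '
            f'member="{member}" peer=(name="{peer}"),'
        )
    return {profile: sorted(rs) for profile, rs in rules.items()}


if __name__ == "__main__":
    # boot_id gets an explicit deny here, following the comment above that
    # refusing it caused no visible problems in the commenter's tests.
    for profile, rs in generate_rules(SAMPLE_LOG, {"/proc/sys/kernel/random/boot_id"}).items():
        print(f"# candidate rules for {profile}")
        for rule in rs:
            print("  " + rule)
```

The emitted dbus rule still needs `#include <abstractions/dbus-strict>` in the profile, as the comment's rule set shows, and the output is a starting point to review rather than paste: an allow rule generated from a denial grants exactly what the service asked for, so each one should be checked against what the service actually needs before it lands in an abstraction shared by many profiles.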