systemd-homed: various fixups #839
Open
+69
−1
Commits on Nov 28, 2024
-
systemd_stream_connect_homed: new interface to access account info
systemd-homed provides a varlink API with a unix socket at /run/systemd/userdb/io.systemd.Home to query user account records. As quite a few things will need to be able to query this API for basic functionality to work - such as `groups(1)` being able to operate on systemd-homed user accounts - let's make an interface for this. Signed-off-by: Rahul Sandhu <[email protected]>
-
locallogin: allow talking to systemd-homed user record APIs
systemd-homed user records rely on being able to talk to the dbus and varlink APIs provided to obtain basic account information such as user id, name, group membership, etc as they do not have /etc/passwd, /etc/group or /etc/shadow fields. For tty login to work for homed user accounts, local_login_t needs to be able to lookup this information, so let's grant it the ability to. Signed-off-by: Rahul Sandhu <[email protected]>
-
systemd_homed_t, systemd_homework_t: allow reading of /etc/machine-id
systemd-homed user records stored in identity files are machine-id specific and signed, so systemd-homed needs access to /etc/machine-id to create those records properly. Signed-off-by: Rahul Sandhu <[email protected]>
-
systemd-homed: label LUKS home images as systemd_homed_storage_t
systemd-homed stores LUKS home images as `/home/username.home`, so let's label that appropriately. Signed-off-by: Rahul Sandhu <[email protected]>
-
For commands such as `groups(1)` to work, nsswitch_domain needs to be able to talk to /run/systemd/userdb/io.systemd.Home to obtain information on systemd-homed users. Signed-off-by: Rahul Sandhu <[email protected]>
-
systemd_homed_runtime_work_dir_t: new type for systemd-homed workdir
As systemd-homed's workdir is an internal one, and external domains may be (reasonably) expected to connect to systemd_homed_runtime_t in the future, let's create a new domain for systemd-homed's internal work to differentiate between the two. Signed-off-by: Rahul Sandhu <[email protected]>
-
lvm_manage_runtime_dirs: new interface for managing LVM runtime dirs
Signed-off-by: Rahul Sandhu <[email protected]>
-
systemd_homework_t: allow managing of lvm_runtime_t files and dirs
systemd-homed needs access to `/run/cryptsetup` to properly setup and unlock LUKS encrypted home directories. Signed-off-by: Rahul Sandhu <[email protected]>
-
systemd_homed_record_t: new type for user records
As systemd identity files contain sensitive data, such as password hashes, let's create a new type systemd_homed_record_t for them. As systemd_homework_t needs to be able to read, create, and delete these files, let's give it permissions to do so. Signed-off-by: Rahul Sandhu <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.