-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
systemd-homed: various fixups #839
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
systemd-homed provides a varlink API with a unix socket at /run/systemd/userdb/io.systemd.Home to query user account records. As quite a few things will need to be able to query this API for basic functionality to work - such as `groups(1)` being able to operate on systemd-homed user accounts - let's make an interface for this. Signed-off-by: Rahul Sandhu <[email protected]>
systemd-homed user records rely on being able to talk to the dbus and varlink APIs provided to obtain basic account information such as user id, name, group membership, etc as they do not have /etc/passwd, /etc/group or /etc/shadow fields. For tty login to work for homed user accounts, local_login_t needs to be able to lookup this information, so let's grant it the ability to. Signed-off-by: Rahul Sandhu <[email protected]>
systemd-homed user records stored in identity files are machine-id specific and signed, so systemd-homed needs access to /etc/machine-id to create those records properly. Signed-off-by: Rahul Sandhu <[email protected]>
systemd-homed stores LUKS home images as `/home/username.home`, so let's label that appropriately. Signed-off-by: Rahul Sandhu <[email protected]>
For commands such as `groups(1)` to work, nsswitch_domain needs to be able to talk to /run/systemd/userdb/io.systemd.Home to obtain information on systemd-homed users. Signed-off-by: Rahul Sandhu <[email protected]>
As systemd-homed's workdir is an internal one, and external domains may be (reasonably) expected to connect to systemd_homed_runtime_t in the future, let's create a new domain for systemd-homed's internal work to differentiate between the two. Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
systemd-homed needs access to `/run/cryptsetup` to properly setup and unlock LUKS encrypted home directories. Signed-off-by: Rahul Sandhu <[email protected]>
As systemd identity files contain sensitive data, such as password hashes, let's create a new type systemd_homed_record_t for them. As systemd_homework_t needs to be able to read, create, and delete these files, let's give it permissions to do so. Signed-off-by: Rahul Sandhu <[email protected]>
pebenito
requested changes
Dec 4, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also some lint issues in the github actions.
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
pebenito
requested changes
Dec 9, 2024
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
pebenito
approved these changes
Dec 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Commit messages for each commit should explain more, let me know if you have any more questions.
Thanks!