[apparmor] [PATCH] update base abstraction for additional journald sockets

Jamie Strandboge jamie at canonical.com
Thu Apr 27 13:39:24 UTC 2017


The base abstraction already allows write access to
/run/systemd/journal/dev-log but journald offers both:
- a native journal API at /run/systemd/journal/socket (see sd_journal_print(4))
- /run/systemd/journal/stdout for connecting a program's output to the journal
  (see systemd-cat(1)).
  
In addition to systemd-cat, the stdout access is required for nested container
(eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD
containers require 'r' in addition to 'w' to work. journald does not allow
reading log entries from this socket so the access is deemed safe.
  
Signed-off-by: Jamie Strandboge <jamie at canonical.com>

-- 
Jamie Strandboge             | http://www.canonical.com
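As an added illustration (not the attached patch and not text from the mailing list post), the rules described above would look like this in AppArmor abstraction syntax. The `{,var/}` alternation and the exact placement within abstractions/base are assumed from the conventions of existing base-abstraction rules, not taken from the patch:

```apparmor
  # existing rule: the syslog-compatible socket journald exposes for
  # syslog(3) callers; write-only is enough here
  /{,var/}run/systemd/journal/dev-log w,

  # native journal API socket used by sd_journal_print() and friends;
  # clients only send datagrams, so 'w' suffices
  /{,var/}run/systemd/journal/socket w,

  # stdout/stderr forwarding socket used by systemd-cat(1) and by nested
  # containers (eg, LXD) so their logs reach the host journal. Clients need
  # 'r' as well as 'w' (the stream socket is opened for both directions), but
  # journald never hands log entries back over it, so 'rw' exposes nothing.
  /{,var/}run/systemd/journal/stdout rw,
```

When adding rules like these, a denial in the audit log for `systemd-cat` or a container runtime that names `/run/systemd/journal/stdout` with `requested_mask="r"` is the symptom that the 'r' half is missing; `aa-logprof` will suggest the same path, and the rule should then be added to the shared abstraction rather than to each individual profile.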
-------------- next part --------------
A non-text attachment was scrubbed...
Name: base-journald-updates.patch
Type: text/x-patch
Size: 1626 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170427/42e0c97f/attachment.bin>