[apparmor] [PATCH] update base abstraction for additional journald sockets

Christian Boltz apparmor at cboltz.de
Thu Apr 27 16:31:05 UTC 2017


Hello,

On Thursday, 27 April 2017 at 15:39:24 CEST, Jamie Strandboge wrote:
> The base abstraction already allows write access to
> /run/systemd/journal/dev-log but journald offers both:
> - a native journal API at /run/systemd/journal/socket (see
>   sd_journal_print(4))
> - /run/systemd/journal/stdout for connecting a program's output to the
>   journal (see systemd-cat(1)).
>   
> In addition to systemd-cat, the stdout access is required for nested
> container (eg, LXD) logs to show up in the host. Interestingly,
> systemd-cat and LXD containers require 'r' in addition to 'w' to work.
> journald does not allow reading log entries from this socket so the
> access is deemed safe. 
> Signed-off-by: Jamie Strandboge <jamie at canonical.com>

> === modified file 'profiles/apparmor.d/abstractions/base'
> --- profiles/apparmor.d/abstractions/base   2017-04-12 17:35:10 +0000
> +++ profiles/apparmor.d/abstractions/base   2017-04-27 13:28:46 +0000
> @@ -34,6 +34,12 @@
> 
>    /usr/share/zoneinfo/**         r,
>    /usr/share/X11/locale/**       r,
>    /{,var/}run/systemd/journal/dev-log w,
> 
> +  # systemd native journal API (see sd_journal_print(4))
> +  /{,var/}run/systemd/journal/socket w,
> +  # Nested containers and anything using systemd-cat need this. 'r'
> shouldn't +  # be required but applications fail without it. journald
> doesn't leak +  # anything when reading so this is ok.
> +  /{,var/}run/systemd/journal/stdout rw,
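Review bot: the hunk as quoted no longer applies, because the mail client wrapped the two `+  #` comment lines before the stdout rule (the continuations "shouldn't +  # be required ..." and "doesn't +  # anything ..." have lost their `+` prefix and landed on the previous line); resend the patch as an attachment or shorten the comment so each line fits, e.g. `+  # Nested containers and anything using systemd-cat need this.` followed by `+  # 'r' should not be needed, but applications fail without it; journald` and `+  # does not leak anything when reading, so this is ok.`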

Is /var/run/... really needed, or is /run/... enough?

Some months ago we decided that we shouldn't blindly add the /var/ part 
anymore in new /run/ rules, so unless you know that /var/run/ is really 
used here, please only add rules for /run/...


Regards,

Christian Boltz
-- 
We need a "postfixbuchconf" command so we can determine author and
version... ;)        [Patrick Ben Koetter in postfixbuch-users]
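A small check for the question raised above, added here as an example that is not part of the patch or of the AppArmor project: it expands the `/{,var/}run/...` alternation used in the hunk into concrete paths and groups them by the path they resolve to, since AppArmor mediates the resolved path and a /var/run that is a symlink to /run is therefore already covered by the /run/... rule. The `exists`/`realpath` parameters exist only so the function can be run against a constructed filesystem.

```python
import os
import re

# Added example, not part of the patch or the AppArmor project: expand the
# {a,b} alternation of AppArmor path rules and report the spelling each
# path actually needs on the running system.

_ALT = re.compile(r"\{([^{}]*)\}")  # one innermost {a,b,...} group


def expand_alternation(rule_path):
    """Return the distinct concrete paths covered by {a,b} alternation.
    Innermost groups go first, so nested groups like /{,var/}run/{a,b{c,d}}
    work; '*' and '**' globs are left untouched.
    """
    results = [rule_path]
    while True:
        expanded, changed = [], False
        for p in results:
            m = _ALT.search(p)
            if m is None:
                expanded.append(p)
                continue
            changed = True
            for choice in m.group(1).split(","):
                expanded.append(p[:m.start()] + choice + p[m.end():])
        results = expanded
        if not changed:
            return list(dict.fromkeys(results))  # dedupe, keep order


def rule_coverage(rule_path, exists=os.path.exists, realpath=os.path.realpath):
    """Group the expanded paths that exist by the real path they resolve to.
    AppArmor mediates the resolved path, so when /var/run is a symlink to /run
    the /run/... spelling alone covers both: each key is the path a rule must
    name, each value the spellings that lead there. The lookups are parameters
    so the function can be tested offline against a constructed filesystem.
    """
    coverage = {}
    for p in expand_alternation(rule_path):
        if exists(p):
            coverage.setdefault(realpath(p), []).append(p)
    return coverage


if __name__ == "__main__":
    # The three journald socket paths touched by the patch.
    for rule in ("/{,var/}run/systemd/journal/dev-log",
                 "/{,var/}run/systemd/journal/socket",
                 "/{,var/}run/systemd/journal/stdout"):
        for target, spellings in rule_coverage(rule).items():
            print(f"{target}: reached via {', '.join(spellings)}")
```

On a host where every expanded path collapses onto /run/systemd/journal/..., only the /run/... rule is needed; a separate /var/run/... entry is only required where that directory is real rather than a symlink.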