[apparmor] [PATCH] update base abstraction for additional journald sockets
Jamie Strandboge
jamie at canonical.com
Thu Apr 27 16:49:28 UTC 2017
On Thu, 2017-04-27 at 18:31 +0200, Christian Boltz wrote:
> Hello,
>
> Am Donnerstag, 27. April 2017, 15:39:24 CEST schrieb Jamie Strandboge:
> > The base abstraction already allows write access to
> > /run/systemd/journal/dev-log but journald offers both:
> > - a native journal API at /run/systemd/journal/socket (see
> >   sd_journal_print(4))
> > - /run/systemd/journal/stdout for connecting a program's output to the
> >   journal (see systemd-cat(1)).
> >
> > In addition to systemd-cat, the stdout access is required for nested
> > container (eg, LXD) logs to show up in the host. Interestingly,
> > systemd-cat and LXD containers require 'r' in addition to 'w' to work.
> > journald does not allow reading log entries from this socket so the
> > access is deemed safe.
> >
> > Signed-off-by: Jamie Strandboge <jamie at canonical.com>
> > === modified file 'profiles/apparmor.d/abstractions/base'
> > --- profiles/apparmor.d/abstractions/base 2017-04-12 17:35:10 +0000
> > +++ profiles/apparmor.d/abstractions/base 2017-04-27 13:28:46 +0000
> > @@ -34,6 +34,12 @@
> >
> > /usr/share/zoneinfo/** r,
> > /usr/share/X11/locale/** r,
> > /{,var/}run/systemd/journal/dev-log w,
> >
> > + # systemd native journal API (see sd_journal_print(4))
> > + /{,var/}run/systemd/journal/socket w,
> > + # Nested containers and anything using systemd-cat need this. 'r'
> > shouldn't + # be required but applications fail without it. journald
> > doesn't leak + # anything when reading so this is ok.
> > + /{,var/}run/systemd/journal/stdout rw,
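Review bot: the comment on the new stdout rule records a workaround ("'r' shouldn't be required but applications fail without it") without saying what actually fails, and because this lands in the base abstraction it widens every confined profile at once; please put the observed denial (the audit line, or at least the operation on the socket that needs 'r') into the comment so the extra permission can be revisited once the cause is understood. The same comment carries the whole security argument ("journald doesn't leak anything when reading so this is ok"); stating which journald behaviour that relies on, rather than "this is ok", would let a later reader re-check it when journald changes. Also, as pasted the comment lines are hard-wrapped (the '+' markers for "# be required" and "# anything when reading" sit mid-line), so this copy of the hunk will not apply cleanly; the version that gets committed should come from the original file or an attachment.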
>
> Is /var/run/... really needed, or is /run/... enough?
>
> Some months ago we decided that we shouldn't blindly add the /var/ part
> anymore in new /run/ rules, so unless you know that /var/run/ is really
> used here, please only add rules for /run/...
>
It probably isn't needed, but in Ubuntu we are backporting more and more
AppArmor to earlier releases (I don't know what other distros are doing, but it
seemed conceivable they might do the same) and it seemed best to leave it.
--
Jamie Strandboge | http://www.canonical.com