Upcoming change: rsyslog's apparmor enforced by default

Andreas Hasenack andreas at canonical.com
Sat Feb 11 17:45:17 UTC 2023


Hi,

In the next few days, if all goes according to plan, I'll upload
rsyslogd to lunar with a change[1] to the way its apparmor profile is
applied.

The confinement status won't be changed during upgrades, but fresh
installs will have the apparmor profile enforced by default. Up until
now, it's been disabled.

A summary is in the README.apparmor[2] file, and d/NEWS was also
updated/created. I tried a mix of fixed and dynamic profile snippets,
and packages can install their own snippets if needed. These would
usually be packages that alter the rsyslog configuration to log
somewhere else where the normal apparmor profile would have denied
that, but at the same time we don't want to allow that by default if
it's not needed.

There are a few more use cases I would like to tackle, including more
test cases, and the `omprog` plugin is an obvious one. This is not yet
covered, and I hope to get more data about its usage before coming up
with a solution. It's hard to try to detect its usage in the config
file because the config can be in so many different formats. Maybe we
can come up with a generic sandbox of some sort for binaries used with
the omprog plugin, or maybe we will just have to leave users to adjust
that via the existing /etc/apparmor.d/local/usr.sbin.rsyslogd
mechanism.

This adds a lot of delta to the package, at least in line count, but I
don't think it's hard to maintain. I'll also of course try to submit
this to Debian, once we've settled on the approach in lunar.

1. https://code.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/+git/rsyslog/+merge/436955
2. https://git.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/tree/debian/README.apparmor?h=lunar-rsyslog-enable-apparmor-dep8-take4-dot-d
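Added example, not part of the post above or of the rsyslog package and its profile: the post says omprog usage is hard to detect because rsyslog accepts several config syntaxes, and that the fallback is a local override in /etc/apparmor.d/local/usr.sbin.rsyslogd. The script below is a best-effort scanner for the two common ways a program is named in rsyslog config, the legacy `$ActionOMProgBinary` directive and the RainerScript `binary="..."` parameter (which mmexternal also uses, so those programs are picked up as well), and turns each absolute path into an AppArmor exec rule ready to paste into that local file. The sample config, the program paths, and the choice of `ix` (inherit rsyslogd's profile) rather than a per-program child profile are all constructed for the demonstration; the scanner only reads the files it is handed and does not follow `$IncludeConfig` or `include()`.

```shell
#!/bin/sh
# Added example: scan rsyslog config for programs launched through omprog
# (and mmexternal) and print AppArmor rules for the local override file
# /etc/apparmor.d/local/usr.sbin.rsyslogd. Not part of the rsyslog package.
# All paths and the sample configuration below are constructed.

# omprog_binaries FILE...: print each program path found, one per line, deduplicated.
omprog_binaries() {
    sed 's/#.*$//' "$@" | awk '
        # Legacy directive: $ActionOMProgBinary /path/to/prog [args]
        tolower($1) == "$actionomprogbinary" && NF >= 2 { print $2; next }
        # RainerScript parameter: binary="/path/to/prog [args]"
        {
            line = $0
            while (match(line, /binary[[:space:]]*=[[:space:]]*"[^"]*"/)) {
                val = substr(line, RSTART, RLENGTH)
                sub(/^binary[[:space:]]*=[[:space:]]*"/, "", val)
                sub(/"$/, "", val)
                n = split(val, parts, " ")   # first token is the program, rest are args
                if (n > 0) print parts[1]
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' | sort -u
}

# omprog_rules FILE...: turn the paths into AppArmor exec rules. "ix" runs the
# program under rsyslogd's own profile (a choice made here); "Px" with a
# dedicated child profile per program would be the stricter option.
omprog_rules() {
    omprog_binaries "$@" | while IFS= read -r bin; do
        case "$bin" in
            /*) printf '%s ix,\n' "$bin" ;;
            *)  printf '# skipped: %s is not an absolute path\n' "$bin" ;;
        esac
    done
}

# write_sample_config FILE: constructed configuration mixing both syntaxes,
# with one program referenced twice to show deduplication.
write_sample_config() {
    cat > "$1" <<'EOF'
# legacy syntax
$ModLoad omprog
$ActionOMProgBinary /usr/local/bin/legacy-forwarder --tag auth
auth.* :omprog:

# RainerScript syntax, action spread over two lines
module(load="omprog")
action(type="omprog" binary="/usr/local/bin/alerter -v"
       template="RSYSLOG_TraditionalFileFormat")
if $programname == "sshd" then {
    action(type="omprog" binary="/usr/local/bin/alerter -v")
}
EOF
}

# Demonstration: writes the sample config, prints the rules, cleans up.
demo_tmp=$(mktemp)
write_sample_config "$demo_tmp"
omprog_rules "$demo_tmp"
rm -f "$demo_tmp"
```

Review the output before appending it to the local override and reloading the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.rsyslogd`; a path that only appears in a commented-out action is deliberately ignored, and anything relative is reported rather than allowed.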


