The base abstraction already allows write access to /run/systemd/journal/dev-log but journald offers both:
- a native journal API at /run/systemd/journal/socket (see sd_journal_print(4))
- /run/systemd/journal/stdout for connecting a program's output to the journal (see systemd-cat(1)).

In addition to systemd-cat, the stdout access is required for nested container (eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD containers require 'r' in addition to 'w' to work. journald does not allow reading log entries from this socket so the access is deemed safe.

Signed-off-by: Jamie Strandboge <ja...@canonical.com>
-- Jamie Strandboge | http://www.canonical.com
------------------------------------------------------------
revno: 3658
committer: Jamie Strandboge <ja...@ubuntu.com>
branch nick: apparmor.trunk
timestamp: Thu 2017-04-27 08:28:46 -0500
message:
  The base abstraction already allows write access to /run/systemd/journal/dev-log but journald offers both:
  - a native journal API at /run/systemd/journal/socket (see sd_journal_print(4))
  - /run/systemd/journal/stdout for connecting a program's output to the journal (see systemd-cat(1)).

  In addition to systemd-cat, the stdout access is required for nested container (eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD containers require 'r' in addition to 'w' to work. journald does not allow reading log entries from this socket so the access is deemed safe.

  Signed-off-by: Jamie Strandboge <ja...@canonical.com>
diff:
=== modified file 'profiles/apparmor.d/abstractions/base' --- profiles/apparmor.d/abstractions/base 2017-04-12 17:35:10 +0000 +++ profiles/apparmor.d/abstractions/base 2017-04-27 13:28:46 +0000 @@ -34,6 +34,12 @@ /usr/share/zoneinfo/** r, /usr/share/X11/locale/** r, /{,var/}run/systemd/journal/dev-log w, + # systemd native journal API (see sd_journal_print(4)) + /{,var/}run/systemd/journal/socket w, + # Nested containers and anything using systemd-cat need this. 'r' shouldn't + # be required but applications fail without it. journald doesn't leak + # anything when reading so this is ok. + /{,var/}run/systemd/journal/stdout rw, /usr/lib{,32,64}/locale/** mr, /usr/lib{,32,64}/gconv/*.so mr,
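Review bot: the man page cited in the new comment on the socket rule, `# systemd native journal API (see sd_journal_print(4))`, lives in section 3 (library functions), so it should read sd_journal_print(3); section 4 is devices and special files. The comment on the stdout rule says 'r' is needed because "applications fail without it" but does not record what was observed; noting the denial (the operation and requested mask from the audit log) next to `/{,var/}run/systemd/journal/stdout rw,` would let a later maintainer re-check whether 'r' is still required instead of carrying the grant forward on faith. The safety argument "journald doesn't leak anything when reading" rests on journald never writing back to the connected stdout stream peer; since this is the only rule in the block that grants read on a journal socket, it is worth stating that dependency explicitly in the comment.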
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
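The two journald sockets the commit message describes, as an added example that is neither the AppArmor project's code nor part of the list message: a small Python client that speaks the native datagram protocol to /run/systemd/journal/socket and performs the stdout stream handshake that systemd-cat performs on /run/systemd/journal/stdout. The socket paths are assumed defaults, and the client only connects and sends, which is the access the 'w' grant covers.

```python
import os
import socket
import struct
import sys

# Default journald socket paths: the ones the abstraction rules grant
# access to (assumed defaults; adjust if your distribution differs).
NATIVE_SOCKET = "/run/systemd/journal/socket"
STDOUT_SOCKET = "/run/systemd/journal/stdout"

def encode_native_entry(fields):
    """Serialise one entry in journald's native datagram format: KEY=VALUE
    plus newline per field, or KEY, newline, 64-bit little-endian length,
    the raw value and a newline when the value itself contains a newline."""
    out = bytearray()
    for key, value in fields.items():
        data = value.encode() if isinstance(value, str) else bytes(value)
        if b"\n" in data:
            out += key.encode() + b"\n" + struct.pack("<Q", len(data)) + data + b"\n"
        else:
            out += key.encode() + b"=" + data + b"\n"
    return bytes(out)

def encode_stdout_header(identifier, priority=6, level_prefix=False,
                         forward_to_syslog=False, forward_to_kmsg=False,
                         forward_to_console=False):
    """Handshake sent right after connecting to the stdout stream socket (what
    systemd-cat does): seven newline-terminated lines, then the program's raw
    output follows on the same connection."""
    lines = [identifier, "", str(priority), str(int(level_prefix)),
             str(int(forward_to_syslog)), str(int(forward_to_kmsg)),
             str(int(forward_to_console))]
    return ("\n".join(lines) + "\n").encode()

def send_native(fields, path=NATIVE_SOCKET):
    """Deliver one entry: a single sendto() on a datagram socket, no recv."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(encode_native_entry(fields), path)

def attach_stdout(identifier, path=STDOUT_SOCKET):
    """Connect to the stdout stream socket, send the header, and point fd 1
    at the connection so everything this process prints lands in the journal."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(path)
    s.sendall(encode_stdout_header(identifier))
    os.dup2(s.fileno(), sys.stdout.fileno())
    return s
```

The encoders run anywhere; send_native and attach_stdout only succeed on a host where journald is listening on those paths, and under a confined profile they are exactly the operations the base abstraction's new rules permit.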