On Thu, 2017-04-27 at 18:31 +0200, Christian Boltz wrote:
> Hello,
> 
> Am Donnerstag, 27. April 2017, 15:39:24 CEST schrieb Jamie Strandboge:
> > The base abstraction already allows write access to
> > /run/systemd/journal/dev-log but journald offers both:
> > - a native journal API at /run/systemd/journal/socket (see
> >   sd_journal_print(4))
> > - /run/systemd/journal/stdout for connecting a program's output to
> >   the journal (see systemd-cat(1)).
> >   
> > In addition to systemd-cat, the stdout access is required for nested
> > container (eg, LXD) logs to show up in the host. Interestingly,
> > systemd-cat and LXD containers require 'r' in addition to 'w' to work.
> > journald does not allow reading log entries from this socket so the
> > access is deemed safe. 
> > Signed-off-by: Jamie Strandboge <ja...@canonical.com>
> > === modified file 'profiles/apparmor.d/abstractions/base'
> > --- profiles/apparmor.d/abstractions/base   2017-04-12 17:35:10 +0000
> > +++ profiles/apparmor.d/abstractions/base   2017-04-27 13:28:46 +0000
> > @@ -34,6 +34,12 @@
> > 
> >    /usr/share/zoneinfo/**         r,
> >    /usr/share/X11/locale/**       r,
> >    /{,var/}run/systemd/journal/dev-log w,
> > 
> > +  # systemd native journal API (see sd_journal_print(4))
> > +  /{,var/}run/systemd/journal/socket w,
> > +  # Nested containers and anything using systemd-cat need this. 'r'
> > shouldn't +  # be required but applications fail without it. journald
> > doesn't leak +  # anything when reading so this is ok.
> > +  /{,var/}run/systemd/journal/stdout rw,
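Review bot: the comment for the stdout rule says 'r' "shouldn't be required but applications fail without it"; before granting a permission the author believes is unnecessary, record the concrete evidence in the comment or commit message (the audit/denial line that shows which operation on /run/systemd/journal/stdout fails without 'r'), so the extra access can be revisited once the cause is understood rather than becoming permanent folklore. Separately, the first added comment cites sd_journal_print(4); the function is documented in manual section 3, so this should read "see sd_journal_print(3)".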
> 
> Is /var/run/... really needed, or is /run/... enough?
> 
> Some months ago we decided that we shouldn't blindly add the /var/ part 
> anymore in new /run/ rules, so unless you know that /var/run/ is really 
> used here, please only add rules for /run/...
> 
It probably isn't needed, but in Ubuntu we are backporting more and more
AppArmor to earlier releases (I don't know what other distros are doing, but it
seemed conceivable they might do the same) and it seemed best to leave it.

-- 
Jamie Strandboge             | http://www.canonical.com
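To make the two endpoints discussed in this thread concrete, here is an added example (not part of the thread, the patch, or the AppArmor or systemd projects) that speaks both journald client protocols from Python: the native datagram protocol on /run/systemd/journal/socket that sd_journal_print() uses, and the stream protocol on /run/systemd/journal/stdout that systemd-cat uses. The socket paths come from the patch; the wire formats are the documented journald formats; the function names and the sample entries are constructed for this example. The send helpers return False on ENOENT or EACCES, which is what a profile lacking the new rules produces, so the failure mode the patch addresses is visible without crashing the caller.

```python
import socket
import struct

# Socket paths from the patch under discussion.
JOURNAL_SOCKET = "/run/systemd/journal/socket"   # native journal API
STDOUT_SOCKET = "/run/systemd/journal/stdout"    # systemd-cat style stream


def _valid_field_name(key):
    """journald field names: uppercase letters, digits, '_'; no leading '_'
    (that prefix is reserved for trusted fields journald adds itself)."""
    return (0 < len(key) <= 64
            and not key.startswith("_")
            and all(("A" <= c <= "Z") or ("0" <= c <= "9") or c == "_"
                    for c in key))


def encode_native_entry(fields):
    """Serialise one entry in the native wire format.

    Each field is `KEY=value\n`. A value that itself contains a newline
    cannot use that form, so it is sent as `KEY\n`, a 64-bit little-endian
    length, the raw value, then `\n` (the binary-safe encoding).
    """
    out = bytearray()
    for key, value in fields.items():
        if not _valid_field_name(key):
            raise ValueError("invalid journal field name: %r" % key)
        vb = value if isinstance(value, bytes) else str(value).encode("utf-8")
        if b"\n" in vb:
            out += key.encode("ascii") + b"\n" + struct.pack("<Q", len(vb)) + vb + b"\n"
        else:
            out += key.encode("ascii") + b"=" + vb + b"\n"
    return bytes(out)


def encode_stdout_header(identifier, priority=6, level_prefix=False,
                         forward_to_syslog=False, forward_to_kmsg=False,
                         forward_to_console=False):
    """Header sent once on a fresh connection to the stdout socket; after it
    every line of the stream is one log record. Field order: identifier,
    unit id (empty for unprivileged clients), priority, level_prefix,
    forward_to_syslog, forward_to_kmsg, forward_to_console."""
    lines = [identifier, "", str(priority), int(level_prefix),
             int(forward_to_syslog), int(forward_to_kmsg),
             int(forward_to_console)]
    return ("\n".join(str(x) for x in lines) + "\n").encode("utf-8")


def send_native(fields, path=JOURNAL_SOCKET):
    """Deliver one entry over the native API (SOCK_DGRAM, one datagram per
    entry; very large entries, which sd_journal_print would pass as a memfd,
    are not handled here). Returns False when the socket is missing or
    access is denied, e.g. by a profile without 'w' on the socket."""
    payload = encode_native_entry(fields)
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        try:
            s.sendto(payload, path)
        except (FileNotFoundError, PermissionError, ConnectionRefusedError):
            return False
    return True


def send_stdout(identifier, lines, path=STDOUT_SOCKET, priority=6):
    """Stream log lines the way systemd-cat does (SOCK_STREAM). Returns False
    on the same conditions as send_native, which is what a confined process
    sees when the stdout rule from the patch is absent."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        try:
            s.connect(path)
        except (FileNotFoundError, PermissionError, ConnectionRefusedError):
            return False
        s.sendall(encode_stdout_header(identifier, priority))
        for line in lines:
            # One record per line; embedded newlines would split records.
            s.sendall(line.replace("\n", " ").encode("utf-8") + b"\n")
    return True


if __name__ == "__main__":
    # Constructed sample entries; on a non-systemd host both calls return False.
    print(send_native({"MESSAGE": "hello from the native API",
                       "PRIORITY": 6, "SYSLOG_IDENTIFIER": "journal-demo"}))
    print(send_stdout("journal-demo", ["line one", "line two"]))
```

Under a profile that includes the base abstraction, a denial shows up as a PermissionError on sendto() or connect() (reported by the kernel as an AppArmor DENIED audit record), which is the condition the two new rules in the patch remove.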

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor