On Thu, 2017-04-27 at 19:13 +0100, Simon McVittie wrote:
> On Thu, 27 Apr 2017 at 11:49:28 -0500, Jamie Strandboge wrote:
> > On Thu, 2017-04-27 at 18:31 +0200, Christian Boltz wrote:
> > > Is /var/run/... really needed, or is /run/... enough?
> > 
> > It probably isn't needed, but in Ubuntu we are backporting more and more
> > AppArmor to earlier releases (I don't know what other distros are doing, but it
> > seemed conceivable they might do the same) and it seemed best to leave it.
> 
> As far as I'm aware, systemd pid 1 explicitly does not support any setup
> other than "/run is a directory, /var/run is a symlink to /run", and
> systemd-journald requires systemd pid 1.
> 
> Or does Ubuntu have some workaround to use systemd-journald in releases
> older than the one in which you moved from Upstart to systemd as init?
> 
No, Ubuntu does not.

> The /run migration happened in sysvinit 2.88dsf-29 or earlier (2012)
> so I would hope that any still-relevant system had this change long ago.

Ok, attached is an updated patch that removes the var/ alternation as well as
adjusting an existing dev-log rule.

-- 
Jamie Strandboge             | http://www.canonical.com

Update base abstraction for additional journald sockets

The base abstraction already allows write access to
/run/systemd/journal/dev-log but journald offers both:
- a native journal API at /run/systemd/journal/socket (see
  sd_journal_print(4))
- /run/systemd/journal/stdout for connecting a program's output to the
  journal (see systemd-cat(1)).

In addition to systemd-cat, the stdout access is required for nested container
(eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD
containers require 'r' in addition to 'w' to work. journald does not allow
reading log entries from this socket so the access is deemed safe.

Signed-off-by: Jamie Strandboge <ja...@canonical.com>

=== modified file 'profiles/apparmor.d/abstractions/base'
--- profiles/apparmor.d/abstractions/base	2017-04-12 17:35:10 +0000
+++ profiles/apparmor.d/abstractions/base	2017-05-03 21:03:55 +0000
@@ -33,7 +33,13 @@
   /usr/share/zoneinfo/           r,
   /usr/share/zoneinfo/**         r,
   /usr/share/X11/locale/**       r,
-  /{,var/}run/systemd/journal/dev-log w,
+  /run/systemd/journal/dev-log w,
+  # systemd native journal API (see sd_journal_print(4))
+  /run/systemd/journal/socket w,
+  # Nested containers and anything using systemd-cat need this. 'r' shouldn't
+  # be required but applications fail without it. journald doesn't leak
+  # anything when reading so this is ok.
+  /run/systemd/journal/stdout rw,
 
   /usr/lib{,32,64}/locale/**             mr,
   /usr/lib{,32,64}/gconv/*.so            mr,
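Review bot: the 'r' on `/run/systemd/journal/stdout` is justified in the hunk only by "applications fail without it", so the comment should record what is actually denied (the audit message, or the operation on the connected stream that AppArmor rejects) instead of "'r' shouldn't be required"; as written, the next person auditing the base abstraction cannot tell whether the read access is still needed or was a workaround for a bug of the day. The safety argument would also be clearer if stated in terms of what the permission grants: 'r' here allows receiving on a stream that journald uses one-way (it does not hand log entries back on it, per the commit message), not reading the journal. Separately, the man page cited in the comment on the `/run/systemd/journal/socket w,` line is in section 3, so it should read `sd_journal_print(3)`, not `sd_journal_print(4)` (the commit message has the same reference).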


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
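To make concrete why the three rules in the patch differ, here is an added example (not part of the patch or of systemd) that speaks both journald client protocols from Python: the native API behind sd_journal_print(3) is a single datagram sent to /run/systemd/journal/socket with no connect(), while systemd-cat(1) connects a SOCK_STREAM socket to /run/systemd/journal/stdout, sends a small header and then streams lines. The wire formats follow systemd's published JOURNAL_NATIVE_PROTOCOL and stdout-stream header (identifier, unit id, priority, level-prefix flag, three forward flags); the field names and sample messages are constructed for the demonstration. The helper functions build the bytes without touching the sockets, so the block runs offline; the `__main__` section only talks to journald if the sockets exist.

```python
import os
import socket
import struct

# Paths from the patch; journald must be running for the send/connect helpers.
NATIVE_SOCKET = "/run/systemd/journal/socket"   # SOCK_DGRAM, one datagram per entry
STDOUT_SOCKET = "/run/systemd/journal/stdout"   # SOCK_STREAM, held for the process lifetime


def encode_native(fields):
    """Serialize a journal entry in journald's native datagram format.

    Values without a newline are sent as KEY=value\\n.
    Values containing a newline use the binary form:
    KEY\\n + 64-bit little-endian length + value + \\n
    """
    out = bytearray()
    for key, value in fields.items():
        data = value.encode() if isinstance(value, str) else bytes(value)
        if b"\n" in data:
            out += key.encode() + b"\n" + struct.pack("<Q", len(data)) + data + b"\n"
        else:
            out += key.encode() + b"=" + data + b"\n"
    return bytes(out)


def stdout_stream_header(identifier, priority=6, level_prefix=False):
    """Header a client sends once after connecting to the stdout stream socket.

    Seven newline-terminated lines: SYSLOG_IDENTIFIER, unit id (empty lets
    journald decide), default priority, whether '<N>' prefixes on lines set
    the priority, and forward-to syslog/kmsg/console flags (all off here).
    """
    return (
        f"{identifier}\n"
        "\n"
        f"{priority}\n"
        f"{int(level_prefix)}\n"
        "0\n0\n0\n"
    ).encode()


def send_native(fields, path=NATIVE_SOCKET):
    """Emit one entry through the native API: sendto() on an unconnected
    datagram socket, i.e. only write access to the path is exercised."""
    payload = encode_native(fields)
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(payload, path)
    return len(payload)


def open_stdout_stream(identifier, path=STDOUT_SOCKET):
    """Replicate what systemd-cat does: connect a stream socket, send the
    header, and return the socket so every write() becomes a log line."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(path)
    s.sendall(stdout_stream_header(identifier))
    return s


if __name__ == "__main__":
    # Constructed sample entries; only sent when journald's sockets exist.
    if os.path.exists(NATIVE_SOCKET):
        send_native({
            "MESSAGE": "native-protocol demo\nsecond line",   # binary form
            "PRIORITY": "6",
            "SYSLOG_IDENTIFIER": "journal-demo",
        })
    if os.path.exists(STDOUT_SOCKET):
        with open_stdout_stream("journal-demo") as stream:
            stream.sendall(b"stdout-stream demo line\n")
```

Run it under a confined profile and watch `journalctl -t journal-demo` and the audit log: a profile carrying only the dev-log rule will see denials for the native and stdout sockets, which is exactly what the patch is adding to the base abstraction.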
