On Thu, 2017-04-27 at 19:13 +0100, Simon McVittie wrote:
> On Thu, 27 Apr 2017 at 11:49:28 -0500, Jamie Strandboge wrote:
> > On Thu, 2017-04-27 at 18:31 +0200, Christian Boltz wrote:
> > > Is /var/run/... really needed, or is /run/... enough?
> >
> > It probably isn't needed, but in Ubuntu we are backporting more and more
> > AppArmor to earlier releases (I don't know what other distros are doing, but it
> > seemed conceivable they might do the same) and it seemed best to leave it.
>
> As far as I'm aware, systemd pid 1 explicitly does not support any setup
> other than "/run is a directory, /var/run is a symlink to /run", and
> systemd-journald requires systemd pid 1.
>
> Or does Ubuntu have some workaround to use systemd-journald in releases
> older than the one in which you moved from Upstart to systemd as init?

No, Ubuntu does not.

> The /run migration happened in sysvinit 2.88dsf-29 or earlier (2012)
> so I would hope that any still-relevant system had this change long ago.

Ok, attached is an updated patch that removes the var/ alternation as well as
adjusting an existing dev-log rule.

--
Jamie Strandboge | http://www.canonical.com
Update base abstraction for additional journald sockets

The base abstraction already allows write access to
/run/systemd/journal/dev-log but journald offers both:
- a native journal API at /run/systemd/journal/socket (see
  sd_journal_print(4))
- /run/systemd/journal/stdout for connecting a program's output to the
  journal (see systemd-cat(1)).

In addition to systemd-cat, the stdout access is required for nested
container (eg, LXD) logs to show up in the host.

Interestingly, systemd-cat and LXD containers require 'r' in addition to
'w' to work. journald does not allow reading log entries from this socket
so the access is deemed safe.

Signed-off-by: Jamie Strandboge <ja...@canonical.com>

=== modified file 'profiles/apparmor.d/abstractions/base' --- profiles/apparmor.d/abstractions/base 2017-04-12 17:35:10 +0000 +++ profiles/apparmor.d/abstractions/base 2017-05-03 21:03:55 +0000 @@ -33,7 +33,13 @@ /usr/share/zoneinfo/ r, /usr/share/zoneinfo/** r, /usr/share/X11/locale/** r, - /{,var/}run/systemd/journal/dev-log w, + /run/systemd/journal/dev-log w, + # systemd native journal API (see sd_journal_print(4)) + /run/systemd/journal/socket w, + # Nested containers and anything using systemd-cat need this. 'r' shouldn't + # be required but applications fail without it. journald doesn't leak + # anything when reading so this is ok. + /run/systemd/journal/stdout rw, /usr/lib{,32,64}/locale/** mr, /usr/lib{,32,64}/gconv/*.so mr,
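Review bot: the `rw` on `/run/systemd/journal/stdout` widens the base abstraction for every confined program on the strength of a comment that admits the 'r' "shouldn't be required", while the two sibling rules (`dev-log`, `socket`) stay at `w`. Before landing, capture the exact denial that makes systemd-cat and LXD fail without 'r' and record its cause in the comment (or the commit message), so the extra permission is justified by an observed access rather than by trial and error; if the cause is a read-side operation on the stream socket, saying so will keep a later cleanup from tightening it back to `w` and reintroducing the failure. Minor: the native API comment cites `sd_journal_print(4)`; that manual page lives in section 3 (`sd_journal_print(3)`).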
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor