Hello,

On Thursday, 27 April 2017, 15:39:24 CEST, Jamie Strandboge wrote:
> The base abstraction already allows write access to
> /run/systemd/journal/dev-log but journald offers both:
> - a native journal API at /run/systemd/journal/socket (see
> sd_journal_print(4))
> - /run/systemd/journal/stdout for connecting a program's output to the
> journal (see systemd-cat(1)).
>
> In addition to systemd-cat, the stdout access is required for nested
> container (eg, LXD) logs to show up in the host. Interestingly,
> systemd-cat and LXD containers require 'r' in addition to 'w' to work.
> journald does not allow reading log entries from this socket so the
> access is deemed safe.
>
> Signed-off-by: Jamie Strandboge <[email protected]>
> === modified file 'profiles/apparmor.d/abstractions/base'
> --- profiles/apparmor.d/abstractions/base 2017-04-12 17:35:10 +0000
> +++ profiles/apparmor.d/abstractions/base 2017-04-27 13:28:46 +0000
> @@ -34,6 +34,12 @@
>
> /usr/share/zoneinfo/** r,
> /usr/share/X11/locale/** r,
> /{,var/}run/systemd/journal/dev-log w,
>
> + # systemd native journal API (see sd_journal_print(4))
> + /{,var/}run/systemd/journal/socket w,
> + # Nested containers and anything using systemd-cat need this. 'r'
> shouldn't + # be required but applications fail without it. journald
> doesn't leak + # anything when reading so this is ok.
> + /{,var/}run/systemd/journal/stdout rw,
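Review bot: The man page reference in the new comment, "(see sd_journal_print(4))", names the wrong section; sd_journal_print is documented in section 3, so it should read sd_journal_print(3) both in the comment above the `/{,var/}run/systemd/journal/socket w,` rule and in the commit message. For the `/{,var/}run/systemd/journal/stdout rw,` rule, the comment justifies the extra permission only with "'r' shouldn't be required but applications fail without it", which is thin for a rule that every profile including the base abstraction inherits; please record the actual audit denial that was observed (or the reason connecting to this socket needs 'r') in the comment, so the permission can be revisited later, and state what "journald doesn't leak anything when reading" rests on rather than asserting it.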
Is /var/run/... really needed, or is /run/... enough?
Some months ago we decided that we shouldn't blindly add the /var/ part
anymore in new /run/ rules, so unless you know that /var/run/ is really
used here, please only add rules for /run/...
Regards,
Christian Boltz
--
We need a "postfixbuchconf" command so that we can determine author and
version... ;) [Patrick Ben Koetter in postfixbuch-users]
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
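Christian's question above (is /var/run/ really needed, or is /run/ enough?) can be answered per host before deciding on the alternation. The following is an added example, not code from the thread or from the AppArmor project: it checks whether /var/run is a symlink to /run (in which case AppArmor, which matches the path the kernel resolves after following symlinks, only ever sees /run/... and a rule for /run/... alone suffices) and rewrites a /{,var/}run/ rule accordingly. The function names var_run_status and strip_var_run, and the optional ROOT argument for inspecting a mounted image, are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread or the AppArmor project).
# Decide whether a /{,var/}run/... AppArmor rule still needs the /var/
# alternative on a given host. On systemd hosts /var/run is a symlink to
# /run; AppArmor mediates the path the kernel resolves after following
# symlinks, so in that case a rule for /run/... alone is enough.
#
# Usage: var_run_status [ROOT]
#   ROOT defaults to the running system; pass a mount point to inspect
#   an image. Prints "only-/run" (exit 0) when /var/run resolves to /run,
#   "keep-/var/run" (exit 1) otherwise.
var_run_status() {
    root="${1:-}"
    if [ -L "$root/var/run" ]; then
        target=$(readlink "$root/var/run")
        case "$target" in
            /run|/run/|../run|../run/)
                echo "only-/run"
                return 0
                ;;
        esac
    fi
    echo "keep-/var/run"
    return 1
}

# Rewrite one rule line, dropping the {,var/} alternation:
#   "/{,var/}run/systemd/journal/socket w," -> "/run/systemd/journal/socket w,"
strip_var_run() {
    printf '%s\n' "$1" | sed 's#/{,var/}run/#/run/#'
}

# Demonstration on the running host (read-only; safe to run anywhere).
if var_run_status >/dev/null; then
    echo "this host: /var/run -> /run, so:"
    strip_var_run '/{,var/}run/systemd/journal/socket w,'
    strip_var_run '/{,var/}run/systemd/journal/stdout rw,'
else
    echo "this host: /var/run is a real directory, keep the /{,var/} alternation"
fi
```

Run it with no argument on the host in question, or with the root of a mounted image; when it reports "only-/run", the rules in the patch can be added with the plain /run/ prefix that Christian asks for.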
