Viewing all changes in revision 3658.
- Committer: Jamie Strandboge
- Date: 2017-05-04 14:15:28 UTC
- mfrom: (3657.1.2 apparmor.trunk)
- Revision ID: jamie@ubuntu.com-20170504141528-4r356io2kxlgfeum
Update base abstraction for additional journald sockets
The base abstraction already allows write access to
/run/systemd/journal/dev-log but journald offers both:
- a native journal API at /run/systemd/journal/socket (see sd_journal_print(4))
- /run/systemd/journal/stdout for connecting a program's output to the journal
(see systemd-cat(1)).
In addition to systemd-cat, the stdout access is required for nested container
(eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD
containers require 'r' in addtion to 'w' to work. journald does not allow
reading log entries from this socket so the access is deemed safe.
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The base abstraction already allows write access to
/run/systemd/journal/dev-log but journald offers both:
- a native journal API at /run/systemd/journal/socket (see sd_journal_print(4))
- /run/systemd/journal/stdout for connecting a program's output to the journal
(see systemd-cat(1)).
In addition to systemd-cat, the stdout access is required for nested container
(eg, LXD) logs to show up in the host. Interestingly, systemd-cat and LXD
containers require 'r' in addtion to 'w' to work. journald does not allow
reading log entries from this socket so the access is deemed safe.
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- files modified:
- profiles/apparmor.d/abstractions/base
expand all
collapse all
added
removed
