feat(profile): snapd: add journalctl subprofile.

2025-05-18 14:50:09 +02:00 · 2025-05-18 14:50:09 +02:00 · 64f02ff608
commit 64f02ff608
parent 21abf59132
1 changed files with 21 additions and 2 deletions
--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
@ -60,7 +60,7 @@ profile snapd @{exec_path} {
  dbus send bus=system path=/org/freedesktop/timedate1
       interface=org.freedesktop.DBus.Properties
       member=Get
-       peer=(name=org.freedesktop.timedate1, label=unconfined),
+       peer=(name=org.freedesktop.timedate1),

  @{exec_path} mrix,

@ -72,7 +72,7 @@ profile snapd @{exec_path} {
  @{sbin}/groupadd                rPx,
  @{bin}/gzip                     rix,
  @{bin}/hostnamectl              rPx,
-  @{bin}/journalctl               rPx,
+  @{bin}/journalctl               rCx -> journalctl,
  @{bin}/kmod                     rPx,
  @{bin}/mount                    rix,
  @{sbin}/runuser                 rCx -> runuser,
@ -199,6 +199,25 @@ profile snapd @{exec_path} {
    include if exists <local/snapd_systemctl>
  }

+  profile journalctl {
+    include <abstractions/base>
+    include <abstractions/consoles>
+
+    capability net_admin,
+
+    network netlink raw,
+
+    @{bin}/journalctl mr,
+
+    /etc/machine-id r,
+    /var/lib/dbus/machine-id r,
+
+    /{run,var}/log/journal/ r,
+    /{run,var}/log/journal/@{hex32}/{,*} r,
+
+    include if exists <local/snapd_journalctl>
+  }
+
  profile runuser {
    include <abstractions/base>