From 64f02ff6084d5084339211cdcd7f5a468cab5bf2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 18 May 2025 14:50:09 +0200
Subject: [PATCH] feat(profile): snapd: add journalctl subprofile.

---
 apparmor.d/groups/snap/snapd | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd
index 38d803655..c1b24176e 100644
--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
@@ -60,7 +60,7 @@ profile snapd @{exec_path} {
   dbus send bus=system path=/org/freedesktop/timedate1
        interface=org.freedesktop.DBus.Properties
        member=Get
-       peer=(name=org.freedesktop.timedate1, label=unconfined),
+       peer=(name=org.freedesktop.timedate1),
 
   @{exec_path} mrix,
 
@@ -72,7 +72,7 @@ profile snapd @{exec_path} {
   @{sbin}/groupadd                rPx,
   @{bin}/gzip                     rix,
   @{bin}/hostnamectl              rPx,
-  @{bin}/journalctl               rPx,
+  @{bin}/journalctl               rCx -> journalctl,
   @{bin}/kmod                     rPx,
   @{bin}/mount                    rix,
   @{sbin}/runuser                 rCx -> runuser,
@@ -199,6 +199,25 @@ profile snapd @{exec_path} {
     include if exists <local/snapd_systemctl>
   }
 
+  profile journalctl {
+    include <abstractions/base>
+    include <abstractions/consoles>
+
+    capability net_admin,
+
+    network netlink raw,
+
+    @{bin}/journalctl mr,
+
+    /etc/machine-id r,
+    /var/lib/dbus/machine-id r,
+
+    /{run,var}/log/journal/ r,
+    /{run,var}/log/journal/@{hex32}/{,*} r,
+
+    include if exists <local/snapd_journalctl>
+  }
+
   profile runuser {
     include <abstractions/base>