From e73ea12cea82e3183eafa7cc47fec30724cd2d15 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 30 Mar 2025 18:31:25 +0200
Subject: [PATCH] feat(profile): aa-log - move call to journalctl to a
 subprofile.

---
 apparmor.d/groups/apparmor/aa-log | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log
index 39c42d435..03352e8bf 100644
--- a/apparmor.d/groups/apparmor/aa-log
+++ b/apparmor.d/groups/apparmor/aa-log
@@ -16,21 +16,34 @@ profile aa-log @{exec_path} {
 
   @{exec_path} mr,
 
-  @{bin}/journalctl rix,
-
-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
+  @{bin}/journalctl rCx -> journalctl,
 
   /var/log/audit/* r,
   /var/log/syslog* r,
 
-  /{run,var}/log/journal/ r,
-  /{run,var}/log/journal/@{hex32}/{,*} r,
-
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
   /dev/tty@{int} rw,
 
+  profile journalctl {
+    include <abstractions/base>
+    include <abstractions/consoles>
+
+    capability sys_resource,
+
+    @{bin}/journalctl mr,
+
+    /etc/machine-id r,
+    /var/lib/dbus/machine-id r,
+
+    /{run,var}/log/journal/ r,
+    /{run,var}/log/journal/@{hex32}/{,*} r,
+
+    @{PROC}/sys/kernel/random/boot_id r,
+
+    include if exists <local/aa-log_journalctl>
+  }
+
   include if exists <local/aa-log>
 }