// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2017 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// The log-observe interface lets a connected plug read the host's logs
// (/var/log, the kernel ring buffer via /dev/kmsg and the systemd journal).
// Despite the "observe" name the AppArmor snippet below also grants write
// access to two kernel knobs (printk rate limiting and the AppArmor audit
// level) plus the dac_override capability, so the slot declaration requires
// an explicit connection instead of auto-connecting.
const (
	// logObserveSummary is the one-line description of the interface.
	logObserveSummary = `allows read access to system logs`

	// logObserveBaseDeclarationSlots limits the slot to core snaps and
	// disables auto-connection; connections must be made deliberately.
	logObserveBaseDeclarationSlots = `
  log-observe:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

	// logObserveConnectedPlugAppArmor is the AppArmor policy applied to the
	// plug side once connected. It follows the ubuntu-core-security policy
	// group at
	// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/log-observe
	// Reviewers should note the two "rw" rules and the capability grant: they
	// let the plug change kernel logging behaviour, not only read logs.
	logObserveConnectedPlugAppArmor = `
# Description: Can read system logs and set kernel log rate-limiting

/var/log/ r,
/var/log/** r,
# for accessing dmesg
/dev/kmsg r,

# for accessing journald and journalctl
/run/log/journal/ r,
/run/log/journal/** r,
/var/lib/systemd/catalog/database r,
/{,usr/}bin/journalctl ixr,
# allow using journalctl on the host to support new logs on classic systems
/var/lib/snapd/hostfs/bin/journalctl ixr,
/var/lib/snapd/hostfs/lib/systemd/*.so* mr,

# journalctl wants this but it grants far more than 'observe' so don't enable
# it. We could silence the denial, but let's avoid that for now.
# capability sys_resource,

# Allow sysctl -w kernel.printk_ratelimit=#
/{,usr/}sbin/sysctl ixr,
@{PROC}/sys/kernel/printk_ratelimit rw,

# Allow controlling apparmor logging levels, the possible values written to this
# are as follows:
# normal - return to normal auditing behavior
# quiet_denied - don't log denial messages
# quiet - turn off all auditing
# noquiet - turn of quieting of denial messages by the quiet flag (what deny rules set unless preceded by the audit keyword)
# all - audit everything even stuff that is being allowed, it is very noisy
# Note that we cannot restrict what is written to the file, we can only allow
# all writes to the file.
/sys/module/apparmor/parameters/audit rw,

# Allow resolving kernel seccomp denials
/usr/bin/scmp_sys_resolver ixr,

# Needed since we are root and the owner/group doesn't match :\
# So long as we have this, the cap must be reserved.
capability dac_override,
`
)

// init registers log-observe through the generic commonInterface plumbing.
// The implicitOn* flags make the interface available on both core and
// classic systems; the only security snippet configured here is the
// connected-plug AppArmor policy.
func init() {
	iface := &commonInterface{
		name:                  "log-observe",
		summary:               logObserveSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  logObserveBaseDeclarationSlots,
		connectedPlugAppArmor: logObserveConnectedPlugAppArmor,
	}
	registerIface(iface)
}