github.com/rigado/snapd@v2.42.5-go-mod+incompatible/interfaces/builtin/log_observe.go

github.com/rigado/snapd@v2.42.5-go-mod+incompatible/interfaces/builtin/log_observe.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2017 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  const logObserveSummary = `allows read access to system logs`
    23  
    24  const logObserveBaseDeclarationSlots = `
    25    log-observe:
    26      allow-installation:
    27        slot-snap-type:
    28          - core
    29      deny-auto-connection: true
    30  `
    31  
    32  // http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/log-observe
    33  const logObserveConnectedPlugAppArmor = `
    34  # Description: Can read system logs and set kernel log rate-limiting
    35  
    36  /var/log/ r,
    37  /var/log/** r,
    38  
    39  # for accessing journald and journalctl
    40  /run/log/journal/ r,
    41  /run/log/journal/** r,
    42  /var/lib/systemd/catalog/database r,
    43  /{,usr/}bin/journalctl ixr,
    44  # allow using journalctl on the host to support new logs on classic systems
    45  /var/lib/snapd/hostfs/bin/journalctl ixr,
    46  /var/lib/snapd/hostfs/lib/systemd/*.so* mr,
    47  
    48  # journalctl wants this but it grants far more than 'observe' so don't enable
    49  # it. We could silence the denial, but let's avoid that for now.
    50  # capability sys_resource,
    51  
    52  # Allow sysctl -w kernel.printk_ratelimit=#
    53  /{,usr/}sbin/sysctl ixr,
    54  @{PROC}/sys/kernel/printk_ratelimit rw,
    55  
    56  # Allow resolving kernel seccomp denials
    57  /usr/bin/scmp_sys_resolver ixr,
    58  
    59  # Needed since we are root and the owner/group doesn't match :\
    60  # So long as we have this, the cap must be reserved.
    61  capability dac_override,
    62  `
    63  
    64  func init() {
    65  	registerIface(&commonInterface{
    66  		name:                  "log-observe",
    67  		summary:               logObserveSummary,
    68  		implicitOnCore:        true,
    69  		implicitOnClassic:     true,
    70  		baseDeclarationSlots:  logObserveBaseDeclarationSlots,
    71  		connectedPlugAppArmor: logObserveConnectedPlugAppArmor,
    72  		reservedForOS:         true,
    73  	})
    74  }