github.com/rigado/snapd@v2.42.5-go-mod+incompatible/interfaces/builtin/log_observe.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016-2017 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package builtin 21 22 const logObserveSummary = `allows read access to system logs` 23 24 const logObserveBaseDeclarationSlots = ` 25 log-observe: 26 allow-installation: 27 slot-snap-type: 28 - core 29 deny-auto-connection: true 30 ` 31 32 // http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/log-observe 33 const logObserveConnectedPlugAppArmor = ` 34 # Description: Can read system logs and set kernel log rate-limiting 35 36 /var/log/ r, 37 /var/log/** r, 38 39 # for accessing journald and journalctl 40 /run/log/journal/ r, 41 /run/log/journal/** r, 42 /var/lib/systemd/catalog/database r, 43 /{,usr/}bin/journalctl ixr, 44 # allow using journalctl on the host to support new logs on classic systems 45 /var/lib/snapd/hostfs/bin/journalctl ixr, 46 /var/lib/snapd/hostfs/lib/systemd/*.so* mr, 47 48 # journalctl wants this but it grants far more than 'observe' so don't enable 49 # it. We could silence the denial, but let's avoid that for now. 50 # capability sys_resource, 51 52 # Allow sysctl -w kernel.printk_ratelimit=# 53 /{,usr/}sbin/sysctl ixr, 54 @{PROC}/sys/kernel/printk_ratelimit rw, 55 56 # Allow resolving kernel seccomp denials 57 /usr/bin/scmp_sys_resolver ixr, 58 59 # Needed since we are root and the owner/group doesn't match :\ 60 # So long as we have this, the cap must be reserved. 61 capability dac_override, 62 ` 63 64 func init() { 65 registerIface(&commonInterface{ 66 name: "log-observe", 67 summary: logObserveSummary, 68 implicitOnCore: true, 69 implicitOnClassic: true, 70 baseDeclarationSlots: logObserveBaseDeclarationSlots, 71 connectedPlugAppArmor: logObserveConnectedPlugAppArmor, 72 reservedForOS: true, 73 }) 74 }