github.com/ubuntu-core/snappy@v0.0.0-20210827154228-9e584df982bb/interfaces/builtin/log_observe.go

github.com/ubuntu-core/snappy@v0.0.0-20210827154228-9e584df982bb/interfaces/builtin/log_observe.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2017 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  const logObserveSummary = `allows read access to system logs`
    23  
    24  const logObserveBaseDeclarationSlots = `
    25    log-observe:
    26      allow-installation:
    27        slot-snap-type:
    28          - core
    29      deny-auto-connection: true
    30  `
    31  
    32  // http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/log-observe
    33  const logObserveConnectedPlugAppArmor = `
    34  # Description: Can read system logs and set kernel log rate-limiting
    35  
    36  /var/log/ r,
    37  /var/log/** r,
    38  
    39  # for accessing journald and journalctl
    40  /run/log/journal/ r,
    41  /run/log/journal/** r,
    42  /var/lib/systemd/catalog/database r,
    43  /{,usr/}bin/journalctl ixr,
    44  # allow using journalctl on the host to support new logs on classic systems
    45  /var/lib/snapd/hostfs/bin/journalctl ixr,
    46  /var/lib/snapd/hostfs/lib/systemd/*.so* mr,
    47  
    48  # journalctl wants this but it grants far more than 'observe' so don't enable
    49  # it. We could silence the denial, but let's avoid that for now.
    50  # capability sys_resource,
    51  
    52  # Allow sysctl -w kernel.printk_ratelimit=#
    53  /{,usr/}sbin/sysctl ixr,
    54  @{PROC}/sys/kernel/printk_ratelimit rw,
    55  
    56  # Allow controlling apparmor logging levels, the possible values written to this
    57  # are as follows:
    58  # normal       - return to normal auditing behavior
    59  # quiet_denied - don't log denial messages
    60  # quiet        - turn off all auditing
    61  # noquiet      - turn of quieting of denial messages by the quiet flag (what deny rules set unless preceded by the audit keyword)
    62  # all          - audit everything even stuff that is being allowed, it is very noisy
    63  # Note that we cannot restrict what is written to the file, we can only allow
    64  # all writes to the file.
    65  /sys/module/apparmor/parameters/audit rw,
    66  
    67  # Allow resolving kernel seccomp denials
    68  /usr/bin/scmp_sys_resolver ixr,
    69  
    70  # Needed since we are root and the owner/group doesn't match :\
    71  # So long as we have this, the cap must be reserved.
    72  capability dac_override,
    73  `
    74  
    75  func init() {
    76  	registerIface(&commonInterface{
    77  		name:                  "log-observe",
    78  		summary:               logObserveSummary,
    79  		implicitOnCore:        true,
    80  		implicitOnClassic:     true,
    81  		baseDeclarationSlots:  logObserveBaseDeclarationSlots,
    82  		connectedPlugAppArmor: logObserveConnectedPlugAppArmor,
    83  	})
    84  }