Upstream release. Cherry pick patch from https://github.com/canonical/snapd/pull/16131. Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
From 079605bdacc82243efdd44ec6d81bc4a93d2859f Mon Sep 17 00:00:00 2001
|
|
Message-ID: <079605bdacc82243efdd44ec6d81bc4a93d2859f.1760438845.git.maciej.borzecki@canonical.com>
|
|
From: Maciej Borzecki <maciej.borzecki@canonical.com>
|
|
Date: Mon, 13 Oct 2025 19:15:54 +0200
|
|
Subject: [PATCH] cmd/snap-confine/snap-confine: update AppArmor profile to
|
|
allow read/write to journal (#16131)
|
|
|
|
Update the AppArmor profile of snap-confine to allow read-write access
|
|
to the journal-provided stdout. This scenario occurs when snap-confine
|
|
is invoked to set up a sandbox for snap services.
|
|
|
|
Fixes: LP#2127244 LP#2121169
|
|
Related: SNAPDENG-35767
|
|
|
|
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
|
|
---
|
|
cmd/snap-confine/snap-confine.apparmor.in | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
|
|
index a653f1f70f7a7abfadc6414fb78a6c8ae3273e67..51964ad7ec2bdc714292310cee507de34498eacf 100644
|
|
--- a/cmd/snap-confine/snap-confine.apparmor.in
|
|
+++ b/cmd/snap-confine/snap-confine.apparmor.in
|
|
@@ -66,6 +66,9 @@
|
|
/dev/pts/[0-9]* rw,
|
|
/dev/tty rw,
|
|
|
|
+ # Stdout may be inherited from systemd. This is normally provided by <abstractions/base>
|
|
+ /{,var/}run/systemd/journal/stdout rw,
|
|
+
|
|
# SNAP_MOUNT_DIR probe logic
|
|
/proc/1/root/snap r,
|
|
|
|
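Review bot: The added comment names only stdout, but when systemd starts a service it normally connects stderr to the same journal stream socket, so this rule covers both descriptors and the comment should say so, e.g. `# Stdout/stderr may be inherited from systemd (journal stream socket); granted explicitly because this profile does not pull in <abstractions/base>`. The second half of that wording is inferred from the existing comment, so confirm it against the full profile. Granting `rw` on this single path rather than including the whole abstraction keeps the privileged helper's profile narrow, and that is worth stating so a later cleanup does not replace it with the include. The identical comment and rule are repeated in the hunk at -546; neither hunk shows its enclosing profile block, so it cannot be confirmed from here which profile each rule lands in, and the duplicated rules will need to be kept in sync by hand.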
@@ -546,6 +549,9 @@
|
|
/dev/random r,
|
|
/dev/urandom r,
|
|
|
|
+ # Stdout may be inherited from systemd. This is normally provided by <abstractions/base>
|
|
+ /{,var/}run/systemd/journal/stdout rw,
|
|
+
|
|
capability dac_override,
|
|
capability sys_ptrace,
|
|
capability sys_admin,
|
|
--
|
|
2.51.0
|
|
|