journald send does not work with snaps
alex1891 opened this issue · 3 comments
Hey,
I have a problem using the journald part of your library in a snap. I get the following error:
[13361.336015] audit: type=1400 audit(1583420412.816:395): apparmor="DENIED" operation="bind" profile="snap.mysnap.web" pid=6537 comm="wasp" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr=none
In snaps you only have write permissions to the journald socket, and I assume that sock, err := net.ListenUnixgram("unixgram", autobind) also tries to read from the socket.
Best regards
Alex
Edit: When I use an older version from before the following commit, it works fine: 728309f#diff-985ded8023b21268d0d5cf7f29781d2e
Thanks for the report.
I am not an AppArmor user, but reading this:
family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr=none
It looks like it is not allowing the creation of an auto-binding Unix datagram socket (see "Autobind feature" in man 7 unix).
I guess it is mostly a matter of adjusting the policy for that.
Hi lucab,
adjusting the AppArmor policies is not an option because this would be a security incident - I do not want any application on the system to be able to read the journald logs.
I think the problem is the way you open the socket - the old version of your lib works fine, and my C++ applications that use sd_journal_send() work fine.
Greetings from Germany
Alex
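Added example (written for this page; it is not code from go-systemd, from snapd, or from either commenter) contrasting the two ways of opening the sending socket that the comments above compare. sendAutobind reproduces the ListenUnixgram-with-empty-address pattern, which issues a bind(2) with an unnamed address and is what a profile without a matching unix bind rule denies (the audit line above reports operation="bind" with addr=none). sendUnbound opens the datagram socket without any bind, the way a C sd_journal_send() caller does, and therefore only needs permission to send to the journal socket. A throwaway datagram socket in a temporary directory stands in for the standard /run/systemd/journal/socket so the example runs offline; the encoder implements only the plain KEY=VALUE newline form of the journald native protocol. The names sendUnbound, sendAutobind, roundTrip and encodeJournalFields and the sample fields are this example's own constructions. Linux only, since the autobind case relies on the abstract socket namespace.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"sort"
	"strings"
	"time"
)

// encodeJournalFields serialises fields in the simple KEY=VALUE\n form of the
// journald native protocol. Keys are sorted for deterministic output. Values
// containing a newline need the length-prefixed binary form, which this
// illustration deliberately does not implement, so they are rejected.
func encodeJournalFields(fields map[string]string) ([]byte, error) {
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var buf bytes.Buffer
	for _, k := range keys {
		if strings.Contains(fields[k], "\n") {
			return nil, fmt.Errorf("field %s: multi-line values need the length-prefixed form", k)
		}
		fmt.Fprintf(&buf, "%s=%s\n", k, fields[k])
	}
	return buf.Bytes(), nil
}

// sendUnbound opens an AF_UNIX SOCK_DGRAM socket, never calls bind(2), and sends
// one datagram to sockPath. With a nil local address Go only connect()s to the
// peer, so the only AppArmor permission exercised is sending to the journal
// socket. This mirrors what sd_journal_send() does (assumption: illustrative
// reimplementation, not go-systemd's code).
func sendUnbound(sockPath string, payload []byte) error {
	raddr := &net.UnixAddr{Name: sockPath, Net: "unixgram"}
	conn, err := net.DialUnix("unixgram", nil, raddr) // nil laddr: no bind(2)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Write(payload)
	return err
}

// sendAutobind is the pattern discussed in the issue: ListenUnixgram with an
// empty local name makes the kernel bind(2) the socket to an autogenerated
// abstract address. A profile that lacks a unix bind rule denies exactly that
// bind; the subsequent send would have been allowed.
func sendAutobind(sockPath string, payload []byte) error {
	autobind, err := net.ResolveUnixAddr("unixgram", "")
	if err != nil {
		return err
	}
	sock, err := net.ListenUnixgram("unixgram", autobind) // bind(2) happens here
	if err != nil {
		return err
	}
	defer sock.Close()
	_, err = sock.WriteToUnix(payload, &net.UnixAddr{Name: sockPath, Net: "unixgram"})
	return err
}

// roundTrip stands up a datagram socket at a temporary path in place of
// /run/systemd/journal/socket, runs send against it and returns what arrived.
func roundTrip(send func(string, []byte) error, payload []byte) ([]byte, error) {
	dir, err := os.MkdirTemp("", "fakejournal")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	sockPath := filepath.Join(dir, "socket")
	srv, err := net.ListenUnixgram("unixgram", &net.UnixAddr{Name: sockPath, Net: "unixgram"})
	if err != nil {
		return nil, err
	}
	defer srv.Close()
	if err := send(sockPath, payload); err != nil {
		return nil, err
	}
	if err := srv.SetReadDeadline(time.Now().Add(2 * time.Second)); err != nil {
		return nil, err
	}
	buf := make([]byte, 64*1024)
	n, _, err := srv.ReadFromUnix(buf)
	if err != nil {
		return nil, err
	}
	return buf[:n], nil
}

func main() {
	// Constructed sample fields, not a real journal entry.
	payload, err := encodeJournalFields(map[string]string{
		"MESSAGE": "hello from a snap-friendly sender", "PRIORITY": "6", "SYSLOG_IDENTIFIER": "example",
	})
	if err != nil {
		fmt.Println("encode failed:", err)
		return
	}
	for name, send := range map[string]func(string, []byte) error{"unbound": sendUnbound, "autobind": sendAutobind} {
		got, err := roundTrip(send, payload)
		if err != nil {
			fmt.Printf("%s: failed: %v\n", name, err) // under a restrictive profile, autobind fails here
			continue
		}
		fmt.Printf("%s: received %d bytes, matches=%v\n", name, len(got), bytes.Equal(got, payload))
	}
}
```

Outside a confined snap both variants deliver the datagram, which is the point: the bind is not needed for the send to work, so a sender that wants to run under a profile that only grants access to the journal socket can avoid it. The example does not model the AppArmor denial itself; it only shows which of the two variants performs the syscall the denial names.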
Looking at the backlinks, I see that the AppArmor policies shipped with snapd have indeed been fixed.
Third-party ones can be tweaked the same way as snapcore/snapd#9924 did.
Closing this now.