# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

# Debugging the syslogger can be difficult if it can't write to the file
# that the kernel is logging denials to. In these cases, you can do the
# following:
# watch -n 1 'dmesg | tail -5'

@{exec_path} = /{usr/,}{s,}bin/rsyslogd
profile rsyslogd @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice>

  capability chown,  # For creating new log files and changing their owner/group
  capability net_admin,  # For remote logs
  capability setgid,  # For downgrading privileges
  capability setuid,
  capability sys_nice,
  capability syslog,

  @{exec_path} mr,

  /{usr/,}lib/@{multiarch}/rsyslog/*.so mr,

  /etc/rsyslog.conf r,
  /etc/rsyslog.d/{,**} r,

  /etc/CA/*.crt r,
  /etc/CA/*.key r,

  /var/log/** rw,
  /var/spool/rsyslog/ r,
  /var/spool/rsyslog/** rw,

        @{run}/systemd/notify rw,
  owner @{run}/rsyslogd.pid{,.tmp} rwk,
  owner @{run}/systemd/journal/syslog w,

  @{PROC}/1/environ r,
  @{PROC}/cmdline r,
  @{PROC}/kmsg r,
  @{PROC}/sys/kernel/osrelease r,

  include if exists <local/rsyslogd>
}