Merge ~ahasenack/ubuntu/+source/rsyslog:plucky-rsyslog-imfile-apparmor into ubuntu/+source/rsyslog:ubuntu/devel

Proposed by Andreas Hasenack
Status: Work in progress
Proposed branch: ~ahasenack/ubuntu/+source/rsyslog:plucky-rsyslog-imfile-apparmor
Merge into: ubuntu/+source/rsyslog:ubuntu/devel
Diff against target: 29 lines (+10/-0)
2 files modified
debian/changelog (+6/-0)
debian/usr.sbin.rsyslogd (+4/-0)
Reviewers (status):
  git-ubuntu bot: Approve
  Lukas Märdian (community): Approve
  Canonical Server Reporter: Pending
Review via email: mp+482790@code.launchpad.net

Description of the change

Another apparmor fix, this time for the imjournal module. The module works, but produces apparmor noise in the logs.

The change is following the recommendations[1][2] from @jjohansen, apparmor upstream.

I'm starting to think we should have a DEP8 test hook that would check the logs for apparmor DENIED messages, regardless if the test is passing or not, and fail it if there are such messages in the logs.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/rsyslog-imfile-apparmor/+packages
DEP8: green
Tests for PPA rsyslog-imfile-apparmor
---- ---- ---- ----
Release: plucky
Sources:
  SRC: rsyslog @ 8.2412.0-2ubuntu3~ppa1 - Published
Triggers on published Sources:
               rsyslog @ amd64 for rsyslog/8.2412.0-2ubuntu3~ppa1 Trigger @amd64 ♻️ Trigger all proposed @amd64 ♻️ 💍
               rsyslog @ s390x for rsyslog/8.2412.0-2ubuntu3~ppa1 Trigger @s390x ♻️ Trigger all proposed @s390x ♻️ 💍
               rsyslog @ ppc64el for rsyslog/8.2412.0-2ubuntu3~ppa1 Trigger @ppc64el ♻️ Trigger all proposed @ppc64el ♻️ 💍
               rsyslog @ arm64 for rsyslog/8.2412.0-2ubuntu3~ppa1 Trigger @arm64 ♻️ Trigger all proposed @arm64 ♻️ 💍
               rsyslog @ armhf for rsyslog/8.2412.0-2ubuntu3~ppa1 Trigger @armhf ♻️ Trigger all proposed @armhf ♻️ 💍
               rsyslog @ riscv64 for rsyslog/8.2412.0-2ubuntu3~ppa1 Trigger @riscv64 ♻️ Trigger all proposed @riscv64 ♻️ 💍
               rsyslog @ i386 for rsyslog/8.2412.0-2ubuntu3~ppa1 Trigger @i386 ♻️ Trigger all proposed @i386 ♻️ 💍
Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-plucky-ahasenack-rsyslog-imfile-apparmor/?format=plain)
  rsyslog @ amd64:
    11.03.25 21:13:18 Log 🗒️ ✅ Triggers: rsyslog/8.2412.0-2ubuntu3~ppa1
  rsyslog @ arm64:
    11.03.25 21:21:04 Log 🗒️ ✅ Triggers: rsyslog/8.2412.0-2ubuntu3~ppa1
  rsyslog @ armhf:
    11.03.25 21:12:56 Log 🗒️ ✅ Triggers: rsyslog/8.2412.0-2ubuntu3~ppa1
  rsyslog @ ppc64el:
    11.03.25 21:18:46 Log 🗒️ ✅ Triggers: rsyslog/8.2412.0-2ubuntu3~ppa1
  rsyslog @ s390x:
    11.03.25 21:12:43 Log 🗒️ ✅ Triggers: rsyslog/8.2412.0-2ubuntu3~ppa1

1. https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/2101180/comments/6
2. https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/2101180/comments/7
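
The log check proposed in the description, as an added example (not code from this merge proposal or from the rsyslog package): it filters kernel log text for AppArmor DENIED events of one profile and fails when any are present, whatever the test result was. The function names and the embedded log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the rsyslog packaging. Function names and the
# sample log lines below are constructed for illustration.

# Constructed excerpt: three rsyslogd denials, one denial for another
# profile, one complain-mode ALLOWED event, one unrelated kernel line.
sample_log() {
    cat <<'EOF'
kernel: audit: type=1400 audit(1741727598.101:210): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/var/" pid=812 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1741727598.105:211): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/var/log/" pid=812 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1741727601.330:212): apparmor="DENIED" operation="open" class="file" profile="example-other" name="/etc/example" pid=900 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1741727608.101:213): apparmor="DENIED" operation="open" class="file" profile="rsyslogd" name="/var/" pid=812 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1741727609.000:214): apparmor="ALLOWED" operation="open" class="file" profile="rsyslogd" name="/tmp/x" pid=812 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: EXT4-fs (vda1): mounted filesystem
EOF
}

# Keep only DENIED events for profile $1 (stdin -> stdout).
denials_for() {
    grep -F 'apparmor="DENIED"' | grep -F "profile=\"$1\"" || true
}

# Collapse events to "count operation name denied_mask"; a field that is
# absent (e.g. name= on a capability denial) is shown as "-".
summarise() {
    awk '{
        op = name = mask = "-"
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            gsub(/"/, "", kv[2])
            if (kv[1] == "operation") op = kv[2]
            if (kv[1] == "name") name = kv[2]
            if (kv[1] == "denied_mask") mask = kv[2]
        }
        print op, name, mask
    }' | LC_ALL=C sort | uniq -c | sed 's/^ *//'
}

# Return 0 when stdin has no denials for profile $1, else report and return 1.
assert_no_denials() {
    found=$(denials_for "$1")
    if [ -z "$found" ]; then return 0; fi
    printf '%s\n' "$found" | summarise >&2
    return 1
}

# In a test hook, stdin would be: journalctl -k -b 0
sample_log | denials_for rsyslogd | summarise
```
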

Lukas Märdian (slyon) wrote :

OK:
- correct version and formatting of d/changelog (incl. bug ref)
- new changes in debian/* are OK, as suggested by @jjohansen (apparmor upstream)
- No new patches added
- Commits are properly split
- PPA build is OK
- autopkgtest against the PPA package passes (if possible, evidence was provided already)

Nitpicks/Notes (non-blocking):
- Testcases added or adapted (N/A if not strictly required or already present)
  => As stated in the description above, we could consider adding a new test that would check the logs for apparmor DENIED messages. Can you create a LP bug about this, subscribing ~ubuntu-server?
- Checking the d/usr.sbin.rsyslogd against Noble/Oracular, I wonder if this should be SRUed as well?

LGTM! But beware of the Beta freeze before uploading, as rsyslog is seeded on daily-live/daily-preinstalled images. So better wait until after Beta images were spun.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, slyon
Uploaders: ahasenack, slyon
MP auto-approved

review: Approve
Andreas Hasenack (ahasenack) wrote :

> => As stated in the description above, we could consider adding a new test that would check the logs for
> apparmor DENIED messages. Can you create a LP bug about this, subscribing ~ubuntu-server?

Agreed, I filed https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/2104929

Andreas Hasenack (ahasenack) wrote :

> - Checking the d/usr.sbin.rsyslogd against Noble/Oracular, I wonder if this should be SRUed as well?

Yes, it should. I have added tasks.

Andreas Hasenack (ahasenack) wrote :

> But beware of the Beta freeze before uploading,

I just checked with the release team today, first day after plucky beta, and they are fine with this upload.

Andreas Hasenack (ahasenack) wrote :

Filing that extra bug got me thinking, so I'm doing a full dep8 run in a vm and will manually check if there are any apparmor DENIED messages for rsyslog, even with the tests passing.

Andreas Hasenack (ahasenack) wrote :

no DENIED messages for the whole run

Andreas Hasenack (ahasenack) wrote :

I'm suddenly having second thoughts about these changes. I added a comment[1] to the bug, and will have a brief discussion with jjohansen next week.

1. https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/2101180/comments/10

Unmerged commits

e7b6576... by Andreas Hasenack

changelog

e55b014... by Andreas Hasenack

  * d/usr.sbin.rsyslogd: more rules for the imfile module (LP: #2101180)

e16ab30... by Andreas Hasenack

changelog

c8228e6... by Andreas Hasenack

  * d/t/logcheck: when checking the journal, only consider current boot
    (LP: #2100765)

8878ee9... by Simon Quigley

8.2412.0-2ubuntu1 (patches unapplied)

Imported using git-ubuntu import.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 1639ba5..ec7c57b 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,9 @@
6+rsyslog (8.2412.0-2ubuntu3) plucky; urgency=medium
7+
8+ * d/usr.sbin.rsyslogd: more rules for the imfile module (LP: #2101180)
9+
10+ -- Andreas Hasenack <andreas@canonical.com> Tue, 11 Mar 2025 13:49:05 -0300
11+
12 rsyslog (8.2412.0-2ubuntu2) plucky; urgency=medium
13
14 * d/t/logcheck: when checking the journal, only consider current boot
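Review bot: The new changelog bullet describes the change only as "more rules for the imfile module", but the profile hunk in this proposal also adds an explicit "deny / r," rule, which is a restriction rather than an added permission. Consider naming it in the entry, for example with sub-items for the two new read rules on /var/ and /var/log/ and for the deny on /, so that someone reading the changelog alone knows a deny rule was introduced.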
15diff --git a/debian/usr.sbin.rsyslogd b/debian/usr.sbin.rsyslogd
16index 213983d..42a5664 100644
17--- a/debian/usr.sbin.rsyslogd
18+++ b/debian/usr.sbin.rsyslogd
19@@ -54,6 +54,10 @@ profile rsyslogd /usr/sbin/rsyslogd {
20 /{,var/}run/systemd/notify w,
21
22 # 'r' is needed when using imfile
23+ # more imfile permissions (LP: #2101180)
24+ /var/ r,
25+ /var/log/ r,
26+ deny / r,
27 /var/log/** rw,
28
29 # LP: #2061726
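Review bot: The added "deny / r," line carries no explanation of why reading / is denied instead of allowed, and the generic "more imfile permissions (LP: #2101180)" comment does not cover it. An explicit deny takes precedence over any allow rule for the same path and is not logged unless written as "audit deny", so from here on reads of / by rsyslogd are refused silently; a short comment next to the rule saying that the deny is there to quiet the log, and that it cannot be overridden by a later allow, would help whoever debugs an imfile setup that watches paths outside /var/log. Also consider placing the three new rules after "/var/log/** rw," so the existing "'r' is needed when using imfile" comment stays directly above the rule it was written for.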
