File 0001-cmd-snap-confine-snap-confine-update-AppArmor-profil.patch of Package snapd
From 079605bdacc82243efdd44ec6d81bc4a93d2859f Mon Sep 17 00:00:00 2001
Message-ID: <079605bdacc82243efdd44ec6d81bc4a93d2859f.1760438845.git.maciej.borzecki@canonical.com>
From: Maciej Borzecki <maciej.borzecki@canonical.com>
Date: Mon, 13 Oct 2025 19:15:54 +0200
Subject: [PATCH] cmd/snap-confine/snap-confine: update AppArmor profile to
allow read/write to journal (#16131)
Upstream: merged
Update the AppArmor profile of snap-confine to allow read-write access
to the journal-provided stdout. This scenario occurs when snap-confine
is invoked to set up a sandbox for snap services.
Fixes: LP#2127244 LP#2121169
Related: SNAPDENG-35767
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
---
cmd/snap-confine/snap-confine.apparmor.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
index a653f1f70f7a7abfadc6414fb78a6c8ae3273e67..51964ad7ec2bdc714292310cee507de34498eacf 100644
--- a/cmd/snap-confine/snap-confine.apparmor.in
+++ b/cmd/snap-confine/snap-confine.apparmor.in
@@ -66,6 +66,9 @@
/dev/pts/[0-9]* rw,
/dev/tty rw,
+ # Stdout may be inherited from systemd. This is normally provided by <abstractions/base>
+ /{,var/}run/systemd/journal/stdout rw,
+
# SNAP_MOUNT_DIR probe logic
/proc/1/root/snap r,
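Review bot: the comment on the new `/{,var/}run/systemd/journal/stdout rw,` rule says where the path is normally granted but not why it must be duplicated here; since this profile evidently does not include <abstractions/base>, the comment should state that explicitly and name the trigger from the commit message (stdout inherited from systemd when snap-confine sets up a service sandbox), e.g. `# Not covered here because this profile does not include <abstractions/base>; stdout is inherited from systemd when snap-confine runs for a service.` Without that, a later cleanup could drop the rule as redundant and reintroduce the denial.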
@@ -546,6 +549,9 @@
/dev/random r,
/dev/urandom r,
+ # Stdout may be inherited from systemd. This is normally provided by <abstractions/base>
+ /{,var/}run/systemd/journal/stdout rw,
+
capability dac_override,
capability sys_ptrace,
capability sys_admin,
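Review bot: this is a second verbatim copy of the comment and rule already added near line 66, and the two copies can drift apart; the comment here should say which profile block this is (the one carrying the `capability` lines) and point at the first instance so both are updated together. Separately, the diffstat shows only the profile changed with no accompanying test: given the two LP bugs this fixes, a test that runs snap-confine for a service with stdout connected to the journal and asserts there is no AppArmor denial on the journal stdout socket would guard against regression.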
--
2.51.0