Apparmor profile for chronyd needs to allow creation of /var/run/chrony.tty*.sock
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
chrony (Debian) |
Fix Released
|
Unknown
|
|||
chrony (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
* Configurations that are not the default, but suggeste din the man page
hit apparmor denies. Super uncommon configurations are fine, then we'd
say please adapt this apparmor conffile, but those suggeste din the man
page should work.
* Fixed by backporting the apparmor rules we just brought to Debian and
Cosmic allowing those paths to be accessed
[Test Case]
* Use the features and start chrony, here two example for the issues
Edit /etc/chrony/
refclock SOCK /var/run/
tempcomp /sys/class/
systemctl restart chrony
* With the fixes there will be no denies anymore for these config entries
which are the default suggestions from the man page
* The thirs subcase with smb signing is ridiculously harder to test, but
I think the issue is clear enough that we can test the other two and
feel confident.
[Regression Potential]
* Two things come to mind:
- one is if we added a mistake to the apprmor rule then it won't load
correctly anymore
- any of the now allowed paths represent a security issue for somebody
out there and we missed that in our consideration
I must say both are highly unlikely, but since this section is about
thinking the impossible to describe what "could" happen, here you go.
[Other Info]
* n/a
---
When using chrony with gpsd for very accurate time, chrony wants to create a file called /var/run chrony.ttyXX.sock which gpsd will use when it starts. The current apparmor rules for chrony prevent that file from being created. I was able to fix this by manually adding this:
/{,var/
Please check that for sanity and update the apparmor rules as needed.
Related branches
- Robie Basak: Approve
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
-
Diff: 37 lines (+18/-0)2 files modifieddebian/changelog (+8/-0)
debian/usr.sbin.chronyd (+10/-0)
- Robie Basak: Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
-
Diff: 534 lines (+391/-5)13 files modifieddebian/README.container (+60/-0)
debian/changelog (+143/-0)
debian/chrony.conf (+18/-1)
debian/chrony.default (+4/-0)
debian/chrony.service (+2/-2)
debian/chronyd-starter.sh (+70/-0)
debian/control (+4/-1)
debian/docs (+1/-0)
debian/install (+1/-0)
debian/links (+5/-0)
debian/patches/lp-1718227-nm-dispatcher-for-networkd.patch (+66/-0)
debian/patches/series (+1/-0)
debian/postrm (+16/-1)
Changed in chrony (Debian): | |
status: | Unknown → New |
Changed in chrony (Debian): | |
status: | New → Fix Committed |
Changed in chrony (Debian): | |
status: | Fix Committed → Fix Released |
Hi Mark,
thanks for the report - we only discussed with peers about gpsd via shm so far.
The rule for that would be too open which is why it is disabled with a comment in the apparmor profile atm.
For gpsd via tty I'd have expected all chrony files in /var/run/chrony/... as most of them are in general, which is why we have the rule: }run/chrony/ {,*} rw,
/{,var/
Similar for /var/log and /var/lib
But the path you mention is obviously outside that rule :-/ chrony/ ..., but I've also seen that the example in man chrony.conf is exactly the path that you are reporting, like: chrony. ttyS0.sock
I realized this is a free-form config entry for the refclock and one "could" set /var/run/
refclock SOCK /var/run/
After your report of this example being "outside" the usual paths I wanted to make sure there are no similar examples we hit in just a few weeks. So I read through the man page and found a few more.
Overall I found: }run/chrony. tty{,*} .sock rw, lib/samba/ ntp_signd rw,
# Support all paths suggested in the man page (LP: #1771028). Assume these
# are common use cases; others should be set as local include (see below).
# Configs using a 'chrony.' prefix like the tempcomp config file example
/etc/chrony.* r,
# Example gpsd socket is outside /{,var/}run/chrony/
/{,var/
# To sign replies to MS-SNTP clients by the smbd daemon
/var/
Lets (try to) combine that with a merge (unless it is complex and would stall this fix) of the most recent chrony as there was a new release way into our Feature Freeze and from there SRU to Bionic.
Summary:
- most common cases were covered by generic rules for lib/log/run and device paths already
- the suggested new rule is fine (Thanks!)
- the new use case (due to the man page pointing there) is expected to be common as well
- now that we spotted this lets look at similar cases to fix all at once
P.S. @Mark - if you find other issues due to using GPSD or other less common options please let me know as well.