gpsd unable to open chrony PPS socket
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| gpsd (Ubuntu) | Fix Released | Undecided | Christian Ehrhardt | |
| Focal | Fix Released | High | Unassigned | |
Bug Description
[Impact]
* Current GPSD apparmor isolation is too strict to use PPS devices
properly.
* backport changes we added to 20.10 to fix this
[Test Case]
* Set up a PPS device with chrony/gpsd as described in [1]
Check the log output.
Bad case:
gpsd:PROG: PPS:/dev/ttyS0 connect chrony socket failed: /var/run/
Good case does not show the errors above. Check that gpsd properly
initializes the device by ensuring this works for the whole stack
and chrony ends up getting proper PPS time data (also in [1]).
[1]: https:/
[Regression Potential]
* As always with apparmor changes the regression risk comes in two ways:
- we allow more than before, that could be insecure but we have the +1
from the security team and optimized to further reduce permissions.
- we deny some access (to silence warnings) which could, if strictly
required for un-tested use cases break these use-cases. Neither in the
tests nor in the review/discussion such cases were identified.
[Other Info]
* This is accepted in Debian's packaging git, if not in Groovy in time I'll
need to put a 3.20-8ubuntu1 there, but I can prepare the SRU
independently of that.
---- ----
GPSd fails to access the socket used to communicate PPS signals with Chrony.
From the startup log:
gpsd:PROG: PPS:/dev/ttyS0 connect chrony socket failed: /var/run/
The socket in question has these permissions:
$ ls -l /var/run/
srwxr-xr-x 1 root root 0 Apr 10 17:25 /var/run/
gpsd is running as its own user gpsd, and chrony as _chrony.
$ groups gpsd
gpsd : dialout
$ groups _chrony
_chrony : _chrony
I have tried adding gpsd to group _chrony and changing the ownership and permissions of chrony.ttyS0.sock but to no avail. I always see the permission denied message.
AppArmor rules for gpsd appear to allow the connection, too:
# default paths feeding GPS data into chrony
/{,var/
/tmp/
So I am stumped.
Related branches
- Christian Ehrhardt (community): Approve
- Lucas Kanashiro (community): Needs Fixing
- Canonical Server: Pending requested
Diff: 115 lines (+56/-0) (has conflicts), 5 files modified
debian/changelog (+11/-0)
debian/control (+5/-0)
debian/control.in (+5/-0)
debian/gpsd.default (+6/-0)
debian/usr.sbin.gpsd (+29/-0)
tags: added: server-next
description: updated
no longer affects: chrony (Ubuntu)
no longer affects: chrony (Ubuntu Focal)
For the sake of apparmor rules being sometimes odd, there is no "other" apparmor denial in your dmesg around that time, is there?
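
The check asked about in the comment above, as an added example that is not part of the bug thread or of the gpsd packaging: it groups AppArmor `DENIED` lines from the kernel log for the `gpsd` process, so a denial on something other than the chrony socket stands out. The sample log lines, including the profile name and the paths in them, are constructed for illustration.

```python
import re
from collections import Counter

# Constructed kernel-log lines in the AppArmor audit format (not taken from the bug report).
SAMPLE_LOG = """\
[  812.101] audit: type=1400 audit(1586539500.101:45): apparmor="DENIED" operation="connect" profile="/usr/sbin/gpsd" name="/run/chrony.ttyS0.sock" pid=1234 comm="gpsd" requested_mask="wr" denied_mask="wr"
[  812.340] audit: type=1400 audit(1586539500.340:46): apparmor="DENIED" operation="open" profile="/usr/sbin/gpsd" name="/dev/pps0" pid=1234 comm="gpsd" requested_mask="r" denied_mask="r"
[  813.101] audit: type=1400 audit(1586539501.101:47): apparmor="DENIED" operation="connect" profile="/usr/sbin/gpsd" name="/run/chrony.ttyS0.sock" pid=1234 comm="gpsd" requested_mask="wr" denied_mask="wr"
[  814.000] audit: type=1400 audit(1586539502.000:48): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/gpsd" pid=1300 comm="apparmor_parser"
[  815.500] audit: type=1400 audit(1586539503.500:49): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r"
"""

# Matches key="quoted value" or key=bare_value pairs in an audit record.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Turn the key=value pairs of one audit line into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}


def gpsd_denials(log_text, comm="gpsd"):
    """Count AppArmor DENIED events for one process, keyed by
    (operation, object name, denied mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        # STATUS/ALLOWED records and other processes' denials are ignored.
        if f.get("apparmor") == "DENIED" and f.get("comm") == comm:
            counts[(f.get("operation"), f.get("name"), f.get("denied_mask"))] += 1
    return counts


if __name__ == "__main__":
    import sys
    # Read a real log from a pipe, or fall back to the constructed sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for (op, name, mask), n in gpsd_denials(text).most_common():
        print(f"{n:3d}x  {op:<8} {name}  denied_mask={mask}")
```

Piping `dmesg` or `journalctl -k` output into the script gives the same summary for a live system; a denial reported here is enforced regardless of the socket's owner, group or mode bits.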