enabling RTC support is blocked by apparmor

Bug #1751241 reported by Christian Ehrhardt 
Affects          Status        Importance  Assigned to  Milestone
chrony (Debian)  Fix Released  Unknown
chrony (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

If enabling rtc support:
/etc/chrony/chrony.conf:
#rtcsync
rtcfile /var/lib/chrony/rtc

And restarting chrony into that config
$ sudo systemctl restart chrony

It will fail to use that:
Feb 23 09:53:02 bionic-test chronyd[4216]: Could not open /etc/adjtime : No such file or directory
Feb 23 09:53:02 bionic-test chronyd[4216]: Could not open RTC device /dev/rtc : Permission denied

One is an apparmor Deny:
[ 5756.216096] audit: type=1400 audit(1519379582.153:21): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/dev/rtc0" pid=4216 comm="chronyd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

The access to /etc/adjtime would be ok if it exists.
I created it in my setup and it is good now.
But the apparmor profile needs to allow rtc.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The same applied to:
/dev/pps*
/dev/ptp*

There are actually rules for this, and the problem is that they are read only but chrony needs write as well.
Maybe to some r-only would be ok, but until that is fixed in code (takes time) allow on these devices. They are not terribly security critical in regard to write access fortunately.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Adding w would be
  /dev/rtc{,[0-9]*} rw,
  /dev/pps[0-9]* rw,
  /dev/ptp[0-9]* rw,
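
An added example, not part of the bug report or of the chrony packaging, that illustrates the two comments above: it parses the `apparmor="DENIED"` audit line from the description, parses a small AppArmor file-rule snippet, and reports which of the requested permissions each rule set still leaves unallowed. The read-only rules are constructed from the comment's description ("they are read only"); the actual profile text is not on this page. The glob matcher covers only the subset of AppArmor path syntax used here (`{a,b}` alternation, `[...]` classes, `*`, `**`) and ignores abstractions, owner conditionals and implied permissions.

```python
"""Check whether an AppArmor denial is covered by a set of file rules.

Added example for bug #1751241; the OLD_RULES text below is constructed
from the comment saying the existing rules were read-only.
"""
import re
from dataclasses import dataclass

# key="value" pairs in an audit line (apparmor, profile, name, masks, ...)
AUDIT_KV_RE = re.compile(r'(\w+)="([^"]*)"')
# one AppArmor file rule: "<path-glob> <perms>,"
RULE_RE = re.compile(r'^\s*(/\S+)\s+([a-z]+),\s*$')

# Audit line quoted in the bug description.
AUDIT_LINE = ('[ 5756.216096] audit: type=1400 audit(1519379582.153:21): '
              'apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" '
              'name="/dev/rtc0" pid=4216 comm="chronyd" requested_mask="w" '
              'denied_mask="w" fsuid=0 ouid=0')

# Constructed: read-only rules as described in the comment (hypothetical text).
OLD_RULES = """
  /dev/rtc{,[0-9]*} r,
  /dev/pps[0-9]* r,
  /dev/ptp[0-9]* r,
"""
# Rules proposed in the comment above.
NEW_RULES = """
  /dev/rtc{,[0-9]*} rw,
  /dev/pps[0-9]* rw,
  /dev/ptp[0-9]* rw,
"""


@dataclass
class Rule:
    path_glob: str
    perms: set


def parse_denial(line):
    """Return profile, path and permission masks from a DENIED audit line, else None."""
    fields = dict(AUDIT_KV_RE.findall(line))
    if fields.get("apparmor") != "DENIED":
        return None
    return {
        "profile": fields["profile"],
        "path": fields["name"],
        "requested": set(fields["requested_mask"]),
        "denied": set(fields["denied_mask"]),
    }


def glob_to_regex(glob):
    """Translate an AppArmor path glob (subset) into an anchored regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == '*':
            if glob.startswith('**', i):          # ** crosses directory boundaries
                out.append('.*')
                i += 2
                continue
            out.append('[^/]*')                   # * stays within one path component
        elif c == '?':
            out.append('[^/]')
        elif c == '[':                            # character class passes through
            j = glob.index(']', i)
            out.append(glob[i:j + 1])
            i = j
        elif c == '{':
            out.append('(?:')
            depth += 1
        elif c == ',' and depth:
            out.append('|')
        elif c == '}' and depth:
            out.append(')')
            depth -= 1
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile('^' + ''.join(out) + '$')


def parse_profile_rules(text):
    """Collect file rules (path glob + permission letters) from profile text."""
    return [Rule(m.group(1), set(m.group(2)))
            for m in (RULE_RE.match(l) for l in text.splitlines()) if m]


def allowed_mask(rules, path):
    """Union of permissions every matching rule grants on `path`."""
    perms = set()
    for rule in rules:
        if glob_to_regex(rule.path_glob).match(path):
            perms |= rule.perms
    return perms


def missing_perms(rules, denial):
    """Requested permissions the rule set does not grant (empty set == fixed)."""
    return denial["requested"] - allowed_mask(rules, denial["path"])


if __name__ == "__main__":
    d = parse_denial(AUDIT_LINE)
    print("old rules still deny:", missing_perms(parse_profile_rules(OLD_RULES), d))
    print("new rules still deny:", missing_perms(parse_profile_rules(NEW_RULES), d))
```

Run as a script it prints `{'w'}` for the read-only rules and an empty set for the proposed `rw` rules; feeding it further `DENIED` lines from `dmesg` or `/var/log/audit/audit.log` is a quick way to confirm a profile change actually covers what the kernel reported, before reloading it.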

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Adding jdstrand to comment here if my assumption that w on these entries is fine.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Reported to Debian, with some luck I'll have on Monday jdstrand and Debian responses and can integrate a fix.

Changed in chrony (Debian):
status: Unknown → New
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Yes, it makes sense for them. I see now there is an '-s' option for the system clock, so write access for rtc makes a lot of sense. Based on your comments on the other two, +1.

Changed in chrony (Debian):
status: New → Fix Committed
Changed in chrony (Ubuntu):
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chrony - 3.2-4ubuntu1

---------------
chrony (3.2-4ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/control: switch to nss instead of tomcrypt (nss is in main)
    - d/chrony.conf: use ubuntu ntp pool and server (LP 1744664)
  * Dropped changes (in Debian)
    - d/chrony.default, d/chrony.service: support /etc/default/chrony
      DAEMON_OPTS in systemd environment (LP: 1746081)
    - d/chrony.service: properly start after networking (LP: 1746458)
    - d/usr.sbin.chronyd: allow to create /run/chrony on demand (LP: 1746444)
  * Added Changes:
    - debian/usr.sbin.chronyd: ensure RTC/GPS usage isn't blocked by apparmor
      (LP: #1751241, Closes: #891201)

 -- Christian Ehrhardt <email address hidden> Mon, 26 Feb 2018 14:44:54 +0100

Changed in chrony (Ubuntu):
status: In Progress → Fix Released
Changed in chrony (Debian):
status: Fix Committed → Fix Released