Apparmor denies net_admin for hwtimestamp
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| chrony (Debian) |
Fix Released
|
Unknown
|
|||
| chrony (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Bug Description
Summary:
When enabling hwtimestamp capability for chrony apparmor reports a denied operation for net_admin. hwtimestamp is a nice feature for very fast time setting on a local network when devices have the capabilities.
Expected Results:
syslog messges stating that hwtimestamping was enabled
Actual Results:
[ 8093.250474] audit: type=1400 audit(152288052
[ 8514.101791] audit: type=1400 audit(152288094
Steps to reproduce:
1. sudo apt update; sudo apt install -y chrony
2. echo "hwtimestamp *" | sudo tee -a /etc/chrony/
3. sudo systemctl restart chrony.service
Output from syslog during the service restart:
Apr 4 22:48:30 wind chronyd[1378]: chronyd exiting
Apr 4 22:48:30 wind systemd[1]: Stopping chrony, an NTP client/server...
Apr 4 22:48:30 wind systemd[1]: Stopped chrony, an NTP client/server.
Apr 4 22:48:30 wind systemd[1]: Starting chrony, an NTP client/server...
Apr 4 22:48:30 wind chronyd[1649]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -DEBUG)
Apr 4 22:48:30 wind chronyd[1649]: Frequency 2.390 +/- 11.697 ppm read from /var/lib/
Apr 4 22:48:30 wind kernel: [ 4036.581454] kauditd_printk_skb: 7 callbacks suppressed
Apr 4 22:48:30 wind kernel: [ 4036.581455] audit: type=1400 audit(152288211
Apr 4 22:48:30 wind systemd[1]: Started chrony, an NTP client/server.
Removing the hwtimestamp line from the configuration file removes the apparmor denied message.
Fix:
1. Add the net_admin capability to /etc/apparmor.
2. sudo apparmor_parser -r /etc/apparmor.
3. sudo systemctl restart chrony.service
Apparmor message no longer occurs and in the syslog the HW timestamping message appears:
Apr 4 22:52:12 wind chronyd[2066]: Enabled HW timestamping on enp0s25
And eventually `sudo chronyc ntpdata` shows:
TX timestamping : Hardware
RX timestamping : Hardware
instead of:
TX timestamping : Kernel
RX timestamping : Kernel
System Info:
Ubuntu Bionic
chrony 3.2-4ubuntu2
Related branches
- Joshua Powers (community): Approve
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
- git-ubuntu developers: Pending requested
-
Diff: 26 lines (+8/-0)2 files modifieddebian/changelog (+6/-0)
debian/usr.sbin.chronyd (+2/-0)
| Christian Ehrhardt (paelzer) wrote | #1 |
| Christian Ehrhardt (paelzer) wrote | #2 |
| Christian Ehrhardt (paelzer) wrote | #3 |
| Changed in chrony (Ubuntu): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| Christian Ehrhardt (paelzer) wrote | #4 |
| Changed in chrony (Debian): | |
| status: | Unknown → New |
| Launchpad Janitor (janitor) wrote | #5 |
| Changed in chrony (Ubuntu): | |
| status: | In Progress → Fix Released |
| Changed in chrony (Debian): | |
| status: | New → Fix Committed |
| Changed in chrony (Debian): | |
| status: | Fix Committed → Fix Released |
Thanks for the repro steps, to add to that is only triggers if the HW REALLY can do HW Timestamping (which likely is the reason it was missed as e.g. virtio devs can't).
You can check with:
ethtool -T <dev>
From man chrony.conf
This directive is supported on Linux 3.19 and newer. The NIC must support HW timestamping, which can be verified with the ethtool -T command. The list of capabilities should include
SOF_TIMESTAMPIN
In a KVM guest it will run with SW timestamping which works.
From chronc > ntpdata
[...]
TX timestamping : Kernel
RX timestamping : Kernel