Comment 2 for bug 2004525

Alex Murray (alexmurray) wrote :

Hmm, I am a bit surprised by this - the existing rule would appear to cover /run/chrony/chrony.pid

i.e. `@{run}/chrony/{,*} rw` says: allow read and write to the directory `/run/chrony/` and any files immediately inside it, of which chrony.pid should be allowed.

Also FWIW I can't reproduce this in a clean 22.04 VM:

root@sec-jammy-amd64:~# apt install chrony
...
root@sec-jammy-amd64:~# aa-status
apparmor module is loaded.
19 profiles are loaded.
19 profiles are in enforce mode.
   /snap/core/14399/usr/lib/snapd/snap-confine
   /snap/core/14399/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/chronyd
   /{,usr/}sbin/dhclient
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.core
   snap-update-ns.hello-world
   snap.core.hook.configure
   snap.hello-world.env
   snap.hello-world.evil
   snap.hello-world.hello-world
   snap.hello-world.sh
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/chronyd (1063)
   /usr/sbin/chronyd (1064)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
root@sec-jammy-amd64:~# systemctl status chrony.service
● chrony.service - chrony, an NTP client/server
     Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-02-02 03:33:19 UTC; 1min 50s ago
       Docs: man:chronyd(8)
             man:chronyc(1)
             man:chrony.conf(5)
    Process: 1054 ExecStart=/usr/lib/systemd/scripts/chronyd-starter.sh $DAEMON_OPTS (code=exited, status=0/SUCCESS)
   Main PID: 1063 (chronyd)
      Tasks: 2 (limit: 1120)
     Memory: 1.5M
        CPU: 38ms
     CGroup: /system.slice/chrony.service
             ├─1063 /usr/sbin/chronyd -F 1
             └─1064 /usr/sbin/chronyd -F 1

Feb 02 03:33:19 sec-jammy-amd64 systemd[1]: Starting chrony, an NTP client/server...
Feb 02 03:33:19 sec-jammy-amd64 chronyd[1063]: chronyd version 4.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
Feb 02 03:33:19 sec-jammy-amd64 chronyd[1063]: Using right/UTC timezone to obtain leap second data
Feb 02 03:33:19 sec-jammy-amd64 chronyd[1063]: Loaded seccomp filter (level 1)
Feb 02 03:33:19 sec-jammy-amd64 systemd[1]: Started chrony, an NTP client/server.
Feb 02 03:33:27 sec-jammy-amd64 chronyd[1063]: Selected source 212.243.96.76 (2.ubuntu.pool.ntp.org)
Feb 02 03:33:27 sec-jammy-amd64 chronyd[1063]: System clock TAI offset set to 37 seconds
Feb 02 03:34:34 sec-jammy-amd64 chronyd[1063]: Selected source 185.125.190.56 (ntp.ubuntu.com)
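The reading of the rule above (that `{,*}` covers both the `/run/chrony/` directory itself and any file directly inside it, but not anything nested deeper) can be checked offline by applying AppArmor's path-globbing semantics by hand. The following is an added example, not code from the bug report or from the chrony or AppArmor projects: it expands the `@{run}` tunable the way `tunables/global` defines it on Ubuntu (`@{run}=/run/ /var/run/`; treat that as an assumption for other distributions), collapses the doubled slashes the way apparmor_parser does, translates the glob into a regular expression and evaluates a few constructed paths against it.

```python
import re

# AppArmor variable definitions. Assumption: this mirrors the
# @{run}=/run/ /var/run/ line in Ubuntu's tunables/global; other distros
# may define it differently.
VARIABLES = {"@{run}": ["/run/", "/var/run/"]}


def expand_variables(pattern):
    """Expand every @{var} reference into each of its concrete values."""
    results = [pattern]
    for name, values in VARIABLES.items():
        expanded = []
        for p in results:
            if name in p:
                expanded.extend(p.replace(name, v) for v in values)
            else:
                expanded.append(p)
        results = expanded
    # apparmor_parser collapses repeated slashes, so "/run//chrony/" == "/run/chrony/"
    return [re.sub(r"/+", "/", p) for p in results]


def glob_to_regex(pattern):
    """Translate AppArmor path globbing (apparmor.d(5)) into a Python regex.

    *      any number of characters except '/'
    **     any number of characters, including '/'
    ?      exactly one non-'/' character
    {a,b}  alternation; an empty alternative is allowed, so {,*} means
           "nothing, or a single path component"
    [abc]  character class, copied through unchanged
    """
    out = []
    depth = 0  # brace nesting depth, so ',' only becomes '|' inside {...}
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if pattern.startswith("**", i):
                out.append(".*")
                i += 2
                continue
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "," and depth > 0:
            out.append("|")
        elif c == "}" and depth > 0:
            depth -= 1
            out.append(")")
        elif c == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def rule_matches(rule_pattern, path):
    """True if `path` is covered by the AppArmor path pattern `rule_pattern`."""
    return any(re.match(glob_to_regex(p), path) for p in expand_variables(rule_pattern))


# The path rule from the chronyd profile discussed in the comment.
CHRONY_RUN_RULE = "@{run}/chrony/{,*}"

if __name__ == "__main__":
    # Constructed sample paths, not taken from any real denial log.
    for path in ["/run/chrony/", "/run/chrony/chrony.pid",
                 "/var/run/chrony/chrony.pid", "/run/chrony/sub/chrony.pid",
                 "/run/chronyd.pid"]:
        verdict = "covered" if rule_matches(CHRONY_RUN_RULE, path) else "NOT covered"
        print(f"{path:32} {verdict}")
```

The model confirms the reading in the comment: `/run/chrony/chrony.pid` (and its `/var/run/` alias) is covered, while a path one directory deeper is not, because a single `*` never crosses a `/`. To confirm what the live kernel is actually deciding, the authoritative source is the audit log rather than this model: a denial shows up as an `apparmor="DENIED"` line (with the `operation`, `profile`, `name` and `requested_mask` fields) in `dmesg` or the auditd log, and the `name=` field there is what should be compared against the rule.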