> # required for pps initialization
> capability dac_read_search,
> capability sys_time,
> /sys/devices/virtual/pps/ r,
> # to submit data to chrony
> ptrace read peer=/usr/sbin/chronyd,
> # for libusb
> /sys/devices/**/usb[0-9]*/** r,
> # triggered on fusercount, not strictly required and unsafe to allow
> # adding a denial rule silences the warnings
> deny ptrace read peer=unconfined,
I believe you said that dac_read_search was due to the /proc accesses that also trigger the ptrace rule. Perhaps it can also be suppressed?
Either way, thanks for all the investigation! +1 for the rules as is. If you aren't blocking dac_read_search, can you add what in the pps initialization needs it? Eg:
# required for pps initialization (foo() from bar.c traverses /proc)
or something?
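For anyone trying to answer the question above (which access actually triggers `dac_read_search`, and which denials are worth a quiet `deny` rule), the usual route is to run the profile in complain mode and read the kernel audit lines. The script below is an added example, not code from gpsd or the AppArmor project: it parses AppArmor `DENIED` audit events and turns each one into a candidate profile rule, marking ptrace of `unconfined` peers as a `deny` rule the way the profile above does. The log lines are constructed samples in the kernel audit format, not captured from a real system, and `summarize`/`suggest_rule` are hypothetical helper names.

```python
"""Summarize AppArmor DENIED audit events and propose candidate profile rules.

Added example for working out which accesses a profile needs; not code from
gpsd or the AppArmor project. The log lines below are constructed samples in
the kernel audit format (what `dmesg` / auditd show), not a real capture.
"""
import re
from collections import OrderedDict

# Constructed sample lines mimicking a gpsd profile running in complain mode.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.100:1): apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=1234 comm="gpsd" capability=2  capname="dac_read_search"
audit: type=1400 audit(1700000000.101:2): apparmor="DENIED" operation="open" profile="/usr/sbin/gpsd" name="/sys/devices/virtual/pps/" pid=1234 comm="gpsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:3): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=1234 comm="gpsd" requested_mask="read" denied_mask="read" peer="/usr/sbin/chronyd"
audit: type=1400 audit(1700000000.103:4): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=1234 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(1700000000.104:5): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=1234 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(1700000000.105:6): apparmor="ALLOWED" operation="open" profile="/usr/sbin/gpsd" name="/dev/ttyUSB0" pid=1234 comm="gpsd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as emitted by the audit subsystem
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key/value fields of one audit line, or None if it is not an AppArmor event."""
    if 'apparmor=' not in line:
        return None
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}


def suggest_rule(ev):
    """Map one DENIED event to a candidate profile rule (a hint for review, not a decision)."""
    op = ev.get('operation')
    if op == 'capable':
        return f"capability {ev['capname']},"
    if op == 'ptrace':
        rule = f"ptrace {ev['denied_mask']} peer={ev['peer']},"
        # Reading unconfined peers is not something to allow; an explicit
        # deny rule is quiet by default, so it only silences the noise.
        if ev['peer'] == 'unconfined':
            return "deny " + rule
        return rule
    if 'name' in ev and 'denied_mask' in ev:
        # file operations (open, getattr, ...) carry the path and the mask
        return f"{ev['name']} {ev['denied_mask']},"
    return None


def summarize(log_text, profile):
    """Collect DENIED events for `profile` and return {candidate rule: hit count}."""
    counts = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get('apparmor') != 'DENIED' or ev.get('profile') != profile:
            continue
        rule = suggest_rule(ev)
        if rule:
            counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == '__main__':
    for rule, n in summarize(SAMPLE_LOG, '/usr/sbin/gpsd').items():
        print(f"{n:3d}x  {rule}")
```

Correlating the `capable` event's timestamp with the neighbouring `open`/`getattr` events on `/proc` is what pins down which code path (here the `/proc` traversal during pps initialization) needs `dac_read_search`; the script only reports what was denied, the decision to allow, deny or leave a rule out still rests with the reviewer.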