Thanks for the ping on this @ahresse !
Yes, this should be very similar to the old fix in bug 1771028
It is essentially yet another "chrony works with something else" use case.
There is a section for that in the chrony apparmor rules and we should indeed add the known default paths (like this) to be allowed.
And this is such a default path, from the man page:
rundir - Specify the directory where should be generated chronyd, ntpd and ptp4l configuration files and sockets. The directory will be created if it doesn't exist. The default value is /var/run/timemaster.
So on this we might even want to allow to read all sub-elements, including the generated config.
But RW for the socket.
But furthermore while touching it, in addition to the one reported I also see in the ptp4l
refclock_sock_address - The address of the UNIX domain socket to be used by the refclock_sock servo. The default is /var/run/refclock.ptp.sock
So we should allow that path as well.
For chrony my proposal that - once agreed - we need to pick up would seem like
diff --git a/debian/usr.sbin.chronyd b/debian/usr.sbin.chronyd
index bc52d4f7..e64edc90 100644
--- a/debian/usr.sbin.chronyd
+++ b/debian/usr.sbin.chronyd
@@ -62,6 +62,13 @@ abi <abi/3.0>,
@{run}/chrony.*.sock rw,
# To sign replies to MS-SNTP clients by the smbd daemon
/var/lib/samba/ntp_signd/socket rw,
+ # default path of the sock to sync with ptp4l
+ @{run}/refclock.ptp.sock rw,
+ # timemaster directory of chronyd, ... configuration files and sockets.
+ # read for all configs
+ @{run}/timemaster/* r,
+ # rw for coodination via the default socket path
+ @{run}/timemaster/chrony.SOCK0 rw,
# rtc
/etc/adjtime r,
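Review bot: the new `@{run}/timemaster/chrony.SOCK0 rw,` line only covers the socket with index 0, while the man page excerpt quoted above says the rundir holds the generated "configuration files and sockets" (plural) and the path itself carries a numeric suffix; please confirm whether timemaster can create further chrony.SOCK<n> sockets when more than one time source is configured, and if so widen the rule to `@{run}/timemaster/chrony.SOCK* rw,` so the profile does not break multi-source setups. Minor: the comment on that same line reads "coodination" (should be "coordination"), and `@{run}/timemaster/* r,` matches only direct children of the directory, which is fine as long as timemaster does not generate the configs in subdirectories.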