apparmor blocks using more than one timemaster clock with chrony

Bug #2068526 reported by Kenneth Klette Jonassen
Affects                      Status         Importance  Assigned to       Milestone
chrony (Ubuntu), Noble       Fix Committed  Undecided   Unassigned        -
chrony (Ubuntu), Oracular    Fix Released   Undecided   Andreas Hasenack  -
linuxptp (Ubuntu), Noble     Invalid        Undecided   Unassigned        -
linuxptp (Ubuntu), Oracular  Invalid        Undecided   Unassigned        -
(Status tracked in Oracular for both packages.)

Bug Description

[ Impact ]

The chronyd apparmor profile was changed as a fix for bug #2032805 to allow chronyd to read/write a linuxptp timemaster socket:

  @{run}/timemaster/chrony.SOCK0 rw,

That works, but it is limiting, as it allows only one PTP clock/interface to be used. If another one is set up, its socket will be blocked by apparmor, because its name will be "chrony.SOCK1", and so on.

The fix is simply to expand the apparmor rule to allow for more socket files:

  @{run}/timemaster/chrony.SOCK[0-9]* rw,

[ Test Plan ]

* Launch a VM. For example:

  lxc launch ubuntu-daily:noble n-ptp --vm

* Install chrony and linuxptp in the VM:

  sudo apt update && sudo apt install chrony linuxptp -y

* Stop chrony:

  sudo systemctl stop chrony.service

* Create a config file for timemaster, replacing the interface name with the one that exists in the VM:

  /etc/linuxptp/minimal.conf:
  [ptp_domain 0]
  interfaces enp5s0

  [ptp_domain 127]
  interfaces enp5s0

* In one terminal, observe the output of "dmesg -wT | grep timemaster"

* In another terminal, run this command:

  sudo timemaster -m -q -f /etc/linuxptp/minimal.conf

* In a system with the bug, the command will issue a "Fatal error" like this:

  Fatal error : Could not open socket /var/run/timemaster/chrony.SOCK1

* At the same time, the system with the bug will also log this line in the "dmesg -wT" terminal:

  [Tue Jul 2 20:08:12 2024] audit: type=1400 audit(1719950892.125:129): apparmor="DENIED" operation="mknod" class="file" profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.SOCK1" pid=1942 comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

* In a fixed system, there will be no apparmor log in the "dmesg -wT" terminal, and the "timemaster" command will run without errors and will not exit.

[ Where problems could occur ]

This expands an existing apparmor rule into the glob chrony.SOCK[0-9]*, which matches not only the original SOCK0 suffix but any number of sockets with a numerical suffix. In other words, the new rule blocks fewer patterns, not more, and the original one is still covered by the glob.
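As an added check (example code, not from this bug or the chrony package), the script below parses the audit denial line quoted in the test plan and tests whether the old and the new socket rules would cover the denied path, using a small translation of AppArmor's path globbing. The expansion of @{run} to /run and /var/run is an assumption, not read from the system's tunables.

```python
import re

# Assumed expansion of the @{run} tunable (Ubuntu's tunables/global lists
# /run/ and /var/run/; treated here as an assumption, not read from disk).
VARIABLES = {"@{run}": ["/run", "/var/run"]}
OLD_RULE = "@{run}/timemaster/chrony.SOCK0 rw,"
NEW_RULE = "@{run}/timemaster/chrony.SOCK[0-9]* rw,"

# Constructed sample input: the denial line quoted in the test plan above.
DENIAL = ('[Tue Jul 2 20:08:12 2024] audit: type=1400 audit(1719950892.125:129): '
          'apparmor="DENIED" operation="mknod" class="file" profile="/usr/sbin/chronyd" '
          'name="/run/timemaster/chrony.SOCK1" pid=1942 comm="chronyd" '
          'requested_mask="c" denied_mask="c" fsuid=0 ouid=0')

def parse_denial(line):
    """Return the key="value" fields of an apparmor audit line as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def glob_to_regex(pattern):
    """Translate an AppArmor path glob to an anchored regex: '*' matches any
    run of characters except '/', '**' also crosses '/', '[...]' is a
    character class.  Brace alternation is not handled (not needed here)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "[":
            j = pattern.index("]", i)
            out, i = out + pattern[i:j + 1], j + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def rule_paths(rule):
    """Path part of a file rule, with every tunable expanded to all its values."""
    paths = [rule.split()[0]]
    for var, values in VARIABLES.items():
        paths = [p.replace(var, v) for p in paths for v in values]
    return paths

def rule_matches(rule, path):
    return any(glob_to_regex(p).match(path) for p in rule_paths(rule))

def denial_covered_by(rule, audit_line):
    """True if the rule would have allowed the path named in the denial line."""
    return rule_matches(rule, parse_denial(audit_line)["name"])
```

Note that the trailing `*` matches any run of non-slash characters, so the new rule also covers names such as chrony.SOCK1.bak; it stays confined to the timemaster directory because `*` never crosses a `/`.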

There is a risk of a syntax error in the apparmor profile, which would prevent it from loading at runtime. This should be detected if the test plan is followed.

[ Other Info ]

Not at this time.

[ Original Description ]

The fix for bug #2032805 allows chronyd to use one PTP clock/interface with timemaster, but not more than one.

Steps to reproduce (config must contain valid network interface names):
$ cat > minimal_timemaster.conf
# List two separate interfaces, or two separate domains with the same interface:
# [ptp_domain 0]
# interfaces ens1f0np0
[ptp_domain 127]
interfaces ens1f0np0 ens1f1np1

$ sudo timemaster -m -q -f minimal_timemaster.conf
timemaster[533042.285]: process 2755518 started: chronyd -n -f /var/run/timemaster/chrony.conf
timemaster[533042.285]: process 2755520 started: phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.0.socket -t [127:ens1f0np0] -n 127 -E refclock_sock --refclock_sock_address /var/run/timemaster/chrony.SOCK0
timemaster[533042.286]: process 2755522 started: phc2sys -l 5 -a -r -R 1.00 -z /var/run/timemaster/ptp4l.1.socket -t [127:ens1f1np1] -n 127 -E refclock_sock --refclock_sock_address /var/run/timemaster/chrony.SOCK1
Fatal error : Could not open socket /var/run/timemaster/chrony.SOCK1
...

Quickfix:
sudo sed -i 's|@{run}/timemaster/chrony.SOCK0 rw,|@{run}/timemaster/chrony.SOCK[0-9]* rw,|' /etc/apparmor.d/usr.sbin.chronyd
sudo systemctl reload apparmor

Expected output:
The timemaster command continues to run until pressing CTRL+C

$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04

chrony:
  Installed: 4.5-1ubuntu4
  Candidate: 4.5-1ubuntu4

linuxptp:
  Installed: 4.0-1ubuntu1
  Candidate: 4.0-1ubuntu1

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: linuxptp 4.0-1ubuntu1
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
NonfreeKernelModules: tsoffload linkout
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
Date: Wed Jun 5 21:53:26 2024
Dependencies:
 gcc-14-base 14-20240412-0ubuntu1
 libc6 2.39-0ubuntu8.2
 libgcc-s1 14-20240412-0ubuntu1
 libidn2-0 2.3.7-2build1
 libunistring5 1.1-2build1
InstallationDate: Installed on 2024-05-14 (22 days ago)
InstallationMedia: Ubuntu-Server 24.04 LTS "Noble Numbat" - Release amd64 (20240423)
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: linuxptp
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.linuxptp.timemaster.conf: [modified]
mtime.conffile..etc.linuxptp.timemaster.conf: 2024-06-05T19:08:29.036254

Paride Legovini (paride) wrote :

Thanks! I added this to the server team work queues.

Changed in chrony (Ubuntu):
status: New → Triaged
tags: added: server-todo
Vincent Blut (vinceb) wrote :

Hi there,

This seems like an appropriate change to me. If nobody objects, I'm going to apply this on the Debian side in the next few days.

Christian Ehrhardt  (paelzer) wrote :

That is awesome, thanks Vincent.
We will pick it up in the subsequent merge of chrony then.

tags: removed: server-todo
Changed in chrony (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Andreas Hasenack (ahasenack) wrote :

I don't think linuxptp is at fault here, so marking its task as invalid.

Changed in linuxptp (Ubuntu Noble):
status: New → Invalid
Changed in linuxptp (Ubuntu Oracular):
status: New → Invalid
description: updated
description: updated
description: updated
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chrony - 4.5-3ubuntu1

---------------
chrony (4.5-3ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064393, LP: #2068526). Remaining
    changes:
    - d/chrony.conf: Use ubuntu ntp pool and server.
      (LP #1744664, #1754358)
    - Set -x as default if unable to set time (e.g. in containers) (LP #1589780)
      Chrony is a single service which acts as both NTP client (i.e. syncing the
      local clock) and NTP server (i.e. providing NTP services to the network),
      and that is both desired and expected in the vast majority of cases.
      But in containers syncing the local clock is usually impossible, but this
      shall not break the providing of NTP services to the network.
      To some extent this makes chrony's default config more similar to 'ntpd',
      which complained in syslog but still provided NTP server service in those
      cases.
      + debian/chrony.service: allow the service to run without CAP_SYS_TIME
      + d/control: add new dependency libcap2-bin for capsh (usually
        installed anyway, but make them explicit to be sure).
      + d/chrony.default: new option SYNC_IN_CONTAINER to not fall
        back (Default off)
      + d/chronyd-starter.sh: wrapper to handle special cases in
        containers and if CAP_SYS_TIME is missing. Effectively allows
        running the NTP server in containers on a default installation
        and avoid failing to sync time (or if allowed to sync, avoid
        multiple containers fighting over it by accident).
      + d/install: Make chrony-starter.sh available on install.
      + d/docs, d/README.container: Provide documentation about the
        handling of this case.
    - d/rules, d/chrony.examples: Ship restricted service as an example
      not installed to the system for use. (See LP #2051028)
  * Dropped:
    - d/usr.sbin.chronyd: apparmor fixes (LP: #2032805):
      + Allow the default UNIX domain socket address to be used by the
        reflock_sock service in the Apport configuration.
      + Fix failure to start timemaster due to lack of rw permissions on
        chrony socket.
      [In 4.5-2 and 4.5-3]

 -- Andreas Hasenack <email address hidden> Tue, 02 Jul 2024 15:57:20 -0300

Changed in chrony (Ubuntu Oracular):
status: In Progress → Fix Released
Robie Basak (racb) wrote : Please test proposed package

Hello Kenneth, or anyone else affected,

Accepted chrony into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/chrony/4.5-1ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in chrony (Ubuntu Noble):
status: New → Fix Committed
tags: added: verification-needed verification-needed-noble
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (chrony/4.5-1ubuntu4.1)

All autopkgtests for the newly accepted chrony (4.5-1ubuntu4.1) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

chrony/4.5-1ubuntu4.1 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#chrony

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!
