Apparmor profile for NTPd needs to allow read/write access to /dev/ppsX

Bug #1564832 reported by Mark Shuttleworth on 2016-04-01
This bug affects 2 people
Affects: ntp (Ubuntu)
Importance: Medium
Assigned to: Jamie Strandboge

Bug Description

Am trying to get NTP to work with the kernel PPS subsystem, for high-accuracy GPS-based clocks. On startup of NTPd I see this:

Apr 1 11:18:58 doorway kernel: [ 300.387443] audit: type=1400 audit(1459505938.042:9): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/dev/pps0" pid=1668 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

Adding this to the usr.sbin.ntpd apparmor profile eliminated the error:

  /dev/pps[0-9]* rw,

I'm not sure why ntpd needs *write* access to ppsN though, perhaps that can be improved.

Ryan Harper (raharper) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.
Unfortunately, we cannot work on this bug because your description didn't include enough information.

Which Ubuntu release and ntp version are you using?
1. lsb_release -dcr
2. apt-cache policy ntp
3. Any steps and config needed to recreate.

Changed in ntp (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Actually, I think there is enough information. Marking as Triaged.

Changed in ntp (Ubuntu):
status: Incomplete → Triaged
tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

Mark, the ntp profile in Ubuntu supports the NTPD_DEVICE tunable and after reading https://www.kernel.org/doc/Documentation/pps/pps.txt it seems like this would be the appropriate place to put this. Eg

$ cat /etc/apparmor.d/tunables/ntpd
...
#Add your ntpd devices here eg. if you have a DCF clock
# @{NTPD_DEVICE}="/dev/ttyS1"
@{NTPD_DEVICE}="/dev/null"

Adjust that to be:
@{NTPD_DEVICE}="/dev/pps[0-9]*"

Then do:
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd

The above expands to the equivalent line you proposed in the description.

Would this suit your needs?

Hi Jamie - whatever you think is the best approach to have this work out
of the box for other Ubuntu users installing NTP and setting up a PPS
device. All I care about is that they don't have to edit apparmor
profiles themselves.

Mark

Changed in ntp (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu5

---------------
ntp (1:4.2.8p4+dfsg-3ubuntu5) xenial; urgency=medium

  * debian/apparmor-profile: allow 'rw' access to /dev/pps[0-9]* devices.
    Patch thanks to Mark Shuttleworth. (LP: #1564832)

 -- Jamie Strandboge <email address hidden> Thu, 07 Apr 2016 15:12:41 -0500

Changed in ntp (Ubuntu):
status: In Progress → Fix Released
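
An added example, not from the bug thread or the ntp package: it parses AppArmor denial records like the one in the description and reports which are still not covered by a rule such as `/dev/pps[0-9]* rw,`. The function names, the second log line and the glob translation (a subset of AppArmor path globbing) are assumptions of this example.

```python
import re

# First record is the one quoted in the bug description; the second is constructed.
SAMPLE_LOG = [
    'Apr 1 11:18:58 doorway kernel: [ 300.387443] audit: type=1400 '
    'audit(1459505938.042:9): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/ntpd" name="/dev/pps0" pid=1668 comm="ntpd" '
    'requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    'audit: type=1400 audit(1459505999.000:10): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/ntpd" name="/dev/ttyS1" pid=1668 '
    'comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

_TOKEN = re.compile(r"\*\*|\*|\?|\[[^\]]+\]|.")
_GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    fields = {key: quoted or bare for key, quoted, bare in pairs}
    return fields if fields.get("apparmor") == "DENIED" else None


def glob_to_regex(glob):
    """Translate an AppArmor path glob to a regex (subset: ** * ? [...])."""
    def convert(match):
        tok = match.group()
        if tok in _GLOB:
            return _GLOB[tok]          # '*' and '?' never cross a '/'
        if tok[0] == "[" and len(tok) > 1:
            return tok                 # character class carries over unchanged
        return re.escape(tok)
    return re.compile(_TOKEN.sub(convert, glob) + r"\Z")


def uncovered(log_lines, rules):
    """Return (profile, path, mask) for denials no (glob, perms) rule allows.

    Mask letters are compared literally, so audit masks that a 'w' rule
    implies (such as 'c' for create) are not mapped by this example.
    """
    missing = []
    for denial in filter(None, map(parse_denial, log_lines)):
        path, mask = denial["name"], set(denial["denied_mask"])
        if not any(glob_to_regex(g).match(path) and mask <= set(p) for g, p in rules):
            missing.append((denial["profile"], path, "".join(sorted(mask))))
    return missing


if __name__ == "__main__":
    for profile, path, mask in uncovered(SAMPLE_LOG, [("/dev/pps[0-9]*", "rw")]):
        print(f"{profile}: still denied -> {path} {mask},")
```

Because `[0-9]*` is a glob and not a regex, the rule matches one digit followed by any characters other than `/`, so it also covers a name like `/dev/pps0foo`.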