Comment 10 for bug 1598759

Jon Skarpeteig (jskarpet) wrote : Re: incomplete apparmor definition for ntpd

I am experiencing a similar issue, but with slightly different behavior:

<pre>
# journalctl -u ntp
Oct 11 10:23:29 lys-stats ntp[5670]: * Starting NTP server ntpd
Oct 11 10:23:29 lys-stats ntpd[5681]: ntpd 4.2.8p4@1.3265-o Wed Oct 5 12:34:45 UTC 2016 (1): Starting
Oct 11 10:23:29 lys-stats ntp[5670]: ...done.
Oct 11 10:23:29 lys-stats systemd[1]: Started LSB: Start NTP daemon.
Oct 11 10:23:29 lys-stats ntpd[5683]: proto: precision = 0.091 usec (-23)
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict 0.0.0.0: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict ::: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 0 v6wildcard [::]:123
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Oct 11 10:23:29 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:29 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
Oct 11 10:23:29 lys-stats ntpd[5683]: unable to open routing socket (Permission denied) - using polled interface up
Oct 11 10:23:31 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:31 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
# dmesg -T
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.696:24): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:25): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:26): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:31 2016] audit: type=1400 audit(1476174211.356:27): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
# apt-cache policy apparmor
apparmor:
  Installed: 2.10.95-0ubuntu2.2
  Candidate: 2.10.95-0ubuntu2.2
  Version table:
 *** 2.10.95-0ubuntu2.2 500
        500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.10.95-0ubuntu2 500
        500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# apt-cache policy ntp
ntp:
  Installed: 1:4.2.8p4+dfsg-3ubuntu5.3
  Candidate: 1:4.2.8p4+dfsg-3ubuntu5.3
  Version table:
 *** 1:4.2.8p4+dfsg-3ubuntu5.3 500
        500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:4.2.8p4+dfsg-3ubuntu5 500
        500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# cat /etc/ntp.conf
tinker panic 0
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server pool.ntp.org iburst
driftfile /var/lib/ntp/drift
# cat /etc/apparmor.d/usr.sbin.ntpd
# vim:syntax=apparmor
# Updated for Ubuntu by: Jamie Strandboge <email address hidden>
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2009-2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>
#include <tunables/ntpd>
/usr/sbin/ntpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability ipc_lock,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  capability sys_time,
  capability sys_nice,

  # ntp uses AF_INET, AF_INET6 and AF_UNSPEC
  network dgram,
  network stream,
  # NOTE(review): the dmesg lines pasted above report apparmor="DENIED"
  # operation="create" family="netlink" sock_type="raw" for this profile,
  # and ntpd logs "getifaddrs: Permission denied" / "unable to open routing
  # socket" at the same timestamps. Neither the dgram nor the stream rule
  # covers a netlink raw socket, so the interface-enumeration path is what
  # is being blocked. The missing rule is presumably `network netlink raw,`
  # -- confirm against the ntpd build; until the packaged profile carries
  # it, a site override in local/usr.sbin.ntpd is the intended place.

  @{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,
  @{NTPD_DEVICE} rw,
  # pps devices are almost exclusively used with NTP
  /dev/pps[0-9]* rw,

  /{,s}bin/ r,
  /usr/{,s}bin/ r,
  /usr/sbin/ntpd rmix,

  /etc/ntp.conf r,
  /etc/ntp.conf.dhcp r,
  /etc/ntpd.conf r,
  /etc/ntpd.conf.tmp r,
  /var/lib/ntp/ntp.conf.dhcp r,

  /etc/ntp.keys r,
  /etc/ntp/** r,

  /etc/ntp.drift rwl,
  /etc/ntp.drift.TEMP rwl,
  /etc/ntp/drift* rwl,
  /var/lib/ntp/*drift rw,
  /var/lib/ntp/*drift.TEMP rw,

  /var/log/ntp w,
  /var/log/ntp.log w,
  /var/log/ntpd w,
  /var/log/ntpstats/clockstats* rwl,
  /var/log/ntpstats/loopstats* rwl,
  /var/log/ntpstats/peerstats* rwl,
  /var/log/ntpstats/protostats* rwl,
  /var/log/ntpstats/rawstats* rwl,
  /var/log/ntpstats/sysstats* rwl,

  /{,var/}run/ntpd.pid w,

  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,

  # For use with clocks that report via shared memory (e.g. gpsd),
  # you may need to give ntpd access to all of shared memory, though
  # this can be considered dangerous. See https://launchpad.net/bugs/722815
  # for details. To enable, add this to local/usr.sbin.ntpd:
  # capability ipc_owner,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.ntpd>
}
# uname -rpv
4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64
</pre>