apparmor blocks using more than one timemaster clock with chrony
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
chrony (Ubuntu) | Status tracked in Oracular | | |
chrony (Ubuntu) Noble | Fix Committed | Undecided | Unassigned |
chrony (Ubuntu) Oracular | Fix Released | Undecided | Andreas Hasenack |
linuxptp (Ubuntu) | Status tracked in Oracular | | |
linuxptp (Ubuntu) Noble | Invalid | Undecided | Unassigned |
linuxptp (Ubuntu) Oracular | Invalid | Undecided | Unassigned |
Bug Description
[ Impact ]
The chronyd apparmor profile was changed as a fix for bug #2032805 to allow chronyd to read/write a linuxptp timemaster socket:
@{run}
That works, but is limiting, as it allows only one PTP clock/interface to be used. If another one is set up, its socket will be blocked by apparmor, because its name will be "chrony.SOCK1", and so on.
The fix is to simply expand the apparmor rule to allow for more socket files:
@{run}
[ Test Plan ]
* Launch a VM. For example:
lxc launch ubuntu-daily:noble n-ptp --vm
* Install chrony and linuxptp in the VM:
sudo apt update && sudo apt install chrony linuxptp -y
* stop chrony:
sudo systemctl stop chrony.service
* Create a config file for timemaster, replacing the interface name with the one that exists in the VM:
/etc/
[ptp_domain 0]
interfaces enp5s0
[ptp_domain 127]
interfaces enp5s0
* in one terminal, observe the output of "dmesg -wT | grep timemaster"
* in another terminal, run this command:
sudo timemaster -m -q -f /etc/linuxptp/
* In a system with the bug, the command will issue a "Fatal error" like this:
Fatal error : Could not open socket /var/run/
* At the same time, the system with the bug will also log this line in the "dmesg -wT" terminal:
[Tue Jul 2 20:08:12 2024] audit: type=1400 audit(171995089
* In a fixed system, there will be no apparmor log in the "dmesg -wT" terminal, and the "timemaster" command will run without errors, and won't exit.
[ Where problems could occur ]
This is expanding an existing apparmor rule with the glob chrony.SOCK[0-9]*, which will match not only the original SOCK0 suffix but many more with a numerical suffix. That is, it allows more patterns, not fewer, and the original one is included in the glob.
There is risk in a syntax error in the apparmor profile, which would prevent it from loading at runtime. This should be detected if the test plan is followed.
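As an added illustration of the two points above (what the widened glob matches, and how to confirm a logged denial would be covered by the new rule), the script below is example code written for this page, not code from the chrony or linuxptp packages. It re-implements the subset of AppArmor path-glob syntax involved: `*` matches within one path component, `**` crosses components, `[0-9]` is a character class, `@{run}` expands to both `/run` and `/var/run`. The directory under `@{run}` (`timemaster/`) and the exact pre-fix rule path are assumptions, since the report truncates the rule after `@{run}`; the audit line is constructed in the shape dmesg prints for a type=1400 event, because the report's own line is cut off.

```python
"""Check which timemaster socket paths an AppArmor file rule would allow.

Added example, not code from the chrony or linuxptp packages. It
re-implements the subset of AppArmor's path-glob syntax needed to compare
the original single-socket rule with the widened rule from this bug.
The directory under @{run} is an assumption (the report truncates the
rule after "@{run}"); timemaster names its chrony sockets chrony.SOCK0,
chrony.SOCK1, ... inside its run directory.
"""
import re

# Ubuntu's tunables/global gives @{run} two values, so one rule covers both.
VARIABLES = {"@{run}": ["/run", "/var/run"]}

OLD_RULE = "@{run}/timemaster/chrony.SOCK0"        # assumed: rule before the fix
NEW_RULE = "@{run}/timemaster/chrony.SOCK[0-9]*"   # glob quoted in the report


def expand_variables(rule: str) -> list[str]:
    """Expand @{var} references; a multi-valued variable yields one path per value."""
    paths = [rule]
    for name, values in VARIABLES.items():
        expanded = []
        for p in paths:
            if name in p:
                expanded.extend(p.replace(name, v) for v in values)
            else:
                expanded.append(p)
        paths = expanded
    return paths


def _translate(glob: str) -> str:
    """Translate an AppArmor path glob (variables already expanded) to a regex."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** crosses directory boundaries
            out.append(".*")
            i += 2
        elif c == "*":                    # * stops at '/'
            out.append("[^/]*")
            i += 1
        elif c == "?":                    # one character, not '/'
            out.append("[^/]")
            i += 1
        elif c == "[":                    # character class, same syntax as regex
            j = glob.index("]", i + 1)
            out.append("[" + glob[i + 1:j].replace("\\", "\\\\") + "]")
            i = j + 1
        elif c == "{":                    # {a,b} alternation (nesting not handled)
            j = glob.index("}", i + 1)
            alts = [_translate(a) for a in glob[i + 1:j].split(",")]
            out.append("(?:" + "|".join(alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def rule_matches(rule: str, path: str) -> bool:
    """True if the AppArmor path rule would apply to the given absolute path."""
    return any(re.fullmatch(_translate(p), path) for p in expand_variables(rule))


# Constructed denial line in the shape dmesg shows for a type=1400 AppArmor
# event (not the report's truncated line). Binding an AF_UNIX socket to a
# path is mediated as a file create, hence operation="mknod" and mask "c".
AUDIT_LINE = (
    'audit: type=1400 audit(1719950892.101:52): apparmor="DENIED" '
    'operation="mknod" class="file" profile="/usr/sbin/chronyd" '
    'name="/run/timemaster/chrony.SOCK1" pid=1234 comm="chronyd" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0'
)

DENIAL_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)"')


def parse_denial(line: str):
    """Return (profile, denied path) from an AppArmor DENIED line, or None."""
    m = DENIAL_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def denial_covered_by(rule: str, line: str) -> bool:
    """Would this rule have allowed the path the audit line reports as denied?"""
    parsed = parse_denial(line)
    return parsed is not None and rule_matches(rule, parsed[1])


if __name__ == "__main__":
    candidates = [
        "/run/timemaster/chrony.SOCK0",
        "/run/timemaster/chrony.SOCK1",
        "/var/run/timemaster/chrony.SOCK12",
        "/run/timemaster/chrony.SOCK0/extra",   # '*' never crosses '/'
        "/run/timemaster/chrony.SOCKa",         # class requires a digit first
    ]
    for path in candidates:
        print(f"{path:40} old={rule_matches(OLD_RULE, path)!s:5} "
              f"new={rule_matches(NEW_RULE, path)}")
    print("denial covered by old rule:", denial_covered_by(OLD_RULE, AUDIT_LINE))
    print("denial covered by new rule:", denial_covered_by(NEW_RULE, AUDIT_LINE))
```

Two things worth keeping in mind when reading the output. First, `*` matches any run of non-slash characters, so `chrony.SOCK[0-9]*` also covers names such as `chrony.SOCK0x`; that is wider than "a number", but the rule lives in chronyd's own profile and only widens what chronyd may touch in that directory. Second, this script is a reasoning aid, not the authority: the syntax-error risk named above is checked with the real parser, e.g. `sudo apparmor_parser -Q /etc/apparmor.d/usr.sbin.chronyd` to validate without loading, then `sudo apparmor_parser -r` (or the `systemctl reload apparmor` from the quickfix) to reload and re-run timemaster.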
[ Other Info ]
Not at this time.
[ Original Description ]
The fix for bug #2032805 allows chronyd to use one PTP clock/interface with timemaster, but not more than one.
Steps to reproduce (config must contain valid network interface names):
$ cat > minimal_
# List two separate interfaces, or two separate domains with the same interface:
# [ptp_domain 0]
# interfaces ens1f0np0
[ptp_domain 127]
interfaces ens1f0np0 ens1f1np1
$ sudo timemaster -m -q -f minimal_
timemaster[
timemaster[
timemaster[
Fatal error : Could not open socket /var/run/
...
Quickfix:
sudo sed -i 's|@{run}
sudo systemctl reload apparmor
Expected output:
The timemaster command continues to run until CTRL+C is pressed.
$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04
chrony:
Installed: 4.5-1ubuntu4
Candidate: 4.5-1ubuntu4
linuxptp:
Installed: 4.0-1ubuntu1
Candidate: 4.0-1ubuntu1
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: linuxptp 4.0-1ubuntu1
ProcVersionSign
Uname: Linux 6.8.0-31-generic x86_64
NonfreeKernelMo
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckR
Date: Wed Jun 5 21:53:26 2024
Dependencies:
gcc-14-base 14-20240412-
libc6 2.39-0ubuntu8.2
libgcc-s1 14-20240412-
libidn2-0 2.3.7-2build1
libunistring5 1.1-2build1
InstallationDate: Installed on 2024-05-14 (22 days ago)
InstallationMedia: Ubuntu-Server 24.04 LTS "Noble Numbat" - Release amd64 (20240423)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-
XDG_RUNTIME_
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: linuxptp
UpgradeStatus: No upgrade log present (probably fresh install)
modified.
mtime.conffile.
Related branches
- Merge proposal 1: git-ubuntu bot: Approve; Athos Ribeiro (community): Approve; Canonical Server Core Reviewers: Pending requested; Canonical Server Reporter: Pending requested
  Diff: 1348 lines (+1095/-6), 11 files modified: debian/README.container (+60/-0), debian/changelog (+939/-0), debian/chrony.conf (+17/-2), debian/chrony.default (+4/-0), debian/chrony.examples (+1/-0), debian/chrony.service (+1/-2), debian/chronyd-starter.sh (+68/-0), debian/control (+3/-1), debian/docs (+1/-0), debian/install (+1/-0), debian/rules (+0/-1)
- Merge proposal 2: git-ubuntu bot: Approve; Athos Ribeiro (community): Approve; Canonical Server Core Reviewers: Pending requested; Canonical Server Reporter: Pending requested
  Diff: 30 lines (+9/-2), 2 files modified: debian/changelog (+7/-0), debian/usr.sbin.chronyd (+2/-2)
Changed in chrony (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
description: updated
Thanks! I added this to the server team work queues.