Your message dated Sun, 28 Jan 2018 21:04:52 +0000
with message-id <[email protected]>
and subject line Bug#888038: fixed in chrony 3.2-2
has caused the Debian Bug report #888038,
regarding chrony: please add AppArmor profile for chronyd
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
888038: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888038
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: chrony
Version: 3.2-1
Severity: wishlist
Tags: patch
User: [email protected]
Usertags: origin-ubuntu bionic ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
  * add AppArmor profile for /usr/sbin/chronyd:
    - add debian/usr.sbin.chronyd AppArmor profile
    - debian/control: Build-Depends on dh-apparmor
    - debian/dirs: create etc/apparmor.d/force-complain
    - debian/install: install debian/usr.sbin.chronyd
    - debian/preinst: force-complain on upgrade before this version
    - debian/rules: install apparmor profile with dh_apparmor
Thanks for considering the patch. For Debian, all you would need to do is update
the version in preinst to the version which ships the AppArmor profile.
-- System Information:
Debian Release: stretch/sid
APT prefers artful-updates
APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-25-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru chrony-3.2/debian/control chrony-3.2/debian/control
--- chrony-3.2/debian/control 2017-11-04 10:47:42.000000000 -0500
+++ chrony-3.2/debian/control 2018-01-22 13:48:29.000000000 -0600
@@ -12,7 +12,8 @@
pps-tools (>= 0.20120406+g0deb9c7e-2) [linux-any],
libseccomp-dev (>= 2.2.3-3~) [amd64 arm64 armel armhf hppa i386 mips mipsel
mips64el powerpc powerpcspe ppc64 ppc64el s390x x32],
pkg-config,
- asciidoctor (>= 1.5.3-1~)
+ asciidoctor (>= 1.5.3-1~),
+ dh-apparmor
Homepage: https://chrony.tuxfamily.org
Vcs-Git: https://anonscm.debian.org/git/collab-maint/chrony.git
Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/chrony.git
diff -Nru chrony-3.2/debian/dirs chrony-3.2/debian/dirs
--- chrony-3.2/debian/dirs 2017-11-04 10:47:42.000000000 -0500
+++ chrony-3.2/debian/dirs 2018-01-22 13:25:51.000000000 -0600
@@ -1,3 +1,4 @@
+etc/apparmor.d/force-complain
etc/chrony
etc/logrotate.d
etc/NetworkManager/dispatcher.d
diff -Nru chrony-3.2/debian/install chrony-3.2/debian/install
--- chrony-3.2/debian/install 2017-11-04 10:47:42.000000000 -0500
+++ chrony-3.2/debian/install 2018-01-20 03:20:50.000000000 -0600
@@ -1 +1,2 @@
debian/chrony.conf usr/share/chrony
+debian/usr.sbin.chronyd etc/apparmor.d
diff -Nru chrony-3.2/debian/preinst chrony-3.2/debian/preinst
--- chrony-3.2/debian/preinst 1969-12-31 18:00:00.000000000 -0600
+++ chrony-3.2/debian/preinst 2018-01-22 13:48:21.000000000 -0600
@@ -0,0 +1,31 @@
+#!/bin/sh
+# preinst script for chrony
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# targets: install|upgrade|abort-upgrade
+
+case "$1" in
+ upgrade)
+ APP_PROFILE="usr.sbin.chronyd"
+ APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+ APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
+ # force-complain on upgrade from pre-shipped profile
+ if dpkg --compare-versions "$2" lt "3.2-1ubuntu1" ; then
+ mkdir -p `dirname "$APP_COMPLAIN"` 2>/dev/null || true
+ ln -sf "$APP_CONFFILE" "$APP_COMPLAIN"
+ fi
+ ;;
+
+ install|abort-upgrade)
+ ;;
+
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
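Review bot: The version test in the `upgrade)` branch, `dpkg --compare-versions "$2" lt "3.2-1ubuntu1"`, hard-codes the Ubuntu version; for Debian it has to name the first Debian version that ships the profile, otherwise the force-complain symlink is created or skipped for the wrong set of upgrades. Two smaller points in the same branch: `mkdir -p ... 2>/dev/null || true` hides a failure that the following `ln -sf` will then hit under `set -e`, so letting mkdir fail loudly gives a clearer error; and the script carries no `#DEBHELPER#` token, so any preinst snippet debhelper generates would not be inserted. Nothing in this patch removes the symlink again, so it is worth documenting that upgraded systems stay in complain mode (violations logged, not blocked) until the administrator deletes it.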
diff -Nru chrony-3.2/debian/rules chrony-3.2/debian/rules
--- chrony-3.2/debian/rules 2017-11-04 10:47:42.000000000 -0500
+++ chrony-3.2/debian/rules 2018-01-22 13:15:52.000000000 -0600
@@ -27,6 +27,7 @@
install -m 0640 -t $(BASE)/usr/share/chrony/ debian/chrony.keys
install -m 0755 -T examples/chrony.nm-dispatcher
$(BASE)/etc/NetworkManager/dispatcher.d/20-chrony
install -m 0644 -T examples/chrony.logrotate
$(BASE)/etc/logrotate.d/chrony
+ dh_apparmor --profile-name=usr.sbin.chronyd -pchrony
override_dh_fixperms:
dh_fixperms -X usr/share/chrony/chrony.keys
diff -Nru chrony-3.2/debian/usr.sbin.chronyd chrony-3.2/debian/usr.sbin.chronyd
--- chrony-3.2/debian/usr.sbin.chronyd 1969-12-31 18:00:00.000000000 -0600
+++ chrony-3.2/debian/usr.sbin.chronyd 2018-01-20 03:20:00.000000000 -0600
@@ -0,0 +1,39 @@
+# Last Modified: Sat Jan 20 10:45:05 2018
+#include <tunables/global>
+
+/usr/sbin/chronyd (attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability sys_time,
+ capability net_bind_service,
+ capability setuid,
+ capability setgid,
+
+ /usr/sbin/chronyd mr,
+
+ /etc/chrony/{,**} r,
+ /run/chronyd.pid w,
+ /run/chrony/{,*} rw,
+ /var/lib/chrony/{,*} r,
+ /var/lib/chrony/* w,
+ /var/log/chrony/{,*} r,
+ /var/log/chrony/* w,
+
+ # rtc
+ /etc/adjtime r,
+ /dev/rtc{,[0-9]*} r,
+
+ # gps devices
+ /dev/pps[0-9]* r,
+ /dev/ptp[0-9]* r,
+
+ # For use with clocks that report via shared memory (e.g. gpsd),
+ # you may need to give ntpd access to all of shared memory, though
+ # this can be considered dangerous. See https://launchpad.net/bugs/722815
+ # for details. To enable, add this to local/usr.sbin.chronyd:
+ # capability ipc_owner,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.chronyd>
+}
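Review bot: The shared-memory comment near the end of the profile reads "you may need to give ntpd access to all of shared memory", which names the wrong daemon; it should say chronyd so that administrators editing local/usr.sbin.chronyd are not misled. The `(attach_disconnected)` flag on the profile header has no explanatory comment, and a one-line note on why chronyd needs it would help later reviewers judge whether it can be dropped. The "# gps devices" heading covers /dev/pps[0-9]* and /dev/ptp[0-9]*, so "PPS and PTP devices" would be the more accurate label.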
--- End Message ---
--- Begin Message ---
Source: chrony
Source-Version: 3.2-2
We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Blut <[email protected]> (supplier of updated chrony package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 28 Jan 2018 19:33:46 +0100
Source: chrony
Binary: chrony
Architecture: source
Version: 3.2-2
Distribution: unstable
Urgency: medium
Maintainer: Vincent Blut <[email protected]>
Changed-By: Vincent Blut <[email protected]>
Description:
chrony - Versatile implementation of the Network Time Protocol
Closes: 888038
Changes:
chrony (3.2-2) unstable; urgency=medium
.
* Initial AppArmor profile for chronyd. Thanks to Jamie
Strandboge <[email protected]>. (Closes: #888038)
.
* debian/compat:
- Bump to debhelper compat 11.
.
* debian/control:
- Bump standard-version to 4.1.3 (no changes required).
- Build depend on debhelper ≥ 11.
- Set “Rules-Requires-Root: no”.
- Move Vcs-* to salsa.debian.org.
.
* debian/copyright:
- Add myself as a copyright holder for 2018.
.
* debian/postinst:
- Don’t force removal of cron file since it doesn’t exist anymore.
.
* debian/preinst:
- Update the chrony version on which to act.
- Add the debhelper token.
.
* debian/usr.sbin.chronyd:
- Improve AppArmor profile to support more chronyd features and ease
portability with other distros.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---