Sorry, I didn't receive your original e-mail.

The proposed rule would be fine, but I don't see why /run/chrony*.sock
would be too permissive. The "chrony" prefix would be sufficient to
ensure that it is not possible to maliciously configure chrony to
control a path that "belongs" to another piece of software. The user
may want to use their own device naming scheme, like /dev/serial0
(used on Raspberry Pi OS) or /dev/gps0, which would be prohibited by
the more strict rule.

The only other example from the chrony.conf documentation is
"bindcmdaddress /var/run/chrony/chronyd.sock" (used for the chronyc
tool to issue commands to the daemon) but that's just an example, not
a default.

Ryan

On Fri, Apr 28, 2023 at 5:52 AM Vincent Blut <vincent.deb...@free.fr> wrote:
>
> On 2023-04-17 20:45, Vincent Blut wrote:
> > Control: severity -1 important
> > Control: tags -1 moreinfo
> >
> > Hi Ryan,
> >
> > On 2023-04-17 14:54, Ryan Govostes wrote:
> > > Package: chrony
> > > Version: 4.3
> > > Severity: normal
> > > X-Debbugs-Cc: rgovos...@gmail.com
> > >
> > > Dear Maintainer,
> > >
> > > gpsd and chronyd can communicate via domain sockets such as 
> > > /var/run/chrony.ttyS0.sock. chronyd creates the sockets and gpsd connects 
> > > to them.
> > >
> > > However, the AppArmor profile for chronyd is too strict; it only allows 
> > > the creation of sockets for tty devices, and not pps devices.
> > >
> > >     @{run}/chrony.tty{,*}.sock rw,
> >
> > Indeed, this rule is too restrictive…
> >
> > > The corresponding rules on the gpsd profile are:
> > >
> > >     /{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
> > >     /tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
> > >
> > > Could these be relaxed to allow /var/run/chrony.*.sock?
> >
> > …This might be too permissive though. Could you please tell me if changing
> > the rule to "@{run}/chrony{,.clk}.{tty,pps}*.sock rw," meets your need?
>
> Any update on this Ryan?
>
> Cheers,
> Vincent
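
Added example, not part of the thread and not code from chrony or AppArmor: a small Python model of AppArmor path globbing that checks which socket paths each rule discussed above would permit. It assumes `@{run}` expands to `/run/` and `/var/run/`, writes Ryan's `/run/chrony*.sock` suggestion with `@{run}`, and uses constructed sample paths that follow the `chrony.<device>.sock` naming from the report.

```python
import re

# Assumption: @{run} expands to /run/ and /var/run/, as in AppArmor's tunables.
VARIABLES = {"run": ["/run/", "/var/run/"]}
RULES = {  # globs quoted in the thread; "relaxed" is Ryan's, written with @{run}
    "current": "@{run}/chrony.tty{,*}.sock",
    "proposed": "@{run}/chrony{,.clk}.{tty,pps}*.sock",
    "relaxed": "@{run}/chrony*.sock",
}

def expand(rule):
    """Substitute every @{var}, yielding one concrete glob per value."""
    m = re.search(r"@\{(\w+)\}", rule)
    if not m:
        return [re.sub(r"/{2,}", "/", rule)]  # collapse '//' left by expansion
    return [g for v in VARIABLES[m.group(1)]
            for g in expand(rule[:m.start()] + v + rule[m.end():])]

def to_regex(glob):
    """Translate AppArmor globbing (*, **, ?, [], {a,b}) to an anchored regex."""
    out, i, depth = "", 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out, i = out + ".*", i + 1          # ** crosses directory levels
        elif c in "*?":
            out += "[^/]" + ("*" if c == "*" else "")  # * and ? stop at '/'
        elif c == "[":
            end = glob.index("]", i + 1)        # copy the character class as-is
            out, i = out + glob[i:end + 1], end
        elif c == "{":
            out, depth = out + "(?:", depth + 1
        elif c == "}" and depth:
            out, depth = out + ")", depth - 1
        elif c == "," and depth:
            out += "|"
        else:
            out += re.escape(c)
        i += 1
    return re.compile(out + r"\Z")

def allowed_by(path):
    return [name for name, rule in RULES.items()
            if any(to_regex(g).match(path) for g in expand(rule))]

# Constructed socket paths, following the chrony.<device>.sock naming in the report.
for p in ["/run/chrony.ttyS0.sock", "/var/run/chrony.pps0.sock",
          "/run/chrony.clk.ttyS0.sock", "/run/chrony.serial0.sock", "/run/gpsd.sock"]:
    print(f"{p:30} {allowed_by(p)}")
```

Because `*` does not cross a `/`, the relaxed rule in this model stays within the run directory and does not reach a path such as `/run/chrony/chronyd.sock`.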
