Sorry, I didn't receive your original e-mail. The proposed rule would be fine, but I don't see why /run/chrony*.sock would be too permissive. The "chrony" prefix would be sufficient to ensure that it is not possible to maliciously configure chrony to control a path that "belongs" to another piece of software. The user may want to use their own device naming scheme, like /dev/serial0 (used on Raspberry Pi OS) or /dev/gps0, which would be prohibited by the more strict rule.
The only other example from the chrony.conf documentation is "bindcmdaddress /var/run/chrony/chronyd.sock" (used for the chronyc tool to issue commands to the daemon) but that's just an example, not a default.

Ryan

On Fri, Apr 28, 2023 at 5:52 AM Vincent Blut <vincent.deb...@free.fr> wrote:
>
> On 2023-04-17 20:45, Vincent Blut wrote:
> > Control: severity -1 important
> > Control: tags -1 moreinfo
> >
> > Hi Ryan,
> >
> > On 2023-04-17 14:54, Ryan Govostes wrote:
> > > Package: chrony
> > > Version: 4.3
> > > Severity: normal
> > > X-Debbugs-Cc: rgovos...@gmail.com
> > >
> > > Dear Maintainer,
> > >
> > > gpsd and chronyd can communicate via domain sockets such as
> > > /var/run/chrony.ttyS0.sock. chronyd creates the sockets and gpsd connects
> > > to them.
> > >
> > > However, the AppArmor profile for chronyd is too strict; it only allows
> > > the creation of sockets for tty devices, and not pps devices.
> > >
> > > @{run}/chrony.tty{,*}.sock rw,
> >
> > Indeed, this rule is too restrictive…
> >
> > > The corresponding rules on the gpsd profile are:
> > >
> > > /{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
> > > /tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
> > >
> > > Could these be relaxed to allow /var/run/chrony.*.sock?
> >
> > …This might be too permissive though. Could you please tell me if changing the
> > rule to "@{run}/chrony{,.clk}.{tty,pps}*.sock rw," meets your need?
>
> Any update on this Ryan?
>
> Cheers,
> Vincent
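The disagreement in this thread is about how much each candidate AppArmor path pattern lets through. The following script is an added example, not part of the bug report or of the chrony or gpsd packages: it translates AppArmor path globbing (`*`, `**`, `?`, `{a,b}`, `[...]`) into anchored regular expressions and checks the four rules quoted above against a constructed list of socket paths, including the `/dev/serial0`- and `/dev/gps0`-style names mentioned in the reply. It assumes that the `@{run}` tunable expands to `/run` and `/var/run` (as Debian's AppArmor `tunables/global` does) and covers only the globbing features that appear in the quoted rules; the candidate paths are made up for illustration.

```python
import re

# Assumption: Debian's AppArmor tunables/global defines @{run} as /run/ and
# /var/run/. Trailing slashes are dropped here so the join yields a single '/'.
AA_VARS = {"@{run}": ["/run", "/var/run"]}

# Path parts of the rules quoted in the thread (without the "rw," permissions).
RULES = {
    "current":  "@{run}/chrony.tty{,*}.sock",
    "proposed": "@{run}/chrony{,.clk}.{tty,pps}*.sock",
    "ryan":     "@{run}/chrony*.sock",
    "gpsd":     "/{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock",
}

# Constructed candidate socket paths, including the names a user with a custom
# device naming scheme (serial0, gps0) would end up with, plus unrelated paths.
CANDIDATES = [
    "/run/chrony.ttyS0.sock",
    "/var/run/chrony.ttyUSB0.sock",
    "/run/chrony.pps0.sock",
    "/run/chrony.clk.pps0.sock",
    "/run/chrony.serial0.sock",
    "/run/chrony.gps0.sock",
    "/run/chronyd.sock",
    "/run/chrony/chronyd.sock",
    "/run/other.sock",
]


def expand_vars(path):
    """Expand every AppArmor variable into each value it can take."""
    paths = [path]
    for var, values in AA_VARS.items():
        expanded = []
        for p in paths:
            if var in p:
                expanded.extend(p.replace(var, v) for v in values)
            else:
                expanded.append(p)
        paths = expanded
    return paths


def glob_to_regex(glob):
    """Translate AppArmor path globbing into an anchored Python regex.

    '*'  matches any run of characters except '/'
    '**' matches across directory separators
    '?'  matches one character other than '/'
    '{a,b}' is alternation (an empty alternative is allowed), '[...]' a class.
    """
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob[i + 1:i + 2] == "*":
                out.append(".*")
                i += 1
            else:
                out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "," and depth:
            out.append("|")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "[":
            # Character classes use regex notation already; copy them through.
            j = glob.index("]", i + 1)
            out.append(glob[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced braces in %r" % glob)
    return "^" + "".join(out) + "$"


def rule_matches(rule_path, candidate):
    """True if the rule's path pattern would permit access to candidate."""
    return any(re.match(glob_to_regex(p), candidate)
               for p in expand_vars(rule_path))


def compare_rules(rules=RULES, candidates=CANDIDATES):
    """Map each rule name to the candidate paths (in input order) it allows."""
    return {name: [c for c in candidates if rule_matches(path, c)]
            for name, path in rules.items()}


if __name__ == "__main__":
    for name, allowed in compare_rules().items():
        print("%-8s %s" % (name, RULES[name]))
        for c in CANDIDATES:
            print("   %s %s" % ("allow" if c in allowed else "deny ", c))
```

Running it shows the trade-off concretely: the current rule admits only the `tty*` sockets, the maintainer's proposal adds `pps*` and `.clk.` variants but still rejects `chrony.serial0.sock` and `chrony.gps0.sock`, and `@{run}/chrony*.sock` admits those as well as `/run/chronyd.sock`, while a single `*` still never crosses into a subdirectory such as `/run/chrony/chronyd.sock`.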