Bug#891201: pps, rtc and ptp devices need write permission for now

2018-02-23 Thread Vincent Blut

Control: tags -1 patch confirmed pending

Hi Christian,

On Fri, Feb 23, 2018 at 12:15:54PM +0100, Christian Ehrhardt wrote:

Package: chrony
Version: 3.2-4
Severity: normal

Hi,
I happened to find in [1] that we need to add w to some apparmor rules
for local PPS devices.
TL;DR I enabled all devices as they are in man chrony.conf and got denials like:

[ 5756.216096] audit: type=1400 audit(1519379582.153:21):
apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd"
name="/dev/rtc0" pid=4216 comm="chronyd" requested_mask="w"
denied_mask="w" fsuid=0 ouid=0

I'd suggest the following for now:


ACK. The same logic is used in chronyd's SELinux policy, for example:

dev_rw_realtime_clock(chronyd_t)

optional_policy(`
	ptp4l_rw_shm(chronyd_t)
')


---

--- chrony-3.2/debian/changelog 2018-02-20 18:27:10.0 +0100
+++ chrony-3.2/debian/changelog 2018-02-23 12:14:57.0 +0100
@@ -1,3 +1,10 @@
+chrony (3.2-5) unstable; urgency=medium
+
+  * debian/usr.sbin.chronyd: allow write access to rtc, pps and ptp devices
+as that is how chrony initializes them (LP: #1751241)
+
+ -- Christian Ehrhardt   Fri, 23
Feb 2018 12:13:57 +0100
+
chrony (3.2-4) unstable; urgency=medium

 * debian/changelog:
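Review bot: the changelog bullet closes only the Launchpad report (`(LP: #1751241)`) although the patch is being carried through Debian bug #891201, which the reply above has just tagged pending; add `(Closes: #891201)` to the same bullet so the upload closes the Debian report as well as the Ubuntu one.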
diff -Nru chrony-3.2/debian/usr.sbin.chronyd chrony-3.2/debian/usr.sbin.chronyd
--- chrony-3.2/debian/usr.sbin.chronyd  2018-02-08 19:20:27.0 +0100
+++ chrony-3.2/debian/usr.sbin.chronyd  2018-02-23 12:13:48.0 +0100
@@ -32,11 +32,11 @@

 # rtc
 /etc/adjtime r,
-  /dev/rtc{,[0-9]*} r,
+  /dev/rtc{,[0-9]*} rw,

 # gps devices
-  /dev/pps[0-9]* r,
-  /dev/ptp[0-9]* r,
+  /dev/pps[0-9]* rw,
+  /dev/ptp[0-9]* rw,

 # For use with clocks that report via shared memory (e.g. gpsd),
 # you may need to give ntpd access to all of shared memory, though
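Review bot: the three rules go from `r` to `rw` on every matching device node, which is what the quoted denial asks for (`requested_mask="w"` on `open` of `/dev/rtc0`), and since chronyd's job is to set the clock this widens the profile to what the program does rather than handing it a new privilege; the point to keep in mind is that `rw` applies to every pps/ptp node, not just the ones named in chrony.conf, because the profile cannot know which refclock lines are configured. One tidy-up in the same hunk: the `# gps devices` comment now sits above `/dev/ptp[0-9]* rw,`, and the ptp nodes are PTP hardware clocks rather than GPS receivers, so reword it (e.g. `# pps and ptp clock devices`).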

---

[1]: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/1751241

--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd


Cheers,
Vincent



Bug#891201: pps, rtc and ptp devices need write permission for now

2018-02-23 Thread Christian Ehrhardt
Package: chrony
Version: 3.2-4
Severity: normal

Hi,
I happened to find in [1] that we need to add w to some apparmor rules
for local PPS devices.
TL;DR I enabled all devices as they are in man chrony.conf and got denials like:

[ 5756.216096] audit: type=1400 audit(1519379582.153:21):
apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd"
name="/dev/rtc0" pid=4216 comm="chronyd" requested_mask="w"
denied_mask="w" fsuid=0 ouid=0

I'd suggest the following for now:

---

--- chrony-3.2/debian/changelog 2018-02-20 18:27:10.0 +0100
+++ chrony-3.2/debian/changelog 2018-02-23 12:14:57.0 +0100
@@ -1,3 +1,10 @@
+chrony (3.2-5) unstable; urgency=medium
+
+  * debian/usr.sbin.chronyd: allow write access to rtc, pps and ptp devices
+as that is how chrony initializes them (LP: #1751241)
+
+ -- Christian Ehrhardt   Fri, 23
Feb 2018 12:13:57 +0100
+
chrony (3.2-4) unstable; urgency=medium

  * debian/changelog:
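Review bot: the trailer is split across `+ -- Christian Ehrhardt   Fri, 23` and `Feb 2018 12:13:57 +0100` and has no `<email>` between the name and the date, and the continuation `+as that is how chrony initializes them (LP: #1751241)` is not indented as a Debian changelog continuation line; this looks like mail wrapping rather than the real file, but the hunk as pasted will not parse as a changelog, so apply it from an attachment or re-enter these two lines by hand rather than from the inline copy.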
diff -Nru chrony-3.2/debian/usr.sbin.chronyd chrony-3.2/debian/usr.sbin.chronyd
--- chrony-3.2/debian/usr.sbin.chronyd  2018-02-08 19:20:27.0 +0100
+++ chrony-3.2/debian/usr.sbin.chronyd  2018-02-23 12:13:48.0 +0100
@@ -32,11 +32,11 @@

  # rtc
  /etc/adjtime r,
-  /dev/rtc{,[0-9]*} r,
+  /dev/rtc{,[0-9]*} rw,

  # gps devices
-  /dev/pps[0-9]* r,
-  /dev/ptp[0-9]* r,
+  /dev/pps[0-9]* rw,
+  /dev/ptp[0-9]* rw,

  # For use with clocks that report via shared memory (e.g. gpsd),
  # you may need to give ntpd access to all of shared memory, though
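Review bot: the unchanged context line `# you may need to give ntpd access to all of shared memory, though` still says ntpd inside a chronyd profile; that comment is stale and should say chronyd, ideally in this same change since the hunk already touches the block. After the profile is reloaded (`apparmor_parser -r` on usr.sbin.chronyd), a run with the rtc, pps and ptp refclocks configured should log no further `apparmor="DENIED"` lines for `/dev/rtc*`, `/dev/pps*` or `/dev/ptp*`; any that remain are for a different path or operation and need their own rule, not a further widening of these three.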

---

[1]: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/1751241

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
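As an added example following this thread (not code from chrony, the Debian packaging or the AppArmor utilities), the Python script below does the review step behind the patch above by hand: it parses kernel audit lines like the one in the report, matches each denied path against the profile's existing file rules using AppArmor's glob syntax, and reports which rule needs which extra permission. Only the first audit line is the one from the report; the other log lines, the rule list (the pre-patch profile from the diff's context lines) and all function names are this example's own.

```python
"""Map AppArmor audit denials onto the profile rules they hit (added example,
not from chrony or the AppArmor utilities; a small piece of what aa-logprof does)."""
import re
from collections import defaultdict

# Constructed input: line 1 is the denial quoted in the bug report, the others
# are made up to cover pps/ptp, a path no rule matches, and a non-access event.
SAMPLE_AUDIT = """\
[ 5756.216096] audit: type=1400 audit(1519379582.153:21): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/dev/rtc0" pid=4216 comm="chronyd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 5756.217000] audit: type=1400 audit(1519379582.154:22): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/dev/pps0" pid=4216 comm="chronyd" requested_mask="rw" denied_mask="w" fsuid=0 ouid=0
[ 5756.218000] audit: type=1400 audit(1519379582.155:23): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/dev/ptp1" pid=4216 comm="chronyd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 5756.219000] audit: type=1400 audit(1519379582.156:24): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/shadow" pid=4216 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5756.220000] audit: type=1400 audit(1519379582.157:25): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/chronyd" pid=4300 comm="apparmor_parser"
"""

# File rules of the pre-patch profile, taken from the diff's context lines.
EXISTING_RULES = [
    ("/etc/adjtime", "r"),
    ("/dev/rtc{,[0-9]*}", "r"),
    ("/dev/pps[0-9]*", "r"),
    ("/dev/ptp[0-9]*", "r"),
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MASK_ORDER = "mrwalkix"   # print order for a merged permission mask

def parse_audit_line(line):
    """Return the key=value fields of an AppArmor access event, else None.
    DENIED is enforce mode; ALLOWED is the complain-mode equivalent and also
    means a rule is missing. STATUS/AUDIT events carry no access to mediate."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if fields.get("apparmor") not in ("DENIED", "ALLOWED") or "name" not in fields:
        return None
    return fields

def glob_to_regex(pattern):
    """Translate an AppArmor file glob into an unanchored Python regex.
    Subset: * (no '/'), ** (crosses '/'), ?, [...] and one level of {a,b}."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif c == "*":
            out.append("[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "[":                      # character class passes through unchanged
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1]); i = j + 1
        elif c == "{":                      # {,[0-9]*} -> (?:|[0-9][^/]*)
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(glob_to_regex(a) for a in alts) + ")"); i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return "".join(out)

def rule_matches(rule_path, path):
    return re.fullmatch(glob_to_regex(rule_path), path) is not None

def merge_mask(old, extra):
    """Union of permission letters, printed in the usual profile order."""
    key = lambda c: (c not in _MASK_ORDER, _MASK_ORDER.find(c))
    return "".join(sorted(set(old) | set(extra), key=key))

def suggest_changes(audit_text, existing_rules):
    """Return (profile, rule_path or None, old_mask, new_mask, example_path)
    for every rule that needs widening and every path no rule covers."""
    needed = defaultdict(set)               # (profile, path) -> denied letters
    for line in audit_text.splitlines():
        ev = parse_audit_line(line)
        if ev:
            needed[(ev["profile"], ev["name"])].update(ev["denied_mask"])
    changes = []
    for (profile, path), perms in sorted(needed.items()):
        hit = next(((p, m) for p, m in existing_rules if rule_matches(p, path)), None)
        if hit is None:                     # new rule: a decision, not a merge
            changes.append((profile, None, "", merge_mask("", perms), path))
            continue
        rule_path, old_mask = hit
        new_mask = merge_mask(old_mask, perms)
        if new_mask != old_mask:
            changes.append((profile, rule_path, old_mask, new_mask, path))
    return changes

def render(changes):
    lines = []
    for profile, rule_path, old, new, path in changes:
        if rule_path is None:
            lines.append(f"{profile}: no rule covers {path} (denied {new}); review before adding")
        else:
            flag = "  [grants write]" if "w" in new and "w" not in old else ""
            lines.append(f"{profile}: {rule_path} {old}, -> {rule_path} {new},  (from {path}){flag}")
    return lines

if __name__ == "__main__":
    print("\n".join(render(suggest_changes(SAMPLE_AUDIT, EXISTING_RULES))))
```

Run as-is it prints the three `r -> rw` changes the patch makes, each marked `[grants write]` so a reviewer looks at exactly the kind of widening this bug is about, plus one path that no rule covers, which is reported separately rather than turned into a rule: a denial is evidence that the program tried something, not proof that the profile should allow it. The glob translation handles `*`, `**`, `?`, `[...]` and a single level of `{a,b}`, which is enough for this profile but is not the complete AppArmor syntax.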