Public bug reported:

[Impact]

 * Apparmor denies access to lock it shares with ntpdate to ensure no issues due to concurrent access

[Test Case]

 1. get a container of target release
 2. install ntp
      apt install ntp
 3. watch dmesg on container-host
      dmesg -w
 4. restart ntp in container
      systemctl restart ntp
    => see (or no more after fix) apparmor denial:
    apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"

[Regression Potential]

 * we are only slightly opening up the apparmor profile, but none of the changes poses a security risk so regression potential on its own should be close to zero.

 * There is a potential issue if the locking (that now can succeed) would e.g. no more be freed up or the action behind the locking would cause issues.

[Other Info]

 * n/a

On start/restart ntp has an error in apparmor due to the locking it tries to avoid issues running concurrently with ntpdate.

That looks like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"

The rule we need is:
/run/lock/ntpdate wk,

** Affects: ntp (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: ntp (Ubuntu Xenial)
     Importance: Medium
         Status: Triaged

** Affects: ntp (Ubuntu Artful)
     Importance: Medium
         Status: Triaged

** Also affects: ntp (Ubuntu Artful)
     Importance: Undecided
         Status: New

** Also affects: ntp (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Changed in: ntp (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: ntp (Ubuntu Artful)
       Status: New => Triaged

** Changed in: ntp (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: ntp (Ubuntu Artful)
   Importance: Undecided => Medium

** Changed in: ntp (Ubuntu)
   Importance: Undecided => Medium

** Changed in: ntp (Ubuntu)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

Status in ntp package in Ubuntu:
  Triaged
Status in ntp source package in Xenial:
  Triaged
Status in ntp source package in Artful:
  Triaged
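
Added example, not part of the bug report or of the ntp or AppArmor packages: a small triage script that parses AppArmor DENIED records like the one quoted above and groups them into candidate profile rules. The sample log is constructed from the report's denial line; the `audit:` prefix, the second pid and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the denial from the report (seen twice, second pid made up)
# plus one unrelated line. The "audit:" kernel-log prefix is an assumption.
SAMPLE_LOG = """\
[ 10.0] audit: type=1400 apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
[ 95.0] audit: type=1400 apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30999 comm="ntpd" requested_mask="w" denied_mask="w"
[ 96.0] eth0: link becomes ready
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Kernel-side create/delete masks are written as "w" in profile syntax.
TO_PROFILE = {"c": "w", "d": "w"}
ORDER = "rwalkmx"  # output order for permission letters (choice of this example)


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {k: q or u for k, q, u in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    if "profile" not in fields or "name" not in fields:
        return None
    return fields


def summarize(log):
    """Group denials by (profile, path): union of denied masks and hit count."""
    seen = defaultdict(lambda: {"mask": set(), "count": 0})
    for line in log.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        entry = seen[(d["profile"], d["name"])]
        entry["mask"].update(TO_PROFILE.get(c, c) for c in d.get("denied_mask", ""))
        entry["count"] += 1
    return dict(seen)


def candidate_rules(log):
    """Map profile -> rule lines covering exactly what the log shows as denied."""
    rules = defaultdict(list)
    for (profile, path), entry in sorted(summarize(log).items()):
        mask = "".join(c for c in ORDER if c in entry["mask"])
        rules[profile].append(f"{path} {mask},")
    return dict(rules)
```

For the sample this yields `/run/lock/ntpdate w,`. The rule requested in the report is `wk`, which also grants the lock permission that this denial record does not show, so rules derived from the log are a starting point for review rather than the final profile change.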