Public bug reported:
[Impact]
* Apparmor denies access to lock it shares with ntpdate to ensure no
issues due to concurrent access
[Test Case]
1. get a container of target release
2. install ntp
apt install ntp
3. watch dmesg on container-host
dmesg -w
4. restart ntp in container
systemctl restart ntp
=> see (or no more after fix) apparmor denie:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd"
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w"
denied_mask="w"
[Regression Potential]
* we are only slightly opening up the apparmor profile, but none of the
changes poses a security risk so regression potential on it's own
should be close to zero.
* There is a potential issue if the locking (that now can succeed) would
e.g. no more be freed up or the action behind the locking would cause
issues.
[Other Info]
* n/a
On start/restart nto has an error in apparmor due to the locking it tries to
avoid issues running concurrently with ntpdate.
That looks like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd"
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w"
denied_mask="w"
The rule we need is:
/run/lock/ntpdate wk,
** Affects: ntp (Ubuntu)
Importance: Medium
Status: Triaged
** Affects: ntp (Ubuntu Xenial)
Importance: Medium
Status: Triaged
** Affects: ntp (Ubuntu Artful)
Importance: Medium
Status: Triaged
** Also affects: ntp (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affects: ntp (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: ntp (Ubuntu Xenial)
Status: New => Triaged
** Changed in: ntp (Ubuntu Artful)
Status: New => Triaged
** Changed in: ntp (Ubuntu Xenial)
Importance: Undecided => Medium
** Changed in: ntp (Ubuntu Artful)
Importance: Undecided => Medium
** Changed in: ntp (Ubuntu)
Importance: Undecided => Medium
** Changed in: ntp (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389
Title:
ntpdate lock apparmor deny
Status in ntp package in Ubuntu:
Triaged
Status in ntp source package in Xenial:
Triaged
Status in ntp source package in Artful:
Triaged
Bug description:
[Impact]
* Apparmor denies access to lock it shares with ntpdate to ensure no
issues due to concurrent access
[Test Case]
1. get a container of target release
2. install ntp
apt install ntp
3. watch dmesg on container-host
dmesg -w
4. restart ntp in container
systemctl restart ntp
=> see (or no more after fix) apparmor denie:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd"
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w"
denied_mask="w"
[Regression Potential]
* we are only slightly opening up the apparmor profile, but none of the
changes poses a security risk so regression potential on it's own
should be close to zero.
* There is a potential issue if the locking (that now can succeed) would
e.g. no more be freed up or the action behind the locking would cause
issues.
[Other Info]
* n/a
On start/restart nto has an error in apparmor due to the locking it tries to
avoid issues running concurrently with ntpdate.
That looks like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd"
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w"
denied_mask="w"
The rule we need is:
/run/lock/ntpdate wk,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1749389/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
