Note: When we open up an SRU for ntp apparmor we should include the minor (but on its own not SRU worthy) fix of bug 1741227
** Description changed:

- On start/restart nto has an error in apparmor due to the locking it
- tries to avoid issues running concurrently with ntpdate.
+ [Impact]
+
+  * Apparmor denies access to lock it shares with ntpdate to ensure no
+    issues due to concurrent access
+
+ [Test Case]
+
+  1. get a container of target release
+  2. install ntp
+     apt install ntp
+  3. watch dmesg on container-host
+     dmesg -w
+  4. restart ntp in container
+     systemctl restart ntp
+     => see (or no more after fix) apparmor denie:
+     apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
+
+ [Regression Potential]
+
+  * we are only slightly opening up the apparmor profile, but none of the
+    changes poses a security risk so regression potential on it's own
+    should be close to zero.
+
+  * There is a potential issue if the locking (that now can succeed) would
+    e.g. no more be freed up or the action behind the locking would cause
+    issues.
+
+ [Other Info]
+
+  * n/a
+
+
+ On start/restart nto has an error in apparmor due to the locking it tries to avoid issues running concurrently with ntpdate.

  That looks like:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"

  The rule we need is:
  /run/lock/ntpdate wk,

https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny
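Added example (not part of the bug report or the ntp package): a Python check for step 4 of the test case, which parses AppArmor DENIED lines from captured dmesg output and reports which profile/path pairs are still denied. The function names, the sample lines and the audit prefix on the sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted in the bug (with an assumed audit
# prefix) followed by an unrelated kernel message.
SAMPLE_DMESG = [
    '[  101.000000] audit: type=1400 audit(1518600000.000:42): '
    'apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" '
    'name="/run/lock/ntpdate" pid=30113 comm="ntpd" '
    'requested_mask="w" denied_mask="w"',
    '[  102.000000] eth0: link up',
]

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of an AppArmor denial, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def denied_masks(lines):
    """Map (profile, path) -> set of permission letters denied in the log."""
    summary = defaultdict(set)
    for line in lines:
        fields = parse_denial(line)
        if fields and "profile" in fields and "name" in fields:
            key = (fields["profile"], fields["name"])
            summary[key].update(fields.get("denied_mask", ""))
    return dict(summary)


def still_denied(lines, profile, path):
    """True if the log still contains a denial for this profile and path."""
    return (profile, path) in denied_masks(lines)


def candidate_rules(lines):
    """Profile rule lines covering only the masks observed in the log."""
    return sorted(f"{path} {''.join(sorted(masks))},"
                  for (_profile, path), masks in denied_masks(lines).items())


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_DMESG):
        print(rule)
```

The candidate rule reflects only the masks seen in the log (w here); the rule given in the bug also grants k, AppArmor's file-locking permission.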