Public bug reported:
Summary:
When enabling hwtimestamp capability for chrony, apparmor reports a denied
operation for net_admin. hwtimestamp is a nice feature for very fast time
setting on a local network when devices have the capabilities.
Expected Results:
syslog messages stating that hwtimestamping was enabled
Actual Results:
[ 8093.250474] audit: type=1400 audit(1522880521.783:19): apparmor="DENIED"
operation="capable" profile="/usr/sbin/chronyd" pid=4137 comm="chronyd"
capability=12 capname="net_admin"
[ 8514.101791] audit: type=1400 audit(1522880942.637:20): apparmor="DENIED"
operation="capable" profile="/usr/sbin/chronyd" pid=4248 comm="chronyd"
capability=12 capname="net_admin"
Steps to reproduce:
1. sudo apt update; sudo apt install -y chrony
2. echo "hwtimestamp *" | sudo tee -a /etc/chrony/chrony.conf
3. sudo systemctl restart chrony.service
Output from syslog during the service restart:
Apr 4 22:48:30 wind chronyd[1378]: chronyd exiting
Apr 4 22:48:30 wind systemd[1]: Stopping chrony, an NTP client/server...
Apr 4 22:48:30 wind systemd[1]: Stopped chrony, an NTP client/server.
Apr 4 22:48:30 wind systemd[1]: Starting chrony, an NTP client/server...
Apr 4 22:48:30 wind chronyd[1649]: chronyd version 3.2 starting (+CMDMON +NTP
+REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -DEBUG)
Apr 4 22:48:30 wind chronyd[1649]: Frequency 2.390 +/- 11.697 ppm read from
/var/lib/chrony/chrony.drift
Apr 4 22:48:30 wind kernel: [ 4036.581454] kauditd_printk_skb: 7 callbacks
suppressed
Apr 4 22:48:30 wind kernel: [ 4036.581455] audit: type=1400
audit(1522882110.457:18): apparmor="DENIED" operation="capable"
profile="/usr/sbin/chronyd" pid=1649 comm="chronyd" capability=12
capname="net_admin"
Apr 4 22:48:30 wind systemd[1]: Started chrony, an NTP client/server.
Removing the hwtimestamp line from the configuration file removes the
apparmor denied message.
Fix:
1. Add the net_admin capability to /etc/apparmor.d/usr.sbin.chronyd
2. sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.chronyd
3. sudo systemctl restart chrony.service
Apparmor message no longer occurs and in the syslog the HW timestamping
message appears:
Apr 4 22:52:12 wind chronyd[2066]: Enabled HW timestamping on enp0s25
And eventually `sudo chronyc ntpdata` shows:
TX timestamping : Hardware
RX timestamping : Hardware
instead of:
TX timestamping : Kernel
RX timestamping : Kernel
System Info:
Ubuntu Bionic
chrony 3.2-4ubuntu2
** Affects: chrony (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1761327
Title:
Apparmor denies net_admin for hwtimestamp
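Added example, not part of the original report or of the chrony or AppArmor tooling: a Python sketch that parses AppArmor DENIED audit records like the ones quoted above, groups capability denials per profile, and lists the `capability` rule lines a reviewer would weigh before editing the profile. The function names are hypothetical, and the sample lines are the report's own records with the mail line wraps re-joined.

```python
import re
from collections import defaultdict

# Sample input: denials quoted in the report, mail line wraps re-joined.
SAMPLE = '''\
[ 8093.250474] audit: type=1400 audit(1522880521.783:19): apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=4137 comm="chronyd" capability=12 capname="net_admin"
Apr 4 22:48:30 wind kernel: [ 4036.581455] audit: type=1400 audit(1522882110.457:18): apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=1649 comm="chronyd" capability=12 capname="net_admin"
Apr 4 22:48:30 wind systemd[1]: Started chrony, an NTP client/server.
'''

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="value"
AUDIT = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')  # audit(epoch.millis:serial)

def parse_denials(text):
    """Return one dict per AppArmor DENIED record (audit type 1400) in text."""
    out = []
    for line in text.splitlines():
        if 'type=1400' not in line:
            continue
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get('apparmor') != 'DENIED':
            continue
        m = AUDIT.search(line)
        if m:
            fields['epoch'], fields['serial'] = int(m.group(1)), int(m.group(2))
        out.append(fields)
    return out

def capability_denials(records):
    """Group capability denials as {profile: {capname: count}}."""
    grouped = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r.get('operation') == 'capable' and 'capname' in r:
            grouped[r['profile']][r['capname']] += 1
    return {p: dict(c) for p, c in grouped.items()}

def candidate_rules(grouped):
    """Profile rule lines that would permit the denied capabilities."""
    return {p: [f'capability {c},' for c in sorted(caps)]
            for p, caps in grouped.items()}

if __name__ == '__main__':
    g = capability_denials(parse_denials(SAMPLE))
    for profile, rules in candidate_rules(g).items():
        print(profile, g[profile], rules)
```

The output is a review list, not a change to apply blindly: each rule widens what the confined daemon may do, so it belongs in the profile only when a configured feature (here `hwtimestamp`) needs it.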