Hi Mark,
Thanks for the report - so far we have only discussed gpsd via shm with peers.
The rule for that would be too open which is why it is disabled with a comment 
in the apparmor profile atm.

For gpsd via tty I'd have expected all chrony files in /var/run/chrony/... as 
most of them are in general, which is why we have the rule:
  /{,var/}run/chrony/{,*} rw,
Similar for /var/log and /var/lib

But the path you mention is obviously outside that rule :-/
I realized this is a free-form config entry for the refclock and one "could" 
set /var/run/chrony/..., but I've also seen that the example in man chrony.conf 
is exactly the path that you are reporting, like:
  refclock SOCK /var/run/chrony.ttyS0.sock


After your report of this example being "outside" the usual paths I wanted to 
make sure there are no similar examples we hit in just a few weeks. So I read 
through the man page and found a few more.

Overall I found:
  # Support all paths suggested in the man page (LP: #1771028). Assume these
  # are common use cases; others should be set as local include (see below).
  # Configs using a 'chrony.' prefix like the tempcomp config file example
  /etc/chrony.* r,
  # Example gpsd socket is outside /{,var/}run/chrony/
  /{,var/}run/chrony.tty{,*}.sock rw,
  # To sign replies to MS-SNTP clients by the smbd daemon
  /var/lib/samba/ntp_signd rw,

Let's (try to) combine that with a merge (unless it is complex and would
stall this fix) of the most recent chrony as there was a new release way
into our Feature Freeze and from there SRU to Bionic.

Summary:
- most common cases were covered by generic rules for lib/log/run and device 
paths already
- the suggested new rule is fine (Thanks!)
- the new use case (due to the man page pointing there) is expected to be 
common as well
- now that we spotted this, let's look at similar cases to fix all at once


P.S. @Mark - if you find other issues due to using GPSD or other less common 
options please let me know as well.

** Changed in: chrony (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1771028

Title:
  Apparmor profile for chronyd needs to allow creation of
  /var/run/chrony.tty*.sock

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/1771028/+subscriptions
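
An added example (not part of the original mail or of the chrony packaging): a simplified matcher for the AppArmor path globs quoted above, showing that the man-page socket path falls outside the existing run-directory rule and inside the proposed one. It models only `*`, `**`, `?` and `{a,b}` (no character classes or parser edge cases), and every sample path other than /var/run/chrony.ttyS0.sock is constructed.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob to a Python regex (simplified subset)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # '**' crosses directory boundaries
            out.append(".*")
            i += 1
        elif c == "*":                    # '*' stays inside one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":                    # {a,b} alternation; {,x} makes x optional
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced braces in %r" % glob)
    return "".join(out)

def allowed(path, rules, want):
    """True if one rule matches path and grants every permission in want."""
    return any(set(want) <= set(perms)
               and re.fullmatch(aa_glob_to_regex(glob), path) is not None
               for glob, perms in rules)

# Rules quoted in the mail: the existing run-directory rule, then the proposed additions.
OLD_RULES = [("/{,var/}run/chrony/{,*}", "rw")]
NEW_RULES = OLD_RULES + [
    ("/etc/chrony.*", "r"),
    ("/{,var/}run/chrony.tty{,*}.sock", "rw"),
    ("/var/lib/samba/ntp_signd", "rw"),
]

if __name__ == "__main__":
    # First path is the man-page example from the mail; the others are constructed.
    for p in ["/var/run/chrony.ttyS0.sock", "/run/chrony/chronyd.pid",
              "/var/run/chrony.sock", "/etc/chrony.tempcomp"]:
        print(p, "old:", allowed(p, OLD_RULES, "rw"), "new:", allowed(p, NEW_RULES, "rw"))
```

The authoritative check remains loading the profile and watching for DENIED entries in the audit log; this sketch only makes the glob reasoning visible.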
