> # required for pps initialization
> capability dac_read_search,
> capability sys_time,
> /sys/devices/virtual/pps/ r,
> # to submit data to chrony
> ptrace read peer=/usr/sbin/chronyd,
> # for libusb
> /sys/devices/**/usb[0-9]*/** r,
> # triggered on fusercount, not strictly required and unsafe to allow
> # adding a denial rule silences the warnings
> deny ptrace read peer=unconfined,
I believe you said that dac_read_search was due to the /proc accesses that also trigger the ptrace rule. Perhaps it can also be suppressed? Either way, thanks for all the investigation! +1 for the rules as is.

If you aren't blocking dac_read_search, can you add what in the pps initialization needs it? E.g.:

    # required for pps initialization (foo() from bar.c traverses /proc)

or something?

-- 
https://bugs.launchpad.net/bugs/1872175
Title: gpsd unable to open chrony PPS socket
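The rules quoted above were derived from AppArmor denial messages logged while gpsd started. The following script is an added illustration of that derivation and is not part of the bug report, the gpsd package or the chrony package: it parses AppArmor audit lines and turns each DENIED event into a candidate profile rule, treating a ptrace request against an `unconfined` peer as something to deny rather than allow, as the quoted comment recommends. The log lines are constructed samples in the standard `type=1400 ... apparmor="DENIED"` format; the profile path, PIDs and timestamps are assumed.

```python
import re

# Constructed sample audit lines (kernel AppArmor format); not real log output.
SAMPLE_LOG = """\
audit: type=1400 audit(1586563200.101:201): apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=1201 comm="gpsd" capability=2  capname="dac_read_search"
audit: type=1400 audit(1586563200.102:202): apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=1201 comm="gpsd" capability=25  capname="sys_time"
audit: type=1400 audit(1586563200.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/gpsd" name="/sys/devices/virtual/pps/pps0/assert" pid=1201 comm="gpsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1586563200.104:204): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=1201 comm="gpsd" requested_mask="read" denied_mask="read" peer="/usr/sbin/chronyd"
audit: type=1400 audit(1586563200.105:205): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=1201 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(1586563200.106:206): apparmor="ALLOWED" operation="open" profile="/usr/sbin/gpsd" name="/dev/pps0" pid=1201 comm="gpsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Peers too broad to grant: the thread's advice is an explicit deny rule,
# which silences the log noise without widening the profile.
UNSAFE_PTRACE_PEERS = {"unconfined"}


def parse_line(line):
    """Return a dict of the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def suggest_rule(fields):
    """Map one DENIED event to a candidate profile rule; None for anything else."""
    if fields.get("apparmor") != "DENIED":
        return None
    op = fields.get("operation")
    if op == "capable":
        return f'capability {fields["capname"]},'
    if op == "ptrace":
        mask = fields.get("denied_mask", "read")
        peer = fields.get("peer", "")
        if peer in UNSAFE_PTRACE_PEERS:
            return f"deny ptrace {mask} peer={peer},"
        return f"ptrace {mask} peer={peer},"
    if "name" in fields and "denied_mask" in fields:
        # File access: emit the exact path; generalise by hand (e.g. to a
        # directory or glob rule) once you know what the program needs.
        return f'{fields["name"]} {fields["denied_mask"]},'
    return None


def suggest_rules(log_text, profile):
    """Unique candidate rules for `profile`, in first-seen order."""
    rules = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("profile") != profile:
            continue
        rule = suggest_rule(fields)
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, "/usr/sbin/gpsd"):
        print(rule)
```

Run against the constructed sample it prints the two capability rules, an exact-path read rule for the PPS sysfs file, the chronyd ptrace rule and a `deny ptrace read peer=unconfined,` line. The generated file rule is deliberately narrower than the quoted `/sys/devices/virtual/pps/ r,`: the tool reports what was actually touched, and the decision to widen it to a directory or glob, like the decision on whether dac_read_search can be suppressed instead of granted, stays with the person reviewing the profile.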
