In the meantime I also was able to track down that sys_ptrace was for 
fusercount.
So no adding that was ok, since it triggers only a few times (even seems to be 
only once per reboot). I'm not sure about adding a denial - it is not as 
log-filling as the other case was.

I further debugged for the dac_read_search as jdstrand asked for.
Yes it also is from the fusercnt search and can be dropped.

I tried various setups and got cases with up to 3x dac_read_search and 
3x sys_ptrace.
Sometimes it also triggers dac_override.
All of that belongs to fusercount and can be blocked without a functional 
drawback.



I further found that it will hit two more cap checks on a clean setup after 
reboot:

apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=8783
comm="gpsd" capability=16  capname="sys_module"

Those two are when gpsd starts and `pps_ldisc` isn't loaded yet.
Interestingly enough it is able to load it despite the denials.
That is because the kernel implicitly loads it on pps creation.
So we can deny the general capability to load/unload modules for the gpsd process 
and not lose functionality nor get the log filled every time.


Ok, so as the final result we have the following rules, which will have no log
filling denials and allow working with PPS devices just nicely (until we
find a very special other device that behaves differently).

1. flags
/usr/sbin/gpsd flags=(attach_disconnected) {


2. rules
 # required for pps initialization
 capability sys_time,
 /sys/devices/virtual/pps/ r,

 # to submit data to chrony
 ptrace read peer=/usr/sbin/chronyd,

 # for libusb
 /sys/devices/**/usb[0-9]*/** r,

 # triggered on fusercount, not strictly required and unsafe to allow
 # adding a denial rule silences the warnings
 deny ptrace read peer=unconfined,
 deny capability sys_ptrace,
 deny capability dac_read_search,
 deny capability dac_override,

 # gpsd tries to load pps_ldisc directly, but gpsd doesn't need
 # the general power of sys_module, pps_ldisc is auto-loaded
 # by the kernel when gpsd is creating the pps device
 deny capability sys_module,

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1872175

Title:
  gpsd unable to open chrony PPS socket

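As an added example (not code from the bug report or from the gpsd project), a small Python triage script that parses DENIED lines in the audit format quoted above and checks each one against the allow/deny decisions of the final rule set, so that any capability or ptrace peer the rules do not yet cover shows up as "unhandled" instead of being silenced by accident. The log lines, the sys_admin entry and the GPSD_RULES data structure are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines (not from the bug report), in the audit format quoted above.
# Capability numbers follow the kernel: 2=dac_read_search, 16=sys_module, 19=sys_ptrace, 25=sys_time.
SAMPLE_LOG = """\
apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" capability=16  capname="sys_module"
apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" capability=19  capname="sys_ptrace"
apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" capability=2  capname="dac_read_search"
apparmor="DENIED" operation="ptrace" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" requested_mask="read" denied_mask="read" peer="unconfined"
apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" capability=25  capname="sys_time"
apparmor="DENIED" operation="capable" profile="/usr/sbin/gpsd" pid=8783 comm="gpsd" capability=21  capname="sys_admin"
"""

# The decisions from the comment above, as data (constructed): allow what PPS and
# chrony need, deny (and thereby silence) what only the fuser-style lookup triggers.
GPSD_RULES = {
    "allow_capability": {"sys_time"},
    "deny_capability": {"sys_ptrace", "dac_read_search", "dac_override", "sys_module"},
    "allow_ptrace_peer": {"/usr/sbin/chronyd"},
    "deny_ptrace_peer": {"unconfined"},
}

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one audit line into a dict; quoted and bare values are both handled."""
    return {k: q if q is not None and q != "" or b == "" else b for k, q, b in KV_RE.findall(line)}


def classify(event, rules):
    """Return (target, verdict) for a DENIED event: 'allowed', 'silenced' or 'unhandled'."""
    op = event.get("operation")
    if op == "capable":
        target, allow, deny = event.get("capname"), rules["allow_capability"], rules["deny_capability"]
    elif op == "ptrace":
        target, allow, deny = event.get("peer"), rules["allow_ptrace_peer"], rules["deny_ptrace_peer"]
    else:
        return op, "unhandled"
    verdict = "allowed" if target in allow else "silenced" if target in deny else "unhandled"
    return f"{op}:{target}", verdict


def triage(log_text, rules=GPSD_RULES, profile="/usr/sbin/gpsd"):
    """Count DENIED events of one profile by (target, verdict); 'unhandled' ones still need a decision."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("apparmor") != "DENIED" or ev.get("profile") != profile:
            continue
        counts[classify(ev, rules)] += 1
    return counts


if __name__ == "__main__":
    for (target, verdict), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n}x {target:<28} -> {verdict}")
```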