** Description changed:
[ Impact ]
- * An explanation of the effects of the bug on users and
+ The chronyd apparmor profile was changed as a fix for bug #2032805 to
+ allow chronyd to read/write a linuxptp timemaster socket:
- * justification for backporting the fix to the stable release.
+ @{run}/timemaster/chrony.SOCK0 rw,
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ That works, but is limiting, as it allows only one PTP clock/interface
+ to be used. If another one is setup, the other socket will be blocked by
+ apparmor, because its name will be "chrony.SOCK1", and so on.
+
+ The fix is to simply expand the apparmor rule to allow for more socket
+ files:
+
+ @{run}/timemaster/chrony.SOCK[0-9]* rw,
[ Test Plan ]
- * detailed instructions how to reproduce the bug
+ * Launch a VM. For example:
- * these should allow someone who is not familiar with the affected
- package to reproduce the bug and verify that the updated package fixes
- the problem.
+ lxc launch ubuntu-daily:oracular o-ptp --vm
- * if other testing is appropriate to perform before landing this update,
- this should also be described here.
+ * Install chrony and linuxptp in the VM:
+
+ sudo apt update && sudo apt install chrony linuxptp -y
+
+ * stop chrony:
+
+ sudo systemctl stop chrony.service
+
+ * Create a config file for timemaster, replacing the interface name with
+ the one that exists in the VM:
+
+ /etc/linuxptp/minimal.conf:
+ [ptp_domain 0]
+ interfaces enp5s0
+
+ [ptp_domain 127]
+ interfaces enp5s0
+
+ * in one terminal, observe the output of "dmesg -wT | grep timemaster"
+
+ * in another terminal, run this command:
+
+ sudo timemaster -m -q -f /etc/linuxptp/minimal.conf
+
+
+ * In a system with the bug, the command will issue a "Fatal error" like this:
+
+ Fatal error : Could not open socket /var/run/timemaster/chrony.SOCK1
+
+ * At the same time, the system with the bug will also log this line in
+ the "dmesg -wT" terminal:
+
+ [Tue Jul 2 20:08:12 2024] audit: type=1400 audit(1719950892.125:129):
+ apparmor="DENIED" operation="mknod" class="file"
+ profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.SOCK1" pid=1942
+ comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
+
+ * In a fixed system, there will be no apparmor log in the "dmesg -wT"
+ terminal, and the "timemaster" command will run without errors, and
+ won't exit.
+
[ Where problems could occur ]
- * Think about what the upload changes in the software. Imagine the change is
- wrong or breaks something else: how would this show up?
+ * Think about what the upload changes in the software. Imagine the change is
+ wrong or breaks something else: how would this show up?
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
+ * It is assumed that any SRU candidate patch is well-tested before
+ upload and has a low overall risk of regression, but it's important
+ to make the effort to think about what ''could'' happen in the
+ event of a regression.
- * This must '''never''' be "None" or "Low", or entirely an argument as to why
- your upload is low risk.
+ * This must '''never''' be "None" or "Low", or entirely an argument as to why
+ your upload is low risk.
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ * This both shows the SRU team that the risks have been considered,
+ and provides guidance to testers in regression-testing the SRU.
[ Other Info ]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and
the Technical Board
- * and address these questions in advance
+
+ * Anything else you think is useful to include
+ * Anticipate questions from users, SRU, +1 maintenance, security teams and
the Technical Board
+ * and address these questions in advance
[ Original Description ]
-
- The fix for bug #2032805 allows chronyd to use one PTP clock/interface with
timemaster, but not more than one.
+ The fix for bug #2032805 allows chronyd to use one PTP clock/interface
+ with timemaster, but not more than one.
Steps to reproduce (config must contain valid network interface names):
$ cat > minimal_timemaster.conf
# List two separate interfaces, or two separate domains with the same
interface:
# [ptp_domain 0]
# interfaces ens1f0np0
[ptp_domain 127]
interfaces ens1f0np0 ens1f1np1
$ sudo timemaster -m -q -f minimal_timemaster.conf
timemaster[533042.285]: process 2755518 started: chronyd -n -f
/var/run/timemaster/chrony.conf
timemaster[533042.285]: process 2755520 started: phc2sys -l 5 -a -r -R 1.00
-z /var/run/timemaster/ptp4l.0.socket -t [127:ens1f0np0] -n 127 -E
refclock_sock --refclock_sock_address /var/run/timemaster/chrony.SOCK0
timemaster[533042.286]: process 2755522 started: phc2sys -l 5 -a -r -R 1.00
-z /var/run/timemaster/ptp4l.1.socket -t [127:ens1f1np1] -n 127 -E
refclock_sock --refclock_sock_address /var/run/timemaster/chrony.SOCK1
Fatal error : Could not open socket /var/run/timemaster/chrony.SOCK1
...
Quickfix:
sudo sed -i 's|@{run}/timemaster/chrony.SOCK0
rw,|@{run}/timemaster/chrony.SOCK[0-9]* rw,|' /etc/apparmor.d/usr.sbin.chronyd
sudo systemctl reload apparmor
Expected output:
The timemaster command continues to run until pressing CTRL+C
$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04
chrony:
Installed: 4.5-1ubuntu4
Candidate: 4.5-1ubuntu4
linuxptp:
Installed: 4.0-1ubuntu1
Candidate: 4.0-1ubuntu1
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: linuxptp 4.0-1ubuntu1
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
NonfreeKernelModules: tsoffload linkout
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
Date: Wed Jun 5 21:53:26 2024
Dependencies:
gcc-14-base 14-20240412-0ubuntu1
libc6 2.39-0ubuntu8.2
libgcc-s1 14-20240412-0ubuntu1
libidn2-0 2.3.7-2build1
libunistring5 1.1-2build1
InstallationDate: Installed on 2024-05-14 (22 days ago)
InstallationMedia: Ubuntu-Server 24.04 LTS "Noble Numbat" - Release amd64
(20240423)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: linuxptp
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.linuxptp.timemaster.conf: [modified]
mtime.conffile..etc.linuxptp.timemaster.conf: 2024-06-05T19:08:29.036254
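Review bot: the [ Where problems could occur ] and [ Other Info ] sections are still the SRU template placeholders (the `+` lines re-adding "Think about what the upload changes in the software...", "This must '''never''' be "None" or "Low"..." and "Anything else you think is useful to include"), so this revision contains no regression analysis for the widened AppArmor rule; replace that text with an assessment of what a wrong or broader-than-intended `chrony.SOCK[0-9]*` rule would look like before the description is treated as complete.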
** Description changed:
[ Impact ]
The chronyd apparmor profile was changed as a fix for bug #2032805 to
allow chronyd to read/write a linuxptp timemaster socket:
- @{run}/timemaster/chrony.SOCK0 rw,
+ @{run}/timemaster/chrony.SOCK0 rw,
That works, but is limiting, as it allows only one PTP clock/interface
to be used. If another one is setup, the other socket will be blocked by
apparmor, because its name will be "chrony.SOCK1", and so on.
The fix is to simply expand the apparmor rule to allow for more socket
files:
- @{run}/timemaster/chrony.SOCK[0-9]* rw,
+ @{run}/timemaster/chrony.SOCK[0-9]* rw,
[ Test Plan ]
* Launch a VM. For example:
- lxc launch ubuntu-daily:oracular o-ptp --vm
+ lxc launch ubuntu-daily:oracular o-ptp --vm
* Install chrony and linuxptp in the VM:
- sudo apt update && sudo apt install chrony linuxptp -y
+ sudo apt update && sudo apt install chrony linuxptp -y
* stop chrony:
- sudo systemctl stop chrony.service
+ sudo systemctl stop chrony.service
* Create a config file for timemaster, replacing the interface name with
the one that exists in the VM:
- /etc/linuxptp/minimal.conf:
- [ptp_domain 0]
- interfaces enp5s0
+ /etc/linuxptp/minimal.conf:
+ [ptp_domain 0]
+ interfaces enp5s0
- [ptp_domain 127]
- interfaces enp5s0
+ [ptp_domain 127]
+ interfaces enp5s0
* in one terminal, observe the output of "dmesg -wT | grep timemaster"
* in another terminal, run this command:
- sudo timemaster -m -q -f /etc/linuxptp/minimal.conf
+ sudo timemaster -m -q -f /etc/linuxptp/minimal.conf
+ * In a system with the bug, the command will issue a "Fatal error" like
+ this:
- * In a system with the bug, the command will issue a "Fatal error" like this:
-
- Fatal error : Could not open socket /var/run/timemaster/chrony.SOCK1
+ Fatal error : Could not open socket /var/run/timemaster/chrony.SOCK1
* At the same time, the system with the bug will also log this line in
the "dmesg -wT" terminal:
- [Tue Jul 2 20:08:12 2024] audit: type=1400 audit(1719950892.125:129):
+ [Tue Jul 2 20:08:12 2024] audit: type=1400 audit(1719950892.125:129):
apparmor="DENIED" operation="mknod" class="file"
profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.SOCK1" pid=1942
comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
* In a fixed system, there will be no apparmor log in the "dmesg -wT"
terminal, and the "timemaster" command will run without errors, and
won't exit.
-
[ Where problems could occur ]
- * Think about what the upload changes in the software. Imagine the change is
- wrong or breaks something else: how would this show up?
+ This is expanding an existing apparmor rule with the globbing rules
+ chrony.SOCK[0-9]* which will match not only the original SOCK0
+ extension, but many more with a numerical suffix. That is not blocking
+ more patterns, not less, and the original one is included in the
+ globbing.
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
-
- * This must '''never''' be "None" or "Low", or entirely an argument as to why
- your upload is low risk.
-
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ There is risk in a syntax error in the apparmor profile, which would
+ prevent it from loading at runtime. This should be detected if the test
+ plan is followed.
[ Other Info ]
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and
the Technical Board
- * and address these questions in advance
+ Not at this time.
+
[ Original Description ]
The fix for bug #2032805 allows chronyd to use one PTP clock/interface
with timemaster, but not more than one.
Steps to reproduce (config must contain valid network interface names):
$ cat > minimal_timemaster.conf
# List two separate interfaces, or two separate domains with the same
interface:
# [ptp_domain 0]
# interfaces ens1f0np0
[ptp_domain 127]
interfaces ens1f0np0 ens1f1np1
$ sudo timemaster -m -q -f minimal_timemaster.conf
timemaster[533042.285]: process 2755518 started: chronyd -n -f
/var/run/timemaster/chrony.conf
timemaster[533042.285]: process 2755520 started: phc2sys -l 5 -a -r -R 1.00
-z /var/run/timemaster/ptp4l.0.socket -t [127:ens1f0np0] -n 127 -E
refclock_sock --refclock_sock_address /var/run/timemaster/chrony.SOCK0
timemaster[533042.286]: process 2755522 started: phc2sys -l 5 -a -r -R 1.00
-z /var/run/timemaster/ptp4l.1.socket -t [127:ens1f1np1] -n 127 -E
refclock_sock --refclock_sock_address /var/run/timemaster/chrony.SOCK1
Fatal error : Could not open socket /var/run/timemaster/chrony.SOCK1
...
Quickfix:
sudo sed -i 's|@{run}/timemaster/chrony.SOCK0
rw,|@{run}/timemaster/chrony.SOCK[0-9]* rw,|' /etc/apparmor.d/usr.sbin.chronyd
sudo systemctl reload apparmor
Expected output:
The timemaster command continues to run until pressing CTRL+C
$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04
chrony:
Installed: 4.5-1ubuntu4
Candidate: 4.5-1ubuntu4
linuxptp:
Installed: 4.0-1ubuntu1
Candidate: 4.0-1ubuntu1
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: linuxptp 4.0-1ubuntu1
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
NonfreeKernelModules: tsoffload linkout
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
Date: Wed Jun 5 21:53:26 2024
Dependencies:
gcc-14-base 14-20240412-0ubuntu1
libc6 2.39-0ubuntu8.2
libgcc-s1 14-20240412-0ubuntu1
libidn2-0 2.3.7-2build1
libunistring5 1.1-2build1
InstallationDate: Installed on 2024-05-14 (22 days ago)
InstallationMedia: Ubuntu-Server 24.04 LTS "Noble Numbat" - Release amd64
(20240423)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: linuxptp
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.linuxptp.timemaster.conf: [modified]
mtime.conffile..etc.linuxptp.timemaster.conf: 2024-06-05T19:08:29.036254
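Review bot: in [ Where problems could occur ], the sentence "That is not blocking more patterns, not less, and the original one is included in the globbing" reads inverted; the intended point appears to be that the new rule allows more paths, not fewer, with the original chrony.SOCK0 still covered. The same paragraph describes `chrony.SOCK[0-9]*` as matching names "with a numerical suffix", but in AppArmor globbing `*` matches any run of characters other than `/`, so the rule also admits names such as chrony.SOCK1.bak; either state that the broader match is acceptable because it stays inside @{run}/timemaster/, or narrow the rule to one `[0-9]` character class per expected digit instead of `*`.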
** Description changed:
[ Impact ]
The chronyd apparmor profile was changed as a fix for bug #2032805 to
allow chronyd to read/write a linuxptp timemaster socket:
@{run}/timemaster/chrony.SOCK0 rw,
That works, but is limiting, as it allows only one PTP clock/interface
to be used. If another one is setup, the other socket will be blocked by
apparmor, because its name will be "chrony.SOCK1", and so on.
The fix is to simply expand the apparmor rule to allow for more socket
files:
@{run}/timemaster/chrony.SOCK[0-9]* rw,
[ Test Plan ]
* Launch a VM. For example:
- lxc launch ubuntu-daily:oracular o-ptp --vm
+ lxc launch ubuntu-daily:noble n-ptp --vm
* Install chrony and linuxptp in the VM:
sudo apt update && sudo apt install chrony linuxptp -y
* stop chrony:
sudo systemctl stop chrony.service
* Create a config file for timemaster, replacing the interface name with
the one that exists in the VM:
/etc/linuxptp/minimal.conf:
[ptp_domain 0]
interfaces enp5s0
[ptp_domain 127]
interfaces enp5s0
* in one terminal, observe the output of "dmesg -wT | grep timemaster"
* in another terminal, run this command:
sudo timemaster -m -q -f /etc/linuxptp/minimal.conf
* In a system with the bug, the command will issue a "Fatal error" like
this:
Fatal error : Could not open socket /var/run/timemaster/chrony.SOCK1
* At the same time, the system with the bug will also log this line in
the "dmesg -wT" terminal:
[Tue Jul 2 20:08:12 2024] audit: type=1400 audit(1719950892.125:129):
apparmor="DENIED" operation="mknod" class="file"
profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.SOCK1" pid=1942
comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
* In a fixed system, there will be no apparmor log in the "dmesg -wT"
terminal, and the "timemaster" command will run without errors, and
won't exit.
[ Where problems could occur ]
This is expanding an existing apparmor rule with the globbing rules
chrony.SOCK[0-9]* which will match not only the original SOCK0
extension, but many more with a numerical suffix. That is not blocking
more patterns, not less, and the original one is included in the
globbing.
There is risk in a syntax error in the apparmor profile, which would
prevent it from loading at runtime. This should be detected if the test
plan is followed.
[ Other Info ]
Not at this time.
-
[ Original Description ]
The fix for bug #2032805 allows chronyd to use one PTP clock/interface
with timemaster, but not more than one.
Steps to reproduce (config must contain valid network interface names):
$ cat > minimal_timemaster.conf
# List two separate interfaces, or two separate domains with the same
interface:
# [ptp_domain 0]
# interfaces ens1f0np0
[ptp_domain 127]
interfaces ens1f0np0 ens1f1np1
$ sudo timemaster -m -q -f minimal_timemaster.conf
timemaster[533042.285]: process 2755518 started: chronyd -n -f
/var/run/timemaster/chrony.conf
timemaster[533042.285]: process 2755520 started: phc2sys -l 5 -a -r -R 1.00
-z /var/run/timemaster/ptp4l.0.socket -t [127:ens1f0np0] -n 127 -E
refclock_sock --refclock_sock_address /var/run/timemaster/chrony.SOCK0
timemaster[533042.286]: process 2755522 started: phc2sys -l 5 -a -r -R 1.00
-z /var/run/timemaster/ptp4l.1.socket -t [127:ens1f1np1] -n 127 -E
refclock_sock --refclock_sock_address /var/run/timemaster/chrony.SOCK1
Fatal error : Could not open socket /var/run/timemaster/chrony.SOCK1
...
Quickfix:
sudo sed -i 's|@{run}/timemaster/chrony.SOCK0
rw,|@{run}/timemaster/chrony.SOCK[0-9]* rw,|' /etc/apparmor.d/usr.sbin.chronyd
sudo systemctl reload apparmor
Expected output:
The timemaster command continues to run until pressing CTRL+C
$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04
chrony:
Installed: 4.5-1ubuntu4
Candidate: 4.5-1ubuntu4
linuxptp:
Installed: 4.0-1ubuntu1
Candidate: 4.0-1ubuntu1
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: linuxptp 4.0-1ubuntu1
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
NonfreeKernelModules: tsoffload linkout
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
Date: Wed Jun 5 21:53:26 2024
Dependencies:
gcc-14-base 14-20240412-0ubuntu1
libc6 2.39-0ubuntu8.2
libgcc-s1 14-20240412-0ubuntu1
libidn2-0 2.3.7-2build1
libunistring5 1.1-2build1
InstallationDate: Installed on 2024-05-14 (22 days ago)
InstallationMedia: Ubuntu-Server 24.04 LTS "Noble Numbat" - Release amd64
(20240423)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: linuxptp
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.linuxptp.timemaster.conf: [modified]
mtime.conffile..etc.linuxptp.timemaster.conf: 2024-06-05T19:08:29.036254
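Review bot: the test plan still has no step that installs the fixed chrony package (for example from noble-proposed) between the "Fatal error" observation and the "In a fixed system" check, so a verifier cannot tell where the package under test enters; since the VM image is now ubuntu-daily:noble, which matches the lsb_release output below (Ubuntu 24.04), add that step targeting the noble package.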
** Merge proposal linked:
https://code.launchpad.net/~git-ubuntu-import/ubuntu/+source/chrony/+git/chrony/+merge/468625
https://bugs.launchpad.net/bugs/2068526
Title:
apparmor blocks using more than one timemaster clock with chrony