Hi Jamie,

On Mon, Jan 22, 2018 at 02:17:26PM -0600, Jamie Strandboge wrote:
Package: chrony
Version: 3.2-1
Severity: wishlist
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu bionic ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * add AppArmor profile for /usr/sbin/chronyd:
    - add debian/usr.sbin.chronyd AppArmor profile
    - debian/control: Build-Depends on dh-apparmor
    - debian/dirs: create etc/apparmor.d/force-complain
    - debian/install: install debian/usr.sbin.chronyd
    - debian/preinst: force-complain on upgrade before this version
    - debian/rules: install apparmor profile with dh_apparmor

Thanks for considering the patch. For Debian, what you would need to do is update the version in preinst to the version which ships the AppArmor profile.
Awesome!

Note that I was working on a chronyd AppArmor profile for Debian, so please see my review below.
diff -Nru chrony-3.2/debian/usr.sbin.chronyd chrony-3.2/debian/usr.sbin.chronyd --- chrony-3.2/debian/usr.sbin.chronyd 1969-12-31 18:00:00.000000000 -0600+++ chrony-3.2/debian/usr.sbin.chronyd 2018-01-20 03:20:00.000000000 -0600 @@ -0,0 +1,39 @@ +# Last Modified: Sat Jan 20 10:45:05 2018 +#include <tunables/global>
+#include <tunables/sys>
We will need this until #871441¹ and #1728551² are fixed to support the “tempcomp” directive. See the attached diff for details.
+ +/usr/sbin/chronyd (attach_disconnected) { + #include <abstractions/base> + #include <abstractions/nameservice> + + capability sys_time, + capability net_bind_service, + capability setuid, + capability setgid,
+ capability sys_nice, + capability sys_resource,
The first one is needed to support chronyd's “-P” option; the second one is needed to have the ability to lock chronyd into RAM.
+ + /usr/sbin/chronyd mr, + + /etc/chrony/{,**} r, + /run/chronyd.pid w, + /run/chrony/{,*} rw,
I think we should prefix /run/* paths by /{,var/} to make our profile easier to port to other distros as some of them have yet to migrate from /var/run to /run.
+ /var/lib/chrony/{,*} r, + /var/lib/chrony/* w, + /var/log/chrony/{,*} r, + /var/log/chrony/* w, + + # rtc + /etc/adjtime r, + /dev/rtc{,[0-9]*} r, + + # gps devices + /dev/pps[0-9]* r, + /dev/ptp[0-9]* r, + + # For use with clocks that report via shared memory (e.g. gpsd), + # you may need to give ntpd access to all of shared memory, though + # this can be considered dangerous. See https://launchpad.net/bugs/722815 + # for details. To enable, add this to local/usr.sbin.chronyd: + # capability ipc_owner, + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.sbin.chronyd> +}
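Review bot: the comment block above the commented-out `# capability ipc_owner,` line still says "give ntpd access to all of shared memory", but this is the chronyd profile, so reword it to chronyd before shipping; keep the warning itself, since ipc_owner lets the process bypass ownership checks on every SysV IPC object on the host, not only the gpsd shared-memory segment.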
Thanks again,
Vincent

¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871441
² https://bugs.launchpad.net/apparmor/+bug/1728551
--- apparmor_profile_ubuntu 2018-01-22 22:10:51.389465887 +0100 +++ apparmor_profile_debian 2018-01-22 22:21:06.988700530 +0100 @@ -1,5 +1,6 @@ # Last Modified: Sat Jan 20 10:45:05 2018 #include <tunables/global> +#include <tunables/sys> /usr/sbin/chronyd (attach_disconnected) { #include <abstractions/base> @@ -9,17 +10,24 @@ capability net_bind_service, capability setuid, capability setgid, + capability sys_nice, + capability sys_resource, /usr/sbin/chronyd mr, /etc/chrony/{,**} r, - /run/chronyd.pid w, - /run/chrony/{,*} rw, + /{,var/}/run/chronyd.pid w, + /{,var/}/run/chrony/{,*} rw, /var/lib/chrony/{,*} r, /var/lib/chrony/* w, /var/log/chrony/{,*} r, /var/log/chrony/* w, + # Using the “tempcomp” directive gives chronyd the ability to improve + # the stability and accuracy of the clock by compensating the temperature + # changes measured by a sensor close to the oscillator. + @{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r, + # rtc /etc/adjtime r, /dev/rtc{,[0-9]*} r,
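Review bot: in the second hunk, `/{,var/}/run/chronyd.pid w,` and `/{,var/}/run/chrony/{,*} rw,` keep a slash after the brace group, so the two alternatives expand to `//run/...` and `/var//run/...` and neither matches the real path the kernel presents; write them as `/{,var/}run/chronyd.pid w,` and `/{,var/}run/chrony/{,*} rw,`, the spelling the AppArmor abstractions use for this alternation.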
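The advice above to write /run paths as /{,var/} alternations, and the slash placement in the attached diff, can be checked mechanically. The following script is an added example, not code from this bug report or from the chrony package: it expands AppArmor brace alternations in path rules, flags /run rules that have no /var/run counterpart, and flags alternations whose expansion contains a double slash. The profile fragment it checks is constructed from rules quoted in this thread.

```python
import re

# Constructed profile fragment built from rules quoted in this thread; the
# third rule reproduces the "/{,var/}/run/" spelling from the attached diff.
SAMPLE_PROFILE = """\
  /usr/sbin/chronyd mr,
  /run/chronyd.pid w,
  /{,var/}/run/chrony/{,*} rw,
  /{,var/}run/chrony/{,*} rw,
  /var/lib/chrony/{,*} r,
"""

# A path rule: absolute path pattern, permission letters, trailing comma.
RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),\s*$")
GROUP_RE = re.compile(r"\{([^{}]*)\}")


def expand_braces(pattern):
    """Expand AppArmor {a,b} alternations into every concrete path.
    The innermost group is expanded first, so nested groups work by recursion."""
    m = GROUP_RE.search(pattern)
    if m is None:
        return [pattern]
    expansions = []
    for alternative in m.group(1).split(","):
        rewritten = pattern[: m.start()] + alternative + pattern[m.end():]
        expansions.extend(expand_braces(rewritten))
    return expansions


def check_profile(text):
    """Return (line number, finding, pattern) tuples for problematic rules."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m is None:
            continue  # include, capability, comment or brace line: skip
        pattern = m.group(1)
        paths = expand_braces(pattern)
        # A kernel-supplied path never contains "//", so this expansion is dead.
        if any("//" in p for p in paths):
            findings.append((lineno, "double-slash", pattern))
        # A /run rule should also cover /var/run on distros not yet migrated.
        has_run = any(p.startswith("/run/") for p in paths)
        has_var_run = any(p.startswith("/var/run/") for p in paths)
        if has_run and not has_var_run:
            findings.append((lineno, "run-only", pattern))
    return findings


if __name__ == "__main__":
    for lineno, finding, pattern in check_profile(SAMPLE_PROFILE):
        print(f"line {lineno}: {finding}: {pattern}")
```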