Hi Jamie,

On Mon, Jan 22, 2018 at 02:17:26PM -0600, Jamie Strandboge wrote:
Package: chrony
Version: 3.2-1
Severity: wishlist
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu bionic ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

 * add AppArmor profile for /usr/sbin/chronyd:
   - add debian/usr.sbin.chronyd AppArmor profile
   - debian/control: Build-Depends on dh-apparmor
   - debian/dirs: create etc/apparmor.d/force-complain
   - debian/install: install debian/usr.sbin.chronyd
   - debian/preinst: force-complain on upgrade before this version
   - debian/rules: install apparmor profile with dh_apparmor

Thanks for considering the patch. For Debian, all you would need to do is update
the version in preinst to the version which ships the AppArmor profile.

Awesome!
Note that I was working on a chronyd AppArmor profile for Debian, so please see my review below.

diff -Nru chrony-3.2/debian/usr.sbin.chronyd chrony-3.2/debian/usr.sbin.chronyd --- chrony-3.2/debian/usr.sbin.chronyd 1969-12-31 18:00:00.000000000 -0600
+++ chrony-3.2/debian/usr.sbin.chronyd  2018-01-20 03:20:00.000000000 -0600
@@ -0,0 +1,39 @@
+# Last Modified: Sat Jan 20 10:45:05 2018
+#include <tunables/global>

+#include <tunables/sys>

We will need this until #871441¹ and #1728551² are fixed to support the “tempcomp” directive. See the attached diff for details.

+
+/usr/sbin/chronyd (attach_disconnected) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability sys_time,
+  capability net_bind_service,
+  capability setuid,
+  capability setgid,

+  capability sys_nice,
+  capability sys_resource,

The first one is needed to support chronyd's “-P” option; the second one is needed to have the ability to lock chronyd into RAM.

+
+  /usr/sbin/chronyd mr,
+
+  /etc/chrony/{,**} r,
+  /run/chronyd.pid w,
+  /run/chrony/{,*} rw,

I think we should prefix /run/* paths by /{,var/} to make our profile easier to port to other distros as some of them have yet to migrate from /var/run to /run.

+  /var/lib/chrony/{,*} r,
+  /var/lib/chrony/* w,
+  /var/log/chrony/{,*} r,
+  /var/log/chrony/* w,
+
+  # rtc
+  /etc/adjtime r,
+  /dev/rtc{,[0-9]*} r,
+
+  # gps devices
+  /dev/pps[0-9]* r,
+  /dev/ptp[0-9]* r,
+
+  # For use with clocks that report via shared memory (e.g. gpsd),
+  # you may need to give ntpd access to all of shared memory, though
+  # this can be considered dangerous. See https://launchpad.net/bugs/722815
+  # for details. To enable, add this to local/usr.sbin.chronyd:
+  #     capability ipc_owner,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.chronyd>
+}
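Review bot: the comment block above the commented-out `capability ipc_owner,` line still says "you may need to give ntpd access to all of shared memory" although this profile confines /usr/sbin/chronyd; it reads as carried over from the ntpd profile, so "ntpd" should become "chronyd" there so that an administrator editing local/usr.sbin.chronyd is not left wondering which daemon the note is about. The rest of the block (pointing to the Launchpad bug and keeping the capability out of the default profile) is the right shape for such an opt-in.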

Thanks again,
Vincent


¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871441
² https://bugs.launchpad.net/apparmor/+bug/1728551
--- apparmor_profile_ubuntu	2018-01-22 22:10:51.389465887 +0100
+++ apparmor_profile_debian	2018-01-22 22:21:06.988700530 +0100
@@ -1,5 +1,6 @@
 # Last Modified: Sat Jan 20 10:45:05 2018
 #include <tunables/global>
+#include <tunables/sys>
 
 /usr/sbin/chronyd (attach_disconnected) {
   #include <abstractions/base>
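Review bot: `#include <tunables/sys>` is added with no comment in the profile saying why it is needed; the rationale (the `@{sys}` reference for the tempcomp hwmon rule, pending #871441 and #1728551) only exists in the mail body. Add a one-line comment above the include naming those two bugs, so whoever later touches the profile knows when the include can be revisited.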
@@ -9,17 +10,24 @@
   capability net_bind_service,
   capability setuid,
   capability setgid,
+  capability sys_nice,
+  capability sys_resource,
 
   /usr/sbin/chronyd mr,
 
   /etc/chrony/{,**} r,
-  /run/chronyd.pid w,
-  /run/chrony/{,*} rw,
+  /{,var/}/run/chronyd.pid w,
+  /{,var/}/run/chrony/{,*} rw,
   /var/lib/chrony/{,*} r,
   /var/lib/chrony/* w,
   /var/log/chrony/{,*} r,
   /var/log/chrony/* w,
 
+  # Using the “tempcomp” directive gives chronyd the ability to improve
+  # the stability and accuracy of the clock by compensating the temperature
+  # changes measured by a sensor close to the oscillator.
+  @{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r,
+
   # rtc
   /etc/adjtime r,
   /dev/rtc{,[0-9]*} r,
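Review bot: the two replacement lines `+  /{,var/}/run/chronyd.pid w,` and `+  /{,var/}/run/chrony/{,*} rw,` keep a `/` after the brace group, so the alternation expands to `//run/...` and `/var//run/...`, neither of which is a canonical path; the idiom used in other AppArmor profiles is `/{,var/}run/chronyd.pid w,` and `/{,var/}run/chrony/{,*} rw,` with no slash between `}` and `run`. Separately, `capability sys_nice,` and `capability sys_resource,` land without the explanation given in the mail (the `-P` option and locking chronyd into RAM); a short comment above them, like the one added for the tempcomp rule, would keep that rationale with the profile.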

Attachment: signature.asc
Description: PGP signature
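As an added check (not code from the patch, from chrony or from AppArmor), a small Python model of AppArmor path globbing that reports which permissions the profile's path rules grant on a given canonical path, using the `/{,var/}run/` prefix form suggested in the review; the `@{sys}` value and the glob semantics are a simplified assumption of what apparmor_parser does, not the parser itself.

```python
import re

TUNABLES = {"@{sys}": "/sys/"}  # constructed stand-in for tunables/sys (assumed value)

# Path rules from the chronyd profile discussed above, with the /{,var/}run/ prefix form.
PROFILE_RULES = [
    ("/etc/chrony/{,**}", "r"),
    ("/{,var/}run/chronyd.pid", "w"),
    ("/{,var/}run/chrony/{,*}", "rw"),
    ("/var/lib/chrony/{,*}", "r"),
    ("/var/lib/chrony/*", "w"),
    ("@{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input", "r"),
    ("/dev/rtc{,[0-9]*}", "r"),
]

def expand_tunables(rule):
    """Substitute @{var} tunables and collapse the '//' a trailing slash leaves."""
    for name, value in TUNABLES.items():
        rule = rule.replace(name, value)
    return re.sub(r"/{2,}", "/", rule)

def glob_to_regex(glob):
    """Simplified model of AppArmor globbing: * stays in one path component, ** also
    crosses '/', {a,b} alternates (commas assumed only inside braces), [..] is a class;
    * or ** right after '/' must eat one character, hence the /dir/{,*} idiom."""
    out, i = [], 0
    while i < len(glob):
        c, after_slash = glob[i], i > 0 and glob[i - 1] == "/"
        if glob.startswith("**", i):
            out.append("[^/].*" if after_slash else ".*")
            i += 2
        elif c == "*":
            out.append("[^/]+" if after_slash else "[^/]*")
            i += 1
        elif c == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j + 1
        else:
            out.append({"{": "(?:", ",": "|", "}": ")"}.get(c, re.escape(c)))
            i += 1
    return "".join(out)

def rule_matches(glob, path):
    """True if a file rule's glob covers the given canonical (single-slash) path."""
    return re.fullmatch(glob_to_regex(expand_tunables(glob)), path) is not None

def permissions_for(path, rules=PROFILE_RULES):
    """Union of permission letters the rules grant on one path ('' if none)."""
    return "".join(sorted({p for g, perms in rules if rule_matches(g, path) for p in perms}))
```

Feeding the paths chronyd actually touches (its pid file, socket directory, drift file, hwmon sensor) through `permissions_for` shows where the profile would deny access before it is enforced.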
