Hello Matt, On 2020-09-15T23:11-0400, Matt Corallo wrote:
Package: chrony
Version: 3.4-4

Current apparmor profile for chrony lists @{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r, which is great (and even how I have mine configured - tempcomp /sys/class/hwmon/hwmon0/temp1_input 1 0 0 0 0) but it doesn't actually work. It results in lots of log lines like

Sep 15 23:06:37 gw.as397444.net audit[24397]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Sep 15 23:06:37 gw.as397444.net chronyd[24397]: Could not read temperature from /sys/class/hwmon/hwmon0/temp1_input
Sep 15 23:06:37 gw.as397444.net kernel: audit: type=1400 audit(1600225597.313:127): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Indeed, same behaviour here. AFAIR, when I wrote the aforementioned rule, it was sufficient for the proper functioning of the “tempcomp” directive, so this might be related to some changes in the kernel.
Looks like somehow apparmor is resolving the file to a different path, checking, and then failing it. An extra line like the following fixes it:

@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp[0-9]*_input r,
Looks good!
Matt
Cheers, Vincent
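An added example, not part of the bug thread or of the chrony package: a small Python helper that reads AppArmor AVC "DENIED" lines from the journal, extracts the path the kernel actually checked (the resolved /sys/devices/... path rather than the /sys/class/... symlink chrony was given), and prints a candidate profile rule in the same style as the fix above, with the /sys prefix replaced by @{sys} and digit runs generalized to [0-9]*. The sample log line is constructed from the report above; the digit generalization is a convenience mirroring that rule, not something AppArmor requires.

```python
import re

# Constructed sample: the chronyd denial quoted in the bug report.
AUDIT_LINE = (
    'audit[24397]: AVC apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/chronyd" '
    'name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" '
    'pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0'
)

# AppArmor audit records quote their string fields as key="value".
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denial(line):
    """Return the quoted fields of an AVC line, or None unless it is a DENIED event."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def suggest_rule(path, mask):
    """Build a profile rule for the kernel-resolved path.

    The /sys prefix becomes the @{sys} variable used by the existing chrony
    profile, and every run of digits becomes [0-9]* so a single rule covers
    any thermal zone, hwmon device and sensor index.
    """
    if path.startswith("/sys/"):
        path = "@{sys}" + path[len("/sys"):]
    pattern = re.sub(r"[0-9]+", "[0-9]*", path)
    return f"{pattern} {mask},"


def rules_from_log(lines):
    """Map each distinct (profile, path, mask) denial to one suggested rule."""
    rules = {}
    for line in lines:
        fields = parse_denial(line)
        if fields is None:
            continue
        key = (fields["profile"], fields["name"], fields["denied_mask"])
        rules.setdefault(key, suggest_rule(fields["name"], fields["denied_mask"]))
    return rules


if __name__ == "__main__":
    for (profile, _, _), rule in rules_from_log([AUDIT_LINE]).items():
        print(f"{profile}: {rule}")
```

Feeding it `journalctl -k | grep 'apparmor="DENIED"'` output reproduces the extra line from the report; review each suggestion against the profile before adding it, since the denial names only the path, not whether the program should have it.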