Bug#970421: apparmor limit blocks temperature reading

2020-09-16 Thread Vincent Blut

Hello Matt,

On 2020-09-15T23:11-0400, Matt Corallo wrote:

> Package: chrony
> Version: 3.4-4
>
> Current apparmor profile for chrony lists
> @{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r,
>
> which is great (and even how I have mine configured -
> tempcomp /sys/class/hwmon/hwmon0/temp1_input 1 0 0 0 0) but it doesn't actually
> work. It results in lots of log lines like
>
> Sep 15 23:06:37 gw.as397444.net audit[24397]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
>
> Sep 15 23:06:37 gw.as397444.net chronyd[24397]: Could not read temperature from /sys/class/hwmon/hwmon0/temp1_input
> Sep 15 23:06:37 gw.as397444.net kernel: audit: type=1400 audit(1600225597.313:127): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0

Indeed, same behaviour here. AFAIR, when I wrote the aforementioned
rule, it was sufficient for the proper functioning of the “tempcomp”
directive, so this might be related to some changes in the kernel.

> Looks like somehow apparmor is resolving the file to a different path,
> checking, and then failing it.
>
> An extra line like the following fixes it:
> @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp[0-9]*_input r,

Looks good!

> Matt


Cheers,
Vincent


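The behaviour Matt describes is AppArmor working as designed: /sys/class/hwmon/hwmon0 is a symlink, the kernel resolves it before the LSM hook runs, and AppArmor mediates the resolved path, which is why the audit record names /sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input rather than the path written in chrony.conf. The script below is an added example, not code from the bug report, chrony or Debian. It parses the audit lines quoted above, checks each denied path against the profile's file rules using AppArmor glob semantics (`*` stays within one path component, `**` crosses components, `?` is one character, `[...]` is a class, `{a,b}` is alternation) and proposes a generalised rule in the style of the existing one. It assumes the stock tunable `@{sys}=/sys/` from tunables/kernelvars; the function names and the digit-to-`[0-9]*` generalisation are this example's own choices.

```python
import os
import re

# Added example, not chrony's or Debian's code. AppArmor mediates the path the
# kernel resolves for the opened file, so a rule naming the /sys/class/hwmon
# symlink does not cover the /sys/devices/... target it points at.

# Assumption: stock tunables/kernelvars defines @{sys}=/sys/ and the parser
# collapses the doubled slash that variable expansion produces.
VARIABLES = {"sys": "/sys/", "PROC": "/proc/"}

# Rule path already in the chrony profile, and the one the report adds.
PROFILE_RULES = ["@{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input"]
FIX_RULE = "@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp[0-9]*_input"

# The three log lines quoted in the bug report (audit daemon, chronyd, kernel).
SAMPLE_LOG = [
    'Sep 15 23:06:37 gw.as397444.net audit[24397]: AVC apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/chronyd" name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" '
    'pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0',
    'Sep 15 23:06:37 gw.as397444.net chronyd[24397]: Could not read temperature from '
    '/sys/class/hwmon/hwmon0/temp1_input',
    'Sep 15 23:06:37 gw.as397444.net kernel: audit: type=1400 audit(1600225597.313:127): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" '
    'name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" pid=24397 '
    'comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit record as a dict, else None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}


def expand_variables(path):
    """Substitute @{name} tunables and collapse the // that expansion leaves."""
    def repl(m):
        if m.group(1) not in VARIABLES:
            raise ValueError("unknown AppArmor variable @{%s}" % m.group(1))
        return VARIABLES[m.group(1)]
    return re.sub(r"/{2,}", "/", re.sub(r"@\{(\w+)\}", repl, path))


def _split_alternatives(body):
    """Split the inside of {a,b,{c,d}} on top-level commas only."""
    alts, depth, cur = [], 0, []
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == "," and depth == 0:
            alts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    alts.append("".join(cur))
    return alts


def _translate(pattern):
    """AppArmor glob -> regex: * stays in one component, ** crosses /, ? is one char."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            double = pattern.startswith("**", i)
            out.append(".*" if double else "[^/]*")
            i += 2 if double else 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j < 0:
                raise ValueError("unterminated [ in %r" % pattern)
            out.append("[" + pattern[i + 1:j] + "]")
            i = j + 1
        elif c == "{":
            depth, j = 1, i + 1
            while j < n and depth:
                depth += {"{": 1, "}": -1}.get(pattern[j], 0)
                j += 1
            if depth:
                raise ValueError("unterminated { in %r" % pattern)
            alts = _split_alternatives(pattern[i + 1:j - 1])
            out.append("(?:" + "|".join(_translate(a) for a in alts) + ")")
            i = j
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def rule_matches(rule_path, real_path):
    """True if a profile file-rule path (tunables allowed) covers the resolved path."""
    return re.fullmatch(_translate(expand_variables(rule_path)), real_path) is not None


def suggest_rule(real_path, perms="r"):
    """Generalise a concrete sysfs path: digit runs become [0-9]*, /sys/ becomes @{sys}/."""
    pattern = re.sub(r"\d+", "[0-9]*", real_path)
    if pattern.startswith("/sys/"):
        pattern = "@{sys}/" + pattern[len("/sys/"):]
    return "%s %s," % (pattern, perms)


def find_uncovered_denials(log_lines, rule_paths):
    """(profile, path, suggested rule) for each DENIED access that no rule path covers."""
    found, seen = [], set()
    for line in log_lines:
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        key = (f["profile"], f["name"])
        if key in seen or any(rule_matches(r, f["name"]) for r in rule_paths):
            continue
        seen.add(key)
        found.append(key + (suggest_rule(f["name"], f.get("denied_mask", "r")),))
    return found


if __name__ == "__main__":
    configured = "/sys/class/hwmon/hwmon0/temp1_input"
    # On a host with that sensor this prints the /sys/devices/... target AppArmor checks.
    print("kernel mediates:", os.path.realpath(configured))
    for profile, path, rule in find_uncovered_denials(SAMPLE_LOG, PROFILE_RULES):
        print(profile, "denied", path, "-> add:", rule)
```

On the affected host, `readlink -f /sys/class/hwmon/hwmon0/temp1_input` gives the same target as the audit record's `name=` field, and that target is what the profile must allow. Keeping the original `/sys/class/hwmon` rule alongside the new one is still correct: the rule is harmless where the class entry is a real file, and the wildcard in the added rule stays within one path component, so it does not accidentally grant read access to other sysfs attributes.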


Bug#970421: apparmor limit blocks temperature reading

2020-09-15 Thread Matt Corallo

Package: chrony
Version: 3.4-4

Current apparmor profile for chrony lists
@{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r,

which is great (and even how I have mine configured -
tempcomp /sys/class/hwmon/hwmon0/temp1_input 1 0 0 0 0) but it doesn't actually 
work. It results in lots of log lines like

Sep 15 23:06:37 gw.as397444.net audit[24397]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0

Sep 15 23:06:37 gw.as397444.net chronyd[24397]: Could not read temperature from /sys/class/hwmon/hwmon0/temp1_input
Sep 15 23:06:37 gw.as397444.net kernel: audit: type=1400 audit(1600225597.313:127): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0


Looks like somehow apparmor is resolving the file to a different path, 
checking, and then failing it.

An extra line like the following fixes it:
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp[0-9]*_input r,

Matt