Public bug reported: [Impact]
* Apparmor denies access to lock it shares with ntpdate to ensure no issues due to concurrent access [Test Case] 1. get a container of target release 2. install ntp apt install ntp 3. watch dmesg on container-host dmesg -w 4. restart ntp in container systemctl restart ntp => see (or no more after fix) apparmor denie: apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w" [Regression Potential] * we are only slightly opening up the apparmor profile, but none of the changes poses a security risk so regression potential on it's own should be close to zero. * There is a potential issue if the locking (that now can succeed) would e.g. no more be freed up or the action behind the locking would cause issues. [Other Info] * n/a On start/restart nto has an error in apparmor due to the locking it tries to avoid issues running concurrently with ntpdate. That looks like: apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w" The rule we need is: /run/lock/ntpdate wk, ** Affects: ntp (Ubuntu) Importance: Medium Status: Triaged ** Affects: ntp (Ubuntu Xenial) Importance: Medium Status: Triaged ** Affects: ntp (Ubuntu Artful) Importance: Medium Status: Triaged ** Also affects: ntp (Ubuntu Artful) Importance: Undecided Status: New ** Also affects: ntp (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: ntp (Ubuntu Xenial) Status: New => Triaged ** Changed in: ntp (Ubuntu Artful) Status: New => Triaged ** Changed in: ntp (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: ntp (Ubuntu Artful) Importance: Undecided => Medium ** Changed in: ntp (Ubuntu) Importance: Undecided => Medium ** Changed in: ntp (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1749389 Title: ntpdate lock apparmor deny To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1749389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs