[Bug 1749389] [NEW] ntpdate lock apparmor deny

Wed, 14 Feb 2018 00:31:20 -0800 

Public bug reported:

[Impact]

 * Apparmor denies access to lock it shares with ntpdate to ensure no 
   issues due to concurrent access

[Test Case]

 1. get a container of target release
 2. install ntp
    apt install ntp
 3. watch dmesg on container-host
    dmesg -w 
 4. restart ntp in container
    systemctl restart ntp
 => see (or no more after fix) apparmor denie:
    apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"

[Regression Potential]

 * we are only slightly opening up the apparmor profile, but none of the 
   changes poses a security risk so regression potential on it's own 
   should be close to zero.

 * There is a potential issue if the locking (that now can succeed) would 
   e.g. no more be freed up or the action behind the locking would cause 
   issues.

[Other Info]
 
 * n/a


On start/restart nto has an error in apparmor due to the locking it tries to 
avoid issues running concurrently with ntpdate.

That looks like:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" 
name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" 
denied_mask="w"

The rule we need is:
/run/lock/ntpdate wk,

** Affects: ntp (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: ntp (Ubuntu Xenial)
     Importance: Medium
         Status: Triaged

** Affects: ntp (Ubuntu Artful)
     Importance: Medium
         Status: Triaged

** Also affects: ntp (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: ntp (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: ntp (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: ntp (Ubuntu Artful)
       Status: New => Triaged

** Changed in: ntp (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: ntp (Ubuntu Artful)
   Importance: Undecided => Medium

** Changed in: ntp (Ubuntu)
   Importance: Undecided => Medium

** Changed in: ntp (Ubuntu)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1749389/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to