Apparmor profile for NTPd needs to allow read/write access to /dev/ppsX

Bug #1564832 reported by Mark Shuttleworth
This bug affects 2 people

Affects: ntp (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Jamie Strandboge

Bug Description

Am trying to get NTP to work with the kernel PPS subsystem, for high-accuracy GPS-based clocks. On startup of NTPd I see this:

Apr 1 11:18:58 doorway kernel: [ 300.387443] audit: type=1400 audit(1459505938.042:9): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/dev/pps0" pid=1668 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

Adding this to the usr.sbin.ntpd apparmor profile eliminated the error:

  /dev/pps[0-9]* rw,

I'm not sure why ntpd needs *write* access to ppsN though, perhaps that can be improved.

Tags: apparmor
Ryan Harper (raharper) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.
Unfortunately, we cannot work on this bug because your description didn't include enough information.

Which Ubuntu release and ntp version are you using?
1. lsb_release -dcr
2. apt-cache policy ntp
3. Any steps and config needed to recreate.

Changed in ntp (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Actually, I think there is enough information. Marking as Triaged.

Changed in ntp (Ubuntu):
status: Incomplete → Triaged
tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

Mark, the ntp profile in Ubuntu supports the NTPD_DEVICE tunable and after reading https://www.kernel.org/doc/Documentation/pps/pps.txt it seems like this would be the appropriate place to put this. E.g.:

$ cat /etc/apparmor.d/tunables/ntpd
...
#Add your ntpd devices here eg. if you have a DCF clock
# @{NTPD_DEVICE}="/dev/ttyS1"
@{NTPD_DEVICE}="/dev/null"

Adjust that to be:
@{NTPD_DEVICE}="/dev/pps[0-9]*"

Then do:
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd

The above expands to the equivalent line you proposed in the description.

Would this suit your needs?
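
Added example (not part of the original thread or of the ntp package): a Python sketch that parses the denial quoted in the bug description and checks whether a profile file rule covers it, before and after the tunable change described above. It implements only a simplified subset of AppArmor path globbing (*, **, ?, [...]); the rule text "@{NTPD_DEVICE} rw," and all function names are assumptions made for illustration.

```python
import re

# The denial quoted in the bug description, embedded so the example runs offline.
SAMPLE = ('Apr 1 11:18:58 doorway kernel: [ 300.387443] audit: type=1400 '
          'audit(1459505938.042:9): apparmor="DENIED" operation="open" '
          'profile="/usr/sbin/ntpd" name="/dev/pps0" pid=1668 comm="ntpd" '
          'requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def expand(rule, tunables):
    """Substitute @{VAR} references with values from a tunables mapping."""
    return re.sub(r"@\{(\w+)\}", lambda m: tunables[m.group(1)], rule)

def glob_to_regex(glob):
    """Translate a subset of AppArmor globbing; note it is a glob, not a regex."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):      # any characters, including '/'
            out.append(".*"); i += 2
        elif glob[i] == "*":              # any run of characters except '/'
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":              # one character except '/'
            out.append("[^/]"); i += 1
        elif glob[i] == "[":              # character class, copied as-is
            end = glob.index("]", i)
            out.append(glob[i:end + 1]); i = end + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))

def rule_allows(rule, path, mask):
    """True if a file rule such as '/dev/pps[0-9]* rw,' covers path and mask."""
    glob, perms = rule.strip().rstrip(",").split()
    return bool(glob_to_regex(glob).fullmatch(path)) and set(mask) <= set(perms)

def covered(line, rule, tunables=None):
    """Check a logged denial against one rule after tunable expansion."""
    d = parse_denial(line)
    if d is None:
        raise ValueError("not an AppArmor DENIED record")
    return rule_allows(expand(rule, tunables or {}), d["name"], d["denied_mask"])

if __name__ == "__main__":
    for value in ("/dev/null", "/dev/pps[0-9]*"):
        print(value, covered(SAMPLE, "@{NTPD_DEVICE} rw,", {"NTPD_DEVICE": value}))
```

Because [0-9]* is one digit followed by any run of non-slash characters, the rule also covers names such as /dev/pps10 and /dev/pps0foo, but not /dev/pps itself.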

Mark Shuttleworth (sabdfl) wrote : Re: [Bug 1564832] Re: Apparmor profile for NTPd needs to allow read/write access to /dev/ppsX

Hi Jamie - whatever you think is the best approach to have this work out
of the box for other Ubuntu users installing NTP and setting up a PPS
device. All I care about is that they don't have to edit apparmor
profiles themselves.

Mark

Changed in ntp (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu5

---------------
ntp (1:4.2.8p4+dfsg-3ubuntu5) xenial; urgency=medium

  * debian/apparmor-profile: allow 'rw' access to /dev/pps[0-9]* devices.
    Patch thanks to Mark Shuttleworth. (LP: #1564832)

 -- Jamie Strandboge <email address hidden> Thu, 07 Apr 2016 15:12:41 -0500

Changed in ntp (Ubuntu):
status: In Progress → Fix Released