Merge ~locnnil/ubuntu/+source/linuxptp:oracular-linuxptp-add-apparmor into ubuntu/+source/linuxptp:ubuntu/devel

Proposed by Lincoln Wallace
Status: Needs review
Proposed branch: ~locnnil/ubuntu/+source/linuxptp:oracular-linuxptp-add-apparmor
Merge into: ubuntu/+source/linuxptp:ubuntu/devel
Diff against target: 295 lines (+213/-1)
9 files modified
debian/changelog (+24/-0)
debian/control (+1/-0)
debian/linuxptp.install (+3/-0)
debian/rules (+5/-0)
debian/tests/control (+1/-1)
debian/tests/simulation-test-suite (+25/-0)
debian/usr.sbin.phc2sys (+44/-0)
debian/usr.sbin.ptp4l (+63/-0)
debian/usr.sbin.timemaster (+47/-0)
Reviewer Review Type Date Requested Status
Alex Murray (community) Approve
Farshid Tavakolizadeh (community) Abstain
Andreas Hasenack Needs Fixing
Review via email: mp+473653@code.launchpad.net

Commit message

Add AppArmor rules for linuxptp services (ptp4l, timemaster and phc2sys).

Related to LP: #2083458

To post a comment you must log in.
Revision history for this message
Andreas Hasenack (ahasenack) :
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Comments inline, and here.

Commit db64e3ff9c7a60b8164b2dab035add4587d6f177 is also changing d/usr.sbin.ptp4l, which is not mentioned in the commit message. This of course does not change the final outcome, but since you have split commits, maybe you would prefer to move that ptp4l change to commit f1788a09e84df88d2c142a34ab6b5ad110ddb050 which is the one adding that apparmor profile.

review: Needs Fixing
Revision history for this message
Lincoln Wallace (locnnil) wrote :

Addressed review! Awaiting the next review.

Revision history for this message
Andreas Hasenack (ahasenack) :
Revision history for this message
Lincoln Wallace (locnnil) wrote (last edit ):

Addressed review! I've put back the comment about failure on armhf. Awaiting the next review.

Revision history for this message
Andreas Hasenack (ahasenack) :
review: Needs Fixing
Revision history for this message
Lincoln Wallace (locnnil) wrote :

Added 'needs-sudo' capability! Ready for review.

Revision history for this message
Farshid Tavakolizadeh (farshidtz) wrote (last edit ):

This change isn't needed for Oracular. I suggest we hold until we perform more testing. LinuxPTP is used in a wide range of applications (incl. TSN), some of which aren't covered by the autopkgtests and the simulated environment.

review: Abstain
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

For plucky, we could put this profile in complain mode, but how would we be getting the apparmor logs showing what would have been denied...

I agree a lot of testing is required. We can upload this to plucky, and keep a watchful eye out for bugs while it's in the devel release. That sounds like a good approach to me, if we can react quickly to breakages while in the devel release.

I'll run the dep8 tests of this branch in the meantime in the real infrastructure. If you want to proceed with the plucky upload, and assuming all tests pass as is, then the only change needed is the ubuntu release name in d/changelog.

Revision history for this message
Alex Murray (alexmurray) wrote :

From a security team perspective, these profiles look quite good - just a few minor nitpicks and stylistic things that need addressing. Thanks :)

review: Needs Fixing
a7bdc8c... by Lincoln Wallace

changelog

Signed-off-by: Lincoln Wallace <email address hidden>

Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks Lincoln - apologies I just noticed a couple other minor issues.

review: Needs Fixing
Revision history for this message
Lincoln Wallace (locnnil) wrote :

> Thanks Lincoln - apologies I just noticed a couple other minor issues.

No problem at all! Fixed!

Let me know if you find some other improvement that I could do, and I will be happy to help! Thank you very much, and have a great day!

Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks again - LGTM!

review: Approve

Unmerged commits

a7bdc8c... by Lincoln Wallace

changelog

Signed-off-by: Lincoln Wallace <email address hidden>

9853a0c... by Lincoln Wallace

* Add AppArmor rules for phc2sys (ref LP #2083458)

  - d/linuxptp.install: Add aa rules destdir for phc2sys
  - d/rules: Add phc2sys aa profile entry
  - d/tests/simulation-test-suite: Insert rule on aa profile for autopkgtest
  - d/usr.sbin.phc2sys: aa profile for phc2sys service

Signed-off-by: Lincoln Wallace <email address hidden>

af3bf4c... by Lincoln Wallace

* Add AppArmor rules for timemaster (ref LP #2083458)

  - d/linuxptp.install: Add aa rules destdir for timemaster
  - d/rules: Add timemaster aa profile entry
  - d/usr.sbin.timemaster: aa profile for timemaster service

Signed-off-by: Lincoln Wallace <email address hidden>

89b1525... by Lincoln Wallace

* Add AppArmor rules for ptp4l (LP: #2083458)

  - d/control: Add dh-apparmor dependency
  - d/linuxptp.install: Add aa rules destdir
  - d/rules: Add section for aa profile adition
  - d/tests/simulation-test-suite: Add script function to inject additional local
      aa rules needed for autopkgtest
  - d/tests/control: Add needs-sudo capability
  - d/usr.sbin.ptp4l: aa profile for ptp4l application

Signed-off-by: Lincoln Wallace <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 6de9fd8..920f51a 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,27 @@
6+linuxptp (4.2-1ubuntu2) plucky; urgency=medium
7+
8+ * Add AppArmor rules for ptp4l (LP: #2083458)
9+ - d/control: Add dh-apparmor dependency
10+ - d/linuxptp.install: Add aa rules destdir
11+ - d/rules: Add section for aa profile adition
12+ - d/tests/simulation-test-suite: Add script function to inject additional local
13+ aa rules needed for autopkgtest
14+ - d/tests/control: Add needs-sudo capability
15+ - d/usr.sbin.ptp4l: aa profile for ptp4l application
16+
17+ * Add AppArmor rules for timemaster (ref LP #2083458)
18+ - d/linuxptp.install: Add aa rules destdir for timemaster
19+ - d/rules: Add timemaster aa profile entry
20+ - d/usr.sbin.timemaster: aa profile for timemaster service
21+
22+ * Add AppArmor rules for phc2sys (ref LP #2083458)
23+ - d/linuxptp.install: Add aa rules destdir for phc2sys
24+ - d/rules: Add phc2sys aa profile entry
25+ - d/tests/simulation-test-suite: Insert rule on aa profile for autopkgtest
26+ - d/usr.sbin.phc2sys: aa profile for phc2sys service
27+
28+ -- Lincoln Wallace <lincoln.wallace@canonical.com> Wed, 02 Oct 2024 15:50:17 -0300
29+
30 linuxptp (4.2-1ubuntu1) oracular; urgency=medium
31
32 * Merge with Debian unstable (LP: #2073737). Remaining changes:
33diff --git a/debian/control b/debian/control
34index efefa1f..74e587c 100644
35--- a/debian/control
36+++ b/debian/control
37@@ -9,6 +9,7 @@ Uploaders:
38 Build-Depends:
39 debhelper-compat (= 13),
40 dh-exec,
41+ dh-apparmor,
42 Standards-Version: 4.6.2
43 Rules-Requires-Root: no
44 Homepage: http://linuxptp.sourceforge.net/
45diff --git a/debian/linuxptp.install b/debian/linuxptp.install
46index ad008d9..f0706a0 100755
47--- a/debian/linuxptp.install
48+++ b/debian/linuxptp.install
49@@ -1,3 +1,6 @@
50 #!/usr/bin/dh-exec
51 configs/default.cfg => /etc/linuxptp/ptp4l.conf
52 debian/timemaster.conf /etc/linuxptp/
53+debian/usr.sbin.ptp4l etc/apparmor.d
54+debian/usr.sbin.timemaster etc/apparmor.d
55+debian/usr.sbin.phc2sys etc/apparmor.d
56diff --git a/debian/rules b/debian/rules
57index 38cfc04..01e297f 100755
58--- a/debian/rules
59+++ b/debian/rules
60@@ -12,6 +12,11 @@ export DH_VERBOSE = 1
61 override_dh_auto_install:
62 dh_auto_install -- prefix=/usr mandir=/usr/share/man
63
64+execute_after_dh_install:
65+ dh_apparmor --profile-name=usr.sbin.ptp4l -plinuxptp
66+ dh_apparmor --profile-name=usr.sbin.timemaster -plinuxptp
67+ dh_apparmor --profile-name=usr.sbin.phc2sys -plinuxptp
68+
69 override_dh_installsystemd:
70 dh_installsystemd --no-enable --no-start --name=ptp4l@
71 dh_installsystemd --no-enable --no-start --name=phc2sys@
72diff --git a/debian/tests/control b/debian/tests/control
73index c367202..147f518 100644
74--- a/debian/tests/control
75+++ b/debian/tests/control
76@@ -1,3 +1,3 @@
77 Tests: simulation-test-suite
78 Depends: wget, g++, make, linuxptp
79-Restrictions: allow-stderr, isolation-container, build-needed, skippable, needs-internet
80+Restrictions: allow-stderr, isolation-container, build-needed, skippable, needs-internet, needs-sudo
81diff --git a/debian/tests/simulation-test-suite b/debian/tests/simulation-test-suite
82index 1abb4bd..0649aa0 100755
83--- a/debian/tests/simulation-test-suite
84+++ b/debian/tests/simulation-test-suite
85@@ -5,6 +5,28 @@ clknetsim_ver=0a11a35
86 clknetsim_src=https://github.com/mlichvar/clknetsim/archive/"$clknetsim_ver"/clknetsim-"$clknetsim_ver".tar.gz
87 clknetsim_archive=$(basename "$clknetsim_src")
88
89+inject_local_aa() {
90+ app="$1"
91+ apparmor_profile=/etc/apparmor.d/usr.sbin.${app}
92+ echo "-- Injecting complementary AppArmor rules for $app"
93+
94+ sudo -E bash -c "
95+ if [ -f '$apparmor_profile' ]; then
96+ if aa-status --enabled 2>/dev/null; then
97+ cat <<EOF >>/etc/apparmor.d/local/usr.sbin.'${app}'
98+/tmp/autopkgtest*/** rwm,
99+/proc/[0-9]*/comm r,
100+EOF
101+ apparmor_parser -r -W -T '${apparmor_profile}' || {
102+ echo 'Failed to reload the ${apparmor_profile} AppArmor profile, continuing anyway.'
103+ }
104+ fi
105+ else
106+ echo 'AppArmor profile for $app does not exist, skipping.'
107+ fi
108+ "
109+}
110+
111 # Always use the same seed to get deterministic results
112 export CLKNETSIM_RANDOM_SEED=24508
113
114@@ -25,6 +47,9 @@ echo "-- Building clknetsim"
115 make
116 echo ""
117
118+inject_local_aa "ptp4l"
119+inject_local_aa "phc2sys"
120+
121 echo "-- Running test-suite"
122 cd "$testdir"
123 ./run
124diff --git a/debian/usr.sbin.phc2sys b/debian/usr.sbin.phc2sys
125new file mode 100644
126index 0000000..05d30e3
127--- /dev/null
128+++ b/debian/usr.sbin.phc2sys
129@@ -0,0 +1,44 @@
130+
131+# vim:syntax=apparmor
132+# Last Modified: Sun Sep 05 16:48:05 2021
133+
134+abi <abi/4.0>,
135+include <tunables/global>
136+
137+profile phc2sys /usr/sbin/phc2sys {
138+ include <abstractions/base>
139+
140+ # Needed phc2sys capabilities
141+ capability dac_read_search,
142+ capability dac_override,
143+ capability sys_time,
144+ capability sys_module,
145+ capability net_admin,
146+
147+ # Allow dgram type for all net domains
148+ network dgram,
149+
150+ # The phc2sys application it's own
151+ /{usr/,}sbin/phc2sys mr,
152+
153+ # phc2sys runtime data
154+ @{run}/phc2sys.[0-9]* rw,
155+
156+ # To be able to comunicate with ptp4l
157+ @{run}/ptp4lro rw,
158+
159+ # Needed signals in case of being executed by other application
160+ signal (receive) set=(term),
161+
162+ # Needed when being executed by timemaster
163+ @{run}/timemaster/ptp4l.[0-9]*.socket rw,
164+
165+ # PTP devices
166+ /dev/ptp[0-9]* rw,
167+
168+ # PPS devices
169+ /dev/pps[0-9]* r,
170+
171+ # Site-specific additions and overrides. See local/README for details.
172+ include if exists <local/usr.sbin.ptp4l>
173+}
174diff --git a/debian/usr.sbin.ptp4l b/debian/usr.sbin.ptp4l
175new file mode 100644
176index 0000000..fd74494
177--- /dev/null
178+++ b/debian/usr.sbin.ptp4l
179@@ -0,0 +1,63 @@
180+# vim:syntax=apparmor
181+# Last Modified: Sun Sep 05 16:48:05 2021
182+
183+abi <abi/4.0>,
184+include <tunables/global>
185+
186+profile ptp4l /usr/sbin/ptp4l {
187+ include <abstractions/base>
188+
189+ # The ptp4l application it's own
190+ /{usr/,}sbin/ptp4l mr,
191+
192+ # Needed signals in case of being executed by other application
193+ signal (receive) set=(term),
194+
195+ # Needed capabilities
196+ capability net_admin,
197+ capability sys_module,
198+ capability net_bind_service,
199+
200+ # Needed Network domains
201+ network netlink,
202+ network packet,
203+ network inet,
204+ network inet6,
205+ network unix,
206+ network unspec,
207+
208+ # Needed to define mac address for
209+ # a network interface
210+ /sys/class/net/*/address r,
211+
212+ # ptp devices
213+ /dev/ptp[0-9]* rw,
214+
215+ # serial devices
216+ /dev/ttyS[0-9]* rw,
217+ /dev/ttyACM[0-9]* rw,
218+
219+ # Needed for ipc and runtime status
220+ @{run}/cmlds_client rw,
221+ @{run}/cmlds_server rw,
222+ @{run}/refclock.ptp.sock rw,
223+ @{run}/run/ptp4l rw,
224+ @{run}/ptp4lro rw,
225+ @{run}/ptp4l rw,
226+ @{run}/ptp4lro rw,
227+ @{run}/phc2sys.[0-9]+ r,
228+
229+ # When being runned by timemaster
230+ @{run}/timemaster/chrony.SOCK* rw,
231+ @{run}/timemaster/ptp4l.*.conf r,
232+ @{run}/timemaster/ptp4l.*.socket rw,
233+ @{run}/timemaster/ptp4lro.*.socket rw,
234+ @{run}/phc2sys.* rw,
235+
236+ # ptp4l config files
237+ @{etc_ro}/linuxptp/** r,
238+
239+ # Site-specific additions and overrides. See local/README for details.
240+ include if exists <local/usr.sbin.ptp4l>
241+}
242+
243diff --git a/debian/usr.sbin.timemaster b/debian/usr.sbin.timemaster
244new file mode 100644
245index 0000000..aaba051
246--- /dev/null
247+++ b/debian/usr.sbin.timemaster
248@@ -0,0 +1,47 @@
249+
250+# vim:syntax=apparmor
251+# Last Modified: Mon Sep 15 14:48:05 2024
252+
253+abi <abi/4.0>,
254+include <tunables/global>
255+
256+profile timemaster /usr/sbin/timemaster {
257+ include <abstractions/base>
258+ include <abstractions/nameservice>
259+
260+ # To be able to kill child processes
261+ capability kill,
262+
263+ # To be able to send the term signal
264+ signal (send) set=(term),
265+
266+ # Runtime config files for timemaster
267+ @{run}/timemaster/*.conf rw,
268+ @{run}/timemaster/ rwk,
269+
270+ ## system files access
271+
272+ # RPi4 and RPi5 specific
273+ @{sys}/devices/platform/axi/[0-9a-f]*.pcie/[0-9a-f]*.ethernet/net/*/ptp[0-9]*/ r,
274+ @{sys}/devices/platform/axi/[0-9a-f]*.pcie/[0-9a-f]*.ethernet/net/*/ptp[0-9]*/n_vclocks rw,
275+
276+ # Generic arch's
277+ @{sys}/ptp[0-9]+/ptp[0-9]* rw,
278+ @{sys}/ptp[0-9]+/n_vclocks rw,
279+ @{sys}/net/*/ptp[0-9]*/n_vclocks rw,
280+
281+ # Default location for config files
282+ @{etc_ro}/linuxptp/** r,
283+ @{etc_ro}/chrony/** r,
284+ @{etc_ro}/ntpsec/** r,
285+
286+ # Backend applications
287+ # Px = exec to apparmor profile that matches executable name, with environment variable scrubbing
288+ /usr/sbin/chronyd Px,
289+ /usr/sbin/ntpd Px,
290+ /usr/sbin/ptp4l Px,
291+ /usr/sbin/phc2sys Px,
292+
293+ # Site-specific additions and overrides. See local/README for details.
294+ include if exists <local/usr.sbin.timemaster>
295+}

Subscribers

People subscribed via source and target branches