Merge ~locnnil/ubuntu/+source/linuxptp:oracular-linuxptp-add-apparmor into ubuntu/+source/linuxptp:ubuntu/devel

Proposed by Lincoln Wallace
Status: Work in progress
Proposed branch: ~locnnil/ubuntu/+source/linuxptp:oracular-linuxptp-add-apparmor
Merge into: ubuntu/+source/linuxptp:ubuntu/devel
Diff against target: 293 lines (+211/-1)
9 files modified
debian/changelog (+24/-0)
debian/control (+1/-0)
debian/linuxptp.install (+3/-0)
debian/rules (+5/-0)
debian/tests/control (+1/-1)
debian/tests/simulation-test-suite (+25/-0)
debian/usr.sbin.phc2sys (+44/-0)
debian/usr.sbin.ptp4l (+63/-0)
debian/usr.sbin.timemaster (+45/-0)
Reviewer Review Type Date Requested Status
Farshid Tavakolizadeh (community) Abstain
Andreas Hasenack Needs Fixing
Ubuntu Sponsors Pending
Review via email: mp+473653@code.launchpad.net

Commit message

Add AppArmor rules for linuxptp services (ptp4l, timemaster and phc2sys).

Related to LP: #2083458

Andreas Hasenack (ahasenack) wrote :

Comments inline, and here.

Commit db64e3ff9c7a60b8164b2dab035add4587d6f177 is also changing d/usr.sbin.ptp4l, which is not mentioned in the commit message. This of course does not change the final outcome, but since you have split commits, maybe you would prefer to move that ptp4l change to commit f1788a09e84df88d2c142a34ab6b5ad110ddb050 which is the one adding that apparmor profile.

review: Needs Fixing
Lincoln Wallace (locnnil) wrote :

Addressed review! Awaiting the next review.

Lincoln Wallace (locnnil) wrote (last edit ):

Addressed review! I've put back the comment about failure on armhf. Awaiting the next review.

Andreas Hasenack (ahasenack) :
review: Needs Fixing
4e2dd19... by Lincoln Wallace

changelog

Signed-off-by: Lincoln Wallace <email address hidden>

Lincoln Wallace (locnnil) wrote :

Added 'needs-sudo' capability! Ready for review.

Farshid Tavakolizadeh (farshidtz) wrote (last edit ):

This change isn't needed for Oracular. I suggest we hold until we perform more testing. LinuxPTP is used in a wide range of applications (incl. TSN), some of which aren't covered by the autopkgtests and the simulated environment.

review: Abstain
Andreas Hasenack (ahasenack) wrote :

For plucky, we could put this profile in complain mode, but how would we be getting the apparmor logs showing what would have been denied...

I agree a lot of testing is required. We can upload this to plucky, and keep a watchful eye out for bugs while it's in the devel release. That sounds like a good approach to me, if we can react quickly to breakages while in the devel release.

I'll run the dep8 tests of this branch in the meantime in the real infrastructure. If you want to proceed with the plucky upload, and assuming all tests pass as is, then the only change needed is the ubuntu release name in d/changelog.

Unmerged commits

4e2dd19... by Lincoln Wallace

changelog

Signed-off-by: Lincoln Wallace <email address hidden>

6ac11dd... by Lincoln Wallace

* Add AppArmor rules for phc2sys (ref LP #2083458)

  - d/linuxptp.install: Add aa rules destdir for phc2sys
  - d/rules: Add phc2sys aa profile entry
  - d/tests/simulation-test-suite: Insert rule on aa profile for autopkgtest
  - d/usr.sbin.phc2sys: aa profile for phc2sys service

Signed-off-by: Lincoln Wallace <email address hidden>

d9f9c26... by Lincoln Wallace

* Add AppArmor rules for timemaster (ref LP #2083458)

  - d/linuxptp.install: Add aa rules destdir for timemaster
  - d/rules: Add timemaster aa profile entry
  - d/usr.sbin.timemaster: aa profile for timemaster service

Signed-off-by: Lincoln Wallace <email address hidden>

d04538b... by Lincoln Wallace

* Add AppArmor rules for ptp4l (LP: #2083458)

  - d/control: Add dh-apparmor dependency
  - d/linuxptp.install: Add aa rules destdir
  - d/rules: Add section for aa profile addition
  - d/tests/simulation-test-suite: Add script function to inject additional local
      aa rules needed for autopkgtest
  - d/tests/control: Add needs-sudo capability
  - d/usr.sbin.ptp4l: aa profile for ptp4l application

Signed-off-by: Lincoln Wallace <email address hidden>

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 6de9fd8..9c806c8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,27 @@
1linuxptp (4.2-1ubuntu2) oracular; urgency=medium
2
3 * Add AppArmor rules for ptp4l (LP: #2083458)
4 - d/control: Add dh-apparmor dependency
5 - d/linuxptp.install: Add aa rules destdir
6 - d/rules: Add section for aa profile adition
7 - d/tests/simulation-test-suite: Add script function to inject additional local
8 aa rules needed for autopkgtest
9 - d/tests/control: Add needs-sudo capability
10 - d/usr.sbin.ptp4l: aa profile for ptp4l application
11
12 * Add AppArmor rules for timemaster (ref LP #2083458)
13 - d/linuxptp.install: Add aa rules destdir for timemaster
14 - d/rules: Add timemaster aa profile entry
15 - d/usr.sbin.timemaster: aa profile for timemaster service
16
17 * Add AppArmor rules for phc2sys (ref LP #2083458)
18 - d/linuxptp.install: Add aa rules destdir for phc2sys
19 - d/rules: Add phc2sys aa profile entry
20 - d/tests/simulation-test-suite: Insert rule on aa profile for autopkgtest
21 - d/usr.sbin.phc2sys: aa profile for phc2sys service
22
23 -- Lincoln Wallace <lincoln.wallace@canonical.com> Wed, 02 Oct 2024 15:50:17 -0300
24
1linuxptp (4.2-1ubuntu1) oracular; urgency=medium25linuxptp (4.2-1ubuntu1) oracular; urgency=medium
226
3 * Merge with Debian unstable (LP: #2073737). Remaining changes:27 * Merge with Debian unstable (LP: #2073737). Remaining changes:
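Review bot: "adition" in the ptp4l entry (`- d/rules: Add section for aa profile adition`) should read "addition"; the same typo is in the corresponding commit message. Also, per the discussion above about targeting plucky instead of oracular, the series in `linuxptp (4.2-1ubuntu2) oracular; urgency=medium` is the one line that would need to change for that upload.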
diff --git a/debian/control b/debian/control
index efefa1f..74e587c 100644
--- a/debian/control
+++ b/debian/control
@@ -9,6 +9,7 @@ Uploaders:
9Build-Depends:9Build-Depends:
10 debhelper-compat (= 13),10 debhelper-compat (= 13),
11 dh-exec,11 dh-exec,
12 dh-apparmor,
12Standards-Version: 4.6.213Standards-Version: 4.6.2
13Rules-Requires-Root: no14Rules-Requires-Root: no
14Homepage: http://linuxptp.sourceforge.net/15Homepage: http://linuxptp.sourceforge.net/
diff --git a/debian/linuxptp.install b/debian/linuxptp.install
index ad008d9..f0706a0 100755
--- a/debian/linuxptp.install
+++ b/debian/linuxptp.install
@@ -1,3 +1,6 @@
1#!/usr/bin/dh-exec1#!/usr/bin/dh-exec
2configs/default.cfg => /etc/linuxptp/ptp4l.conf2configs/default.cfg => /etc/linuxptp/ptp4l.conf
3debian/timemaster.conf /etc/linuxptp/3debian/timemaster.conf /etc/linuxptp/
4debian/usr.sbin.ptp4l etc/apparmor.d
5debian/usr.sbin.timemaster etc/apparmor.d
6debian/usr.sbin.phc2sys etc/apparmor.d
diff --git a/debian/rules b/debian/rules
index 38cfc04..01e297f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,6 +12,11 @@ export DH_VERBOSE = 1
12override_dh_auto_install:12override_dh_auto_install:
13 dh_auto_install -- prefix=/usr mandir=/usr/share/man13 dh_auto_install -- prefix=/usr mandir=/usr/share/man
1414
15execute_after_dh_install:
16 dh_apparmor --profile-name=usr.sbin.ptp4l -plinuxptp
17 dh_apparmor --profile-name=usr.sbin.timemaster -plinuxptp
18 dh_apparmor --profile-name=usr.sbin.phc2sys -plinuxptp
19
15override_dh_installsystemd:20override_dh_installsystemd:
16 dh_installsystemd --no-enable --no-start --name=ptp4l@21 dh_installsystemd --no-enable --no-start --name=ptp4l@
17 dh_installsystemd --no-enable --no-start --name=phc2sys@22 dh_installsystemd --no-enable --no-start --name=phc2sys@
diff --git a/debian/tests/control b/debian/tests/control
index c367202..147f518 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,3 +1,3 @@
1Tests: simulation-test-suite1Tests: simulation-test-suite
2Depends: wget, g++, make, linuxptp2Depends: wget, g++, make, linuxptp
3Restrictions: allow-stderr, isolation-container, build-needed, skippable, needs-internet3Restrictions: allow-stderr, isolation-container, build-needed, skippable, needs-internet, needs-sudo
diff --git a/debian/tests/simulation-test-suite b/debian/tests/simulation-test-suite
index 1abb4bd..0649aa0 100755
--- a/debian/tests/simulation-test-suite
+++ b/debian/tests/simulation-test-suite
@@ -5,6 +5,28 @@ clknetsim_ver=0a11a35
5clknetsim_src=https://github.com/mlichvar/clknetsim/archive/"$clknetsim_ver"/clknetsim-"$clknetsim_ver".tar.gz5clknetsim_src=https://github.com/mlichvar/clknetsim/archive/"$clknetsim_ver"/clknetsim-"$clknetsim_ver".tar.gz
6clknetsim_archive=$(basename "$clknetsim_src")6clknetsim_archive=$(basename "$clknetsim_src")
77
8inject_local_aa() {
9 app="$1"
10 apparmor_profile=/etc/apparmor.d/usr.sbin.${app}
11 echo "-- Injecting complementary AppArmor rules for $app"
12
13 sudo -E bash -c "
14 if [ -f '$apparmor_profile' ]; then
15 if aa-status --enabled 2>/dev/null; then
16 cat <<EOF >>/etc/apparmor.d/local/usr.sbin.'${app}'
17/tmp/autopkgtest*/** rwm,
18/proc/[0-9]*/comm r,
19EOF
20 apparmor_parser -r -W -T '${apparmor_profile}' || {
21 echo 'Failed to reload the ${apparmor_profile} AppArmor profile, continuing anyway.'
22 }
23 fi
24 else
25 echo 'AppArmor profile for $app does not exist, skipping.'
26 fi
27 "
28}
29
8# Always use the same seed to get deterministic results30# Always use the same seed to get deterministic results
9export CLKNETSIM_RANDOM_SEED=2450831export CLKNETSIM_RANDOM_SEED=24508
1032
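Review bot: `inject_local_aa` appends the two rules to `/etc/apparmor.d/local/usr.sbin.${app}` unconditionally, so each run of the test suite on the same testbed adds another copy; a guard such as `grep -qF '/tmp/autopkgtest*/** rwm,' /etc/apparmor.d/local/usr.sbin.${app} ||` in front of the heredoc keeps it idempotent. The `|| { echo '... continuing anyway.' }` after `apparmor_parser -r -W -T` also masks the failure mode that matters most here: if the reload fails, the profile keeps enforcing without the `/tmp/autopkgtest*/**` rule and the suite fails later with denials that are much harder to attribute, so either exit non-zero there or at least let the parser's error output through. Note as well that `aa-status --enabled` exits non-zero when AppArmor is not active, in which case nothing is injected; that is the intended skip, but an `echo` in that branch would make the test log say so.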
@@ -25,6 +47,9 @@ echo "-- Building clknetsim"
25make47make
26echo ""48echo ""
2749
50inject_local_aa "ptp4l"
51inject_local_aa "phc2sys"
52
28echo "-- Running test-suite"53echo "-- Running test-suite"
29cd "$testdir"54cd "$testdir"
30./run55./run
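Review bot: only the ptp4l and phc2sys profiles get the local additions, although d/rules also installs a timemaster profile; if the simulation suite ever exercises timemaster, it will need the same `inject_local_aa "timemaster"` call, and the timemaster profile as written has no `#include <local/usr.sbin.timemaster>` line for the injected rules to land in.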
diff --git a/debian/usr.sbin.phc2sys b/debian/usr.sbin.phc2sys
31new file mode 10064456new file mode 100644
index 0000000..9f38458
--- /dev/null
+++ b/debian/usr.sbin.phc2sys
@@ -0,0 +1,44 @@
1
2# vim:syntax=apparmor
3# Last Modified: Sun Sep 05 16:48:05 2021
4
5abi <abi/4.0>,
6include <tunables/global>
7
8profile phc2sys /usr/sbin/phc2sys {
9 #include <abstractions/base>
10
11 # Needed phc2sys capabilities
12 capability dac_read_search,
13 capability dac_override,
14 capability sys_time,
15 capability sys_module,
16 capability net_admin,
17
18 # Allow dgram type for all net domains
19 network dgram,
20
21 # The phc2sys application it's own
22 /usr/sbin/phc2sys mr,
23
24 # phc2sys runtime data
25 /run/phc2sys.[0-9]* rw,
26
27 # To be able to comunicate with ptp4l
28 /run/ptp4lro rw,
29
30 # Needed signals in case of being executed by other application
31 signal (receive) set=(term),
32
33 # Needed when being executed by timemaster
34 /run/timemaster/ptp4l.[0-9]*.socket rw,
35
36 # PTP devices
37 /dev/ptp[0-9]* rw,
38
39 # PPS devices
40 /dev/pps[0-9]* r,
41
42 # Site-specific additions and overrides. See local/README for details.
43 #include <local/usr.sbin.ptp4l>
44}
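Review bot: the last rule, `#include <local/usr.sbin.ptp4l>`, pulls in ptp4l's site-local file instead of `<local/usr.sbin.phc2sys>`. d/rules runs `dh_apparmor --profile-name=usr.sbin.phc2sys`, which creates `/etc/apparmor.d/local/usr.sbin.phc2sys`, and the test script appends its `/tmp/autopkgtest*/**` rule to that same file, so with this include the injected rule never reaches the phc2sys profile while ptp4l's local overrides silently do. Beyond that: `/run/phc2sys.[0-9]*` and `/run/ptp4lro` hardcode `/run/` where the ptp4l profile uses `@{run}`; `capability dac_override` and `capability dac_read_search` let the process bypass file permission bits on every path the profile allows and deserve a comment saying which access needs them; the `Last Modified: Sun Sep 05 16:48:05 2021` header is stale; and the comments "The phc2sys application it's own" and "comunicate" should read "itself" and "communicate".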
diff --git a/debian/usr.sbin.ptp4l b/debian/usr.sbin.ptp4l
0new file mode 10064445new file mode 100644
index 0000000..779c1c4
--- /dev/null
+++ b/debian/usr.sbin.ptp4l
@@ -0,0 +1,63 @@
1# vim:syntax=apparmor
2# Last Modified: Sun Sep 05 16:48:05 2021
3
4abi <abi/4.0>,
5include <tunables/global>
6
7profile ptp4l /usr/sbin/ptp4l {
8#include <abstractions/base>
9
10# The ptp4l application it's own
11/usr/sbin/ptp4l mr,
12
13# Needed signals in case of being executed by other application
14signal (receive) set=(term),
15
16# Needed capabilities
17capability net_admin,
18capability sys_module,
19capability net_bind_service,
20
21# Needed Network domains
22network netlink,
23network packet,
24network inet,
25network inet6,
26network unix,
27network unspec,
28
29# Needed to define mac address for
30# a network interface
31/sys/class/net/*/address r,
32
33# ptp devices
34/dev/ptp[0-9]* rw,
35
36# serial devices
37/dev/ttyS[0-9]* rw,
38/dev/ttyACM[0-9]* rw,
39
40# Needed for ipc and runtime status
41@{run}/cmlds_client rw,
42@{run}/cmlds_server rw,
43@{run}/refclock.ptp.sock rw,
44@{run}/run/ptp4l rw,
45@{run}/ptp4lro rw,
46@{run}/ptp4l rw,
47@{run}/ptp4lro rw,
48@{run}/phc2sys.[0-9]+ r,
49
50# When being runned by timemaster
51@{run}/timemaster/chrony.SOCK* rw,
52@{run}/timemaster/ptp4l.*.conf r,
53@{run}/timemaster/ptp4l.*.socket rw,
54@{run}/timemaster/ptp4lro.*.socket rw,
55@{run}/phc2sys.* rw,
56
57# ptp4l config files
58/etc/linuxptp/** r,
59
60# Site-specific additions and overrides. See local/README for details.
61#include <local/usr.sbin.ptp4l>
62}
63
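Review bot: `@{run}/ptp4lro rw,` appears twice (lines 45 and 47), and `@{run}/run/ptp4l rw,` on line 44 expands to `/run/run/ptp4l`, which looks like a typo for `@{run}/ptp4l` (already on line 46). `@{run}/phc2sys.[0-9]+ r,` on line 48 uses `+` as if it were a regex quantifier, but AppArmor path globs have no `+` operator (only `*`, `**`, `?`, `[...]` and `{a,b}`), so this matches a literal plus sign; `@{run}/phc2sys.* rw,` on line 55 already covers those files, so line 48 can go. Smaller points: "When being runned by timemaster" should be "run", "The ptp4l application it's own" should be "itself", the `Last Modified: ... 2021` header is stale, and the rules are unindented inside the `profile ptp4l` block, unlike the other two profiles.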
diff --git a/debian/usr.sbin.timemaster b/debian/usr.sbin.timemaster
0new file mode 10064464new file mode 100644
index 0000000..b36fde0
--- /dev/null
+++ b/debian/usr.sbin.timemaster
@@ -0,0 +1,45 @@
1
2# vim:syntax=apparmor
3# Last Modified: Mon Sep 15 14:48:05 2024
4
5abi <abi/4.0>,
6include <tunables/global>
7
8profile timemaster /usr/sbin/timemaster {
9 #include <abstractions/base>
10 #include <abstractions/nameservice>
11
12 # To be able to kill child processes
13 capability kill,
14
15 # To be able to send the term signal
16 signal (send) set=(term),
17
18 # Runtime config files for timemaster
19 @{run}/timemaster/*.conf rw,
20 @{run}/timemaster/ rwk,
21
22 ## system files access
23
24 # RPi4 and RPi5 specific
25 @{sys}/devices/platform/axi/[0-9a-f]*.pcie/[0-9a-f]*.ethernet/net/*/ptp[0-9]*/ r,
26 @{sys}/devices/platform/axi/[0-9a-f]*.pcie/[0-9a-f]*.ethernet/net/*/ptp[0-9]*/n_vclocks rw,
27
28 # Generic arch's
29 @{sys}/ptp[0-9]+/ptp[0-9]* rw,
30 @{sys}/ptp[0-9]+/n_vclocks rw,
31 @{sys}/net/*/ptp[0-9]*/n_vclocks rw,
32
33 # Default location for config files
34 /etc/linuxptp/** r,
35 /etc/chrony/** r,
36 /etc/ntpsec/** r,
37
38 # Backend applications
39 # Px = exec to apparmor profile that matches executable name, with environment variable scrubbing
40 /usr/sbin/chronyd Px,
41 /usr/sbin/ntpd Px,
42 /usr/sbin/ptp4l Px,
43 /usr/sbin/phc2sys Px,
44
45}
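Review bot: the profile has no `#include <local/usr.sbin.timemaster>` line, yet d/rules runs `dh_apparmor --profile-name=usr.sbin.timemaster`, which creates that local file precisely so administrators can add site rules without editing the packaged profile; add the include before the closing brace as the other two profiles do. `@{sys}/ptp[0-9]+/ptp[0-9]* rw,` and `@{sys}/ptp[0-9]+/n_vclocks rw,` on lines 29 and 30 use `+`, which AppArmor globs treat as a literal character, so neither rule matches a directory named `ptp0`; `[0-9]*`, as used on line 31, is the intended form. Finally, the `Px` transitions on lines 40-43 require a loaded profile for the target binary: if chronyd or ntpd is installed on a system without one, the exec is denied rather than running unconfined, so that combination should be confirmed (or the fallback behaviour documented) before this leaves the devel release, which fits the extra testing already requested above.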
