[apparmor] AppArmor and ntpd

Jamie Strandboge jamie at canonical.com
Fri Dec 3 17:52:11 GMT 2010


On Fri, 2010-12-03 at 13:23 +0100, Martin Burnicki wrote:
> Hi all,
> 
> I've just subscribed to the list because of a bug report on openSUSE's
> bugzilla:
> https://bugzilla.novell.com/show_bug.cgi?id=230700
> 
> I'd just like to bring to your mind (or remind you) that an NTP daemon
> running as stratum-1 time server usually needs to access a hardware
> device it uses as reference time source. If a refclock is connected via
> a serial port then the device node can be something like /dev/ttyS*, but
> there are also PCI cards which come with their own driver providing special
> device nodes to let ntpd read the ref time directly from the PCI card.
> 
> For example, the PCI cards manufactured by the company I'm working for
> come with a driver which implements device nodes /dev/mbgclock*.
> 
> So it would be great if the names of such devices could easily be
> specified in an AppArmor profile for ntpd. AFAIK this is the case in the
> current implementation, but as said above, I just wanted to be sure this
> is kept in mind ... ;-)

This sounds like a possible deficiency in the profile on OpenSUSE. The
AppArmor profile in trunk has:
#include <tunables/ntpd>
/usr/sbin/ntpd {
...
  @{NTPD_DEVICE} rw,
...

This allows you to use /etc/apparmor.d/tunables/ntpd to adjust to the
device of your choosing.

-- 
Jamie Strandboge             | http://www.canonical.com
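
What the tunable-based rule quoted above grants once a site sets the variable, as an added example that is not part of the original message or of the AppArmor project's code. It assumes a tunables file listing the /dev/mbgclock* and /dev/ttyS* nodes mentioned in the thread, and it models only AppArmor's `*`, `**` and `?` globbing in simplified form.

```python
import re

# Constructed sample: a site-local /etc/apparmor.d/tunables/ntpd (assumed contents).
TUNABLES = '''
# refclock device nodes ntpd may open
@{NTPD_DEVICE}=/dev/mbgclock*
@{NTPD_DEVICE}+=/dev/ttyS*
'''

# The rule quoted from the trunk profile in the message above.
RULE = "@{NTPD_DEVICE} rw,"

def parse_tunables(text):
    """Collect @{VAR}=v1 v2 and @{VAR}+=v3 definitions into {name: [values]}."""
    variables = {}
    for line in text.splitlines():
        m = re.match(r'\s*@\{(\w+)\}\s*(\+?=)\s*(.*)$', line)
        if not m:
            continue  # comments and blank lines
        name, op, values = m.groups()
        vals = [v.strip('"') for v in values.split()]
        if op == "=":
            variables[name] = vals
        else:
            variables.setdefault(name, []).extend(vals)
    return variables

def expand_rule(rule, variables):
    """Return (path_glob, permissions) pairs, one per variable value."""
    path, perms = rule.rstrip(",").split()
    m = re.fullmatch(r'(.*)@\{(\w+)\}(.*)', path)
    if not m:
        return [(path, perms)]
    pre, name, post = m.groups()
    return [(pre + v + post, perms) for v in variables[name]]

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    out = ""
    for tok in re.findall(r'\*\*|\*|\?|.', glob):
        out += {"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok, re.escape(tok))
    return re.compile(out + r'\Z')

def allowed(path, rule=RULE, tunables=TUNABLES):
    """True if the expanded rule covers `path`."""
    globs = expand_rule(rule, parse_tunables(tunables))
    return any(glob_to_regex(g).match(path) for g, _ in globs)
```

Checking a few paths this way before reloading the profile shows whether the variable grants only the refclock nodes and nothing broader under /dev.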