[apparmor] AppArmor and ntpd

Steve Beattie steve at nxnw.org
Fri Dec 3 18:26:21 GMT 2010

On Fri, Dec 03, 2010 at 11:52:11AM -0600, Jamie Strandboge wrote:
> On Fri, 2010-12-03 at 13:23 +0100, Martin Burnicki wrote:
> > Hi all,

Hi Martin, welcome to the list. Thanks for raising the issue.

> > I've just subscribed to the list because of a bug report on openSUSE's
> > bugzilla:
> > https://bugzilla.novell.com/show_bug.cgi?id=230700
> > 
> > I'd just like to bring to your mind (or remind you) that an NTP daemon
> > running as stratum-1 time server usually needs to access a hardware
> > device it uses as reference time source. If a refclock is connected via
> > a serial port then the device node can be something like /dev/ttyS*, but
> > there are also PCI cards which come with an own driver providing special
> > device nodes to let ntpd read the ref time directly from the PCI card.
> > 
> > For examples, the PCI cards manufactured by the company I'm working for
> > come with a driver which implements device nodes /dev/mbgclock*.
> > 
> > So It would be great if the names of such devices could easily be
> > specified in an AppArmor profile for ntpd. AFAIK this is the case in the
> > current implementation, but as said above, I just wanted to be sure this
> > is kept in mind ... ;-)
> This sounds like a possible deficiency in the profile on OpenSUSE. The
> AppArmor profile in trunk has:
> #include <tunables/ntpd>
> /usr/sbin/ntpd {
> ...
>   @{NTPD_DEVICE} rw,
> ...
> This allows you to use /etc/apparmor.d/tunables/ntpd to adjust to the
> device of your choosing.

Right, as was pointed out in
https://bugzilla.novell.com/show_bug.cgi?id=230700#c12.
To expand on the comment, though, the tunable variables can hold
multiple values, such that defining:

  @{NTPD_DEVICE}="/dev/tty10" /dev/mbgclock* /dev/some_other_mfctr_devices*

will cause

  @{NTPD_DEVICE} rw,

to allow read and write access to all three sets of devices.

I think the important question that Martin is asking is whether we
think it's appropriate to include /dev/mbgclock* in the default
tunable field in the distributed profile set. IMO, considering that
it's a much more specialized device path than /dev/ttyS*, which the
original referenced bugzilla report was asking about, I think it's
a reasonable thing to include, as well as documentation explaining
how to add additional devices to the tunable.

As an aside, looking at what our existing ntpd tunable has, we already
allow /dev/tty10. It looks like it got added in response to novell
bugzilla bugs 433368 or 402693, which I'm not privileged enough
to view.  Christian, do you have access to those bugs to clarify the
justification for it? I really don't like it as a default, though I'll
admit it's far less likely that /dev/tty10 will be used by anything
else, unlike /dev/ttyS*.

Steve Beattie
<sbeattie at ubuntu.com>
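The multi-valued tunable expansion described in the mail above, as an added Python model (not AppArmor's parser and not code from the thread): it reads a constructed tunables fragment and profile rule, fans `@{NTPD_DEVICE} rw,` out into one rule per value, and checks which device paths end up readable and writable under AppArmor's globbing, where a single `*` does not cross `/`. The `+=` append form for variables is handled as well, which goes beyond what the mail shows.

```python
import re

# Constructed tunables and profile-body fragments, modelled on the lines quoted in the mail.
TUNABLES = '@{NTPD_DEVICE}="/dev/tty10" /dev/mbgclock* /dev/some_other_mfctr_devices*\n'
PROFILE_RULES = '@{NTPD_DEVICE} rw,\n/etc/ntp.conf r,\n'

VAR_DEF = re.compile(r'^\s*@\{(\w+)\}\s*(\+?=)\s*(.*)$')  # @{NAME}=v1 v2  or  @{NAME}+=v3
RULE = re.compile(r'^\s*(\S+)\s+([a-z]+),\s*$')          # <path or variable> <perms>,

def parse_tunables(text):
    """Return {name: [values]}; '+=' appends to an already defined variable."""
    variables = {}
    for line in text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            name, op, rhs = m.groups()
            values = [v.strip('"') for v in rhs.split()]
            if op == '=':
                variables[name] = values
            else:
                variables.setdefault(name, []).extend(values)
    return variables

def expand_rules(rules_text, variables):
    """Expand '<path> <perms>,' rules: a multi-valued variable yields one rule per value."""
    expanded = []
    for m in filter(None, map(RULE.match, rules_text.splitlines())):  # skip non-rule lines
        path, perms = m.groups()
        paths = [path]
        for name, values in variables.items():
            token = '@{' + name + '}'
            # Fan out over every value; a path without the token passes through unchanged.
            paths = [p.replace(token, v) for p in paths for v in (values if token in p else [''])]
        expanded.extend((p, perms) for p in paths)
    return expanded

def glob_to_regex(pattern):
    """AppArmor globbing: '**' may cross '/', '*' and '?' may not."""
    table = {'**': '.*', '*': '[^/]*', '?': '[^/]'}
    parts = re.split(r'(\*\*|\*|\?)', pattern)
    return re.compile('^' + ''.join(table.get(p) or re.escape(p) for p in parts) + '$')

def permissions_for(expanded, path):
    """Union of permission letters from every expanded rule whose glob matches path."""
    perms = set()
    for rule_path, rule_perms in expanded:
        if glob_to_regex(rule_path).match(path):
            perms.update(rule_perms)
    return ''.join(sorted(perms))
```

Running `permissions_for` over the expanded rules shows /dev/mbgclock0 and /dev/tty10 get `rw` while /dev/ttyS0 gets nothing, which is the narrowing Steve argues for.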