[apparmor] [patch] Allow ntpd to read directory listings of $PATH

Christian Boltz apparmor at cboltz.de
Tue Aug 25 12:16:14 UTC 2015


For some (unclear) reason, ntpd reads the directory listings of
directories in $PATH (/bin/, /sbin, /usr/bin, ...).

Note that I have no idea why it does that - insights welcome ;-)
Also, ntpd seems to work without those permissions, so we might want
to change the added rule to "deny".

[ profiles-ntpd-path-dirlist.diff ]

=== modified file 'profiles/apparmor.d/usr.sbin.ntpd'
--- profiles/apparmor.d/usr.sbin.ntpd   2015-05-18 23:20:49 +0000
+++ profiles/apparmor.d/usr.sbin.ntpd   2015-08-25 12:02:18 +0000
@@ -37,6 +37,7 @@
   /etc/ntpd.conf.tmp r,
   /tmp/ntp* rwl,
+  /{usr/,usr/local/,}{s,}bin/ r,
   /usr/sbin/ntpd rmix,
   /var/lib/ntp/drift rwl,
   /var/lib/ntp/drift.TEMP rwl,
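Review bot: given the cover text's own observation that ntpd works without this access and that the reason for the reads is unknown, the added line `/{usr/,usr/local/,}{s,}bin/ r,` should be a `deny` rule rather than an allow, i.e. `deny /{usr/,usr/local/,}{s,}bin/ r,`, which silences the audit noise without widening the profile and records the decision in the profile itself. Note also that the brace expansion grants listing of six directories (/bin/, /sbin/, /usr/bin/, /usr/sbin/, /usr/local/bin/, /usr/local/sbin/), and the trailing slash limits it to the directory entries themselves, not the files inside; that scope is worth stating in the commit message so a later reader does not mistake it for a blanket read on those trees.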


Christian Boltz
> Be aware that a s390x / and most ppc64 are not a smart phones
> nor net books.
They just don't fit into the pocket. :)
[> Dr. Werner Fink and Kay Sievers in opensuse-factory]