Package: chrony
Version: 3.2-1
Severity: wishlist
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu bionic ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * add AppArmor profile for /usr/sbin/chronyd:
    - add debian/usr.sbin.chronyd AppArmor profile
    - debian/control: Build-Depends on dh-apparmor
    - debian/dirs: create etc/apparmor.d/force-complain
    - debian/install: install debian/usr.sbin.chronyd
    - debian/preinst: force-complain on upgrade before this version
    - debian/rules: install apparmor profile with dh_apparmor

Thanks for considering the patch. For Debian, all you would need to do is update
the version in preinst to the version which ships the AppArmor profile.

-- System Information:
Debian Release: stretch/sid
  APT prefers artful-updates
  APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-25-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru chrony-3.2/debian/control chrony-3.2/debian/control
--- chrony-3.2/debian/control   2017-11-04 10:47:42.000000000 -0500
+++ chrony-3.2/debian/control   2018-01-22 13:48:29.000000000 -0600
@@ -12,7 +12,8 @@
  pps-tools (>= 0.20120406+g0deb9c7e-2) [linux-any],
  libseccomp-dev (>= 2.2.3-3~) [amd64 arm64 armel armhf hppa i386 mips mipsel 
mips64el powerpc powerpcspe ppc64 ppc64el s390x x32],
  pkg-config,
- asciidoctor (>= 1.5.3-1~)
+ asciidoctor (>= 1.5.3-1~),
+ dh-apparmor
 Homepage: https://chrony.tuxfamily.org
 Vcs-Git: https://anonscm.debian.org/git/collab-maint/chrony.git
 Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/chrony.git
diff -Nru chrony-3.2/debian/dirs chrony-3.2/debian/dirs
--- chrony-3.2/debian/dirs      2017-11-04 10:47:42.000000000 -0500
+++ chrony-3.2/debian/dirs      2018-01-22 13:25:51.000000000 -0600
@@ -1,3 +1,4 @@
+etc/apparmor.d/force-complain
 etc/chrony
 etc/logrotate.d
 etc/NetworkManager/dispatcher.d
diff -Nru chrony-3.2/debian/install chrony-3.2/debian/install
--- chrony-3.2/debian/install   2017-11-04 10:47:42.000000000 -0500
+++ chrony-3.2/debian/install   2018-01-20 03:20:50.000000000 -0600
@@ -1 +1,2 @@
 debian/chrony.conf    usr/share/chrony
+debian/usr.sbin.chronyd etc/apparmor.d
diff -Nru chrony-3.2/debian/preinst chrony-3.2/debian/preinst
--- chrony-3.2/debian/preinst   1969-12-31 18:00:00.000000000 -0600
+++ chrony-3.2/debian/preinst   2018-01-22 13:48:21.000000000 -0600
@@ -0,0 +1,31 @@
+#!/bin/sh
+# preinst script for chrony
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# targets: install|upgrade|abort-upgrade
+
+case "$1" in
+    upgrade)
+        APP_PROFILE="usr.sbin.chronyd"
+        APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+        APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
+        # force-complain on upgrade from pre-shipped profile
+        if dpkg --compare-versions "$2" lt "3.2-1ubuntu1" ; then
+            mkdir -p `dirname "$APP_COMPLAIN"` 2>/dev/null || true
+            ln -sf "$APP_CONFFILE" "$APP_COMPLAIN"
+        fi
+    ;;
+
+    install|abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+exit 0
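Review bot: the cut-off in `dpkg --compare-versions "$2" lt "3.2-1ubuntu1"` is Ubuntu-specific and must become the first Debian version that ships the profile; an upgrade from an older Debian revision such as 3.2-2 sorts above 3.2-1ubuntu1, so it would skip the force-complain symlink and land straight in enforce mode with no complain-mode grace period. Two smaller points: `mkdir -p \`dirname "$APP_COMPLAIN"\` 2>/dev/null || true` swallows a real mkdir failure that then surfaces only as the unguarded `ln -sf` aborting the upgrade under `set -e`; prefer `$(dirname ...)` over backticks and drop the `2>/dev/null || true` so the failure is reported where it happens. It is also worth saying in the comment that the symlink keeps the profile in complain mode until the admin removes it, since nothing in this script ever reverts it.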
diff -Nru chrony-3.2/debian/rules chrony-3.2/debian/rules
--- chrony-3.2/debian/rules     2017-11-04 10:47:42.000000000 -0500
+++ chrony-3.2/debian/rules     2018-01-22 13:15:52.000000000 -0600
@@ -27,6 +27,7 @@
        install -m 0640 -t $(BASE)/usr/share/chrony/ debian/chrony.keys
        install -m 0755 -T examples/chrony.nm-dispatcher 
$(BASE)/etc/NetworkManager/dispatcher.d/20-chrony
        install -m 0644 -T examples/chrony.logrotate 
$(BASE)/etc/logrotate.d/chrony
+       dh_apparmor --profile-name=usr.sbin.chronyd -pchrony
 
 override_dh_fixperms:
        dh_fixperms -X usr/share/chrony/chrony.keys
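Review bot: `dh_apparmor --profile-name=usr.sbin.chronyd -pchrony` only generates the maintainer-script snippets (the profile file itself is installed by debian/install), so it has to run before dh_installdeb; it does here as the last line of the install override, but a one-line comment saying so would keep a later refactor from moving it. The profile name must also stay in sync with the file name in debian/install and the path inside the profile, otherwise the generated postinst would find no profile to load.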
diff -Nru chrony-3.2/debian/usr.sbin.chronyd chrony-3.2/debian/usr.sbin.chronyd
--- chrony-3.2/debian/usr.sbin.chronyd  1969-12-31 18:00:00.000000000 -0600
+++ chrony-3.2/debian/usr.sbin.chronyd  2018-01-20 03:20:00.000000000 -0600
@@ -0,0 +1,39 @@
+# Last Modified: Sat Jan 20 10:45:05 2018
+#include <tunables/global>
+
+/usr/sbin/chronyd (attach_disconnected) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability sys_time,
+  capability net_bind_service,
+  capability setuid,
+  capability setgid,
+
+  /usr/sbin/chronyd mr,
+
+  /etc/chrony/{,**} r,
+  /run/chronyd.pid w,
+  /run/chrony/{,*} rw,
+  /var/lib/chrony/{,*} r,
+  /var/lib/chrony/* w,
+  /var/log/chrony/{,*} r,
+  /var/log/chrony/* w,
+
+  # rtc
+  /etc/adjtime r,
+  /dev/rtc{,[0-9]*} r,
+
+  # gps devices
+  /dev/pps[0-9]* r,
+  /dev/ptp[0-9]* r,
+
+  # For use with clocks that report via shared memory (e.g. gpsd),
+  # you may need to give ntpd access to all of shared memory, though
+  # this can be considered dangerous. See https://launchpad.net/bugs/722815
+  # for details. To enable, add this to local/usr.sbin.chronyd:
+  #     capability ipc_owner,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.chronyd>
+}
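Review bot: the comment in the shared-memory block says "give ntpd access" but this profile confines chronyd; it reads as copied from the ntp profile, so change it to chronyd (the `capability ipc_owner` advice itself still applies to chrony's SHM refclock). Otherwise the rule set is tight: four capabilities, the binary itself `mr`, the config tree read-only, and writes limited to /run/chrony, the pid file and the drift/log directories. Two things to check before enforcing: no explicit `network` rule appears, so chronyd's UDP sockets must be covered by abstractions/nameservice; an explicit `network inet dgram,` / `network inet6 dgram,` pair would document the intent and survive changes to that abstraction. And `/var/lib/chrony/{,*} r` plus `/var/lib/chrony/* w` (same for /var/log/chrony) can be written as one `rw` rule on the files; not a bug, just easier to audit.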
