Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1034519: chrony: AppArmor profile denies creation of chrony.ppsX.sock
87 views
Skip to first unread message
Ryan Govostes
Apr 17, 2023, 11:00:04 AM4/17/23
to
Package: chrony
Version: 4.3
Severity: normal
X-Debbugs-Cc: rgov...@gmail.com
Dear Maintainer,
gpsd and chronyd can communicate via domain sockets such as /var/run/chrony.ttyS0.sock. chronyd creates the sockets and gpsd connects to them.
However, the AppArmor profile for chronyd is too strict; it only allows the creation of sockets for tty devices, and not pps devices.
@{run}/chrony.tty{,*}.sock rw,
The corresponding rules on the gpsd profile are:
/{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
/tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
Could these be relaxed to allow /var/run/chrony.*.sock?
Ryan
-- System Information:
Debian Release: 11.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: armhf (armv7l)
Kernel: Linux 5.15.49-linuxkit (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_RANDSTRUCT
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages chrony depends on:
ii adduser 3.118
ii init-system-helpers 1.60
pn iproute2 <none>
ii libc6 2.31-13+deb11u3
pn libcap2 <none>
pn libedit2 <none>
ii libgnutls30 3.7.1-5
ii libnettle8 3.7.3-1
ii libseccomp2 2.5.1-1+deb11u1
ii tzdata 2021a-1+deb11u3
pn ucf <none>
chrony recommends no packages.
Versions of packages chrony suggests:
pn dnsutils <none>
pn networkd-dispatcher <none>
Version: 4.3
Severity: normal
X-Debbugs-Cc: rgov...@gmail.com
Dear Maintainer,
gpsd and chronyd can communicate via domain sockets such as /var/run/chrony.ttyS0.sock. chronyd creates the sockets and gpsd connects to them.
However, the AppArmor profile for chronyd is too strict; it only allows the creation of sockets for tty devices, and not pps devices.
@{run}/chrony.tty{,*}.sock rw,
The corresponding rules on the gpsd profile are:
/{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
/tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
Could these be relaxed to allow /var/run/chrony.*.sock?
Ryan
-- System Information:
Debian Release: 11.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: armhf (armv7l)
Kernel: Linux 5.15.49-linuxkit (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_RANDSTRUCT
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages chrony depends on:
ii adduser 3.118
ii init-system-helpers 1.60
pn iproute2 <none>
ii libc6 2.31-13+deb11u3
pn libcap2 <none>
pn libedit2 <none>
ii libgnutls30 3.7.1-5
ii libnettle8 3.7.3-1
ii libseccomp2 2.5.1-1+deb11u1
ii tzdata 2021a-1+deb11u3
pn ucf <none>
chrony recommends no packages.
Versions of packages chrony suggests:
pn dnsutils <none>
pn networkd-dispatcher <none>
Vincent Blut
Apr 17, 2023, 3:20:06 PM4/17/23
to
Control: severity -1 important
Control: tags -1 moreinfo
Hi Ryan,
Le 2023-04-17 14:54, Ryan Govostes a écrit :
> Package: chrony
> Version: 4.3
> Severity: normal
> X-Debbugs-Cc: rgov...@gmail.com
>
> Dear Maintainer,
>
> gpsd and chronyd can communicate via domain sockets such as /var/run/chrony.ttyS0.sock. chronyd creates the sockets and gpsd connects to them.
>
> However, the AppArmor profile for chronyd is too strict; it only allows the creation of sockets for tty devices, and not pps devices.
>
> @{run}/chrony.tty{,*}.sock rw,
Indeed, this rule is too restrictive…
> The corresponding rules on the gpsd profile are:
>
> /{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
> /tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
>
> Could these be relaxed to allow /var/run/chrony.*.sock?
…This might be too permissive though. Could you please tell me if changing the
rule to "@{run}/chrony{,.clk}.{tty,pps}*.sock rw," meets your need?
> Ryan
Cheers,
Vincent
P.S: run "apparmor_parser -r /etc/apparmor.d/usr.sbin.chronyd" after modifying
the profile.
Control: tags -1 moreinfo
Hi Ryan,
Le 2023-04-17 14:54, Ryan Govostes a écrit :
> Package: chrony
> Version: 4.3
> Severity: normal
> X-Debbugs-Cc: rgov...@gmail.com
>
> Dear Maintainer,
>
> gpsd and chronyd can communicate via domain sockets such as /var/run/chrony.ttyS0.sock. chronyd creates the sockets and gpsd connects to them.
>
> However, the AppArmor profile for chronyd is too strict; it only allows the creation of sockets for tty devices, and not pps devices.
>
> @{run}/chrony.tty{,*}.sock rw,
> The corresponding rules on the gpsd profile are:
>
> /{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
> /tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
>
> Could these be relaxed to allow /var/run/chrony.*.sock?
rule to "@{run}/chrony{,.clk}.{tty,pps}*.sock rw," meets your need?
> Ryan
Cheers,
Vincent
P.S: run "apparmor_parser -r /etc/apparmor.d/usr.sbin.chronyd" after modifying
the profile.
Vincent Blut
Apr 28, 2023, 9:00:04 AM4/28/23
to
Le 2023-04-17 20:45, Vincent Blut a écrit :
> Control: severity -1 important
> Control: tags -1 moreinfo
>
> Hi Ryan,
>
> Le 2023-04-17 14:54, Ryan Govostes a écrit :
> > Package: chrony
> > Version: 4.3
> > Severity: normal
> > X-Debbugs-Cc: rgov...@gmail.com
> >
> > Dear Maintainer,
> >
> > gpsd and chronyd can communicate via domain sockets such as /var/run/chrony.ttyS0.sock. chronyd creates the sockets and gpsd connects to them.
> >
> > However, the AppArmor profile for chronyd is too strict; it only allows the creation of sockets for tty devices, and not pps devices.
> >
> > @{run}/chrony.tty{,*}.sock rw,
>
> Indeed, this rule is too restrictive…
>
> > The corresponding rules on the gpsd profile are:
> >
> > /{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
> > /tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
> >
> > Could these be relaxed to allow /var/run/chrony.*.sock?
>
> …This might be too permissive though. Could you please tell me if changing the
> rule to "@{run}/chrony{,.clk}.{tty,pps}*.sock rw," meets your need?
Any update on this Ryan?
> Control: severity -1 important
> Control: tags -1 moreinfo
>
> Hi Ryan,
>
> Le 2023-04-17 14:54, Ryan Govostes a écrit :
> > Package: chrony
> > Version: 4.3
> > Severity: normal
> > X-Debbugs-Cc: rgov...@gmail.com
> >
> > Dear Maintainer,
> >
> > gpsd and chronyd can communicate via domain sockets such as /var/run/chrony.ttyS0.sock. chronyd creates the sockets and gpsd connects to them.
> >
> > However, the AppArmor profile for chronyd is too strict; it only allows the creation of sockets for tty devices, and not pps devices.
> >
> > @{run}/chrony.tty{,*}.sock rw,
>
> Indeed, this rule is too restrictive…
>
> > The corresponding rules on the gpsd profile are:
> >
> > /{,var/}run/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
> > /tmp/chrony.tty{,S,USB,AMA}[0-9]*.sock rw,
> >
> > Could these be relaxed to allow /var/run/chrony.*.sock?
>
> …This might be too permissive though. Could you please tell me if changing the
> rule to "@{run}/chrony{,.clk}.{tty,pps}*.sock rw," meets your need?
Cheers,
Vincent
Ryan Govostes
Apr 29, 2023, 3:20:05 PM4/29/23
to
Sorry, I didn't receive your original e-mail.
The proposed rule would be fine, but I don't see why /run/chrony*.sock
would be too permissive. The "chrony" prefix would be sufficient to
ensure that it is not possible to maliciously configure chrony to
control a path that "belongs" to another piece of software. The user
may want to use their own device naming scheme, like /dev/serial0
(used on Raspberry Pi OS) or /dev/gps0, which would be prohibited by
the more strict rule.
The only other example from the chrony.conf documentation is
"bindcmdaddress /var/run/chrony/chronyd.sock" (used for the chronyc
tool to issue commands to the daemon) but that's just an example, not
a default.
Ryan
The proposed rule would be fine, but I don't see why /run/chrony*.sock
would be too permissive. The "chrony" prefix would be sufficient to
ensure that it is not possible to maliciously configure chrony to
control a path that "belongs" to another piece of software. The user
may want to use their own device naming scheme, like /dev/serial0
(used on Raspberry Pi OS) or /dev/gps0, which would be prohibited by
the more strict rule.
The only other example from the chrony.conf documentation is
"bindcmdaddress /var/run/chrony/chronyd.sock" (used for the chronyc
tool to issue commands to the daemon) but that's just an example, not
a default.
Ryan
0 new messages