sonic-buildimage/files/image_config/ntp
arheneus@marvell.com e88c7d11ca
[ntp][apparmor] Allow apparmor read permission for ntpd under rw mount path of rootfs (#6040)
Certain platform-specific packages (sonic-platform-xyz) install files onto the rootfs, which would be placed on the read-write mount path at /host/image-name/rw/...
When ntpd starts, it tries to do read access on /usr/bin, /usr/sbin/ and /usr/local/bin, which in turn link further to the read-write mount path as well.
There ntpd would get the AppArmor warning message below.

LOG:-
audit: type=1400 audit(1606226503.240:21): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/local/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:22): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/sbin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:23): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Fix:
Add rw/.. mount path similar to root path access provided for ntpd in /etc/apparmor.d/usr.sbin.ntpd

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2020-12-18 04:57:35 -08:00
ntp [ntp]: modified ntp script to hide the error related to cfggen (#3745) 2019-11-14 00:06:54 -08:00
ntp-apparmor [ntp][apparmor] Allow apparmor read permission for ntpd under rw mount path of rootfs (#6040) 2020-12-18 04:57:35 -08:00
ntp-config.service [ntp]: NTP service ordering (#6115) 2020-12-04 08:49:20 -08:00
ntp-config.sh [ntp]: NTP service ordering (#6115) 2020-12-04 08:49:20 -08:00
ntp-systemd-wrapper [ntp] add ntp support in buster with mgmt vrf (#55) 2020-04-17 04:51:51 +00:00
ntp.conf.j2 [ntp]: Add "tinker panic 0" in ntp.conf to avoid ntpd from panic (#4263) 2020-03-21 18:50:12 -07:00