sonic-buildimage/files
arheneus@marvell.com e88c7d11ca
[ntp][apparmor] Allow apparmor read permission for ntpd under rw mount path of rootfs (#6040)
Certain platform-specific packages (sonic-platform-xyz) install files onto the rootfs, which would be placed on the read-write mount path at /host/image-name/rw/...
When ntpd starts, it tries to do read access on /usr/bin, /usr/sbin/ and /usr/local/bin, which in turn link further to the read-write mount path as well.
There ntpd would get the AppArmor warning messages below.

Log:
audit: type=1400 audit(1606226503.240:21): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/local/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:22): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/sbin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:23): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Fix:
Add the rw/.. mount path, similar to the root path access provided for ntpd in /etc/apparmor.d/usr.sbin.ntpd.

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2020-12-18 04:57:35 -08:00
Aboot [Arista] Update driver submodules (#6151) 2020-12-08 11:17:28 -08:00
apt [build]: add buster docker as the last step of the build proces 2020-04-16 10:26:18 +00:00
build_scripts [Python] Align files in root dir, dockers/ and files/ with PEP8 standards (#6109) 2020-12-03 15:57:50 -08:00
build_templates [build_templates]: Start SNMP timer after SWSS service (#6195) 2020-12-16 16:39:14 -08:00
dhcp ZTP infrastructure changes to support DHCP discovery provisioning data (#3298) 2019-12-10 08:16:56 -08:00
docker Enabling ipv6 support on docker container network. This is needed (#5418) 2020-09-22 08:32:17 -07:00
image_config [ntp][apparmor] Allow apparmor read permission for ntpd under rw mount path of rootfs (#6040) 2020-12-18 04:57:35 -08:00
initramfs-tools [NVMe] Add NVMe SSD disc type support to installer.sh script (#6142) 2020-12-09 19:03:27 -08:00
scripts In modular chassis, add CHASSIS_STATE_DB on control card (#5624) 2020-12-15 17:15:00 -08:00
sshd [sshd]: Create /run/sshd under systemd using RuntimeDirectory 2020-04-17 04:51:51 +00:00