sonic-buildimage/files/image_config
arheneus@marvell.com fc1295bdcc [ntp][apparmor] Allow apparmor read permission for ntpd under rw mount path of rootfs (#6040)
Certain platform-specific packages (sonic-platform-xyz) install files onto rootfs, which are placed on the read-write mount path under /host/image-name/rw/...
When ntpd starts, it tries to do read access on /usr/bin, /usr/sbin/ and /usr/local/bin, which in turn link further to the read-write mount path as well.
ntpd then gets the AppArmor warning messages below.

LOG:-
audit: type=1400 audit(1606226503.240:21): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/local/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:22): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/sbin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:23): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Fix:
Add rw/.. mount path similar to root path access provided for ntpd in /etc/apparmor.d/usr.sbin.ntpd

Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2022-10-16 05:42:35 +00:00
apt [build]: SONiC buildimage ARM arch support (#2980) 2019-07-25 22:06:41 -07:00
bash [baseimage]: Increase TMOUT for serial port connections to 15 minutes (#3032) 2019-06-19 00:16:01 -07:00
caclmgrd [multi-asic] Enhanced iptable default rules (#6765) 2021-02-25 18:39:43 -08:00
config-setup Add service to restore TACACS from old config (#7560) (#7865) 2021-06-15 10:52:31 -07:00
constants [bgpcfgd]: Fixes for BBR (#5956) 2020-11-19 10:42:42 -08:00
corefile_uploader corefile uploader: Updates per review comments offline (#3915) 2019-12-31 14:42:01 -08:00
cron.d [core_cleanup] Fix issue where core_cleanup job runs too frequently (#3659) 2019-10-23 15:55:47 -07:00
ebtables [ebtbles] Replace binary config file to text config file for ebtables (#5252) 2021-01-27 16:57:41 -08:00
environment [201911] Change submodule path from Azure to sonic-net (#12313) 2022-10-12 21:07:22 +08:00
fstrim [baseimage]: Add fstrim service and fstrim timer by default (#2804) 2019-04-21 14:21:16 -07:00
hostcfgd hostcfgd: Handle missed tacacs updates between load & listen (#8223) 2021-08-06 10:38:37 -07:00
hostname [hostname-config] improve hostname-config process (#3676) 2019-10-29 08:30:27 -07:00
interfaces [interfaces] Reduce Calls to SONiC Cfggen (#5174) 2020-12-22 09:51:54 -08:00
kubernetes [baseimage]: Install Kubernetes packages if enabled in image (#4374) (#4432) 2020-04-16 21:54:45 -07:00
logrotate [Multi Asic] support of swss.rec and sairedis.rec for multi asic (#6310) 2021-01-27 17:12:32 -08:00
misc Fix to remove the import of APIClient (#5724) 2020-10-27 08:32:37 -07:00
monit Invoke disk check periodically (#7374) 2021-11-19 16:45:21 -08:00
ntp [ntp][apparmor] Allow apparmor read permission for ntpd under rw mount path of rootfs (#6040) 2022-10-16 05:42:35 +00:00
platform [baseimage]: Updates for Ebtables and support for multi-asic (#6542) 2021-01-27 16:59:10 -08:00
procdockerstatsd [201911][procdockerstatsd] fix typo for variable name (#7183) 2021-03-29 19:22:03 -07:00
process-reboot-cause [201911] Add hardware reboot cause when software reboot failed (#11753) 2022-08-25 12:30:53 -07:00
rsyslog Move frr logs from syslog to /var/log/frr/*.log (#5988) 2020-12-22 10:53:16 -08:00
snmp mvrf_avoid_snmp_yml_config: made changes to pass SNMP config from con… (#4057) 2020-02-03 15:38:38 -08:00
sudoers Fix vtysh shell-ingestion security issue (#8022) 2021-06-30 19:34:55 +08:00
sysctl Set sock rx Buf size to 3MB. (#5566) 2020-11-24 11:21:56 -08:00
syslog [baseimage]: /host unmount timeout issue during reboot. (#5032) 2020-08-09 10:38:33 -07:00
systemd [services] Restart SwSS service upon unexpected critical process exit (#2845) 2019-05-01 08:02:38 -07:00
topology [multi-asic][vs]: Update topology script to retrieve hwsku from minigraph (#6219) 2021-02-25 18:42:44 -08:00
updategraph [platform] Add Support For Environment Variable File (#5010) 2020-09-28 21:14:39 +00:00
warmboot-finalizer [warm boot finalizer] only wait for enabled components to reconcile (#6454) 2022-03-31 12:01:25 -07:00
watchdog-control Add disabling HW watchdog during boot for fast-reboot and warm-reboot (#4927) 2020-08-09 11:25:31 -07:00