[ntp][apparmor] Allow apparmor read permission for ntpd under rw mount path of rootfs (sonic-net#6040)

Certain platform-specific packages (sonic-platform-xyz) install files onto rootfs, which are placed on the read-write mount path at /host/image-name/rw/...
When ntpd starts it tries to read /usr/bin, /usr/sbin/ and /usr/local/bin, which in turn link further to the read-write mount path as well.
ntpd then gets the AppArmor warning messages below.

LOG:-
audit: type=1400 audit(1606226503.240:21): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/local/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:22): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/sbin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1606226503.240:23): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Fix:
Add the rw/.. mount path, similar to the root path access already provided for ntpd in /etc/apparmor.d/usr.sbin.ntpd

Signed-off-by: Antony Rheneus <[email protected]>
antony-rheneus authored Dec 18, 2020
1 parent 54681f1 commit e88c7d1
Showing 2 changed files with 10 additions and 0 deletions.
1 change: 1 addition & 0 deletions build_debian.sh
@@ -192,6 +192,7 @@ echo '[INFO] Install docker'
## Install apparmor utils since they're missing and apparmor is enabled in the kernel
## Otherwise Docker will fail to start
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apparmor
sudo cp files/image_config/ntp/ntp-apparmor $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.sbin.ntpd
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apt-transport-https \
ca-certificates \
curl \
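Review bot: The destination of the new `sudo cp` line, `$FILESYSTEM_ROOT/etc/apparmor.d/local/usr.sbin.ntpd`, does not match the path the commit message names (`/etc/apparmor.d/usr.sbin.ntpd`); please align the message with the diff, since the `local/` file is the site override that the packaged ntpd profile includes, not the profile itself. Two things to confirm for this hunk: that `/etc/apparmor.d/local/` already exists in the chroot immediately after the `apt-get -y install apparmor` line above (otherwise the `cp` fails), and that whichever later step installs the ntp package does not replace the pre-copied override. Using `sudo install -D -m 644 files/image_config/ntp/ntp-apparmor $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.sbin.ntpd` would cover the missing-directory case.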
9 changes: 9 additions & 0 deletions files/image_config/ntp/ntp-apparmor
@@ -0,0 +1,9 @@
# Apparmor configuration
# /etc/apparmor.d/local/usr.sbin.ntpd

# Allow read access to "rw" mount path of fs.squashfs
# Eg: /host/image-HEAD-sonic.../rw/usr/sbin
/**/{,s}bin/ r,
/**/usr/{,s}bin/ r,
/**/usr/local/{,s}bin/ r,

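Review bot: The three rules are far wider than the comment above them describes: `**` in an AppArmor path glob matches across `/`, so `/**/{,s}bin/ r,` grants directory read on every `bin/` or `sbin/` directory anywhere in the tree, not only under the image's rw mount. The denied names quoted in the commit message all begin with `/image-…/rw/` (note they carry no `/host/` prefix, unlike the example path in the comment), so anchoring the rules to that prefix, e.g. `/image-*/rw/{,s}bin/ r,`, `/image-*/rw/usr/{,s}bin/ r,` and `/image-*/rw/usr/local/{,s}bin/ r,`, would clear the logged denials without loosening the profile elsewhere. The trailing `/` with `r` only permits listing the directory, not reading files inside it, which matches the directory read access the commit message describes, so the permission level itself is right.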