From e88c7d11cae12a4973eca4f1ca9f4b4ba9facd71 Mon Sep 17 00:00:00 2001 From: "arheneus@marvell.com" <51254330+antony-rheneus@users.noreply.github.com> Date: Fri, 18 Dec 2020 18:27:35 +0530 Subject: [PATCH] [ntp][apparmor] Allow apparmor read permission for ntpd under rw mount path of rootfs (#6040) Certain platform specific packages sonic-platform-xyz, installs files onto rootfs, which would be placed on read-write mount path on /host/image-name/rw/... when ntpd starts it tries to do read access on /usr/bin /usr/sbin/ /usr/local/bin , which inturn links further to the read-write mount path also. Where ntpd would get below Apparmor Warning message LOG:- audit: type=1400 audit(1606226503.240:21): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/local/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 audit: type=1400 audit(1606226503.240:22): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/sbin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 audit: type=1400 audit(1606226503.240:23): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/image-HEAD-dirty-20201111.173951/rw/usr/bin/" pid=3733 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Fix: Add rw/.. mount path similar to root path access provided for ntpd in /etc/apparmor.d/usr.sbin.ntpd Signed-off-by: Antony Rheneus
---
build_debian.sh | 1 + files/image_config/ntp/ntp-apparmor | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 files/image_config/ntp/ntp-apparmor
diff --git a/build_debian.sh b/build_debian.sh
index ed5f38bb2bb2..4838d3c87796 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -192,6 +192,7 @@ echo '[INFO] Install docker'
 ## Install apparmor utils since they're missing and apparmor is enabled in the kernel
 ## Otherwise Docker will fail to start
 sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apparmor
+sudo cp files/image_config/ntp/ntp-apparmor $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.sbin.ntpd
 sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apt-transport-https \
     ca-certificates \
     curl \
diff --git a/files/image_config/ntp/ntp-apparmor b/files/image_config/ntp/ntp-apparmor
new file mode 100644
index 000000000000..78edef66a51f
--- /dev/null
+++ b/files/image_config/ntp/ntp-apparmor
@@ -0,0 +1,9 @@
+# Apparmor configuration
+# /etc/apparmor.d/local/usr.sbin.ntpd
+
+  # Allow read access to "rw" mount path of fs.squashfs
+  # Eg: /host/image-HEAD-sonic.../rw/usr/sbin
+  /**/{,s}bin/ r,
+  /**/usr/{,s}bin/ r,
+  /**/usr/local/{,s}bin/ r,
+
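Review bot: The added `cp` only has an effect if the stock `/etc/apparmor.d/usr.sbin.ntpd` profile `#include`s `local/usr.sbin.ntpd`, and nothing in this file says so; the commit message even names the main profile as the place being fixed, so a reader will not know why the override lands in `local/`. A one-line comment above the copy would make the dependency explicit: `## ntpd override: Debian's usr.sbin.ntpd profile #includes <local/usr.sbin.ntpd>, so extra rules go there`. Whether the ntp package is already installed at this point in the build is not visible in the hunk; if it is installed later and ships this path, confirm that its postinst leaves an existing file untouched rather than prompting or overwriting it. Quoting `"$FILESYSTEM_ROOT"` would also be the safer form, though the surrounding lines leave it unquoted too.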
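Review bot: The rule `/**/{,s}bin/ r,` grants ntpd read (directory listing) on every directory named `bin/` or `sbin/` anywhere on the filesystem, not just under the image's `rw/` overlay that the comment and the denial log describe; and because `**` spans `/`, the two rules that follow (`/**/usr/{,s}bin/` and `/**/usr/local/{,s}bin/`) are already matched by the first and add nothing. Anchoring the pattern to the overlay path keeps the fix least-privilege and collapses the three rules into one, e.g. `/{,host/}image-*/rw/{,usr/,usr/local/}{,s}bin/ r,`. The denials quoted in the commit message show the path as `/image-HEAD-.../rw/...` while the comment here says `/host/image-...`, so confirm which form AppArmor actually sees on the target before dropping either alternative from the brace.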