Apparmor profile for chronyd needs to allow creation of /var/run/chrony.tty*.sock

Hi Mark,
thanks for the report - we only discussed with peers about gpsd via shm so far.
The rule for that would be too open which is why it is disabled with a comment in the apparmor profile atm.

For gpsd via tty I'd have expected all chrony files in /var/run/chrony/... as most of them are in general, which is why we have the rule:
  /{,var/}run/chrony/{,*} rw,
Similar for /var/log and /var/lib

But the path you mention is obviously outside that rule :-/
I realized this is a free-form config entry for the refclock and one "could" set /var/run/chrony/..., but I've also seen that the example in man chrony.conf is exactly the path that you are reporting, like:
  refclock SOCK /var/run/chrony.ttyS0.sock

After your report of this example being "outside" the usual paths I wanted to make sure there are no similar examples we hit in just a few weeks. So I read through the man page and found a few more.

Overall I found:
  # Support all paths suggested in the man page (LP: #1771028). Assume these
  # are common use cases; others should be set as local include (see below).
  # Configs using a 'chrony.' prefix like the tempcomp config file example
  /etc/chrony.* r,
  # Example gpsd socket is outside /{,var/}run/chrony/
  /{,var/}run/chrony.tty{,*}.sock rw,
  # To sign replies to MS-SNTP clients by the smbd daemon
  /var/lib/samba/ntp_signd rw,

Lets (try to) combine that with a merge (unless it is complex and would stall this fix) of the most recent chrony as there was a new release way into our Feature Freeze and from there SRU to Bionic.

Summary:
- most common cases were covered by generic rules for lib/log/run and device paths already
- the suggested new rule is fine (Thanks!)
- the new use case (due to the man page pointing there) is expected to be common as well
- now that we spotted this lets look at similar cases to fix all at once

P.S. @Mark - if you find other issues due to using GPSD or other less common options please let me know as well.

FYI (as I wondered if we had GPSD rules already) we adressed some of the HW-access issues already in bug 1751241 , but those are not the same, so no conflict going forward with this bug.

For SRU later note steps to reproduce:

Trigger #1 - add to chrony conf a line like:
  refclock SOCK /var/run/chrony.ttyS0.sock
(does not need gpsd to really attach, so no special HW needed)

See Deny in dmesg:
[929890.257312] audit: type=1400 audit(1526282225.749:636): apparmor="DENIED" operation="mknod" namespace="root//lxd-b_<var-snap-lxd-common-lxd>" profile="/usr/sbin/chronyd" name="/run/chrony.ttyS0.sock" pid=13991 comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
See Error on socket bind:
  chronyd[19700]: Fatal error : bind() failed

Trigger #2 - add to chrony conf a line like:
  tempcomp /sys/class/hwmon/hwmon0/temp2_input 30 /etc/chrony.tempcomp
(does not need real temp sensor, so no special HW needed)

See Deny in dmesg:
[930097.115771] audit: type=1400 audit(1526282432.609:639): apparmor="DENIED" operation="open" namespace="root//lxd-b_<var-snap-lxd-common-lxd>" profile="/usr/sbin/chronyd" name="/etc/chrony.tempcomp" pid=14651 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=114 ouid=0
See Error:
  May 14 07:20:32 b chronyd[19765]: Fatal error : Could not open tempcomp point file /etc/chrony.tempcomp
(Once fixed this init is passed, for a fully working temperature compensation you'd need special HW of course)

Trigger #3 - add to chrony conf a line like:
  ntpsigndsocket /var/lib/samba/ntp_signd
On Init you see:
  chronyd[19797]: MS-SNTP authentication enabled
In samba ntp_signd is part of the default services and /var/lib/samba/ntp_signd is the default path (See man smb.conf).
This would need a rather complex samba setup to fully trigger, but we can follow the man pages on that. From that one has to learn that the path is actually a dir, so adapt that to be:
  # To sign replies to MS-SNTP clients by the smbd daemon
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,
I'd avoid the smb setup for now and trust the man pages - further more we had the same rule for ntp (actually with a wrong path as it seems in very old bug 930266)

All issues gone with the suggested rules - making it part of the merge proposal as suggested.

Thanks Christian. The SOCK method is a much more accurate (apparently) way for chrony and gpsd to communicate. I do think we need to lock gpsd down as well but that's a separate issue.

The Debian maintainer works closely with us on chrony, so I suggested the change I came up with to him as well - linked up as Debian bug tasks.

This bug was fixed in the package chrony - 3.3-2ubuntu1

---------------
chrony (3.3-2ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable (LP: #1771061). Remaining changes:
    - d/chrony.conf: use ubuntu ntp pool and server (LP 1744664)
    - Set -x as default if unable to set time (e.g. in containers) (LP: 1589780)
      Chrony is a single service which acts as both NTP client (i.e. syncing the
      local clock) and NTP server (i.e. providing NTP services to the network),
      and that is both desired and expected in the vast majority of cases.
      But in containers syncing the local clock is usually impossible, but this
      shall not break the providing of NTP services to the network.
      To some extent this makes chrony's default config more similar to 'ntpd',
      which complained in syslog but still provided NTP server service in those
      cases.
      - debian/chrony.service: allow the service to run without CAP_SYS_TIME
      - debian/control: add new dependency libcap2-bin for capsh (usually
        installed anyway, but make them explicit to be sure).
      - debian/chrony.default: new option SYNC_IN_CONTAINER to not fall back
        (Default off).
      - debian/chronyd-starter.sh: wrapper to handle special cases in containers
        and if CAP_SYS_TIME is missing. Effectively allows to run NTP server in
        containers on a default installation and avoid failing to sync time (or
        if allowed to sync, avoid multiple containers to fight over it by
        accident).
      - debian/install: make chronyd-starter.sh available on install.
      - debian/docs, debian/README.container: provide documentation about the
        handling of this case.
    - d/postrm: re-establish systemd-timesyncd on removal (LP: 1764357)
    - Notify chrony to update sources in response to systemd-networkd
      events (LP: 1718227)
      - d/links: link dispatcher script to networkd-dispatcher events routable
        and off
      - d/control: set Recommends to networkd-dispatcher
      - d/p/lp-1718227-nm-dispatcher-for-networkd.patch
  * Dropped changes
    - debian/usr.sbin.chronyd: ensure RTC/GPS usage isn't blocked by apparmor
      (LP: 1751241) (in Debian now)
    - debian/usr.sbin.chronyd: add cap net_admin for hwtimestamp (LP: 1761327)
      (in Debian now)
    - d/p/lp1589780-sys_linux-don-t-keep-CAP_SYS_TIME-with-x-option.patch:
      When dropping the root privileges, don't try to keep the CAP_SYS_TIME
      capability if the -x option was enabled. This allows chronyd to be
      started without the capability (e.g. in containers) and also drop the
      root privileges (This is upstream now).
    - d/p/lp-1718227-ignore-non-up-down-events-in-nm-dispatcher.patch (This is
      upstream now).
    - d/control: switch to nss instead of tomcrypt (Debian switched to nettle
      which is in main, so we can drop this)
  * Added changes
    - debian/README.container: fix typos

chrony (3.3-2) unstable; urgency=medium

  * debian/chrony.service:
    - Conflict with ntp.service.

  * debian/control:
    - Bump standard-version to 4.1.4 (no changes required).
    - Switch to the Nettle cryptographic library for hash funct...

With Bionic being an LTS and rather new, even this being "just" a config file entry I think we should provide that to Bionic.
I'm prepping an SRU upload ...

Added a SRU Template and an MP [1] for the SRU changes.

[1]: https://code.launchpad.net/~paelzer/ubuntu/+source/chrony/+git/chrony/+merge/346740

Hello Mark, or anyone else affected,

Accepted chrony into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/chrony/3.2-4ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

root@b:~# echo "refclock SOCK /var/run/chrony.ttyS0.sock" >> /etc/chrony/chrony.conf
root@b:~# systemctl restart chrony
Job for chrony.service failed because the control process exited with error code.
See "systemctl status chrony.service" and "journalctl -xe" for details.

Hitting denies like:

[1790155.225877] audit: type=1400 audit(1527142484.030:1791): apparmor="DENIED" operation="mknod" namespace="root//lxd-b_<var-snap-lxd-common-lxd>" profile="/usr/sbin/chronyd" name="/run/chrony.ttyS0.sock" pid=27371 comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Upgrade works fine, and denies are gone with the version from proposed.

# apt install chrony
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
The following packages will be upgraded:
  chrony
1 upgraded, 0 newly installed, 0 to remove and 23 not upgraded.
Need to get 203 kB of archives.
After this operation, 1024 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 chrony amd64 3.2-4ubuntu4.1 [203 kB]
Fetched 203 kB in 0s (1255 kB/s)
(Reading database ... 28548 files and directories currently installed.)
Preparing to unpack .../chrony_3.2-4ubuntu4.1_amd64.deb ...
Unpacking chrony (3.2-4ubuntu4.1) over (3.2-4ubuntu4) ...
Processing triggers for ureadahead (0.100.0-20) ...
Setting up chrony (3.2-4ubuntu4.1) ...
Installing new version of config file /etc/apparmor.d/usr.sbin.chronyd ...
...

Atfer this I have
root@b:~# systemctl status chrony
● chrony.service - chrony, an NTP client/server
   Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-05-24 06:17:30 UTC; 1min 22s ago
     Docs: man:chronyd(8)
           man:chronyc(1)
           man:chrony.conf(5)
  Process: 2594 ExecStartPost=/usr/lib/chrony/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
  Process: 2587 ExecStart=/usr/lib/systemd/scripts/chronyd-starter.sh $DAEMON_OPTS (code=exited, status=0/SUCCESS)
 Main PID: 2593 (chronyd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/chrony.service
           └─2593 /usr/sbin/chronyd -x

May 24 06:17:30 b systemd[1]: Starting chrony, an NTP client/server...
May 24 06:17:30 b chronyd-starter.sh[2587]: Warning: Missing cap_sys_time, syncing the system clock will fail
May 24 06:17:30 b chronyd-starter.sh[2587]: Warning: Running in a container, likely impossible and unintended to sync system clock
May 24 06:17:30 b chronyd-starter.sh[2587]: Adding -x as fallback disabling control of the system clock, see /usr/share/doc/chrony/README.containe
May 24 06:17:30 b chronyd[2593]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -DE
May 24 06:17:30 b chronyd[2593]: Disabled control of system clock
May 24 06:17:30 b chronyd[2593]: Frequency 1.521 +/- 34.520 ppm read from /var/lib/chrony/chrony.drift
May 24 06:17:30 b systemd[1]: Started chrony, an NTP client/server.
May 24 06:17:38 b chronyd[2593]: Selected source...

This bug was fixed in the package chrony - 3.2-4ubuntu4.1

---------------
chrony (3.2-4ubuntu4.1) bionic; urgency=medium

  * debian/usr.sbin.chronyd:
    - Support all paths suggested in the man page.
    (LP: #1771028, Closes: #898614)

 -- Christian Ehrhardt <email address hidden> Wed, 23 May 2018 16:22:13 +0200

The verification of the Stable Release Update for chrony has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.