[pkg-apparmor] [PATCH 2/6] Add a profile for ntpd.

Felix Geyer fgeyer at debian.org
Fri Aug 29 21:19:21 UTC 2014


---
 debian/README.Debian   |  1 +
 debian/copyright       | 22 ++++++++++++++
 profiles/tunables/ntpd | 15 ++++++++++
 profiles/usr.sbin.ntpd | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 119 insertions(+)
 create mode 100644 profiles/tunables/ntpd
 create mode 100644 profiles/usr.sbin.ntpd

diff --git a/debian/README.Debian b/debian/README.Debian
index dff1813..be043e9 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -8,6 +8,7 @@ Included profiles
 - Totem: taken from the apparmor-profiles repository at revision 134.
 - tcpdump: taken from Ubuntu's tcpdump 4.5.1-2ubuntu2.
 - irssi: taken from the apparmor-profiles repository at revision 132.
+- ntpd: taken from Ubuntu's ntp 1:4.2.6.p5+dfsg-3ubuntu2.
 
 Sources
 =======
diff --git a/debian/copyright b/debian/copyright
index a514356..c9b2ead 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -25,6 +25,11 @@ Files: profiles/usr.sbin.tcpdump
 Copyright: 2008-2014 AppArmor developers <apparmor at lists.ubuntu.com>
 License: GPL-2+
 
+Files: profiles/usr.sbin.ntpd profiles/tunables/ntpd
+Copyright: 2002-2005 Novell/SUSE
+           2009-2012 Canonical Ltd.
+License: GPL-2
+
 License: GPL-2+
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@@ -42,3 +47,20 @@ License: GPL-2+
  .
  On Debian systems, the complete text of the GNU General
  Public License can be found in `/usr/share/common-licenses/GPL-2'.
+
+License: GPL-2
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of version 2 of the GNU General Public License as
+ published by the Free Software Foundation.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License can be found in `/usr/share/common-licenses/GPL-2'.
diff --git a/profiles/tunables/ntpd b/profiles/tunables/ntpd
new file mode 100644
index 0000000..1fc2d8f
--- /dev/null
+++ b/profiles/tunables/ntpd
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2011 Canonical, Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#Add your ntpd devices here eg. if you have a DCF clock
+# @{NTPD_DEVICE}="/dev/ttyS1"
+@{NTPD_DEVICE}="/dev/null"
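Review bot: The comment above the tunable is terse and does not state the security intent: the default `/dev/null` exists so that the profile's `@{NTPD_DEVICE} rw` rule grants no real device until an administrator opts in. A slightly fuller header would save the next maintainer from "fixing" the default, e.g. `# Reference-clock device ntpd may open read/write. Defaults to /dev/null so the` / `# profile grants no hardware device until you set one, e.g. "/dev/ttyS1" for a DCF77 receiver.` The spacing of `#Add your ntpd devices here eg.` would also be worth normalising to the `# ` style used in the rest of the file.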
diff --git a/profiles/usr.sbin.ntpd b/profiles/usr.sbin.ntpd
new file mode 100644
index 0000000..48e8d7a
--- /dev/null
+++ b/profiles/usr.sbin.ntpd
@@ -0,0 +1,81 @@
+# vim:syntax=apparmor
+# Updated for Ubuntu by: Jamie Strandboge <jamie at canonical.com>
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2009-2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+#include <tunables/ntpd>
+/usr/sbin/ntpd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  capability ipc_lock,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+  capability sys_resource,
+  capability sys_time,
+  capability sys_nice,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+
+  @{PROC}/net/if_inet6 r,
+  @{PROC}/*/net/if_inet6 r,
+  @{NTPD_DEVICE} rw,
+
+  /{,s}bin/      r,
+  /usr/{,s}bin/  r,
+  /usr/sbin/ntpd rmix,
+
+  /etc/ntp.conf r,
+  /etc/ntp.conf.dhcp r,
+  /etc/ntpd.conf r,
+  /etc/ntpd.conf.tmp r,
+  /var/lib/ntp/ntp.conf.dhcp r,
+
+  /etc/ntp.keys r,
+  /etc/ntp/** r,
+
+  /etc/ntp.drift rwl,
+  /etc/ntp.drift.TEMP rwl,
+  /etc/ntp/drift* rwl,
+  /var/lib/ntp/*drift rw,
+  /var/lib/ntp/*drift.TEMP rw,
+
+  /var/log/ntp w,
+  /var/log/ntp.log w,
+  /var/log/ntpd w,
+  /var/log/ntpstats/clockstats* rwl,
+  /var/log/ntpstats/loopstats*  rwl,
+  /var/log/ntpstats/peerstats*  rwl,
+  /var/log/ntpstats/protostats* rwl,
+  /var/log/ntpstats/rawstats*   rwl,
+  /var/log/ntpstats/sysstats*   rwl,
+
+  /{,var/}run/ntpd.pid w,
+
+  # samba4 ntp signing socket
+  /{,var/}run/samba/ntp_signd/socket rw,
+
+  # For use with clocks that report via shared memory (e.g. gpsd),
+  # you may need to give ntpd access to all of shared memory, though
+  # this can be considered dangerous. See https://launchpad.net/bugs/722815
+  # for details. To enable, add this to local/usr.sbin.ntpd:
+  #     capability ipc_owner,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.sbin.ntpd>
+}
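Review bot: The capability list at the top of the profile carries no why-comments, so a reader cannot tell which grants are essential and which depend on how the daemon is started; given that `setuid`, `setgid` and `sys_chroot` together are the dangerous half of the list, I would document them, e.g. `# setuid/setgid/sys_chroot: presumably only needed when ntpd is run with -u and -i (drop privileges, chroot)` and `# sys_time: required to step/slew the system clock; ipc_lock/sys_resource/sys_nice: mlockall and scheduling tweaks`. Those attributions are inferred from ntpd's behaviour rather than from anything in the hunk, so please confirm against the daemon options the package actually uses. The drift and statistics rules (`/etc/ntp.drift rwl`, `/var/log/ntpstats/*stats* rwl`) grant link permission as well as write; a one-line comment on why `l` is needed (the `.TEMP` rename dance, I assume) would make that explicit. The log rules `/var/log/ntp w`, `/var/log/ntp.log w`, `/var/log/ntpd w` could likely be `a` (append-only) if ntpd does not truncate its log, which would limit a compromised daemon to appending rather than rewriting history — worth checking rather than changing blindly.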
-- 
2.1.0



