On 2025-03-29 10:09, Martin Maney wrote:
> On Thu, 10 Oct 2024 16:41:36 +0200 Vincent Blut <vincent.deb...@free.fr>
> wrote:
>
> Sorry, I never saw this back in October - just came across it when I
> checked on the bug at bugs.debian.
>
> > As you correctly pointed out, AppArmor is not able to follow symlinks,
>
> AppArmor is, as was so often said back before it was shoved down our
> throats, unable to do many things an actual security blanket needs to
> do. Except for getting in the way of legitimate access. :-(
>
> > @{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_input r,
>
> > This should allow chronyd to read most temperature sensors without
> > having to override the AppArmor profile.
>
> No, it won't. Perhaps on most recent desktop machines, maybe laptops
> as well, but SBCs can have the sensor in a number of more obscure
> places.

Could you please name those "obscure places"? In your bug report, the path of the temperature sensor seems to be '/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon1/temp1_input' which should be covered by the aforementioned rule.

In the meantime, I further relaxed the rule related to temperature sensors:
https://salsa.debian.org/debian/chrony/-/commit/7a16f71c8b2b383f5bc5d6e5fc62c76111ca274e

Cheers,
Vincent
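A way to check a sensor path against the rule quoted in this thread, as an added example that is not part of the original message or of the chrony packaging. It models only the `*`, `**`, `?` and `[...]` globs from apparmor.d(5), and assumes `@{sys}` expands to `/sys/` as in the stock tunables and that the rule is matched against the symlink-resolved path; `glob_to_regex`, `rule_covers` and the `/sys/class` sample path are hypothetical names and data constructed here.

```python
import os
import re

# Assumption: @{sys} expands to /sys/ as in the stock AppArmor tunables.
VARIABLES = {"@{sys}": "/sys/"}

def glob_to_regex(rule_path):
    """Translate an AppArmor path glob into a regex (no {a,b} alternation)."""
    for name, value in VARIABLES.items():
        rule_path = rule_path.replace(name, value)
    rule_path = re.sub(r"/{2,}", "/", rule_path)  # collapse "//" left by expansion
    out, i = [], 0
    while i < len(rule_path):
        c = rule_path[i]
        if rule_path.startswith("**", i):
            out.append(".*")        # ** may cross directory boundaries
            i += 2
        elif c == "*":
            out.append("[^/]*")     # * stays inside one path component
            i += 1
        elif c == "?":
            out.append("[^/]")      # ? is one character, never "/"
            i += 1
        elif c == "[":
            end = rule_path.index("]", i + 1)
            out.append(rule_path[i:end + 1])  # character class passes through
            i = end + 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out))

def rule_covers(rule_path, file_path, resolve=False):
    """True if the rule matches file_path. resolve=True canonicalises symlinks
    first (assumption: the profile is checked against the resolved path)."""
    if resolve:
        file_path = os.path.realpath(file_path)
    return glob_to_regex(rule_path).fullmatch(file_path) is not None

RULE = "@{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_input"
# Path quoted from the bug report in the message above.
REPORTED = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon1/temp1_input"
# Constructed sample: the same sensor named through the /sys/class symlink view.
CLASS_VIEW = "/sys/class/hwmon/hwmon1/temp1_input"

if __name__ == "__main__":
    for path in (REPORTED, CLASS_VIEW):
        verdict = "covered" if rule_covers(RULE, path) else "not covered"
        print(f"{path} -> {verdict}")
```

On the machine that has the sensor, calling `rule_covers(RULE, path, resolve=True)` with the path configured for chronyd shows whether the resolved location falls under the rule.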