On 2/13/19 11:44 AM, Achim Gratz via devel wrote:
> Richard Laager via devel writes:
>> FWIW, I don't enable seccomp in the Debian package. It seems like a lot
>> of risk of breakage. We have an Apparmor policy, from Novell/SUSE by way
>> of Ubuntu for the ntp (NTP Classic) package.
>
> Just a word of caution: this AppArmor policy is geared towards an NTP
> client and you will need to do some (poorly documented) configuration
> changes when configuring a server so the daemon can get at the device
> files for the refclock.
Indeed, a couple of changes can be necessary. README.Debian has these bits:

    If your ntpd configuration needs access to a device (e.g. a local DCF
    clock), you need to add this device to:

        /etc/apparmor.d/tunables/ntpd

    For use with clocks that report via shared memory (e.g. gpsd), you may
    need to give ntpd access to all of shared memory, though this can be
    considered dangerous. See https://launchpad.net/bugs/722815 for
    details. To enable, add this to /etc/apparmor.d/local/usr.sbin.ntpd:

        capability ipc_owner,

--
Richard
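A small check for the two README.Debian changes quoted above, added here as an example rather than anything from the thread or the Debian package. It takes the refclock device path and the paths of the tunables and local-override files as arguments; the `@{NTPD_DEVICE}="..."` tunables syntax in the comments is an assumption about the Debian profile, so adjust the match if yours differs.

```shell
#!/bin/sh
# Added example: audit an ntpd AppArmor setup for the two refclock-related
# changes README.Debian describes. Works on any copy of the files, so it can
# be run against a staging tree before touching /etc/apparmor.d.

# ntpd_aa_check DEVICE TUNABLES_FILE LOCAL_OVERRIDE_FILE
# Prints one line per missing change. Exit status is the number of missing
# changes (0 = both present), so it can drive a config-management assertion.
ntpd_aa_check() {
    dev="$1"; tunables="$2"; local_override="$3"
    missing=0

    # Change 1: a serial/PPS refclock device must be listed in tunables/ntpd
    # (assumed form: @{NTPD_DEVICE}="/dev/ttyS0"). A literal path match is
    # enough to tell whether the administrator ever added it.
    if ! grep -qF "$dev" "$tunables" 2>/dev/null; then
        echo "missing: $dev is not listed in $tunables"
        missing=$((missing + 1))
    fi

    # Change 2: shared-memory refclocks (gpsd) need 'capability ipc_owner,'
    # in the local override. CAP_IPC_OWNER bypasses ownership checks on all
    # System V IPC objects, not just gpsd's segment, which is why the README
    # calls it dangerous; reporting it keeps that grant an explicit decision.
    if ! grep -qE '^[[:space:]]*capability[[:space:]]+ipc_owner,' \
            "$local_override" 2>/dev/null; then
        echo "missing: 'capability ipc_owner,' is not in $local_override"
        missing=$((missing + 1))
    fi

    return "$missing"
}
```

After editing the real files, `apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd` reloads the profile; this script only reports, it never writes.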