So what happens is this:
1. ntp verifies its options
2. the binary name is always included, so we get a verify in libopts like
   validate_struct (opts=opts@entry=0x55a84db841e0 <ntpdOptions>,
   pname=0x7fff724dd836 "/usr/sbin/ntpd")
3. if opts->pzProgName is not set, validate_struct will check for the binary
   through paths
4. it calls pathfind, which looks through all of PATH
5. there it uses opendir and wants to enumerate things (to find the prog)

If path does not include forbidden dirs, the error is nonexistent.
So the denial is really low severity - although it partially is stupid
programming as it is not really needed.

I wonder if we should add an allow or even a deny rule to just silence
it?

Since this only happens in later ntp versions, an upstream change might
have dropped opts->pzProgName somehow to now trigger.
** Changed in: ntp (Ubuntu)
Status: New => Confirmed
** Changed in: ntp (Ubuntu)
Importance: Undecided => Low
--
https://bugs.launchpad.net/bugs/1741227
Title:
apparmor denial to several paths to binaries
Status in ntp package in Ubuntu:
Confirmed
Bug description:
Issue shows up (non fatal) as:
apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd"
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd"
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
fsuid=0 ouid=0
Since non crit this is mostly about many of us being curious why it
actually does do it :-)
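
Added example (not part of the bug report or of ntp/libopts): a small triage script that separates denials matching the PATH enumeration described in the comment above from any other denial, so a silencing rule is only considered for the former. The PATH value, the function names and the third log line are assumptions made for illustration.

```python
import re

# key=value pairs as they appear in AppArmor audit messages; values may be quoted
_PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_denial(line):
    """Return the fields of one audit line as a dict, or None if it is not a denial."""
    fields = {k: (q if raw.startswith('"') else raw) for k, raw, q in _PAIR.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def is_path_scan(fields, path_env):
    """True for a read-only open of a directory that is itself an entry of PATH."""
    name = fields.get("name", "")
    path_dirs = {d.rstrip("/") for d in path_env.split(":") if d}
    return (
        fields.get("operation") == "open"
        and fields.get("denied_mask") == "r"
        and name.endswith("/")  # directories carry a trailing slash, as in the report
        and name.rstrip("/") in path_dirs
    )

def triage(lines, path_env):
    """Split denied names into (path_scan, other)."""
    scan, other = [], []
    for line in lines:
        fields = parse_denial(line)
        if fields is None:
            continue
        (scan if is_path_scan(fields, path_env) else other).append(fields.get("name", ""))
    return scan, other

# Assumed PATH of the ntpd process (not stated in the report)
SAMPLE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SAMPLE_LOG = [
    # the two denials from the bug description, each joined onto one line
    'apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # constructed line: a write denial that must not be treated as PATH-scan noise
    'apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=23933 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    scan, other = triage(SAMPLE_LOG, SAMPLE_PATH)
    print("PATH enumeration (low severity):", scan)
    print("needs a closer look:", other)
```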