So what happens is this:

1. ntp verifies its options
2. the binary name is always included, so we get a verify in libopts like validate_struct (opts=opts@entry=0x55a84db841e0 <ntpdOptions>, pname=0x7fff724dd836 "/usr/sbin/ntpd")
3. if opts->pzProgName is not set validate_struct will check for the binary through paths
4. it calls pathfind which looks through all of PATH
5. there it uses opendir and wants to enumerate things (to find the prog)
If path does not include forbidden dirs the error is non-existing. So the denial is really low severity - although it partially is stupid programming as it is not really needed. I wonder if we should add an allow or even a deny rule to just silence it? Since this only happens in later ntp versions an upstream change might have dropped opts->pzProgName somehow to now trigger.

** Changed in: ntp (Ubuntu)
Status: New => Confirmed

** Changed in: ntp (Ubuntu)
Importance: Undecided => Low

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1741227

Title: apparmor denial to several paths to binaries
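The lookup pattern behind the denial, as an added example that is not ntp or libopts code: the first function models pathfind as described above (opendir() on every PATH entry to look for the program name), which is why a confined ntpd needs read access on each directory in PATH; the second does the same job with a direct stat() on each candidate and touches no directory at all. The PATH strings and program names used in the test are constructed for the demo.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
/* pathfind-style lookup (modelled on the page's description, not libopts
 * source): opendir() each PATH entry and scan it for prog. Every directory
 * gets read, so a confined process needs 'r' on all of them or AppArmor
 * logs a DENIED for that directory even when prog lives elsewhere.
 * Returns 1 when found; *opened counts directories actually enumerated. */
int find_by_enumeration(const char *path, const char *prog,
                        char *out, size_t outlen, int *opened) {
    char *copy = strdup(path), *save = NULL;
    struct dirent *e;
    int found = 0;
    *opened = 0;
    for (char *dir = strtok_r(copy, ":", &save); dir && !found;
         dir = strtok_r(NULL, ":", &save)) {
        DIR *d = opendir(dir);       /* the call that trips the profile */
        if (!d) continue;            /* EACCES here is the logged denial */
        (*opened)++;
        while ((e = readdir(d)) != NULL)
            if (strcmp(e->d_name, prog) == 0) {
                snprintf(out, outlen, "%s/%s", dir, prog);
                found = 1;
                break;
            }
        closedir(d);
    }
    free(copy);
    return found;
}
/* Minimal alternative: stat() dir/prog directly. Only the candidate file is
 * touched, so no directory read permission is involved at all. */
int find_by_stat(const char *path, const char *prog,
                 char *out, size_t outlen, int *opened) {
    char *copy = strdup(path), *save = NULL;
    struct stat st;
    int found = 0;
    *opened = 0;                     /* never opens a directory */
    for (char *dir = strtok_r(copy, ":", &save); dir && !found;
         dir = strtok_r(NULL, ":", &save)) {
        snprintf(out, outlen, "%s/%s", dir, prog);
        found = (stat(out, &st) == 0 && S_ISREG(st.st_mode));
    }
    if (!found) out[0] = '\0';
    free(copy);
    return found;
}
```

Running both against the same PATH shows the difference directly: the enumerating version opens every readable directory it visits, the stat version opens none, and both resolve the same file.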