# vim:syntax=apparmor
# Last Modified: Sun Sep 05 16:48:05 2021
abi <abi/3.0>,
#include <tunables/global>
/usr/sbin/chronyd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # For /run/chrony to be created
  capability chown,
  # Give “root” the ability to read and write the PID file
  capability dac_override,
  capability dac_read_search,
  # Needed to support HW timestamping
  capability net_admin,
  # Needed to allow NTP server sockets to be bound to a privileged port
  capability net_bind_service,
  # Needed to allow an NTP socket to be bound to a device using the
  # SO_BINDTODEVICE socket option on kernels before 5.7
  capability net_raw,
  # Needed to drop privileges
  capability setgid,
  capability setuid,
  # Needed to set the SCHED_FIFO real-time scheduler at the specified priority
  # using the '-P' option
  capability sys_nice,
  # Needed to lock chronyd into RAM
  capability sys_resource,
  # Needed to set the system/real-time clock
  capability sys_time,

  /usr/sbin/chronyd mr,
  /etc/chrony/{,**} r,
  /var/lib/chrony/{,*} rw,
  /var/log/chrony/{,*} rw,
  @{run}/chrony/{,*} rw,
  @{run}/chrony-dhcp/{,*} r,

  # Using the “tempcomp” directive gives chronyd the ability to improve
  # the stability and accuracy of the clock by compensating the temperature
  # changes measured by a sensor close to the oscillator.
  @{sys}/**/hwmon[0-9]*/temp[0-9]*_input r,

  # Support all paths suggested in the man page (LP: #1771028). Assume these
  # are common use cases; others should be set as local include (see below).
  # Configs using a 'chrony.' prefix like the tempcomp config file example
  /etc/chrony.* r,
  # Example gpsd socket is outside @{run}/chrony/
  @{run}/chrony.*.sock rw,
  # To sign replies to MS-SNTP clients by the smbd daemon
  /var/lib/samba/ntp_signd/socket rw,
  # Default path of the socket to sync with ptp4l
  @{run}/refclock.ptp.sock rw,

  # rtc
  /etc/adjtime r,
  /dev/rtc{,[0-9]*} rw,

  # gps devices
  /dev/pps[0-9]* rw,
  /dev/ptp[0-9]* rw,

  # Allow reading the chronyd configuration file that timemaster(8)
  # generates, along with any other config files and sockets.
  @{run}/timemaster/* r,
  # Allow read-write access to the socket path(s).
  @{run}/timemaster/chrony.SOCK[0-9]* rw,

  # Allow systemd Type=notify using sd_notify's $NOTIFY_SOCKET
  @{run}/systemd/notify w,

  # For use with clocks that report via shared memory (e.g. gpsd),
  # you may need to give ntpd access to all of shared memory, though
  # this can be considered dangerous. See https://launchpad.net/bugs/722815
  # for details. To enable, add this to local/usr.sbin.chronyd:
  # capability ipc_owner,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.chronyd>
}
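Triage of AppArmor `DENIED` audit lines against the profile above, as an added Python example that is not part of the profile or of the chrony project: it compiles the profile's path globs into regexes, tells a stale on-disk profile (the path is already allowed, so reload with apparmor_parser) apart from a genuinely missing rule, and flags the ipc_owner capability the comment warns about. It assumes the default `@{run}` and `@{sys}` values from tunables/global, constructed sample log lines, and that commas in globs occur only inside braces.

```python
import re

VARS = {"@{run}": "/run/", "@{sys}": "/sys/"}  # tunables/global defaults (assumed)
# File rules and capabilities copied from the chronyd profile above
FILE_RULES = {"/etc/chrony/{,**}": "r", "/var/lib/chrony/{,*}": "rw",
              "@{run}/chrony/{,*}": "rw", "@{run}/chrony-dhcp/{,*}": "r",
              "/etc/chrony.*": "r", "/dev/rtc{,[0-9]*}": "rw",
              "@{sys}/**/hwmon[0-9]*/temp[0-9]*_input": "r"}
CAPS = {"chown", "dac_override", "dac_read_search", "net_admin", "net_bind_service",
        "net_raw", "setgid", "setuid", "sys_nice", "sys_resource", "sys_time"}
# Constructed audit lines in AppArmor's key=value format (not real chronyd output)
SAMPLE = [
    'apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/run/chrony/chronyd.pid" requested_mask="w" denied_mask="w"',
    'apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" capname="ipc_owner"',
    'apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/chrony.d/extra.conf" requested_mask="r" denied_mask="r"',
]

# Glob tokens -> regex: * stops at '/', ** crosses it, {a,b} alternates, [...] is kept
TOKEN = re.compile(r"\*\*|\*|\{|,|\}|\[[^\]]*\]|.")
MAP = {"**": ".*", "*": "[^/]*", "{": "(?:", ",": "|", "}": ")"}

def aa_glob(glob):
    """Compile an AppArmor path glob from the profile into an anchored regex."""
    for var, val in VARS.items():
        glob = glob.replace(var, val)
    glob = re.sub("/+", "/", glob)  # AppArmor collapses doubled slashes
    body = "".join(MAP.get(t, t if t.startswith("[") else re.escape(t))
                   for t in TOKEN.findall(glob))
    return re.compile("^" + body + "$")

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def triage(line):
    """None for lines that are not chronyd denials; ("stale", why) when the on-disk
    profile already allows it (reload it); ("add", rule) for local/usr.sbin.chronyd."""
    f = {k: v.strip('"') for k, v in KV.findall(line)}
    if f.get("apparmor") != "DENIED" or f.get("profile") != "/usr/sbin/chronyd":
        return None
    if f.get("operation") == "capable":
        cap = f["capname"]
        if cap in CAPS:
            return ("stale", f"capability {cap} is already in the profile")
        risk = "  # grants access to all shared memory" if cap == "ipc_owner" else ""
        return ("add", f"capability {cap},{risk}")
    path, mask = f["name"], f["requested_mask"]
    for glob, perm in FILE_RULES.items():
        if aa_glob(glob).match(path) and set(mask) <= set(perm):
            return ("stale", f"{path} already matches '{glob} {perm},'")
    return ("add", f"{path} {mask},")
```

Run `triage()` over lines taken from `journalctl -k` or `/var/log/audit/audit.log`; only the "add" results belong in local/usr.sbin.chronyd, and each should be checked against the least-privilege intent of the comments above before it is added.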