From 72ba36f411c5bed1d0f755c4b34af31d46b4060a Mon Sep 17 00:00:00 2001 From: Charles Johnson Date: Thu, 24 Oct 2013 15:11:36 -0700 Subject: [PATCH] Author: Scott Lampert - Add fix for ntp.leapseconds apparmor error Fixes [COOK-3023] --- README.md | 23 +++----- attributes/default.rb | 2 + files/default/usr.sbin.ntpd.apparmor | 83 ++++++++++++++++++++++++++++ recipes/apparmor.rb | 30 ++++++++++ recipes/default.rb | 2 + spec/unit/attributes_spec.rb | 12 ++++ spec/unit/recipes/apparmor_spec.rb | 16 ++++++ spec/unit/recipes/default_spec.rb | 4 ++ 8 files changed, 158 insertions(+), 14 deletions(-) create mode 100644 files/default/usr.sbin.ntpd.apparmor create mode 100644 recipes/apparmor.rb create mode 100644 spec/unit/recipes/apparmor_spec.rb diff --git a/README.md b/README.md index 9c91d698..d3e3ab3a 100644 --- a/README.md +++ b/README.md 
@@ -27,15 +27,15 @@ Attributes ### Recommended tunables * `ntp['servers']` - (applies to NTP Servers and Clients) -- Array, should be a list of upstream NTP servers that will be considered authoritative by the local NTP daemon. The local NTP daemon will act as a client, adjusting local time to match time data retrieved from the upstream NTP servers. + - Array, should be a list of upstream NTP servers that will be considered authoritative by the local NTP daemon. The local NTP daemon will act as a client, adjusting local time to match time data retrieved from the upstream NTP servers. The NTP protocol works best with at least 4 servers. The ntp daemon will disregard any server after the 10th listed, but will continue monitoring all listed servers. For more information, see [Upstream Server Time Quantity](http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers#Section_5.3.3.) at [support.ntp.org](http://support.ntp.org). * `ntp['peers']` - (applies to NTP Servers ONLY) -- Array, should be a list of local NTP peers. For more information, see [Designing Your NTP Network](http://support.ntp.org/bin/view/Support/DesigningYourNTPNetwork) at [support.ntp.org](http://support.ntp.org). + - Array, should be a list of local NTP peers. For more information, see [Designing Your NTP Network](http://support.ntp.org/bin/view/Support/DesigningYourNTPNetwork) at [support.ntp.org](http://support.ntp.org). * `ntp['restrictions']` - (applies to NTP Servers only) -- Array, should be a list of restrict lines to define access to NTP clients on your LAN. + - Array, should be a list of restrict lines to define access to NTP clients on your LAN. * `ntp['sync_clock']` (applies to NTP Servers and Clients) - Boolean. Defaults to false. Forces the ntp daemon to be halted, an ntp -q command to be issued, and the ntp daemon to be restarted again on every Chef-client run. Will have no effect if drift is over 1000 seconds. 
@@ -53,43 +53,35 @@ Attributes ### Platform specific * `ntp['packages']` - - Array, the packages to install - Default, ntp for everything, ntpdate depending on platform. Not applicable for Windows nodes * `ntp['service']` - - String, the service to act on - Default, ntp, NTP, or ntpd, depending on platform * `ntp['varlibdir']` - - String, the path to /var/lib files such as the driftfile. - Default, platform-specific location. Not applicable for Windows nodes * `ntp['driftfile']` - - String, the path to the frequency file. - Default, platform-specific location. * `ntp['conffile']` - - String, the path to the ntp configuration file. - Default, platform-specific location. * `ntp['statsdir']` - - String, the directory path for files created by the statistics facility. - Default, platform-specific location. Not applicable for Windows nodes * `ntp['conf_owner'] and ntp['conf_group']` - - String, the owner and group of the sysconf directory files, such as /etc/ntp.conf. - Default, platform-specific root:root or root:wheel. * `ntp['var_owner'] and ntp['var_group']` - - String, the owner and group of the /var/lib directory files, such as /var/lib/ntp. - Default, platform-specific ntp:ntp or root:wheel. Not applicable for Windows nodes @@ -98,20 +90,17 @@ Attributes - Default, /etc/ntp.leapseconds. * `ntp['package_url']` - - String, the URL to the the Meinberg NTPd client installation package. - Default, Meinberg site download URL - Windows platform only * `ntp['vs_runtime_url']` - - String, the URL to the the Visual Studio C++ 2008 runtime libraries that are required for the Meinberg NTP client. - Default, Microsoft site download URL - Windows platform only * `ntp['vs_runtime_productname']` - - String, the installation name of the Visual Studio C++ Runtimes file. - Default, "Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022" - Windows platform only 
@@ -121,6 +110,12 @@ Attributes - Default, false - Not applicable for Windows nodes +* `ntp['apparmor_enabled']` + - Boolean, enables configuration of apparmor if set to true + - Defaults to false and will make no provisions for apparmor. If a + platform is apparmor enabled by default, (currently Ubuntu) + default will be true. + Usage ----- diff --git a/attributes/default.rb b/attributes/default.rb index b0cbdef0..31400089 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -42,11 +42,13 @@ default['ntp']['sync_hw_clock'] = false default['ntp']['listen'] = nil default['ntp']['listen_network'] = nil +default['ntp']['apparmor_enabled'] = false # overrides on a platform-by-platform basis case node['platform_family'] when 'debian' default['ntp']['service'] = 'ntp' + default['ntp']['apparmor_enabled'] = true if node['platform'] == 'ubuntu' && node['platform_version'].to_f >= 8.04 when 'rhel' default['ntp']['packages'] = %w(ntp) if node['platform_version'].to_i < 6 when 'windows' diff --git a/files/default/usr.sbin.ntpd.apparmor b/files/default/usr.sbin.ntpd.apparmor new file mode 100644 index 00000000..fe6714b9 --- /dev/null +++ b/files/default/usr.sbin.ntpd.apparmor 
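Review bot: The Ubuntu default on the added `default['ntp']['apparmor_enabled'] = true if node['platform'] == 'ubuntu' && node['platform_version'].to_f >= 8.04` line keys only on platform and release, not on whether AppArmor is actually loaded on the node, so a 12.04 node running in a container or booted with the LSM disabled still gets the profile dropped in and the `service[apparmor]` restart that ntp::apparmor queues. Attribute files are evaluated on the node, so the default can be narrowed to hosts where the kernel reports AppArmor, e.g. `default['ntp']['apparmor_enabled'] = true if node['platform'] == 'ubuntu' && node['platform_version'].to_f >= 8.04 && ::File.exist?('/sys/module/apparmor')` (presumably the right probe; `/sys/kernel/security/apparmor` is an alternative that additionally requires securityfs to be mounted — confirm on the releases supported). A one-line comment above it explaining why 8.04 is the floor, e.g. `# Ubuntu has shipped an AppArmor profile for ntpd since 8.04`, would also save the next maintainer a search.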
@@ -0,0 +1,83 @@
+# vim:syntax=apparmor
+#
+# Maintained by Chef
+#
+# Updated for Ubuntu by: Jamie Strandboge
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2009-2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+#include
+/usr/sbin/ntpd {
+ #include
+ #include
+ #include
+
+ capability ipc_lock,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+ capability sys_time,
+ capability sys_nice,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+
+ @{PROC}/net/if_inet6 r,
+ @{PROC}/*/net/if_inet6 r,
+ @{NTPD_DEVICE} rw,
+
+ /usr/sbin/ntpd rmix,
+
+ /etc/ntp.conf r,
+ /etc/ntp.conf.dhcp r,
+ /etc/ntpd.conf r,
+ /etc/ntpd.conf.tmp r,
+ /var/lib/ntp/ntp.conf.dhcp r,
+
+ /etc/ntp.leapseconds r,
+
+ /etc/ntp.keys r,
+ /etc/ntp/** r,
+
+ /etc/ntp.drift rwl,
+ /etc/ntp.drift.TEMP rwl,
+ /etc/ntp/drift* rwl,
+ /var/lib/ntp/*drift rw,
+ /var/lib/ntp/*drift.TEMP rw,
+
+ /var/log/ntp w,
+ /var/log/ntp.log w,
+ /var/log/ntpd w,
+ /var/log/ntpstats/clockstats* rwl,
+ /var/log/ntpstats/loopstats* rwl,
+ /var/log/ntpstats/peerstats* rwl,
+ /var/log/ntpstats/rawstats* rwl,
+ /var/log/ntpstats/sysstats* rwl,
+
+ /{,var/}run/ntpd.pid w,
+
+ # samba4 ntp signing socket
+ /{,var/}run/samba/ntp_signd/socket rw,
+
+ # For use with clocks that report via shared memory (e.g. gpsd),
+ # you may need to give ntpd access to all of shared memory, though
+ # this can be considered dangerous. See https://launchpad.net/bugs/722815
+ # for details. To enable, add this to local/usr.sbin.ntpd:
+ # capability ipc_owner,
+
+ # Site-specific additions and overrides.
See local/README for details. + #include +} diff --git a/recipes/apparmor.rb b/recipes/apparmor.rb new file mode 100644 index 00000000..65663a4d --- /dev/null +++ b/recipes/apparmor.rb @@ -0,0 +1,30 @@ +# +# Cookbook Name:: ntp +# Recipe:: apparmor +# Author:: Scott Lampert () +# +# Copyright 2013, Scott Lampert +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +service 'apparmor' do + action :nothing +end + +cookbook_file '/etc/apparmor.d/usr.sbin.ntpd' do + source 'usr.sbin.ntpd.apparmor' + owner 'root' + group 'root' + mode '0644' + notifies :restart, 'service[apparmor]' +end diff --git a/recipes/default.rb b/recipes/default.rb index 8cd611b4..bb3a8018 100644 --- a/recipes/default.rb +++ b/recipes/default.rb @@ -38,6 +38,8 @@ group node['ntp']['conf_group'] mode '0644' end + + include_recipe 'ntp::apparmor' if node['ntp']['apparmor_enabled'] end unless node['ntp']['servers'].size > 0 diff --git a/spec/unit/attributes_spec.rb b/spec/unit/attributes_spec.rb index 84babafb..d3171cf3 100644 --- a/spec/unit/attributes_spec.rb +++ b/spec/unit/attributes_spec.rb @@ -77,6 +77,10 @@ it 'sets the upstream server list in the recipe' do expect(ntp['servers']).to include('0.pool.ntp.org') end + + it 'sets apparmor_enabled to false' do + expect(ntp['apparmor_enabled']).to eq(false) + end end describe 'on Debian-family platforms' do 
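Review bot: The profile is shipped as a static cookbook_file, so the `/etc/ntp.leapseconds r,` rule that fixes COOK-3023 only covers the default path, while the README in this same patch lists `conffile`, `driftfile`, `statsdir`, `varlibdir` and the attribute whose default is `/etc/ntp.leapseconds` as tunables; a node that overrides any of them lands in the same AppArmor denial the commit is fixing. Rendering the file as a template that emits `<%= node['ntp']['leapfile'] %> r,` and the corresponding conffile/drift/stats paths would keep the profile in step with the ntp.conf the cookbook writes. The surrounding rules are the upstream Ubuntu profile, so a header comment recording which Ubuntu release the copy was taken from (and that only the leapseconds line was added) would make future re-syncs against the distro profile tractable.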
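Review bot: The `cookbook_file '/etc/apparmor.d/usr.sbin.ntpd'` resource overwrites the profile that Ubuntu's ntp package installs at the same path, so every package upgrade becomes a conffile conflict and the cookbook now owns a verbatim copy of a distro file. The profile in this patch ends with the upstream `#include` of the local override and a comment pointing at `local/usr.sbin.ntpd`, which is Ubuntu's supported hook for site additions, so on releases whose packaged profile carries that include the fix can be a one-line `/etc/ntp.leapseconds r,` written to `/etc/apparmor.d/local/usr.sbin.ntpd` with the distro profile left intact. Separately, `notifies :restart, 'service[apparmor]'` reloads every profile on the host and, with the default delayed timer, only fires at the end of the converge; reloading just this profile with an `execute 'apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd'` resource notified `:immediately` is narrower and makes the new rule active before ntpd is restarted later in the run (assuming the ntp.conf template notifies the ntp service with a delayed timer, as is usual).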
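Review bot: The block enclosing the added `include_recipe 'ntp::apparmor' if node['ntp']['apparmor_enabled']` starts outside this hunk, so which platforms actually reach it is not visible here; the README in this patch documents the attribute as a plain boolean a user may set anywhere, and on a non-Ubuntu node with it flipped on the included recipe will try to restart a `service[apparmor]` that may not exist and fail the converge. A comment above the line, e.g. `# Ubuntu ships an AppArmor profile for ntpd; replace it so the leapfile is readable`, would record the intent, and a guard such as `include_recipe 'ntp::apparmor' if node['ntp']['apparmor_enabled'] && ::File.directory?('/etc/apparmor.d')` would make the precondition explicit rather than relying on the attribute default. Including the recipe after the ntp.conf template also means its delayed notification is queued after whatever the template notifies, so the profile reload will run after the daemon restart unless ntp::apparmor uses an immediate timer.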
@@ -87,6 +91,14 @@ end end + describe 'on Ubuntu' do + let(:chef_run) { ChefSpec::ChefRunner.new(platform: 'ubuntu', version: '12.04').converge('ntp::default') } + + it 'sets the apparmor_enabled attribute to true' do + expect(ntp['apparmor_enabled']).to eq(true) + end + end + describe 'on the CentOS 5 platform' do let(:chef_run) { ChefSpec::ChefRunner.new(platform: 'centos', version: '5.8').converge('ntp::default') } diff --git a/spec/unit/recipes/apparmor_spec.rb b/spec/unit/recipes/apparmor_spec.rb new file mode 100644 index 00000000..db3d78b7 --- /dev/null +++ b/spec/unit/recipes/apparmor_spec.rb @@ -0,0 +1,16 @@ +require 'spec_helper' + +describe 'ntp::apparmor' do + let(:chef_run) { ChefSpec::ChefRunner.new.converge('recipe[ntp::apparmor]') } + + it 'creates the apparmor file' do + expect(chef_run).to create_cookbook_file '/etc/apparmor.d/usr.sbin.ntpd' + file = chef_run.cookbook_file('/etc/apparmor.d/usr.sbin.ntpd') + expect(file).to be_owned_by('root', 'root') + end + + it 'restarts the apparmor service' do + chef_run.cookbook_file('/etc/apparmor.d/usr.sbin.ntpd').should notify('service[apparmor]', :restart) + end + +end diff --git a/spec/unit/recipes/default_spec.rb b/spec/unit/recipes/default_spec.rb index 751b3158..fa9b4f7f 100644 --- a/spec/unit/recipes/default_spec.rb +++ b/spec/unit/recipes/default_spec.rb @@ -246,6 +246,10 @@ it 'sets ntp to start on boot' do expect(chef_run).to set_service_to_start_on_boot('ntp') end + + it 'includes the apparmor recipe' do + expect(chef_run).to include_recipe('ntp::apparmor') + end end context 'freebsd' do
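Review bot: The second example in the new spec switches to `should` syntax (`chef_run.cookbook_file('/etc/apparmor.d/usr.sbin.ntpd').should notify('service[apparmor]', :restart)`) while the first uses `expect`; matching the rest of the file, `expect(chef_run.cookbook_file('/etc/apparmor.d/usr.sbin.ntpd')).to notify('service[apparmor]', :restart)`, keeps one style and avoids should-syntax deprecation warnings on newer RSpec. The runner is also built with `ChefSpec::ChefRunner.new` and no platform, so the recipe is converged on ChefSpec's default node rather than the only platform that ever includes it; `ChefSpec::ChefRunner.new(platform: 'ubuntu', version: '12.04')` would match the Ubuntu example added to attributes_spec in this patch. A mode assertion next to `be_owned_by('root', 'root')` would additionally pin the `0644` the recipe sets.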
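Review bot: The new `it 'includes the apparmor recipe'` example only covers the positive case, and the context it sits in starts outside this hunk, so nothing in the spec fails if the `if node['ntp']['apparmor_enabled']` guard in recipes/default.rb is dropped and the apparmor recipe runs everywhere. Adding `expect(chef_run).not_to include_recipe('ntp::apparmor')` to the Debian and CentOS contexts (presumably the other platform contexts in this file) would pin the guard alongside the attribute default that attributes_spec already checks.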