From a5615ce766aabaf398c4be6bd82e544ae9140e57 Mon Sep 17 00:00:00 2001
From: Haiqing Bai
Date: Thu, 25 May 2023 18:12:47 +0800
Subject: [PATCH] puppet-manifests: Added apparmor rule for /etc/ntp_initial.conf
'/etc/ntp_initial.conf' is created by puppet ntp module and it is impossible to be assigned the read/write permission by the default apparmor profile '/etc/apparmor.d/usr.sbin.ntpd'. This commit uses the puppet command to add the 'r' permission to '/etc/ntp_initial.conf' after it is created by puppet ntp module. Test Plan: Pass: Deploy the iso on an AIO-SX Execute following steps to enable app-armor #system host-lock controller-0 #system hos-update controller-0 apparmor=enabled #system host-unlock controller-0 No delay/timeout of 180 secs be seen in the [puppet.log]
Closes-Bug: 2020773
Change-Id: Iff5f8711db95ebc09b0a551cfbc48d5844461887
Signed-off-by: Haiqing Bai
---
 .../src/modules/platform/manifests/ntp.pp | 29 ++++++++++---------
 1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/puppet-manifests/src/modules/platform/manifests/ntp.pp b/puppet-manifests/src/modules/platform/manifests/ntp.pp
index bb38840a4..d26a4817d 100644
--- a/puppet-manifests/src/modules/platform/manifests/ntp.pp
+++ b/puppet-manifests/src/modules/platform/manifests/ntp.pp
@@ -1,23 +1,25 @@
+class platform::ntp::apparmor {
+ exec { 'apparmor-update-ntpd':
+ command => "sed -i '/\\/etc\\/ntp.conf r,/a\\ \\ \\/etc\\/ntp_initial.conf r,' /etc/apparmor.d/usr.sbin.ntpd",
+ unless => "grep -q '/etc/ntp_initial.conf r,' /etc/apparmor.d/usr.sbin.ntpd",
+ notify => Exec['reload-apparmor-ntp-profile'],
+ }
+
+ exec { 'reload-apparmor-ntp-profile':
+ command => '/usr/sbin/apparmor_parser -vTr /etc/apparmor.d/usr.sbin.ntpd',
+ refreshonly => true
+ }
+}
 class platform::ntp (
 $ntpdate_timeout,
 $servers = [],
 $enabled = true,
 ) {
+ include platform::ntp::apparmor
 # Setting ntp service name
- case $::osfamily {
- 'RedHat': {
- $ntp_service_name = 'ntpd'
- $ntp_pmon_conf_template = 'platform/ntp.pmon.conf.erb'
- }
- 'Debian': {
- $ntp_service_name = 'ntp'
- $ntp_pmon_conf_template = 'platform/ntp_debian.pmon.conf.erb'
- }
- default: {
- fail("unsuported osfamily ${::osfamily}, currently Debian and Redhat are the only supported platforms")
- }
- }
+ $ntp_service_name = 'ntp'
+ $ntp_pmon_conf_template = 'platform/ntp_debian.pmon.conf.erb'
 if $enabled {
 $pmon_ensure = 'link'
@@ -26,6 +28,7 @@ class platform::ntp (
 }
 File['ntp_config']
+ -> Class['platform::ntp::apparmor']
 -> File['ntp_config_initial']
 -> file { 'ntp_pmon_config':
 ensure => file,
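Review bot: The 'apparmor-update-ntpd' exec in the first hunk treats a sed run that matched nothing as success: if `/etc/apparmor.d/usr.sbin.ntpd` has no line matching `/etc/ntp.conf r,` (a different profile version, or the rule written with `owner` or other spacing), `sed -i` exits 0 without inserting anything, the notify still reloads the profile, and because `unless` keeps failing the exec re-runs and re-reloads on every Puppet apply while ntpd stays denied access to `/etc/ntp_initial.conf`. Make the command fail when the rule did not land, e.g. `command => "sed -i '/\\/etc\\/ntp\\.conf r,/a\\ \\ \\/etc\\/ntp_initial.conf r,' /etc/apparmor.d/usr.sbin.ntpd && grep -q '/etc/ntp_initial.conf r,' /etc/apparmor.d/usr.sbin.ntpd",` which also escapes the dot in `ntp.conf` so the anchor is literal. Neither `sed` nor `grep` is fully qualified and no `path` is given, so the resource relies on an `Exec { path => ... }` default declared outside this file; if none exists, Puppet rejects the exec at apply time. Editing the packaged profile in place is also undone or conflicts when the package updates that file; if the profile includes `local/usr.sbin.ntpd`, managing that override with a `file` resource would be the idempotent, upgrade-safe way to grant the read rule.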