[chrony-dev] seccomp testing needed

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]


The latest code now includes a support for the seccomp filtering mode.
In chrony this is mainly useful to reduce the kernel attack surface
and possibly prevent kernel exploits via bugs in system calls when the
chronyd process is compromised.

Unfortunately, it is quite fragile as the list of allowed syscalls
needs to cover different versions of libraries chronyd is using,
different configurations and architectures. It's disabled by default.

I tested it on Fedora 22 on x86-64 and i686. I'm interested to know if
it works on other systems and architectures. If you want to test it
you need to compile chrony with libseccomp development files installed
and start chronyd with -F 1 on the command line. If some syscall is
missing, the kernel will kill the chronyd process. If that happens run
chronyd without -F in strace so we can find out what syscalls have to
be added to the list.

Thanks,

-- 
Miroslav Lichvar

-- 
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.


Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/