[chrony-dev] [GIT] chrony/chrony.git branch, master, updated. 2.1.1-65-g434faee



This is an automated email from git. It was generated because a ref
change was pushed to the repository "chrony/chrony.git".

The branch, master has been updated
       via  434faeecb8e08d7f5160487e8a47109500cc9590 (commit)
       via  ea2858b323ed73b0cc41ba49a96844f28dcb61b5 (commit)
       via  3391d5f846cdb9d66c925b91192a880f646fea65 (commit)
       via  7d6de7afe680bababef4421250c7af62d643aa14 (commit)
      from  67ce6bd279b436b16dcb182ff3da631164ab829f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 434faeecb8e08d7f5160487e8a47109500cc9590
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date:   Mon Jun 16 16:21:25 2014 +0200

    sys_linux: add support for seccomp filters
    
    The Linux secure computing (seccomp) facility allows a process to
    install a filter in the kernel that will allow only specific system
    calls to be made. The process is killed when trying to make other system
    calls. This is useful to reduce the kernel attack surface and possibly
    prevent kernel exploits when the process is compromised.
    
    Use the libseccomp library to add rules and load the filter into the
    kernel. Keep a list of system calls that are always allowed after
    chronyd is initialized. Restrict arguments that may be passed to the
    socket(), setsockopt(), fcntl(), and ioctl() system calls. Arguments
    to socketcall(), which is used on some architectures as a multiplexer
    instead of separate socket system calls, are not restricted for now.
    The mailonchange directive is not allowed as it calls sendmail.
    
    Calls made by the libraries that chronyd is using have to be covered
    too. It's difficult to determine which system calls they need as it may
    change after an upgrade and it may depend on their configuration (e.g.
    resolver in libc). There are also differences between architectures. It
    can all break very easily and is therefore disabled by default. It can
    be enabled with the new -F option.
    
    This is based on a patch from Andrew Griffiths <agriffit@xxxxxxxxxx>.

commit ea2858b323ed73b0cc41ba49a96844f28dcb61b5
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date:   Fri Sep 4 12:19:44 2015 +0200

    main: install signal handler sooner

commit 3391d5f846cdb9d66c925b91192a880f646fea65
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date:   Fri Sep 4 17:02:26 2015 +0200

    doc: fix typo in chronyd man page

commit 7d6de7afe680bababef4421250c7af62d643aa14
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date:   Thu Sep 3 11:30:09 2015 +0200

    rtc: fix setting time from driftfile when RTC reading fails
    
    Fix RTC_Linux_TimePreInit() to return 0 when the RTC device can be
    opened, but reading its time fails to at least have the time restored
    from the driftfile.

-----------------------------------------------------------------------

Summary of changes:
 chrony.texi.in |    5 ++
 chronyd.8.in   |    8 ++-
 configure      |   17 ++++++-
 main.c         |   13 +++--
 rtc_linux.c    |    2 +
 sys.c          |   11 +++++
 sys.h          |    4 ++
 sys_linux.c    |  151 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 sys_linux.h    |    2 +
 9 files changed, 208 insertions(+), 5 deletions(-)


hooks/post-receive
--
chrony/chrony.git
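
The allow-list-with-argument-restriction design described in the seccomp commit message above, as an added example that is not chrony's code: a child process installs a filter that permits exit_group() unconditionally and socket() only for AF_INET, and the parent reports whether each probe survived or was killed. It uses raw seccomp-BPF through prctl() instead of libseccomp so that it builds without the library. The names `install_filter`, `run_filtered` and `FILTER_ARCH`, the probe numbers and the two-entry syscall list are assumptions made for the illustration.

```c
#include <stddef.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "example covers x86_64 and aarch64 only"
#endif
#define LOAD(field) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))

/* Allow-list: exit_group() always, socket() only for AF_INET; kill on anything else. */
static int install_filter(void) {
    struct sock_filter f[] = {
        LOAD(arch),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 0, 6),      /* foreign ABI: kill */
        LOAD(nr),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 3, 0),  /* allow */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),      /* not listed: kill */
        LOAD(args),                   /* low 32 bits of argument 0 (little-endian): domain */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 0, 1),          /* other domain: kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof f / sizeof f[0]), f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run one probe in a filtered child; returns 0 if it survived, else the fatal signal. */
int run_filtered(int probe) {
    int st;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_filter() != 0) _exit(2);                  /* seccomp not available */
        if (probe == 0) socket(AF_INET, SOCK_DGRAM, 0);       /* listed call, allowed domain */
        else if (probe == 1) socket(AF_UNIX, SOCK_DGRAM, 0);  /* listed call, bad argument */
        else getppid();                                       /* call not on the list */
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? WTERMSIG(st) : WEXITSTATUS(st);
}
```

A return value of SIGSYS from `run_filtered` is the "process is killed" outcome the commit message describes; a missing entry for a call made inside a library would end the daemon the same way.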
