Re: [chrony-dev] seccomp filter needs updates



On Mon, Apr 30, 2018 at 08:14:47PM +0000, Markus Linnala wrote:
> I've tested chrony 3.3 in Linux/Fedora 28 and it seems seccomp filter (-F
> 1) is not updated accordingly regarding glibc 2.27 and kernel version 4.16.

It seems to be working for me with glibc-2.27-8.fc28.x86_64 and
kernel-4.16.3-301.fc28.x86_64.

On what arch do you test it?

> I can provide a patch, but how should I format it? Sort by subsystem and then
> by alpha and keep multiple entries per line up to 99. Each call per patch
> and annotation where it is used?

It may be difficult to find out why exactly a syscall is needed and
this may change over time. Grouping changes related to the filter into
a single commit is ok. Lines should normally be at most about 90
chars. If you are reformatting a line or adding a new line, you can
make it a bit shorter (e.g. 80) and allow a new syscall to be added
later without breaking the line.

> But as lines are formatted, it is not easy
> to use blame to see why one entry is added to seccomp filter (like 411f4697
> about getdents/glob).

Usually we don't know why and since when each syscall is needed, so I
think that's ok.

> Is there a way to add test case for seccomp? I was not able to use seccomp
> with clknetsim and trace used syscalls with strace.

Starting chronyd normally under root and checking if it's able to run
for at least a few minutes and exit cleanly is probably the only good
option. strace, clknetsim and similar tools may change the syscalls.

> My "test case" was just to use OS defaults and add -F 1 as extra parameter
> and see what happens.

Adding more options to chrony.conf may enable other system calls. My
guess is that it includes:

dumpdir
hwtimestamp
include
leapsectz
log
refclock (with different drivers)
rtcautotrim
rtcfile

-- 
Miroslav Lichvar
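
Added example, not part of the original message and not chrony's own code: a shell sketch of the smoke test described above (start the daemon, let it run, stop it, check how it ended), which tells a clean exit apart from a kill by the seccomp filter. The function names are hypothetical, and the chronyd invocation in the comment assumes `-d` to keep chronyd in the foreground and 300 seconds as "a few minutes".

```shell
#!/bin/sh
# Constructed smoke test for a seccomp-filtered daemon.
# Intended use, as root, with the OS default chrony.conf plus the directives
# under test:   run_and_classify 300 chronyd -d -F 1

# Map a wait status to a verdict. A status above 128 means "killed by signal
# status-128"; kill -l turns it into a name, so no signal number is hard-coded
# (SIGSYS is 31 on x86 but differs on some architectures).
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo clean
        return 0
    fi
    name=""
    if [ "$status" -gt 128 ]; then
        name=$(kill -l "$status" 2>/dev/null) || name=""
        name=${name#SIG}                   # some shells print SIGSYS, some SYS
    fi
    case $name in
        SYS) echo seccomp-kill ;;          # the filter killed the process
        "")  echo "exit:$status" ;;        # ordinary non-zero exit
        *)   echo "signal:$name" ;;        # died from some other signal
    esac
}

# run_and_classify SECONDS CMD [ARGS...]
# Start CMD, let it run for SECONDS, ask it to stop with SIGTERM, then report
# how it ended. An early death is reported through the same wait status.
run_and_classify() {
    duration=$1
    shift
    "$@" 1>&2 &                            # keep the daemon's output off stdout
    pid=$!
    sleep "$duration"
    kill -TERM "$pid" 2>/dev/null || true  # already gone if the filter fired
    status=0
    wait "$pid" || status=$?
    classify_status "$status"
}
```

Repeating the run with each of the chrony.conf directives listed above enabled in turn exercises the code paths that may need additional syscalls.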
