[chrony-dev] [PATCH] sys_linux: allow setsockopt(SOL_IP, IP_TOS) in seccomp

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ] 

This system call is required by the DSCP marking feature introduced in commit
6a5665ca5877bad1ae77c906715414aac77d9f77.

Before this change, enabling seccomp filtering (chronyd -F 1) and specifying a
custom DSCP value in the configuration (for example "dscp 46") causes the
process to be killed by seccomp due to IP_TOS not being allowed by the filter.

Tested before and after the change on Ubuntu 21.04, kernel 5.11.0-13-generic.
IP_TOS is available since Linux 1.0, so I didn't add any ifdefs for it.

Signed-off-by: Foster Snowhill <forst@xxxxxxxxxxxx>
---
 sys_linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys_linux.c b/sys_linux.c
index 06ec45f..a33887f 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -621,7 +621,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
   };
const static int socket_options[][2] = { 
-    { SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND },
+    { SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND }, { SOL_IP, IP_TOS },
 #ifdef FEAT_IPV6
     { SOL_IPV6, IPV6_V6ONLY }, { SOL_IPV6, IPV6_RECVPKTINFO },
 #endif
--
2.24.3 (Apple Git-128)


--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/