[chrony-dev] [PATCH v2] sys_linux: allow rseq in seccomp filter

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]

To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-dev] [PATCH v2] sys_linux: allow rseq in seccomp filter
From: christian.ehrhardt@xxxxxxxxxxxxx
Date: Wed, 9 Feb 2022 09:06:13 +0100
Cc: Vincent Blut <vincent.debian@xxxxxxx>, Miroslav Lichvar <mlichvar@xxxxxxxxxx>, Michael Hudson-Doyle <michael.hudson@xxxxxxxxxxxxx>, Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1644393977; bh=pjQhe3EKQ3yzO1zTSPxTjzPg93cEoj//KY9y2z8lzWs=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=KW+01ogs+RI6bF9hq26VxPO9atNg50LI9IjBfJAs7IKF6Jn+p82C/eELQin/Oji5o N37uZC/LjtBKm6okdezNPZjF+IwIhDBiRSSB3bMIyPL6PFYaTnXoCQtfnn5rAnHAd1 FaHOzUAu9EClVx2XW6I/X0lfJl1+pK8A4fMaMIQu9GmUrcrZrieFnMjJ1xGUvRHRQi CWCxhsKKUxT1D6snDV0/FrQSCpcXs6eFPLtxOUlE8DzbJymEgVUPeTLkVIfL66zYnp uFlT0vn1aYJn89noqKzpoKZ3tiwHGt1qnkhh6pyFLL54RRDuYIvwYc8ZQ9ci84hL7j HHf4tm3voP8tQ==

From: Michael Hudson-Doyle <michael.hudson@xxxxxxxxxxxxx>

Libc 2.35 will use rseq syscalls [1][2] by default and thereby
break chrony in seccomp isolation.

Update in v2:
 - fixed link references

[1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
[2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html

Tested-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
Signed-off-by: Michael Hudson-Doyle <michael.hudson@xxxxxxxxxxxxx>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
---
 sys_linux.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys_linux.c b/sys_linux.c
index 9cab2efa..1b9ba5f8 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -601,6 +601,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
     SCMP_SYS(getrandom),
     SCMP_SYS(sysinfo),
     SCMP_SYS(uname),
+#ifdef __NR_rseq
+    SCMP_SYS(rseq),
+#endif
   };
 
   const int denied_any[] = {
-- 
2.35.0


-- 
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Follow-Ups:
- [chrony-dev] Re: [PATCH v2] sys_linux: allow rseq in seccomp filter
  - From: Miroslav Lichvar

Messages sorted by: [ date | thread ]
Prev by Date: [chrony-dev] [PATCH] sys_linux: allow rseq in seccomp filter
Next by Date: [chrony-dev] [GIT] chrony/chrony.git branch master updated. 4.2-5-g8bb8f15
Previous by thread: [chrony-dev] [PATCH] sys_linux: allow rseq in seccomp filter
Next by thread: [chrony-dev] Re: [PATCH v2] sys_linux: allow rseq in seccomp filter

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/