[chrony-dev] [PATCH] sys_linux: allow rseq in seccomp filter

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]

To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
Subject: [chrony-dev] [PATCH] sys_linux: allow rseq in seccomp filter
From: christian.ehrhardt@xxxxxxxxxxxxx
Date: Wed, 9 Feb 2022 08:16:16 +0100
Cc: Vincent Blut <vincent.debian@xxxxxxx>, Miroslav Lichvar <mlichvar@xxxxxxxxxx>, Michael Hudson-Doyle <michael.hudson@xxxxxxxxxxxxx>, Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1644390983; bh=tFS/2JyXVMhDLEoX9tag5DEwJZiQtmXOl3A7VkoJLDk=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=VycHevKOb4Qc8Oiz9xDOFs6p1aLo09LujTyZqGDbzf33TNwxULcmhD3eUtSZqsMmV KMAVSrWf+Xio3TR6u3klrJDWE5rbGuYQIOw8jbLzZkSG50j6VILJBO6hFGYX6aFYwc wdXmEMNYcR+zwnr81qv4Lro3istHRRllgzv52he4qO09u1NBx6+o0A1uSrphQLnsfJ YyvbC9R9+Eq1AQFuV6BU3eUt98A3Mq1/w/YjpinfcTtJr3NDiCDK+iDEqQSiHuSGKh qk1vH2LUcltPkchoXbGvveRv4QMKmIVIR9EU9lOmLrPB+pYk5chi4KjPm7rhpYcseI gNLPENnXFQ59g==

From: Michael Hudson-Doyle <michael.hudson@xxxxxxxxxxxxx>

Libc 2.35 will use rseq syscalls [[2][1] by default and thereby
break chrony in seccomp isolation.

[1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
[2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html

Tested-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
Signed-off-by: Michael Hudson-Doyle <michael.hudson@xxxxxxxxxxxxx>
---
 sys_linux.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys_linux.c b/sys_linux.c
index 9cab2efa..1b9ba5f8 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -601,6 +601,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
     SCMP_SYS(getrandom),
     SCMP_SYS(sysinfo),
     SCMP_SYS(uname),
+#ifdef __NR_rseq
+    SCMP_SYS(rseq),
+#endif
   };
 
   const int denied_any[] = {
-- 
2.35.0


-- 
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Messages sorted by: [ date | thread ]
Prev by Date: [chrony-dev] [GIT] chrony/chrony.git branch master updated. 4.2-4-ge55f174
Next by Date: [chrony-dev] [PATCH v2] sys_linux: allow rseq in seccomp filter
Previous by thread: [chrony-dev] [GIT] chrony/chrony.git branch master updated. 4.2-4-ge55f174
Next by thread: [chrony-dev] [PATCH v2] sys_linux: allow rseq in seccomp filter

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/