Re: [chrony-dev] Seccomp issue on Alpine linux
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-dev] Seccomp issue on Alpine linux
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Mon, 22 May 2023 10:02:24 +0200
On Sun, May 21, 2023 at 10:41:30PM +0200, jvoisin wrote:
> Hello,
>
> it seems that chrony's seccomp policy doesn't play nice with Alpine
> Linux, likely due to the fact that there is a call to `membarrier`
> somewhere that the latter does and that the former doesn't like.
>
> See https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/47087
> for details.
Thanks for the report. Does it work for you if you apply this patch?
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -498,6 +498,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
SCMP_SYS(getrlimit),
SCMP_SYS(getuid),
SCMP_SYS(getuid32),
+#ifdef __NR_membarrier
+ SCMP_SYS(membarrier),
+#endif
#ifdef __NR_rseq
SCMP_SYS(rseq),
#endif
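Review bot: the new `SCMP_SYS(membarrier)` entry carries no comment saying which caller needs it. The report only says the call is "likely" made somewhere on Alpine, so a one-line comment above `#ifdef __NR_membarrier` naming musl, once the two scfilter tests confirm it, would help anyone auditing the allow list later. The entry is also a bare `SCMP_SYS(...)` like its neighbours, so it permits membarrier with any command argument; if that is intended, the commit message should say so.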
If you have extracted source code, can you please run these two tests
to confirm there are no other seccomp failures on musl?
# cd test/system
# ./099-scfilter
# ./199-scfilter
--
Miroslav Lichvar