Re: [chrony-dev] Seccomp issue on Alpine linux

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]

To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-dev] Seccomp issue on Alpine linux
From: jvoisin <julien.voisin@xxxxxxxxxx>
Date: Wed, 31 May 2023 16:22:09 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dustri.org; s=gm1; t=1685542930; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zXhdz9+OFl4cQymkWe4s4IpLztUH29N/CooU5eALj/0=; b=RON7awREJ2e+7NI7EzcI1nTaAg3zJ9lAWwwzoU5Ulo9Gc5gLyb1PhZfoY1Eh3H/U98UBIm uR8NBBOAUztrONB+2v2IPV+Ki6AEuhjuJPboUwOG251mp/jb1blEe9nBQE5cM8PHOu8qUR AIthzreUEpiJRhOhrn9LfTXhSydcaZhdWjsvoD3wXE2/oSj39C5RLWuwrUM15dUgTDdfC1 MgDdITjK0cDj8tshtYO3C1HjOujkb28gQUNMOaZXFnpdq88XUcHq16x/ntgsC98/wMsyfV kca4lzy5sTl8MStnzvdoAy4p2ut4xnapy8VqpvXdc02T0lyAJS7I9bjoCKEt0w==

> Try running the failing test as "TEST_SCFILTER=1 ./001-minimal" and see the
> failing syscall number in the system or audit log.

Unfortunately, Alpine uses busybox' ps:

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
    minimal_config=1
  starting chronydps: unrecognized option: p
BusyBox v1.36.1 (2023-05-25 05:48:21 UTC) multi-call binary.

Usage: ps [-o COL1,COL2=HEADER] [-T]

Show list of processes

	-o COL1,COL2=HEADER	Select columns for display
	-T			Show threads
                                      	ERROR
FAIL
  stopping chronyd                                      	ERROR
alpine:/home/jvoisin/chrony/test/system#
```

This can be fixed with `apk add procps`.

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
    minimal_config=1
  starting chronyd                                      	ERROR
FAIL
  stopping chronyd                                      	ERROR

alpine:/home/jvoisin/chrony/test/system# dmesg | tail -n 2
[  120.059165] audit: type=1326 audit(1685542342.126:5): auid=4294967295
uid=0 gid=0 ses=4294967295 pid=2388 comm="chronyd"
exe="/home/jvoisin/chrony/chronyd" sig=31 arch=c000003e syscall=20
compat=0 ip=0x7fe0b3e4d306 code=0x0
alpine:/home/jvoisin/chrony/test/system# vim sys_linux.c
alpine:/home/jvoisin/chrony/test/system# git diff
diff --git a/sys_linux.c b/sys_linux.c
index c6cb453..04e3a86 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -603,6 +603,7 @@ SYS_Linux_EnableSystemCallFilter(int level,
SYS_ProcessContext context)
     SCMP_SYS(select),
     SCMP_SYS(set_robust_list),
     SCMP_SYS(write),
+    SCMP_SYS(writev),

     /* Miscellaneous */
     SCMP_SYS(getrandom),
alpine:/home/jvoisin/chrony/test/system# make
alpine:/home/jvoisin/chrony/test/system# cd test/system
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
    minimal_config=1
  starting chronyd                                      	OK
  stopping chronyd                                      	OK
  checking chronyd messages                             	BAD
FAIL
alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
Testing system call filter in non-destructive tests:
  level -1:
    001-minimal                                         	BAD
FAIL
alpine:/home/jvoisin/chrony/test/system#
alpine:/home/jvoisin/chrony/test/system# ./199-scfilter
Testing system call filter in destructive tests:
  level -1:
    100-clockupdate                                     	BAD
FAIL
alpine:/home/jvoisin/chrony/test/system#
```

so there are some failings, but nothing more in the dmesg about seccomp
violation.





-- 
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Follow-Ups:
- Re: [chrony-dev] Seccomp issue on Alpine linux
  - From: Miroslav Lichvar

References:
- [chrony-dev] Seccomp issue on Alpine linux
  - From: jvoisin
- Re: [chrony-dev] Seccomp issue on Alpine linux
  - From: Miroslav Lichvar
- Re: [chrony-dev] Seccomp issue on Alpine linux
  - From: jvoisin
- Re: [chrony-dev] Seccomp issue on Alpine linux
  - From: Miroslav Lichvar
- Re: [chrony-dev] Seccomp issue on Alpine linux
  - From: jvoisin

Messages sorted by: [ date | thread ]
Prev by Date: Re: [chrony-dev] Seccomp issue on Alpine linux
Next by Date: Re: [chrony-dev] Seccomp issue on Alpine linux
Previous by thread: Re: [chrony-dev] Seccomp issue on Alpine linux
Next by thread: Re: [chrony-dev] Seccomp issue on Alpine linux

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/