Re: [chrony-dev] Seccomp issue on Alpine linux
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-dev] Seccomp issue on Alpine linux
- From: jvoisin <julien.voisin@xxxxxxxxxx>
- Date: Thu, 1 Jun 2023 13:16:17 +0200
On 01/06/2023 13:10, Miroslav Lichvar wrote:
> On Thu, Jun 01, 2023 at 01:04:43PM +0200, jvoisin wrote:
>> Albeit we might want to restrict the parameters passed to ioctl, instead
>> of allowing it unconditionally.
>
> Can you please run it under strace and see what ioctl it needs?
>
> # CHRONYD_WRAPPER=strace ./002-extended
> # grep ioctl tmp/chronyd.out
>
```
alpine:/home/jvoisin/chrony/test/system# CHRONYD_WRAPPER=strace TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
non-default settings:
starting chronyd OK
waiting for synchronization OK
stopping chronyd OK
checking chronyd messages OK
checking chronyd files OK
PASS
alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.out
execve("../../chronyd", ["../../chronyd", "-x", "-l",
"/home/jvoisin/chrony/test/system"..., "-f",
"/home/jvoisin/chrony/test/system"..., "-u", "root", "-F", "1"],
0x7ffec16cb668 /* 21 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7f86c2428b48) = 0
set_tid_address(0x7f86c2428fb8) = 11587
brk(NULL) = 0x5588bd75a000
brk(0x5588bd75c000) = 0x5588bd75c000
mmap(0x5588bd75a000, 4096, PROT_NONE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x5588bd75a000
open("/etc/ld-musl-x86_64.path", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1
ENOENT (No such file or directory)
open("/lib/libseccomp.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT
(No such file or directory)
open("/usr/local/lib/libseccomp.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) =
-1 ENOENT (No such file or directory)
open("/usr/lib/libseccomp.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
fstat(3, {st_mode=S_IFREG|0755, st_size=108528, ...}) = 0
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
960) = 960
mmap(NULL, 114688, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f86c2373000
mmap(0x7f86c2375000, 40960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED,
3, 0x2000) = 0x7f86c2375000
mmap(0x7f86c237f000, 57344, PROT_READ, MAP_PRIVATE|MAP_FIXED, 3, 0xc000)
= 0x7f86c237f000
mmap(0x7f86c238d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x19000) = 0x7f86c238d000
close(3) = 0
mprotect(0x7f86c238d000, 4096, PROT_READ) = 0
mprotect(0x7f86c2425000, 4096, PROT_READ) = 0
mprotect(0x5588bd00e000, 4096, PROT_READ) = 0
getuid() = 0
pipe([3, 4]) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[], ~[KILL STOP RTMIN RT_1 RT_2], 8) = 0
fork() = 11588
rt_sigprocmask(SIG_SETMASK, ~[KILL STOP RTMIN RT_1 RT_2], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
close(4) = 0
read(3, "", 1024) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=11588,
si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
exit_group(0) = ?
+++ exited with 0 +++
alpine:/home/jvoisin/chrony/test/system#
```
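The trace above contains no ioctl at all: it only covers the parent process, which calls fork() (child pid 11588) and then exits, so whatever the daemonized child does under the seccomp filter is not recorded. Is there a way to tell the strace wrapper to follow children?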