Re: [chrony-dev] Seccomp issue on Alpine linux
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-dev] Seccomp issue on Alpine linux
- From: jvoisin <julien.voisin@xxxxxxxxxx>
- Date: Thu, 1 Jun 2023 13:04:43 +0200
On 01/06/2023 08:37, Miroslav Lichvar wrote:
> On Wed, May 31, 2023 at 04:54:09PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
>> 2023-05-31T14:51:14Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
>> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
>> -DEBUG)
>> 2023-05-31T14:51:14Z Disabled control of system clock
>> 2023-05-31T14:51:14Z World-readable permissions on
>> /home/jvoisin/chrony/test/system/tmp/keys
>> 2023-05-31T14:51:14Z Loaded 1 symmetric keys
>> 2023-05-31T14:51:14Z Running with root privileges
>> 2023-05-31T14:51:14Z Frequency 0.000 +/- 10000.000 ppm read from
>> /home/jvoisin/chrony/test/system/tmp/driftfile
>> 2023-05-31T14:51:14Z Timezone right/UTC failed leap second check, ignoring
>> 2023-05-31T14:51:14Z Loaded seccomp filter (level 1)
>> alpine:/home/jvoisin/chrony/test/system#
>> ```
>
> The log is missing the "chronyd exiting" message. It might have
> crashed due to seccomp filter. If you run "TEST_SCFILTER=1
> ./002-extended", do you see the offending syscall in the system log?
>
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
non-default settings:
starting chronyd OK
waiting for synchronization ERROR
FAIL
stopping chronyd ERROR
alpine:/home/jvoisin/chrony/test/system# dmesg | tail -n 1
[74805.395129] audit: type=1326 audit(1685617027.470:7): auid=4294967295
uid=0 gid=0 ses=4294967295 pid=4596 comm="chronyd"
exe="/home/jvoisin/chrony/chronyd" sig=31 arch=c000003e syscall=16
compat=0 ip=0x7ff195e5ce76 code=0x0
alpine:/home/jvoisin/chrony/test/system# vim ../../sys_linux.c
alpine:/home/jvoisin/chrony/test/system# git diff
diff --git a/sys_linux.c b/sys_linux.c
index c6cb453..d248de0 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -603,11 +603,13 @@ SYS_Linux_EnableSystemCallFilter(int level,
SYS_ProcessContext context)
SCMP_SYS(select),
SCMP_SYS(set_robust_list),
SCMP_SYS(write),
+ SCMP_SYS(writev),
/* Miscellaneous */
SCMP_SYS(getrandom),
SCMP_SYS(sysinfo),
SCMP_SYS(uname),
+ SCMP_SYS(ioctl),
};
const int denied_any[] = {
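Review bot: `SCMP_SYS(ioctl)` goes into the unconditional allowlist, so every ioctl request number now passes the filter; the audit record above only shows that syscall 16 (ioctl on x86_64, arch=c000003e) was hit, not which request, so identifying that request and keying a rule on the ioctl argument would close the gap without widening the filter to all ioctls. `SCMP_SYS(writev)` is not evidenced by the audit line at all; the commit message should state why it is needed (musl's stdio on Alpine emits buffered output through writev) so that the entry is not dropped later as unexplained.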
diff --git a/test/system/test.common b/test/system/test.common
index 7005c9e..0660351 100644
--- a/test/system/test.common
+++ b/test/system/test.common
@@ -42,6 +42,8 @@ test_start() {
su "$user" -s /bin/sh -c "touch $TEST_DIR/test" 2> /dev/null || \
test_skip "$user cannot access $TEST_DIR"
rm "$TEST_DIR/test"
+ else
+ chown 0:0 "$TEST_DIR" || test_skip "could not chown
$TEST_DIR"
fi
echo "Testing $*:"
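Review bot: the new `else` branch changes ownership of `$TEST_DIR` with `chown 0:0` as a side effect of starting a test, and nothing in the hunk restores it afterwards; since the directory can be supplied by the caller, either apply the chown to a dedicated subdirectory the harness creates itself or add a comment stating why root ownership is required here (the chronyd log earlier in the thread complains about world-readable permissions on the keys directory, so check whether a permission fix is the more targeted change). This harness change is also unrelated to the seccomp allowlist in sys_linux.c and would be easier to review as its own commit.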
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
non-default settings:
starting chronyd OK
waiting for synchronization OK
stopping chronyd OK
checking chronyd messages OK
checking chronyd files OK
PASS
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./099-scfilter
Testing system call filter in non-destructive tests:
level -1:
001-minimal OK
002-extended OK
003-memlock OK
004-priority OK
006-privdrop OK
007-cmdmon OK
008-confload OK
009-binddevice OK
010-nts OK
level 1:
001-minimal OK
002-extended OK
003-memlock OK
004-priority OK
006-privdrop OK
007-cmdmon OK
008-confload OK
009-binddevice OK
010-nts OK
level -2:
001-minimal OK
002-extended OK
003-memlock OK
004-priority OK
006-privdrop OK
007-cmdmon OK
008-confload OK
009-binddevice OK
010-nts OK
level 2:
001-minimal OK
002-extended OK
003-memlock OK
004-priority OK
006-privdrop OK
007-cmdmon OK
008-confload OK
009-binddevice OK
010-nts OK
PASS
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./199-scfilter
Testing system call filter in destructive tests:
level -1:
100-clockupdate OK
101-rtc OK
102-hwtimestamp OK
103-refclock OK
104-systemdirs OK
level 1:
100-clockupdate OK
101-rtc OK
102-hwtimestamp OK
103-refclock OK
104-systemdirs OK
level -2:
100-clockupdate OK
101-rtc OK
102-hwtimestamp OK
103-refclock OK
104-systemdirs OK
level 2:
100-clockupdate OK
101-rtc OK
102-hwtimestamp OK
103-refclock OK
104-systemdirs OK
PASS
alpine:/home/jvoisin/chrony/test/system#
Albeit we might want to restrict the parameters passed to ioctl, instead
of allowing it unconditionally.
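As an added illustration of that point (not chrony's code, which uses libseccomp): the same policy written as raw seccomp-BPF with ioctl restricted by its request argument, plus a small user-space interpreter so the filter can be exercised without installing it. The allowed request codes (FIONREAD, TCGETS) and the syscall list are assumptions for the example.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* BPF helpers: load a 32-bit seccomp_data field, compare-and-jump, return. */
#define LD(field) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define JEQ(val, jt, jf) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (val), (jt), (jf))
#define RET(code) BPF_STMT(BPF_RET | BPF_K, (code))
/* Assumed policy: x86_64 only; write/writev allowed unconditionally; ioctl
 * allowed only when its request (args[1]) is FIONREAD or TCGETS; anything
 * else is killed with SIGSYS (the "sig=31" in the audit record). jt/jf are
 * counted from the instruction after the jump. */
static const struct sock_filter filter[] = {
  LD(arch),
  JEQ(AUDIT_ARCH_X86_64, 1, 0),
  RET(SECCOMP_RET_KILL_PROCESS),
  LD(nr),
  JEQ(__NR_write, 1, 0),
  JEQ(__NR_writev, 0, 1),
  RET(SECCOMP_RET_ALLOW),
  JEQ(__NR_ioctl, 0, 4),          /* not ioctl either: jump to the kill */
  LD(args[1]),                    /* low 32 bits of the ioctl request code */
  JEQ(FIONREAD, 1, 0),
  JEQ(TCGETS, 0, 1),
  RET(SECCOMP_RET_ALLOW),
  RET(SECCOMP_RET_KILL_PROCESS),  /* unlisted ioctl request or other syscall */
};
/* Interpreter for the three instruction forms used above (little-endian host). */
uint32_t run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *d)
{
  uint32_t acc = 0;
  for (size_t pc = 0; pc < n; pc++) {
    if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
      memcpy(&acc, (const char *)d + p[pc].k, sizeof acc);
    else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
      pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;
    else if (p[pc].code == (BPF_RET | BPF_K))
      return p[pc].k;
  }
  return SECCOMP_RET_KILL_PROCESS;  /* fell off the end: deny */
}
/* Decide one x86_64 syscall; request matters only for ioctl. */
uint32_t decide(int nr, uint64_t request)
{
  struct seccomp_data d = { .nr = nr, .arch = AUDIT_ARCH_X86_64, .args = { 0, request } };
  return run_filter(filter, sizeof filter / sizeof filter[0], &d);
}
```

An unconditional `SCMP_SYS(ioctl)` corresponds to dropping the `LD(args[1])` check and jumping straight to the allow, which is exactly the widening the remark above is about.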