On Mon, 2015-10-05 at 13:58 +0200, Miroslav Lichvar wrote:
In chrony 2.2-pre1 was added support for system call filtering with
the kernel seccomp facility. In chrony it's mainly useful to reduce
the damage from attackers who can execute arbitrary code, e.g.
prevent
gaining the root privileges through a kernel vulnerability.
The rawhide chrony package is now compiled with the seccomp support,
but the filtering is not enabled by default. The trouble is it has to
cover all system calls needed in all possible configurations of
chrony
and all libraries it depends on, which is difficult and it may even
change over time as the libraries are updated.
As Florian suggested it makes more sense to compartmentalize chrony so
that only a small controlled part of it needs to run with seccomp. My
recommendation, if you want to use libraries in the filtered code, make
their authors aware of that, so that they document any changes in the
used system calls, and if possible ask them to document the existing
system calls used (e.g., similarly to:
http://www.gnutls.org/manual/html_node/Running-in-a-sandbox.html )
regards,
Nikos