On Tue, Oct 06, 2015 at 10:15:38AM +0200, Florian Weimer wrote:
> On 10/05/2015 05:27 PM, Miroslav Lichvar wrote:
> > I guess glibc and getaddrinfo() will be the most problematic part in
> > the chrony seccomp support. Is there a precedent in Fedora of a
> > package using a seccomp filter and getaddrinfo() by default?
> getaddrinfo uses NSS under the cover, which loads NSS modules and runs
> their code to perform lookups. The system configuration may even use
> modules which do not come with the distribution.
> You need to run getaddrinfo from a separate process/thread which lacks a
> seccomp filter.
FWIW, the latest upstream code now does name resolving in a separate
process as you have suggested. Since the original post I already had
to add some system calls that were apparently made with some NSS
configurations. Hopefully it will be more reliable now. The COPR has a
build of the current code if anyone is interested in testing.
Thanks,
--
Miroslav Lichvar
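As an added illustration of the split described in this thread (not chrony's own code): a helper process is forked before the daemon installs its seccomp filter, getaddrinfo() and whatever NSS modules it loads run only in that helper, and the filtered parent exchanges fixed-size messages with it over two pipes. The names `resolver_loop`, `start_resolver`, `resolve_via_helper`, `resolve_loopback_check` and the one-IPv4-address wire format are assumptions of this example, and the seccomp filter itself is left as a marked comment.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define NAME_MAX_LEN 255 /* longest hostname accepted; below PIPE_BUF, so one write is one request */
/* Helper process: read hostnames from req_fd, answer each with its first IPv4 address. */
static void resolver_loop(int req_fd, int resp_fd) {
    char name[NAME_MAX_LEN + 1];
    for (ssize_t n; (n = read(req_fd, name, NAME_MAX_LEN)) > 0;) {
        struct addrinfo hints = { .ai_family = AF_INET }, *res = NULL;
        struct in_addr addr = { 0 }; /* 0.0.0.0 reports a failed lookup */
        name[n] = '\0';
        /* NSS module code runs here, in the unfiltered helper, not in the daemon. */
        if (getaddrinfo(name, NULL, &hints, &res) == 0 && res) {
            addr = ((struct sockaddr_in *)res->ai_addr)->sin_addr;
            freeaddrinfo(res);
        }
        if (write(resp_fd, &addr, sizeof addr) != (ssize_t)sizeof addr) break;
    }
    _exit(0); /* parent closed req_fd (or the pipe broke): shut down */
}
/* Fork the helper before any seccomp filter is installed; returns its pid or -1. */
static pid_t start_resolver(int *req_fd, int *resp_fd) {
    int req[2], resp[2];
    if (pipe(req) < 0 || pipe(resp) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(req[1]); close(resp[0]); resolver_loop(req[0], resp[1]); }
    close(req[0]); close(resp[1]);
    *req_fd = req[1]; *resp_fd = resp[0];
    return pid; /* the daemon would apply its seccomp filter after this point (not shown) */
}
/* Filtered side: resolving a name now needs only read() and write() on the pipes. */
static int resolve_via_helper(int req_fd, int resp_fd, const char *name, struct in_addr *out) {
    size_t len = strlen(name);
    if (len == 0 || len > NAME_MAX_LEN || write(req_fd, name, len) != (ssize_t)len) return -1;
    if (read(resp_fd, out, sizeof *out) != (ssize_t)sizeof *out) return -1;
    return out->s_addr == 0 ? -1 : 0;
}
/* Round trip through the helper with a loopback literal, then stop it; returns 1 on success. */
int resolve_loopback_check(void) {
    int req, resp; struct in_addr a;
    pid_t pid = start_resolver(&req, &resp);
    if (pid < 0 || resolve_via_helper(req, resp, "127.0.0.1", &a) != 0) return 0;
    close(req); close(resp); /* EOF on req ends the helper's loop */
    return waitpid(pid, NULL, 0) == pid && a.s_addr == htonl(INADDR_LOOPBACK);
}
```

The check uses a numeric literal so it runs offline; with a real hostname the same path exercises the system's NSS configuration inside the helper only, which is what keeps the filtered process's syscall set small and stable.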