Testing chrony seccomp support
dan at danny.cz
Wed Oct 7 07:24:22 UTC 2015
On Mon, 5 Oct 2015 13:58:26 +0200
Miroslav Lichvar <mlichvar at redhat.com> wrote:
> In chrony 2.2-pre1 was added support for system call filtering with
> the kernel seccomp facility. In chrony it's mainly useful to reduce
> the damage from attackers who can execute arbitrary code, e.g. prevent
> gaining the root privileges through a kernel vulnerability.
please keep in mind that libseccomp currently supports only limited set
of architectures -
It will change (in Rawhide) after mainline kernel 4.3 release when s390
and ppc will become supported as well.
> The rawhide chrony package is now compiled with the seccomp support,
> but the filtering is not enabled by default. The trouble is it has to
> cover all system calls needed in all possible configurations of chrony
> and all libraries it depends on, which is difficult and it may even
> change over time as the libraries are updated.
> I'm interested to know if this works in other configurations than what
> I tried, especially non-default NSS configurations, and get an idea if
> this could be enabled by default at some point.
> If you would like to help with the testing:
> 1. echo 'OPTIONS="-F -1"' > /etc/sysconfig/chronyd
> 2. systemctl restart chronyd
> 3. occasionally check if chronyd is still running
> If you see in the log that the process was killed with status=31/SYS,
> it's a problem in the seccomp support. Please let me know it has
> crashed for you. Unfortunately, abrt doesn't seem to catch these
> crashes, even when /proc/sys/fs/suid_dumpable is set to 2.
> For F22 and F23 there is a COPR repo with packages built from the
> current development code:
> Miroslav Lichvar
> devel mailing list
> devel at lists.fedoraproject.org
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
More information about the devel