Testing chrony seccomp support
Dan HorĂ¡k
dan at danny.cz
Wed Oct 7 07:24:22 UTC 2015
On Mon, 5 Oct 2015 13:58:26 +0200
Miroslav Lichvar <mlichvar at redhat.com> wrote:
> In chrony 2.2-pre1 was added support for system call filtering with
> the kernel seccomp facility. In chrony it's mainly useful to reduce
> the damage from attackers who can execute arbitrary code, e.g. prevent
> gaining the root privileges through a kernel vulnerability.
please keep in mind that libseccomp currently supports only limited set
of architectures -
http://pkgs.fedoraproject.org/cgit/libseccomp.git/tree/libseccomp.spec#n5
It will change (in Rawhide) after mainline kernel 4.3 release when s390
and ppc will become supported as well.
Dan
> The rawhide chrony package is now compiled with the seccomp support,
> but the filtering is not enabled by default. The trouble is it has to
> cover all system calls needed in all possible configurations of chrony
> and all libraries it depends on, which is difficult and it may even
> change over time as the libraries are updated.
>
> I'm interested to know if this works in other configurations than what
> I tried, especially non-default NSS configurations, and get an idea if
> this could be enabled by default at some point.
>
> If you would like to help with the testing:
>
> 1. echo 'OPTIONS="-F -1"' > /etc/sysconfig/chronyd
> 2. systemctl restart chronyd
> 3. occasionally check if chronyd is still running
>
> If you see in the log that the process was killed with status=31/SYS,
> it's a problem in the seccomp support. Please let me know it has
> crashed for you. Unfortunately, abrt doesn't seem to catch these
> crashes, even when /proc/sys/fs/suid_dumpable is set to 2.
>
> For F22 and F23 there is a COPR repo with packages built from the
> current development code:
> https://copr.fedoraproject.org/coprs/mlichvar/chrony/
>
> Thanks,
>
> --
> Miroslav Lichvar
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
More information about the devel
mailing list