Testing chrony seccomp support

Miroslav Lichvar mlichvar at redhat.com
Wed Oct 7 12:13:36 UTC 2015


On Wed, Oct 07, 2015 at 09:24:22AM +0200, Dan HorĂ¡k wrote:
> On Mon, 5 Oct 2015 13:58:26 +0200
> Miroslav Lichvar <mlichvar at redhat.com> wrote:
> 
> > In chrony 2.2-pre1 was added support for system call filtering with
> > the kernel seccomp facility. In chrony it's mainly useful to reduce
> > the damage from attackers who can execute arbitrary code, e.g. prevent
> > gaining the root privileges through a kernel vulnerability.
> 
> please keep in mind that libseccomp currently supports only limited set
> of architectures -
> http://pkgs.fedoraproject.org/cgit/libseccomp.git/tree/libseccomp.spec#n5
> It will change (in Rawhide) after mainline kernel 4.3 release when s390
> and ppc will become supported as well.

The chrony spec should now follow that. Thanks.

-- 
Miroslav Lichvar


More information about the devel mailing list