Testing chrony seccomp support

Dan Horák dan at danny.cz
Wed Oct 7 12:20:24 UTC 2015


On Wed, 7 Oct 2015 14:13:36 +0200
Miroslav Lichvar <mlichvar at redhat.com> wrote:

> On Wed, Oct 07, 2015 at 09:24:22AM +0200, Dan Horák wrote:
> > On Mon, 5 Oct 2015 13:58:26 +0200
> > Miroslav Lichvar <mlichvar at redhat.com> wrote:
> > 
> > > In chrony 2.2-pre1 was added support for system call filtering
> > > with the kernel seccomp facility. In chrony it's mainly useful to
> > > reduce the damage from attackers who can execute arbitrary code,
> > > e.g. prevent gaining the root privileges through a kernel
> > > vulnerability.
> > 
> > please keep in mind that libseccomp currently supports only limited
> > set of architectures -
> > http://pkgs.fedoraproject.org/cgit/libseccomp.git/tree/libseccomp.spec#n5
> > It will change (in Rawhide) after mainline kernel 4.3 release when
> > s390 and ppc will become supported as well.
> 
> The chrony spec should now follow that. Thanks.

thanks, once the support lands in libseccomp, we (aka the secondary
arch team) will be going over the packages that use libseccomp in
buildroots and remove the exceptions


		Dan


More information about the devel mailing list