From 881e427f3236046466bdb8235edf86e6dfa34391 Mon Sep 17 00:00:00 2001
From: Michael Bishop <cleverca22@gmail.com>
Date: Mon, 11 Jun 2018 08:30:48 -0300
Subject: [PATCH] fix the seccomp filter to include a few previously missed
syscalls
---
ntpd/ntpd.c | 8 ++++++++
1 file changed, 8 insertions(+)
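diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c
index 2c7f02ec5..4c59dc2ba 100644
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -1140,10 +1140,12 @@ int scmp_sc[] = {
 SCMP_SYS(close),
 SCMP_SYS(connect),
 SCMP_SYS(exit_group),
+ SCMP_SYS(fcntl),
 SCMP_SYS(fstat),
 SCMP_SYS(fsync),
 SCMP_SYS(futex),
 SCMP_SYS(getitimer),
+ SCMP_SYS(getpid),
 SCMP_SYS(getsockname),
 SCMP_SYS(ioctl),
 SCMP_SYS(lseek),
@@ -1162,6 +1164,8 @@ int scmp_sc[] = {
 SCMP_SYS(sendto),
 SCMP_SYS(setitimer),
 SCMP_SYS(setsid),
+ SCMP_SYS(setsockopt),
+ SCMP_SYS(openat),
 SCMP_SYS(socket),
 SCMP_SYS(stat),
 SCMP_SYS(time),
@@ -1178,9 +1182,11 @@ int scmp_sc[] = {
 SCMP_SYS(clock_settime),
 SCMP_SYS(close),
 SCMP_SYS(exit_group),
+ SCMP_SYS(fcntl),
 SCMP_SYS(fsync),
 SCMP_SYS(futex),
 SCMP_SYS(getitimer),
+ SCMP_SYS(getpid),
 SCMP_SYS(madvise),
 SCMP_SYS(mmap),
 SCMP_SYS(mmap2),
@@ -1194,6 +1200,8 @@ int scmp_sc[] = {
 SCMP_SYS(select),
 SCMP_SYS(setitimer),
 SCMP_SYS(setsid),
+ SCMP_SYS(setsockopt),
+ SCMP_SYS(openat),
 SCMP_SYS(sigprocmask),
 SCMP_SYS(sigreturn),
 SCMP_SYS(socketcall),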
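Review bot: `SCMP_SYS(openat)` is added to both syscall lists (the hunks at -1162 and -1194) with no justification, whereas the description and its strace excerpt account for getpid, fcntl and setsockopt; an unfiltered openat is also the one addition that widens the sandbox to opening arbitrary paths after the filter is installed. A comment at each entry naming what needs it — `/* openat: needed after filter install by <CALLER — confirm from trace> */` — would let the next reviewer decide whether a flags-restricted rule (libseccomp `SCMP_A2` with `SCMP_CMP_MASKED_EQ` on O_ACCMODE) could replace the blanket entry; that presumes the array is installed with zero argument comparisons, which these hunks do not show. Both lists are otherwise kept in alphabetical order, and inserting openat between setsockopt and socket breaks that order in both places; it belongs in its alphabetical slot. The `scmp_sc[]` arrays begin and end outside all four hunks.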