Testing chrony seccomp support

Support for system call filtering with the kernel seccomp facility was
added in chrony 2.2-pre1. In chrony it's mainly useful to reduce the
damage from attackers who can execute arbitrary code, e.g. to prevent
them from gaining root privileges through a kernel vulnerability.

The rawhide chrony package is now compiled with the seccomp support,
but the filtering is not enabled by default. The trouble is it has to
cover all system calls needed in all possible configurations of chrony
and all libraries it depends on, which is difficult and it may even
change over time as the libraries are updated.

I'm interested to know if this works in configurations other than the
ones I tried, especially non-default NSS configurations, and to get an
idea of whether this could be enabled by default at some point.

If you would like to help with the testing:

1. echo 'OPTIONS="-F -1"' > /etc/sysconfig/chronyd
2. systemctl restart chronyd
3. occasionally check if chronyd is still running

If you see in the log that the process was killed with status=31/SYS,
it's a problem in the seccomp support. Please let me know if it has
crashed for you. Unfortunately, abrt doesn't seem to catch these
crashes, even when /proc/sys/fs/suid_dumpable is set to 2.

For F22 and F23 there is a COPR repo with packages built from the
current development code:
https://copr.fedoraproject.org/coprs/mlichvar/chrony/

Thanks,

-- 
Miroslav Lichvar
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
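Added example (not part of the original post and not chrony's code): a minimal seccomp-bpf allow-list in C that shows why a filtered process which makes a syscall outside its allow-list is reported by systemd as status=31/SYS. The function names install_filter and run_filtered_child are my own; it assumes Linux and compiles with gcc or clang without extra libraries.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Install a seccomp-bpf allow-list: exit_group, exit and write pass, anything else
 * kills the process. (A real filter also checks seccomp_data.arch; omitted for portability.) */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child that installs the filter and, if blocked_call is nonzero, then calls a syscall
 * outside the allow-list. Returns the signal that killed the child (31 = SIGSYS), 0 on clean exit, -1 on error. */
int run_filtered_child(int blocked_call)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(2);
        if (blocked_call) syscall(SYS_getpid); /* not allowed: kernel delivers SIGSYS */
        _exit(0);                              /* exit_group is allowed */
    }
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    int sig = run_filtered_child(1);
    printf("child terminated by signal %d%s\n", sig, sig == SIGSYS ? " (SIGSYS; systemd shows this as status=31/SYS)" : "");
    return 0;
}
```

The same termination signal is what you are looking for in the chronyd journal entries during the test described above; a clean exit (blocked_call = 0) shows the filter itself does not interfere with the allowed calls.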



