Re: Testing chrony seccomp support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 5 Oct 2015 13:58:26 +0200
Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:

> In chrony 2.2-pre1 was added support for system call filtering with
> the kernel seccomp facility. In chrony it's mainly useful to reduce
> the damage from attackers who can execute arbitrary code, e.g. prevent
> gaining the root privileges through a kernel vulnerability.

please keep in mind that libseccomp currently supports only limited set
of architectures -
http://pkgs.fedoraproject.org/cgit/libseccomp.git/tree/libseccomp.spec#n5
It will change (in Rawhide) after mainline kernel 4.3 release when s390
and ppc will become supported as well.


		Dan
 
> The rawhide chrony package is now compiled with the seccomp support,
> but the filtering is not enabled by default. The trouble is it has to
> cover all system calls needed in all possible configurations of chrony
> and all libraries it depends on, which is difficult and it may even
> change over time as the libraries are updated.
> 
> I'm interested to know if this works in other configurations than what
> I tried, especially non-default NSS configurations, and get an idea if
> this could be enabled by default at some point.
> 
> If you would like to help with the testing:
> 
> 1. echo 'OPTIONS="-F -1"' > /etc/sysconfig/chronyd
> 2. systemctl restart chronyd
> 3. occasionally check if chronyd is still running
> 
> If you see in the log that the process was killed with status=31/SYS,
> it's a problem in the seccomp support. Please let me know it has
> crashed for you. Unfortunately, abrt doesn't seem to catch these
> crashes, even when /proc/sys/fs/suid_dumpable is set to 2.
> 
> For F22 and F23 there is a COPR repo with packages built from the
> current development code:
> https://copr.fedoraproject.org/coprs/mlichvar/chrony/
> 
> Thanks,
> 
> -- 
> Miroslav Lichvar
> -- 
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux