On Mon, 5 Oct 2015 13:58:26 +0200
Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:

> In chrony 2.2-pre1, support was added for system call filtering with
> the kernel seccomp facility. In chrony it's mainly useful to reduce
> the damage from attackers who can execute arbitrary code, e.g. to
> prevent gaining root privileges through a kernel vulnerability.

Please keep in mind that libseccomp currently supports only a limited
set of architectures:
http://pkgs.fedoraproject.org/cgit/libseccomp.git/tree/libseccomp.spec#n5

It will change (in Rawhide) after the mainline kernel 4.3 release, when
s390 and ppc will become supported as well.

Dan

> The rawhide chrony package is now compiled with the seccomp support,
> but the filtering is not enabled by default. The trouble is it has to
> cover all system calls needed in all possible configurations of chrony
> and all libraries it depends on, which is difficult and it may even
> change over time as the libraries are updated.
>
> I'm interested to know if this works in other configurations than what
> I tried, especially non-default NSS configurations, and to get an idea
> if this could be enabled by default at some point.
>
> If you would like to help with the testing:
>
> 1. echo 'OPTIONS="-F -1"' > /etc/sysconfig/chronyd
> 2. systemctl restart chronyd
> 3. occasionally check if chronyd is still running
>
> If you see in the log that the process was killed with status=31/SYS,
> it's a problem in the seccomp support. Please let me know if it has
> crashed for you. Unfortunately, abrt doesn't seem to catch these
> crashes, even when /proc/sys/fs/suid_dumpable is set to 2.
>
> For F22 and F23 there is a COPR repo with packages built from the
> current development code:
> https://copr.fedoraproject.org/coprs/mlichvar/chrony/
>
> Thanks,
>
> --
> Miroslav Lichvar
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
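As an added illustration of what "killed with status=31/SYS" means, and of the architecture point raised above, here is a small example written for this page. It is not chrony's or libseccomp's code. It builds a seccomp-bpf filter from raw BPF statements via prctl(2) instead of libseccomp, so it does not depend on libseccomp's list of supported architectures; the flip side is that the filter must carry the AUDIT_ARCH_* value of the machine it runs on, which is why it checks the arch field before looking at the syscall number. The whitelist and the function names (install_filter, run_filtered, sigsys_on_forbidden_syscall, exit_status_within_whitelist) are assumptions for the demo; chronyd's real filter has to cover every syscall chrony and its libraries use, which is the hard part described in the message.

```c
/* Added example, not chrony's or libseccomp's code: a minimal seccomp-bpf
 * filter built from raw BPF, installed in a forked child which then calls a
 * syscall outside the whitelist. The parent reports the signal that killed
 * the child: SIGSYS (31) on Linux, shown by systemd as "status=31/SYS".
 * Requires a Linux kernel with seccomp filter support. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* A filter is ABI-specific; pick the audit arch for the build target. */
#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SECCOMP_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* If nr matches, fall through to RET ALLOW; otherwise skip to the next test. */
#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install the whitelist filter in the calling process. 0 on success, -1 on failure. */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        /* Kill if the syscall comes from a different ABI than we expect. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number and compare it against the whitelist (assumed set). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(SYS_exit_group),
        ALLOW_SYSCALL(SYS_exit),
        ALLOW_SYSCALL(SYS_write),
        ALLOW_SYSCALL(SYS_rt_sigreturn),
        /* Anything else terminates the process as if by SIGSYS. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* An unprivileged process must set no_new_privs before installing a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Fork a child that installs the filter and runs fn(). Returns the signal
 * number that killed the child, 0 if it exited normally, -1 on setup failure. */
static int run_filtered(void (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_filter() != 0)
            _exit(111);          /* no filter installed yet, plain exit is fine */
        fn();
        _exit(0);                /* exit_group is whitelisted */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 111)
        return -1;
    return 0;
}

static void forbidden_syscall(void)
{
    syscall(SYS_getppid);        /* not whitelisted: the filter kills us here */
}

static void allowed_syscalls_only(void)
{
    static const char msg[] = "filter allows write\n";
    syscall(SYS_write, 1, msg, sizeof(msg) - 1);   /* whitelisted */
}

/* Expected SIGSYS (31): the same event the journal reports as status=31/SYS. */
int sigsys_on_forbidden_syscall(void) { return run_filtered(forbidden_syscall); }

/* Expected 0: a child that stays inside the whitelist exits normally. */
int exit_status_within_whitelist(void) { return run_filtered(allowed_syscalls_only); }

int main(void)
{
    printf("forbidden syscall: child ended with signal %d (SIGSYS is %d)\n",
           sigsys_on_forbidden_syscall(), SIGSYS);
    printf("whitelisted syscalls only: result %d\n", exit_status_within_whitelist());
    return 0;
}
```

Build with `gcc -o seccomp_demo seccomp_demo.c` (no libseccomp needed) and run it on a Linux kernel with seccomp filter support. The first child dies with signal 31, which is exactly what a chronyd started with the seccomp filter shows in the journal as status=31/SYS when its filter lacks a syscall that some library path needs; the second child shows that a process staying inside the whitelist is unaffected.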