Re: Testing chrony seccomp support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2016-01-18 at 14:15 +0100, Miroslav Lichvar wrote:
> On Mon, Jan 18, 2016 at 11:02:44AM +0100, Nikos Mavrogiannopoulos
> wrote:
> > As Florian suggested it makes more sense to compartmentalize chrony
> > so
> > that only a small controlled part of it needs to run with seccomp.
> > My
> > recommendation, if you want to use libraries in the filtered code,
> > make
> > their authors aware of that, so that they document any changes in
> > the
> > used system calls, and if possible ask them to document the
> > existing
> > system calls used (e.g., similarly to:
> > http://www.gnutls.org/manual/html_node/Running-in-a-sandbox.html ;)
> 
> chronyd doesn't use libc for much more than that. There is memory
> allocation, reading/writing system clock, reading/writing/moving
> files, creating/connecting/binding sockets, receiving/sending
> packets, and select(). Name resolving is now out of the filter. The
> only other library that's currently used after the seccomp filter is
> loaded is freebl3 from NSS.
> 
> I guess some of that could be moved to the helper process. If only
> the most dangerous code (whatever that is) should run with seccomp,
> I'm not sure if there is a layer where a clean small cut could be
> made. I suspect the interface between the two processes would be huge
> and it would bloat the code significantly.

If you have complex structures to be transfered you may want to rely on
something automated to serialize/deserialize requests. That will
increase the code, but reduce the complexity. I've used protocol
buffers over unix sockets for that exact reason and I'm pretty happy
with it.

regards,
Nikos
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux