On Mon, 2016-01-18 at 14:15 +0100, Miroslav Lichvar wrote:
> On Mon, Jan 18, 2016 at 11:02:44AM +0100, Nikos Mavrogiannopoulos wrote:
> > As Florian suggested it makes more sense to compartmentalize chrony so
> > that only a small controlled part of it needs to run with seccomp. My
> > recommendation, if you want to use libraries in the filtered code, make
> > their authors aware of that, so that they document any changes in the
> > used system calls, and if possible ask them to document the existing
> > system calls used (e.g., similarly to:
> > http://www.gnutls.org/manual/html_node/Running-in-a-sandbox.html ;)
>
> chronyd doesn't use libc for much more than that. There is memory
> allocation, reading/writing system clock, reading/writing/moving
> files, creating/connecting/binding sockets, receiving/sending
> packets, and select(). Name resolving is now out of the filter. The
> only other library that's currently used after the seccomp filter is
> loaded is freebl3 from NSS.
>
> I guess some of that could be moved to the helper process. If only
> the most dangerous code (whatever that is) should run with seccomp,
> I'm not sure if there is a layer where a clean small cut could be
> made. I suspect the interface between the two processes would be huge
> and it would bloat the code significantly.

If you have complex structures to be transferred you may want to rely on
something automated to serialize/deserialize requests. That will increase
the code, but reduce the complexity. I've used protocol buffers over unix
sockets for that exact reason and I'm pretty happy with it.

regards,
Nikos
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
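The thread discusses moving privileged work (name resolution, in chrony's case) out of the seccomp-filtered process into a helper reached over a unix socket. The following is an added illustration of that split, not chrony's code and not the protocol-buffers setup Nikos describes: the sandboxed side only reads and writes one socketpair end, the helper does the "privileged" lookup, and both sides exchange length-prefixed frames with a hard size cap so a malformed peer cannot make the other side allocate or read unboundedly. The op codes, the `MAX_PAYLOAD` cap, the function names and the name-to-address table are all constructed for this example; a hand-rolled framing stands in for an automated serializer.

```c
/* Added example: privilege-separated helper over a unix socketpair with
 * length-prefixed framing. Not chrony's code; names and table are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_PAYLOAD 128                      /* cap accepted by both sides */
enum { OP_RESOLVE = 1, OP_OK = 2, OP_ERR = 3 };

/* Frame layout: uint8_t op, uint32_t length (host order), payload[length]. */

/* Read or write exactly n bytes; returns -1 on error or peer close. */
static int io_all(int fd, void *buf, size_t n, int do_write) {
    uint8_t *p = buf;
    while (n > 0) {
        ssize_t r = do_write ? write(fd, p, n) : read(fd, p, n);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}

int send_msg(int fd, uint8_t op, const void *payload, uint32_t len) {
    if (len > MAX_PAYLOAD) return -1;        /* never emit an oversized frame */
    if (io_all(fd, &op, 1, 1) < 0 || io_all(fd, &len, sizeof len, 1) < 0) return -1;
    return len ? io_all(fd, (void *)payload, len, 1) : 0;
}

/* payload must have room for MAX_PAYLOAD bytes; oversized frames are refused
 * after reading the header, before any payload is consumed. */
int recv_msg(int fd, uint8_t *op, void *payload, uint32_t *len) {
    if (io_all(fd, op, 1, 0) < 0 || io_all(fd, len, sizeof *len, 0) < 0) return -1;
    if (*len > MAX_PAYLOAD) return -1;
    return *len ? io_all(fd, payload, *len, 0) : 0;
}

/* Constructed table standing in for the real privileged lookup. */
static const char *lookup(const char *name) {
    static const char *table[][2] = {
        { "ntp.example.test",  "192.0.2.10" },
        { "ntp2.example.test", "198.51.100.7" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i][0], name) == 0) return table[i][1];
    return NULL;
}

/* Helper (unsandboxed side): serve requests until the peer closes. */
static void helper_loop(int fd) {
    uint8_t op, buf[MAX_PAYLOAD + 1];
    uint32_t len;
    while (recv_msg(fd, &op, buf, &len) == 0) {
        buf[len] = '\0';
        const char *addr = NULL;
        if (op == OP_RESOLVE && len > 0 && memchr(buf, 0, len) == NULL)
            addr = lookup((char *)buf);      /* reject embedded NULs as malformed */
        if (addr) send_msg(fd, OP_OK, addr, (uint32_t)strlen(addr));
        else      send_msg(fd, OP_ERR, NULL, 0);
    }
}

/* Sandboxed side: spawn the helper, issue one request, collect the reply.
 * Returns 0 with the answer in out, -1 on refusal or protocol error. */
int resolve_via_helper(const char *name, char *out, size_t outlen) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); helper_loop(sv[1]); _exit(0); }
    close(sv[1]);                            /* this side only touches sv[0] */
    int rc = -1;
    uint8_t op, buf[MAX_PAYLOAD + 1];
    uint32_t len = 0;
    if (send_msg(sv[0], OP_RESOLVE, name, (uint32_t)strlen(name)) == 0 &&
        recv_msg(sv[0], &op, buf, &len) == 0 && op == OP_OK && len < outlen) {
        memcpy(out, buf, len); out[len] = '\0'; rc = 0;
    }
    close(sv[0]);                            /* EOF makes the helper exit */
    waitpid(pid, NULL, 0);
    return rc;
}

/* Returns 1 if a frame claiming 1000 payload bytes is refused by recv_msg. */
int oversized_frame_rejected(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    uint8_t op = OP_RESOLVE, scratch[MAX_PAYLOAD + 1];
    uint32_t len = 1000, got;
    (void)!write(sv[1], &op, 1);
    (void)!write(sv[1], &len, sizeof len);
    int rc = recv_msg(sv[0], &op, scratch, &got);
    close(sv[0]); close(sv[1]);
    return rc == -1;
}

int main(void) {
    char addr[64];
    if (resolve_via_helper("ntp.example.test", addr, sizeof addr) == 0)
        printf("ntp.example.test -> %s\n", addr);
    printf("unknown name refused: %s\n",
           resolve_via_helper("nope.test", addr, sizeof addr) < 0 ? "yes" : "no");
    printf("oversized frame rejected: %s\n", oversized_frame_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the cap and the NUL check is that the helper, which runs without the filter, must treat the sandboxed side as untrusted input just as much as the reverse: a compromised filtered process should only be able to ask the narrow question the interface allows. With a real serializer such as protocol buffers the same two checks (bounded message size, schema-validated fields) are what the generated code gives you for free, which is the complexity reduction Nikos refers to.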