On 01/06/2023 08:37, Miroslav Lichvar wrote:
> On Wed, May 31, 2023 at 04:54:09PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
>> 2023-05-31T14:51:14Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
>> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
>> -DEBUG)
>> 2023-05-31T14:51:14Z Disabled control of system clock
>> 2023-05-31T14:51:14Z World-readable permissions on
>> /home/jvoisin/chrony/test/system/tmp/keys
>> 2023-05-31T14:51:14Z Loaded 1 symmetric keys
>> 2023-05-31T14:51:14Z Running with root privileges
>> 2023-05-31T14:51:14Z Frequency 0.000 +/- 10000.000 ppm read from
>> /home/jvoisin/chrony/test/system/tmp/driftfile
>> 2023-05-31T14:51:14Z Timezone right/UTC failed leap second check, ignoring
>> 2023-05-31T14:51:14Z Loaded seccomp filter (level 1)
>> alpine:/home/jvoisin/chrony/test/system#
>> ```
>
> The log is missing the "chronyd exiting" message. It might have
> crashed due to seccomp filter. If you run "TEST_SCFILTER=1
> ./002-extended", do you see the offending syscall in the system log?
>

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
  non-default settings:
    starting chronyd OK
    waiting for synchronization ERROR
FAIL
    stopping chronyd ERROR
alpine:/home/jvoisin/chrony/test/system# dmesg | tail -n 1
[74805.395129] audit: type=1326 audit(1685617027.470:7): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4596 comm="chronyd" exe="/home/jvoisin/chrony/chronyd" sig=31 arch=c000003e syscall=16 compat=0 ip=0x7ff195e5ce76 code=0x0
alpine:/home/jvoisin/chrony/test/system# vim ../../sys_linux.c
alpine:/home/jvoisin/chrony/test/system# git diff
diff --git a/sys_linux.c b/sys_linux.c index c6cb453..d248de0 100644 --- a/sys_linux.c +++ b/sys_linux.c @@ -603,11 +603,13 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write), + SCMP_SYS(writev),
/* Miscellaneous */ SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname), + SCMP_SYS(ioctl), }; const int denied_any[] = { diff --git a/test/system/test.common b/test/system/test.common index 7005c9e..0660351 100644 --- a/test/system/test.common +++ b/test/system/test.common 
@@ -42,6 +42,8 @@ test_start() { su "$user" -s /bin/sh -c "touch $TEST_DIR/test" 2> /dev/null || \ test_skip "$user cannot access $TEST_DIR" rm "$TEST_DIR/test" + else + chown 0:0 "$TEST_DIR" || test_skip "could not chown $TEST_DIR" fi echo "Testing $*:"
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
  non-default settings:
    starting chronyd OK
    waiting for synchronization OK
    stopping chronyd OK
    checking chronyd messages OK
    checking chronyd files OK
PASS
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./099-scfilter
Testing system call filter in non-destructive tests:
  level -1:
    001-minimal OK
    002-extended OK
    003-memlock OK
    004-priority OK
    006-privdrop OK
    007-cmdmon OK
    008-confload OK
    009-binddevice OK
    010-nts OK
  level 1:
    001-minimal OK
    002-extended OK
    003-memlock OK
    004-priority OK
    006-privdrop OK
    007-cmdmon OK
    008-confload OK
    009-binddevice OK
    010-nts OK
  level -2:
    001-minimal OK
    002-extended OK
    003-memlock OK
    004-priority OK
    006-privdrop OK
    007-cmdmon OK
    008-confload OK
    009-binddevice OK
    010-nts OK
  level 2:
    001-minimal OK
    002-extended OK
    003-memlock OK
    004-priority OK
    006-privdrop OK
    007-cmdmon OK
    008-confload OK
    009-binddevice OK
    010-nts OK
PASS
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./199-scfilter
Testing system call filter in destructive tests:
  level -1:
    100-clockupdate OK
    101-rtc OK
    102-hwtimestamp OK
    103-refclock OK
    104-systemdirs OK
  level 1:
    100-clockupdate OK
    101-rtc OK
    102-hwtimestamp OK
    103-refclock OK
    104-systemdirs OK
  level -2:
    100-clockupdate OK
    101-rtc OK
    102-hwtimestamp OK
    103-refclock OK
    104-systemdirs OK
  level 2:
    100-clockupdate OK
    101-rtc OK
    102-hwtimestamp OK
    103-refclock OK
    104-systemdirs OK
PASS
alpine:/home/jvoisin/chrony/test/system#
```

Albeit we might want to restrict the parameters passed to ioctl, instead of allowing it unconditionally.
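
Review bot: `SCMP_SYS(ioctl)` in the sys_linux.c hunk is added to the unconditionally allowed list under "Miscellaneous", so the filter would accept any ioctl request. The audit record in the message (syscall=16 with arch=c000003e, which is ioctl on x86_64) identifies the syscall but not the request value, so determine which request is actually issued and allow only that one with a comparison on the second argument, as the closing remark of the message already suggests. The same record says nothing about `SCMP_SYS(writev)`; state in the commit message which call made it necessary.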
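
Review bot: the `else` branch added to test_start() in test/system/test.common (`chown 0:0 "$TEST_DIR" || test_skip "could not chown $TEST_DIR"`) is not explained anywhere in the message and is unrelated to the syscall allow-list change; send it as a separate patch with a description of why the test directory has to be owned by root. Unlike the `su` line above it, the `chown` does not redirect stderr, so a failure prints chown's own error before the skip message; decide whether that is intended.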
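
The closing remark about restricting the parameters passed to ioctl, sketched as an added example (not code from this message or from chrony): a raw seccomp-BPF filter, used here instead of the libseccomp calls in sys_linux.c, that lets ioctl through for a single request value only. It assumes x86_64 Linux; `NATIVE_ARCH`, `ALLOWED_REQ`, `FIELD`, `install_ioctl_filter` and `demo` are hypothetical names, and `TIOCGWINSZ` is a stand-in because the message does not say which request was issued.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define NATIVE_ARCH AUDIT_ARCH_X86_64  /* 0xc000003e, the arch in the audit record */
#define ALLOWED_REQ TIOCGWINSZ         /* assumed request, for illustration only */
#define FIELD(f) offsetof(struct seccomp_data, f)
/* Demo filter: restricts ioctl only; a real allow-list denies by default. */
static int install_ioctl_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),     /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),    /* not ioctl */
        /* The kernel reads the request as unsigned int: test the low word only. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[1])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ALLOWED_REQ, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM), /* observable deny */
    };
    struct sock_fprog prog = { sizeof(f) / sizeof(f[0]), f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 0 if the allowed request passes and a different one gets EPERM. */
static int demo(void) {
    struct winsize ws; int n, status, allowed;
    pid_t pid = fork();
    if (pid == 0) {                          /* filter only the child */
        if (install_ioctl_filter()) _exit(3);
        errno = 0; ioctl(0, ALLOWED_REQ, &ws);   /* ENOTTY is fine, EPERM is not */
        allowed = errno != EPERM;
        errno = 0; ioctl(0, FIONREAD, &n);       /* any other request is refused */
        _exit(allowed && errno == EPERM ? 0 : 1);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { return demo(); }
```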