On Tue, Oct 06, 2015 at 10:15:38AM +0200, Florian Weimer wrote:
> On 10/05/2015 05:27 PM, Miroslav Lichvar wrote:
> > I guess glibc and getaddrinfo() will be the most problematic part in
> > the chrony seccomp support. Is there a precedent in Fedora of a
> > package using a seccomp filter and getaddrinfo() by default?
> 
> getaddrinfo uses NSS under the cover, which loads NSS modules and runs
> their code to perform lookups.  The system configuration may even use
> modules which do not come with the distribution.
> 
> You need to run getaddrinfo from a separate process/thread which lacks a
> seccomp filter.

FWIW, the latest upstream code now does name resolving in a separate
process as you have suggested. Since the original post I already had
to add some system calls that were apparently made with some NSS
configurations. Hopefully it will be more reliable now. The COPR has a
build of the current code if anyone is interested in testing.

Thanks,

-- 
Miroslav Lichvar
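The separate-process scheme discussed above, written out as an added C example (not chrony's code and not glibc's): the resolver helper is forked before the parent installs its seccomp filter, because the filter is inherited across fork(), so getaddrinfo() and whatever NSS modules it loads run in a process the filter never covers, while the sandboxed parent only ever needs read() and write() on two pipes. The function names, the fixed-size message layout, the syscall allowlist and the x86_64 architecture check are all assumptions of this example, not chrony's design.

```c
/* Added example, not chrony's or glibc's code: fork a resolver helper BEFORE
 * installing seccomp, so getaddrinfo() and the NSS modules it loads run in a
 * process the filter never covers. Linux, raw BPF, no libseccomp dependency. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64; use AUDIT_ARCH_AARCH64 on arm64 */
#define MAX_NAME 255 /* requests are fixed-size: the name padded to MAX_NAME + 1 bytes */
struct reply { int status; char addr[INET6_ADDRSTRLEN]; };
static int req_fd = -1, rep_fd = -1; /* parent's ends of the two pipes */
static pid_t helper_pid = -1;

static void helper_loop(int in_fd, int out_fd) { /* unfiltered process; runs until EOF */
    char name[MAX_NAME + 1];
    /* Messages are below PIPE_BUF, so each write() lands whole and one read() sees it. */
    while (read(in_fd, name, sizeof name) == (ssize_t)sizeof name) {
        struct reply rep = { 0 };
        struct addrinfo hints = { 0 }, *res = NULL;
        hints.ai_socktype = SOCK_DGRAM; /* one entry per address, not per socktype */
        name[MAX_NAME] = '\0';
        rep.status = getaddrinfo(name, NULL, &hints, &res); /* NSS modules load here */
        if (rep.status == 0) {
            struct sockaddr *sa = res->ai_addr;
            const void *a = sa->sa_family == AF_INET6 ? (void *)&((struct sockaddr_in6 *)sa)->sin6_addr
                                                      : (void *)&((struct sockaddr_in *)sa)->sin_addr;
            inet_ntop(sa->sa_family, a, rep.addr, sizeof rep.addr);
            freeaddrinfo(res);
        }
        if (write(out_fd, &rep, sizeof rep) != (ssize_t)sizeof rep) break;
    }
    _exit(0);
}

int start_resolver_helper(void) { /* must run before install_parent_filter() */
    int to_helper[2], from_helper[2];
    if (pipe(to_helper) < 0 || pipe(from_helper) < 0) return -1;
    if ((helper_pid = fork()) < 0) return -1;
    if (helper_pid == 0) {
        close(to_helper[1]); close(from_helper[0]);
        helper_loop(to_helper[0], from_helper[1]);
    }
    close(to_helper[0]); close(from_helper[1]);
    req_fd = to_helper[1]; rep_fd = from_helper[0];
    return 0;
}

/* Parent side: 0 and the first address as text, a getaddrinfo() error code, or -1. */
int resolve_in_helper(const char *name, char *out, size_t outlen) {
    char req[MAX_NAME + 1] = { 0 };
    struct reply rep;
    if (req_fd < 0 || strlen(name) > MAX_NAME) return -1; /* reject oversize names locally */
    memcpy(req, name, strlen(name));
    if (write(req_fd, req, sizeof req) != (ssize_t)sizeof req) return -1;
    if (read(rep_fd, &rep, sizeof rep) != (ssize_t)sizeof rep) return -1;
    if (rep.status != 0) return rep.status;
    snprintf(out, outlen, "%s", rep.addr);
    return 0;
}

int stop_resolver_helper(void) {
    if (helper_pid < 0) return -1;
    close(req_fd); close(rep_fd); /* EOF ends helper_loop() */
    req_fd = rep_fd = -1;
    int r = waitpid(helper_pid, NULL, 0) == helper_pid ? 0 : -1;
    helper_pid = -1;
    return r;
}

#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
int install_parent_filter(void) { /* allowlist sized for this demo's parent only */
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(__NR_read), ALLOW(__NR_write), ALLOW(__NR_close), ALLOW(__NR_wait4),
        ALLOW(__NR_exit_group), ALLOW(__NR_exit), ALLOW(__NR_rt_sigreturn), ALLOW(__NR_brk),
        ALLOW(__NR_fstat), ALLOW(__NR_newfstatat), ALLOW(__NR_mmap), ALLOW(__NR_munmap),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* anything else kills the process */
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) { /* stand-alone demo: the filtered parent still resolves a name */
    char addr[INET6_ADDRSTRLEN];
    if (start_resolver_helper() < 0 || install_parent_filter() < 0) return 1;
    int rc = resolve_in_helper("localhost", addr, sizeof addr);
    printf("localhost -> %s\n", rc == 0 ? addr : "lookup failed");
    return stop_resolver_helper();
}
```

Both messages are fixed-size buffers, so neither side has to parse a length field or a delimiter coming from the other process. The allowlist covers only what this demo's parent calls (pipe I/O, stdio, wait4, exit); a real daemon adds whatever its own code needs, and the point of the split is that the open-ended set of calls made by NSS modules no longer has to be guessed at and enumerated in that list.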
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org