On Mon, 2015-10-05 at 13:58 +0200, Miroslav Lichvar wrote: > In chrony 2.2-pre1 was added support for system call filtering with > the kernel seccomp facility. In chrony it's mainly useful to reduce > the damage from attackers who can execute arbitrary code, e.g. > prevent > gaining the root privileges through a kernel vulnerability. > > The rawhide chrony package is now compiled with the seccomp support, > but the filtering is not enabled by default. The trouble is it has to > cover all system calls needed in all possible configurations of > chrony > and all libraries it depends on, which is difficult and it may even > change over time as the libraries are updated.
As Florian suggested it makes more sense to compartmentalize chrony so that only a small controlled part of it needs to run with seccomp. My recommendation, if you want to use libraries in the filtered code, make their authors aware of that, so that they document any changes in the used system calls, and if possible ask them to document the existing system calls used (e.g., similarly to: http://www.gnutls.org/manual/html_node/Running-in-a-sandbox.html ) regards, Nikos -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
