On Mon, Jan 18, 2016 at 11:02:44AM +0100, Nikos Mavrogiannopoulos wrote:
> As Florian suggested it makes more sense to compartmentalize chrony so
> that only a small controlled part of it needs to run with seccomp. My
> recommendation, if you want to use libraries in the filtered code, make
> their authors aware of that, so that they document any changes in the
> used system calls, and if possible ask them to document the existing
> system calls used (e.g., similarly to:
> http://www.gnutls.org/manual/html_node/Running-in-a-sandbox.html )

chronyd doesn't use libc for much more than that. There is memory
allocation, reading/writing system clock, reading/writing/moving
files, creating/connecting/binding sockets, receiving/sending
packets, and select(). Name resolving is now out of the filter. The
only other library that's currently used after the seccomp filter is
loaded is freebl3 from NSS.

I guess some of that could be moved to the helper process. If only the
most dangerous code (whatever that is) should run with seccomp, I'm
not sure if there is a layer where a clean small cut could be made. I
suspect the interface between the two processes would be huge and it
would bloat the code significantly.

-- 
Miroslav Lichvar
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
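As an added example (not chrony's own code), the kind of seccomp-BPF allowlist that the message's inventory implies: one entry per syscall class Miroslav enumerates (memory, clock, files, sockets, packets, select()), plus a small user-space evaluator so the filter can be checked before it is installed. Assumptions: the filter targets x86-64 (AUDIT_ARCH_X86_64), and the concrete syscalls standing for each class are my choice, not chronyd's actual list.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#define STMT(c, k) ((struct sock_filter)BPF_STMT(c, k))
#define JEQ(k, jt, jf) ((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, jt, jf))

/* Assumed stand-ins for the classes the message lists: memory, clock, files, sockets, packets, waiting. */
static const int allowed[] = {
    SYS_brk, SYS_mmap, SYS_munmap, SYS_clock_gettime, SYS_clock_settime, SYS_adjtimex, SYS_openat,
    SYS_read, SYS_write, SYS_close, SYS_renameat, SYS_socket, SYS_connect, SYS_bind, SYS_recvmsg,
    SYS_sendmsg, SYS_recvfrom, SYS_sendto, SYS_pselect6, SYS_exit_group, SYS_rt_sigreturn };
#define N_ALLOWED (sizeof(allowed) / sizeof(allowed[0]))

/* Emit the allowlist into prog (capacity cap); returns the instruction count, 0 if cap is too small. */
size_t build_allowlist(struct sock_filter *prog, size_t cap)
{
    size_t n = 0; if (cap < 2 * N_ALLOWED + 5) return 0;
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = JEQ(AUDIT_ARCH_X86_64, 1, 0);            /* assumed x86-64; other arch: fall into KILL */
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_ALLOWED; i++) {             /* nr == allowed[i]: ALLOW, else try next */
        prog[n++] = JEQ((unsigned int)allowed[i], 0, 1);
        prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL); /* default: anything else is killed */
    return n;
}

/* Evaluate the filter for one (arch, nr) pair in user space, without installing it. */
unsigned int run_filter(const struct sock_filter *p, size_t n, unsigned int arch, int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        if (p[pc].code == (BPF_RET | BPF_K)) return p[pc].k;
        if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;
        else acc = p[pc].k == offsetof(struct seccomp_data, arch) ? arch : (unsigned int)nr; /* LD */
    }
    return SECCOMP_RET_KILL;
}
/* Install the filter in the calling process; 0 on success, -1 on error. */
int install_allowlist(void)
{
    struct sock_filter prog[64];
    struct sock_fprog fp = { .len = (unsigned short)build_allowlist(prog, 64), .filter = prog };
    return (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp)) ? -1 : 0;
}
```

Once install_allowlist() has run, any syscall outside the table (name resolution's socket dance, execve, and so on) kills the process, which is exactly why the message moves name resolving out of the filtered part.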