ntpd: Add patch to allow getpid syscall in seccomp filter. #24573
Conversation
Please don't merge yet, I found that it does not completely solve the problem. It works when I restart the ntpd service or from command line but it doesn't work when auto-starting on boot. There must be more system calls missing on the list.
7347951 to 04a97aa
Fixes issue NixOS#21136. The problem is that the seccomp system call filter configured by ntpd did not include some system calls that were apparently needed. For example the program hung in getpid just after the filter was installed:

prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid() = ?

I do not know exactly why this is a problem on NixOS only, perhaps we have getpid caching disabled. The fcntl and setsockopt system calls also had to be added.
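The strace excerpt above ends in `getpid() = ?`, which is how strace renders a process that was terminated inside the syscall. The following is an added example, not ntpd's code or the patch from this PR: it builds a small allow-list in the same style as ntpd's hardcoded one, installs it in a forked child and issues getpid as a raw syscall, so a filter that omits getpid shows up as a SIGSYS kill rather than a "hang". The allow-lists and the `probe_getpid`/`demo_*` names are constructed for this example; it assumes Linux with seccomp filter support and leaves out the architecture check a production filter would carry.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Install an allow-list filter in ntpd's style: any syscall not in `allowed`
 * kills the calling process with SIGSYS. A production filter also checks
 * seccomp_data.arch; that check is omitted here to keep the example short. */
static int install_allowlist(const int *allowed, size_t n)
{
    struct sock_filter prog[2 + 2 * 32];
    size_t i, k = 0;
    if (n > 32) return -1;
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) { /* nr == allowed[i] -> ALLOW, otherwise keep comparing */
        prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], 0, 1);
        prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    struct sock_fprog fprog = { .len = (unsigned short)k, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork, install `allowed` in the child, then issue getpid(2) as a raw syscall (bypassing any
 * libc pid cache). Returns the killing signal (SIGSYS if filtered), 0 on clean exit, -1 on setup failure. */
static int probe_getpid(const int *allowed, size_t n)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_allowlist(allowed, n) != 0) _exit(2);
        (void)syscall(SYS_getpid); /* the call ntpd made right after loading its filter */
        _exit(0);                  /* exit_group, so it must be on the list as well */
    }
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
/* Constructed allow-lists: the shipped shape (getpid missing) and the patched one. */
static const int list_without_getpid[] = { SYS_exit_group };
static const int list_with_getpid[]    = { SYS_exit_group, SYS_getpid };
int demo_missing_getpid(void) { return probe_getpid(list_without_getpid, 1); }
int demo_with_getpid(void)    { return probe_getpid(list_with_getpid, 2); }
```

Swapping SYS_getpid for SYS_fcntl, SYS_setsockopt or SYS_openat in the child probes the other calls this thread mentions the same way, which is a quicker check than rebooting to see whether the daemon comes up.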
I had to also add fcntl and setsockopt, it works for me. I didn't test on i686 though, only x86_64.
@@ -15,6 +15,10 @@ stdenv.mkDerivation rec { | |||
sha256 = "0whbyf82lrczbri4adbsa4hg1ppfa6c7qcj7nhjwdfp1g1vjh95p"; | |||
}; | |||
|
|||
# The hardcoded list of allowed system calls for seccomp is | |||
# insufficient for NixOS, add more to make it work (issue #21136). | |||
patches = [ ./seccomp.patch ]; |
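Review bot: the comment above `patches = [ ./seccomp.patch ];` says the allow-list is insufficient but not which calls the patch adds; naming them there (getpid, fcntl and setsockopt, per the description) would let a later reader see what the patch covers without opening it, and since the thread reports openat is still blocked when the drift file is written, a note that the list is known to be incomplete would save the next person a re-diagnosis.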
Can you also send this patch upstream?
Does any other Linux distribution enable this? It might be that seccomp in ntp is slightly unmaintained.
It also fails due to the use of the openat syscall when it tries to update the drift file.
I still think a blacklist is better. There is a whole class of *at system calls that might be used instead of their pendants by libc.
Can't you anyways nowadays have systemd doing the seccomp thing instead of each app reimplementing the same thing (and poorly, as seems to be the case).
This would be the alternative: we could set a blacklist like this within the service unit
Merging as it seems like this fixes a problem right now; I guess we can talk about how to do it better later.
Would it be OK to bring this into 17.03 despite the seemingly temporary nature of the fix?
yes.
Fixes issue #21136.
The problem is that the seccomp system call filter configured by ntpd did not
include getpid, but the program then called getpid which hung. This could be
seen with strace:
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid() = ?
I do not know exactly why this is a problem on NixOS only, perhaps we have getpid
caching disabled.
Motivation for this change
Ntpd was broken.
Things done
(nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/