ntpd: Add patch to allow getpid syscall in seccomp filter. #24573
Conversation
|
Please don't merge yet, I found that it does not completely solve the problem. It works when I restart the ntpd service or from command line but it doesn't work when auto-starting on boot. There must be more system calls missing on the list. |
ambrop72
force-pushed
the
ntpd-fix
branch
2 times, most recently
from
7347951
to
04a97aa
Compare
Fixes issue NixOS#21136. The problem is that the seccomp system call filter configured by ntpd did not include some system calls that were apparently needed. For example the program hanged in getpid just after the filter was installed: prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0 seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument) seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0 getpid() = ? I do not know exactly why this is a problem on NixOS only, perhaps we have getpid caching disabled. The fcntl and setsockopt system calls also had to be added.
|
I had to also add fcntl and setsockopt, it works for me. I didn't test on i686 though only x86_64. |
| @@ -15,6 +15,10 @@ stdenv.mkDerivation rec { | |||
| sha256 = "0whbyf82lrczbri4adbsa4hg1ppfa6c7qcj7nhjwdfp1g1vjh95p"; | |||
| }; | |||
|
|
|||
| # The hardcoded list of allowed system calls for seccomp is | |||
| # insufficient for NixOS, add more to make it work (issue #21136). | |||
| patches = [ ./seccomp.patch ]; | |||
There was a problem hiding this comment.
Can you also send this patch upstream?
There was a problem hiding this comment.
Does any other linux distribution enable this? It might be that seccomp in ntp is slightly unmaintained.
There was a problem hiding this comment.
it also fails due to the use of the openat syscall when it tries to update the drift file
There was a problem hiding this comment.
I still think a blacklist is better. There is a whole class of *at system calls that might be used instead of their pendants by libc.
|
Can't you anyways nowadays have systemd doing the seccomp thing instead of each app reimplementing the same thing (and poorly, as seems to be the case). |
|
This would be the alternative, we could set a blacklist like this within the service unit |
|
Merging as it seems like this fixes a problem right now; I guess we can talk about how to do it better later. |
|
Would it be OK to bring this into 17.03 despite the seemingly temporary nature of the fix? |
|
yes. |
Fixes issue #21136.
The problem is that the seccomp system call filter configured by ntpd did not
include getpid, but the program then called getpid which hanged. This could be
seen with strace:
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid() = ?
I do not know exactly why this is a problem on NixOS only, perhaps we have getpid
caching disabled.
Motivation for this change
Ntpd was broken.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)