ntpd: Allow additional syscalls in seccomp filter.

Fixes issue #21136. The problem is that the seccomp system call filter configured by ntpd did not include some system calls that were apparently needed. For example the program hanged in getpid just after the filter was installed: prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0 seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument) seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0 getpid() = ? I do not know exactly why this is a problem on NixOS only, perhaps we have getpid caching disabled. The fcntl and setsockopt system calls also had to be added. (cherry picked from commit 35e0eea)
NixOS · Apr 17, 2017 · 3069f72 · 3069f72
1 parent ebbabab
commit 3069f72
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix
@@ -15,6 +15,10 @@ stdenv.mkDerivation rec {
     sha256 = "17xrk7gxrl3hgg0i73n8qm53knyh01lf0f3l1zx9x6r1cip3dlnx";
   };
 
+  # The hardcoded list of allowed system calls for seccomp is
+  # insufficient for NixOS, add more to make it work (issue #21136).
+  patches = [ ./seccomp.patch ];
+
   configureFlags = [
     "--sysconfdir=/etc"
     "--localstatedir=/var"

diff --git a/pkgs/tools/networking/ntp/seccomp.patch b/pkgs/tools/networking/ntp/seccomp.patch
@@ -0,0 +1,44 @@
+diff -urN ntp-4.2.8p10.orig/ntpd/ntpd.c ntp-4.2.8p10/ntpd/ntpd.c
+--- ntp-4.2.8p10.orig/ntpd/ntpd.c	2017-04-02 20:21:17.371319663 +0200
++++ ntp-4.2.8p10/ntpd/ntpd.c	2017-04-02 21:26:02.766178723 +0200
+@@ -1157,10 +1157,12 @@
+ 	SCMP_SYS(close),
+ 	SCMP_SYS(connect),
+ 	SCMP_SYS(exit_group),
++	SCMP_SYS(fcntl),
+ 	SCMP_SYS(fstat),
+ 	SCMP_SYS(fsync),
+ 	SCMP_SYS(futex),
+ 	SCMP_SYS(getitimer),
++	SCMP_SYS(getpid),
+ 	SCMP_SYS(getsockname),
+ 	SCMP_SYS(ioctl),
+ 	SCMP_SYS(lseek),
+@@ -1179,6 +1181,7 @@
+ 	SCMP_SYS(sendto),
+ 	SCMP_SYS(setitimer),
+ 	SCMP_SYS(setsid),
++        SCMP_SYS(setsockopt),
+ 	SCMP_SYS(socket),
+ 	SCMP_SYS(stat),
+ 	SCMP_SYS(time),
+@@ -1195,9 +1198,11 @@
+ 	SCMP_SYS(clock_settime),
+ 	SCMP_SYS(close),
+ 	SCMP_SYS(exit_group),
++	SCMP_SYS(fcntl),
+ 	SCMP_SYS(fsync),
+ 	SCMP_SYS(futex),
+ 	SCMP_SYS(getitimer),
++	SCMP_SYS(getpid),
+ 	SCMP_SYS(madvise),
+ 	SCMP_SYS(mmap),
+ 	SCMP_SYS(mmap2),
+@@ -1211,6 +1216,7 @@
+ 	SCMP_SYS(select),
+ 	SCMP_SYS(setitimer),
+ 	SCMP_SYS(setsid),
++        SCMP_SYS(setsockopt),
+ 	SCMP_SYS(sigprocmask),
+ 	SCMP_SYS(sigreturn),
+ 	SCMP_SYS(socketcall),