sys_linux: add support for seccomp filters

The Linux secure computing (seccomp) facility allows a process to install a filter in the kernel that will allow only specific system calls to be made. The process is killed when trying to make other system calls. This is useful to reduce the kernel attack surface and possibly prevent kernel exploits when the process is compromised. Use the libseccomp library to add rules and load the filter into the kernel. Keep a list of system calls that are always allowed after chronyd is initialized. Restrict arguments that may be passed to the socket(), setsockopt(), fcntl(), and ioctl() system calls. Arguments to socketcall(), which is used on some architectures as a multiplexer instead of separate socket system calls, are not restricted for now. The mailonchange directive is not allowed as it calls sendmail. Calls made by the libraries that chronyd is using have to be covered too. It's difficult to determine which system calls they need as it may change after an upgrade and it may depend on their configuration (e.g. resolver in libc). There are also differences between architectures. It can all break very easily and is therefore disabled by default. It can be enabled with the new -F option. This is based on a patch from Andrew Griffiths <agriffit@redhat.com>.
2025-12-03 18:05:06 -05:00 · 2014-06-16 16:21:25 +02:00
parent ea2858b323
commit 434faeecb8
8 changed files with 203 additions and 2 deletions
--- a/17
+++ b/17
@@ -115,6 +115,7 @@ For better control, use the options below.
  --disable-rtc          Don't include RTC even on Linux
  --disable-privdrop     Disable support for dropping root privileges
  --without-libcap       Don't use libcap even if it is available
+  --without-seccomp      Don't use seccomp even if it is available
  --disable-asyncdns     Disable asynchronous name resolving
  --disable-forcednsretry Don't retry on permanent DNS error
  --with-ntp-era=SECONDS Specify earliest assumed NTP time in seconds
@@ -217,6 +218,8 @@ try_rtc=0
 feat_droproot=1
 try_libcap=-1
 try_clockctl=0
+feat_scfilter=1
+try_seccomp=-1
 readline_lib=""
 readline_inc=""
 ncurses_lib=""
@@ -322,6 +325,9 @@ do
    --disable-asyncdns)
      feat_asyncdns=0
    ;;
+    --without-seccomp)
+      try_seccomp=0
+    ;;
    --disable-forcednsretry)
      feat_forcednsretry=0
    ;;
@@ -387,6 +393,7 @@ case $SYSTEM in
        EXTRA_OBJECTS="sys_generic.o sys_linux.o wrap_adjtimex.o"
        [ $try_libcap != "0" ] && try_libcap=1
        try_rtc=1
+        [ $try_seccomp != "0" ] && try_seccomp=1
        try_setsched=1
        try_lockmem=1
        try_phc=1
@@ -602,6 +609,14 @@ then
  add_def FEAT_PRIVDROP
 fi

+if [ $feat_scfilter = "1" ] && [ $try_seccomp = "1" ] && \
+  test_code seccomp 'seccomp.h' '' '-lseccomp' \
+    'seccomp_init(SCMP_ACT_KILL);'
+then
+  add_def FEAT_SCFILTER
+  EXTRA_LIBS="$EXTRA_LIBS -lseccomp"
+fi
+
 if [ $feat_rtc = "1" ] && [ $try_rtc = "1" ] && \
  test_code '<linux/rtc.h>' 'sys/ioctl.h linux/rtc.h' '' '' \
    'ioctl(1, RTC_UIE_ON&RTC_UIE_OFF&RTC_RD_TIME&RTC_SET_TIME, 0&RTC_UF);'
@@ -792,7 +807,7 @@ add_def MAIL_PROGRAM "\"$mail_program\""

 common_features="`get_features ASYNCDNS IPV6 SECHASH DEBUG`"
 chronyc_features="`get_features READLINE`"
-chronyd_features="`get_features CMDMON NTP REFCLOCK RTC PRIVDROP`"
+chronyd_features="`get_features CMDMON NTP REFCLOCK RTC PRIVDROP SCFILTER`"
 add_def CHRONYC_FEATURES "\"$chronyc_features $common_features\""
 add_def CHRONYD_FEATURES "\"$chronyd_features $common_features\""
 echo "Features : $chronyd_features $chronyc_features $common_features"