sys: add OpenBSD support

Add OpenBSD support, including pledge(2) support by implementing SYS_EnableSystemCallFilter(). This commit depends on the addition of AdjustFreq() privops and the addtion of invoking SYS_EnableSystemCallFilter() from PRV_StartHelper(). Only system call filter levels on/off' are supported. Setting level to 0 disables the filter and setting it to 1 enables it. Update the documentation to reflect that OpenBSD supports: - the SCHED_FIFO real-time scheduler (option -P) - locking chronyd into memory (option -m) - reload sample history of servers and ref clocks (option -r) - forking into two process when run as non-root user (option -u) - maxdrift/maxslewrate of 100000.
2026-03-10 16:49:38 -04:00 · 2026-02-04 22:09:09 +01:00
parent 9a57ef8dbf
commit 4ddc6b334d
9 changed files with 425 additions and 44 deletions
--- a/doc/chrony.conf.adoc
+++ b/doc/chrony.conf.adoc
@@ -1449,8 +1449,8 @@ for a high quality clock using a temperature compensated crystal oscillator.
 This directive specifies the maximum assumed drift (frequency error) of the
 system clock. It limits the frequency adjustment that *chronyd* is allowed to
 use to correct the measured drift. It is an additional limit to the maximum
-adjustment that can be set by the system driver (100000 ppm on Linux, 500 ppm
-on FreeBSD, NetBSD, and macOS 10.13+, 32500 ppm on illumos).
+adjustment that can be set by the system driver (100000 ppm on Linux and
+OpenBSD, 500 ppm on FreeBSD, NetBSD, and macOS 10.13+, 32500 ppm on illumos).
 +
 By default, the maximum assumed drift is 500000 ppm, i.e. the adjustment is
 limited by the system driver rather than this directive.
@@ -1487,10 +1487,10 @@ is effective only on systems where *chronyd* is able to control the rate (i.e.
 all supported systems with the exception of macOS 12 or earlier).
 +
 For each system there is a maximum frequency offset of the clock that can be set
-by the driver. On Linux it is 100000 ppm, on FreeBSD, NetBSD and macOS 10.13+ it
-is 5000 ppm, and on illumos it is 32500 ppm. Also, due to a kernel limitation,
-setting *maxslewrate* on FreeBSD, NetBSD, macOS 10.13+ to a value between 500
-ppm and 5000 ppm will effectively set it to 500 ppm.
+by the driver. On Linux and OpenBSD it is 100000 ppm, on FreeBSD, NetBSD and
+macOS 10.13+ it is 5000 ppm, on illumos it is 32500 ppm. Also, due to a kernel
+limitation, setting *maxslewrate* on FreeBSD, NetBSD, macOS 10.13+ to a value
+between 500 ppm and 5000 ppm will effectively set it to 500 ppm.
 +
 By default, the maximum slew rate is set to 83333.333 ppm (one twelfth).

@@ -2988,7 +2988,7 @@ file when the <<chronyc.adoc#rekey,*rekey*>> command is issued by *chronyc*).
 [[lock_all]]*lock_all*::
 The *lock_all* directive will lock the *chronyd* process into RAM so that it
 will never be paged out. This can result in lower and more consistent latency.
-The directive is supported on Linux, FreeBSD, NetBSD, and illumos.
+The directive is supported on Linux, FreeBSD, NetBSD, OpenBSD, and illumos.

 [[pidfile]]*pidfile* _file_::
 Unless *chronyd* is started with the *-Q* option, it writes its process ID
@@ -3039,11 +3039,11 @@ accepted NTP-over-PTP messages. Messages from other domains are ignored.
 The default is 123, the minimum is 0, and the maximum is 255.

 [[sched_priority]]*sched_priority* _priority_::
-On Linux, FreeBSD, NetBSD, and illumos, the *sched_priority* directive will
-select the SCHED_FIFO real-time scheduler at the specified priority (which must
-be between 0 and 100). On macOS, this option must have either a value of 0 (the
-default) to disable the thread time constraint policy or 1 for the policy to be
-enabled.
+On Linux, FreeBSD, NetBSD, OpenBSD, and illumos, the *sched_priority* directive
+will select the SCHED_FIFO real-time scheduler at the specified priority (which
+must be between 0 and 100). On macOS, this option must have either a value of 0
+(the default) to disable the thread time constraint policy or 1 for the policy
+to be enabled.
 +
 On systems other than macOS, this directive uses the *pthread_setschedparam()*
 system call to instruct the kernel to use the SCHED_FIFO first-in, first-out
@@ -3065,9 +3065,9 @@ The *user* directive sets the name of the system user to which *chronyd* will
 switch after start in order to drop root privileges.
 +
 On Linux, *chronyd* needs to be compiled with support for the *libcap* library.
-On macOS, FreeBSD, NetBSD and illumos *chronyd* forks into two processes.
-The child process retains root privileges, but can only perform a very limited
-range of privileged system calls on behalf of the parent.
+On macOS, FreeBSD, NetBSD, OpenBSD, and illumos *chronyd* forks into two
+processes. The child process retains root privileges, but can only perform a
+very limited range of privileged system calls on behalf of the parent.
 +
 The compiled-in default value is _@DEFAULT_USER@_.

--- a/doc/chronyd.adoc
+++ b/doc/chronyd.adoc
@@ -102,7 +102,7 @@ directive in the configuration file. This option is useful if you want to stop
 and restart *chronyd* briefly for any reason, e.g. to install a new version.
 However, it should be used only on systems where the kernel can maintain clock
 compensation whilst not under *chronyd*'s control (i.e. Linux, FreeBSD, NetBSD,
-illumos, and macOS 10.13 or later).
+OpenBSD, illumos, and macOS 10.13 or later).

 *-R*::
 When this option is used, the <<chrony.conf.adoc#initstepslew,*initstepslew*>>
@@ -143,9 +143,9 @@ after start in order to drop root privileges. It overrides the
 _@DEFAULT_USER@_.
 +
 On Linux, *chronyd* needs to be compiled with support for the *libcap* library.
-On macOS, FreeBSD, NetBSD, and illumos *chronyd* forks into two processes.
-The child process retains root privileges, but can only perform a very limited
-range of privileged system calls on behalf of the parent.
+On macOS, FreeBSD, NetBSD, OpenBSD, and illumos *chronyd* forks into two
+processes. The child process retains root privileges, but can only perform a
+very limited range of privileged system calls on behalf of the parent.

 *-U*::
 This option disables a check for root privileges to allow *chronyd* to be
@@ -159,21 +159,22 @@ specific directives.

 *-F* _level_::
 This option configures system call filters loaded by *chronyd* processes if it
-was compiled with support for the Linux secure computing (seccomp) facility.
-Three levels are defined: 0, 1, 2. The filters are disabled at level 0. At
-levels 1 and 2, *chronyd* will be killed if it makes a system call which is
-blocked by the filters. The level can be specified as a negative number to
-trigger the SIGSYS signal instead of SIGKILL, which can be useful for
-debugging. The default value is 0.
+was compiled with support for the Linux secure computing (seccomp) facility or
+OpenBSD pledge. For Linux three levels are defined: 0, 1, 2, for OpenBSD two
+levels: 0, 1. The filters are disabled at level 0. On Linux at levels 1 and 2
+and on OpenBSD at level 1, *chronyd* will be killed if it makes a system call
+which is blocked by the filters. On Linux the level can be specified as a
+negative number to trigger the SIGSYS signal instead of SIGKILL, which can be
+useful for debugging. The default value is 0.
 +
-At level 1, the filters allow only selected system calls that are normally
-expected to be made by *chronyd*. Other system calls are blocked. This level is
-recommended only if it is known to work on the version of the system where
-*chrony* is installed. The filters need to allow also system calls made by
-libraries that *chronyd* is using (e.g. libc), but different versions or
-implementations of the libraries might make different system calls. If the
-filters are missing a system call, *chronyd* could be killed even in normal
-operation.
+On Linux at level 1, the filters allow only selected system calls that are
+normally expected to be made by *chronyd*. Other system calls are blocked.
+This level is recommended only if it is known to work on the version of the
+system where *chrony* is installed. The filters need to allow also system
+calls made by libraries that *chronyd* is using (e.g. libc), but different
+versions or implementations of the libraries might make different system calls.
+If the filters are missing a system call, *chronyd* could be killed even in
+normal operation.
 +
 At level 2, the filters block only a small number of specific system calls
 (e.g. fork and exec). This approach should avoid false positives, but the
@@ -183,15 +184,15 @@ limited.
 The filters cannot be enabled with the *mailonchange* directive.

 *-P* _priority_::
-On Linux, FreeBSD, NetBSD, and illumos this option will select the SCHED_FIFO
-real-time scheduler at the specified priority (which must be between 0 and
-100). On macOS, this option must have either a value of 0 to disable the thread
-time constraint policy or 1 for the policy to be enabled. Other systems do not
-support this option. The default value is 0.
+On Linux, FreeBSD, NetBSD, OpenBSD, and illumos this option will select the
+SCHED_FIFO real-time scheduler at the specified priority (which must be
+between 0 and 100). On macOS, this option must have either a value of 0 to
+disable the thread time constraint policy or 1 for the policy to be enabled.
+Other systems do not support this option. The default value is 0.

 *-m*::
 This option will lock *chronyd* into RAM so that it will never be paged out.
-This mode is only supported on Linux, FreeBSD, NetBSD, and illumos.
+This mode is only supported on Linux, FreeBSD, NetBSD, OpenBSD, and illumos.

 *-x*::
 This option disables the control of the system clock. *chronyd* will not try to