DWS/chrony
1
0
Fork 0
mirror of https://gitlab.com/chrony/chrony.git synced 2025-12-07 18:15:06 -05:00
Code Issues Packages Projects Releases Wiki Activity

sys_linux: use privops helper when running with seccomp filter

Browse Source 
Enable the PRV_Name2IPAddress() function with seccomp support and start
the helper process before loading the seccomp filter (but after dropping
root privileges). This will move the getaddrinfo() call outside the
seccomp filter and should make it more reliable as the list of required
system calls won't depend on what glibc NSS modules are used on the
system.
This commit is contained in:
Miroslav Lichvar
2016-01-12 17:52:34 +01:00
parent 9b9d6ab150
commit 54c8732c46
5 changed files with 33 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
chrony.texi.in
View File

@@ -988,6 +988,13 @@ This option configures a system call filter when @code{chronyd} is compiled with
support for the Linux secure computing (seccomp) facility. In level 1 the
process is killed when a forbidden system call is made, in level -1 the SYSSIG
signal is thrown instead and in level 0 the filter is disabled (default 0).
It's recommended to enable the filter only when it's known to work on the
version of the system where @code{chrony} is installed as the filter needs to
allow also system calls made from libraries that @code{chronyd} is using (e.g.
libc) and different versions or implementations of the libraries may make
different system calls. If the filter is missing some system call,
@code{chronyd} could be killed even in normal operation.
@item -q
When run in this mode, @code{chronyd} will set the system clock once
and exit. It will not detach from the terminal.