From fd60dabde7c8375392335daa664f2a71a1ae2b3a Mon Sep 17 00:00:00 2001
From: Thomas Kupper
Date: Wed, 11 Feb 2026 07:53:41 +0100
Subject: [PATCH] privops: enable system call filter

In preparation of OpenBSD support, add SYS_EnableSystemCallFilter() call to PRV_StartHelper(). In OpenBSD the privops helper will use a system call filter (pledge(2)), whereas in Linux the privops helper doesn't use any system call filter at the moment.

Modify Unit test ntp_sources call to PRV_Initialise() with parameter scfilter_level set to 0.
---
 main.c | 2 +-
 privops.c | 8 +++++++-
 privops.h | 4 ++--
 sys.h | 1 +
 sys_linux.c | 3 +++
 test/unit/ntp_sources.c | 2 +-
 6 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/main.c b/main.c
index 77d62e3..9c90b58 100644
--- a/main.c
+++ b/main.c
@@ -650,7 +650,7 @@ int main
 /* Write our pidfile to prevent other instances from running */
 write_pidfile();
 
- PRV_Initialise();
+ PRV_Initialise(scfilter_level);
 LCL_Initialise();
 SCH_Initialise();
 SCK_Initialise(address_family);
diff --git a/privops.c b/privops.c
index 57dc5a3..16114ce 100644
--- a/privops.c
+++ b/privops.c
@@ -34,6 +34,7 @@
 #include "logging.h"
 #include "privops.h"
 #include "socket.h"
+#include "sys.h"
 #include "util.h"
 
 #define OP_ADJUSTTIME 1024
@@ -131,6 +132,7 @@ typedef struct {
 
 static int helper_fd;
 static pid_t helper_pid;
+static int scfilter_level;
 
 static int
 have_helper(void)
@@ -624,9 +626,10 @@ PRV_ReloadDNS(void)
 /* ======================================================================= */
 
 void
-PRV_Initialise(void)
+PRV_Initialise(int level)
 {
 helper_fd = -1;
+ scfilter_level = level;
 }
 
 /* ======================================================================= */
@@ -667,6 +670,9 @@ PRV_StartHelper(void)
 /* ignore signals, the process will exit on OP_QUIT request */
 UTI_SetQuitSignalsHandler(SIG_IGN, 1);
 
+ if (scfilter_level != 0)
+ SYS_EnableSystemCallFilter(scfilter_level, SYS_PRIVOPS_HELPER);
+
 helper_main(sock_fd2);
 
 } else {
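Review bot: The new file-scope `static int scfilter_level;` in privops.c has no comment saying what it holds or who sets it, while the neighbouring `helper_fd`/`helper_pid` are at least self-explanatory. Suggest `/* System call filter level requested for the helper child (0 = no filter); set by PRV_Initialise() */` above the declaration. Since it is assigned only in PRV_Initialise(), a PRV_StartHelper() reached before that call would see the zero-initialised static and silently skip the filter; the call order lives in main.c outside this hunk, so this is worth a glance rather than a certain defect.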
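Review bot: The definition `PRV_Initialise(int level)` names its parameter differently from the declaration `PRV_Initialise(int scfilter_level)` added to privops.h in the same patch, presumably to avoid shadowing the new static of that name. Either renaming the static (for example `filter_level`) or documenting the parameter at the definition would keep header and implementation in step; the function is otherwise a two-assignment setter with nothing else to raise.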
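Review bot: The added `SYS_EnableSystemCallFilter(scfilter_level, SYS_PRIVOPS_HELPER)` is placed sensibly, after the child's signal setup and before `helper_main(sock_fd2)` starts serving requests, but nothing at the call site explains why the helper gets its own filter context or that the platform backend may decline to install one (the sys_linux.c hunk in this patch returns early for SYS_PRIVOPS_HELPER). A comment such as `/* Confine the helper before it serves requests; the backend decides whether a filter exists for this context (none on Linux) */` would save the next reader a trip through sys.c. Whether a failed filter setup terminates the child or leaves it running unconfined is decided inside SYS_EnableSystemCallFilter(), outside this patch, so it is worth confirming that the parent detects a helper that dies at this point. PRV_StartHelper() begins and ends outside the hunk.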
diff --git a/privops.h b/privops.h
index 4a6a3a4..53513c7 100644
--- a/privops.h
+++ b/privops.h
@@ -65,11 +65,11 @@ void PRV_ReloadDNS(void);
 #endif
 
 #ifdef PRIVOPS_HELPER
-void PRV_Initialise(void);
+void PRV_Initialise(int scfilter_level);
 void PRV_StartHelper(void);
 void PRV_Finalise(void);
 #else
-#define PRV_Initialise()
+#define PRV_Initialise(scfilter_level)
 #define PRV_StartHelper()
 #define PRV_Finalise()
 #endif
diff --git a/sys.h b/sys.h
index 9272daf..d2b26b9 100644
--- a/sys.h
+++ b/sys.h
@@ -38,6 +38,7 @@ extern void SYS_Finalise(void);
 typedef enum {
 SYS_MAIN_PROCESS,
 SYS_NTSKE_HELPER,
+ SYS_PRIVOPS_HELPER,
 } SYS_ProcessContext;
 
 /* Switch to the specified user and group in given context */
diff --git a/sys_linux.c b/sys_linux.c
index 19ba004..210428b 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -658,6 +658,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
 modules are installed and enabled on the system). */
 if (default_action != SCMP_ACT_ALLOW)
 PRV_StartHelper();
+ } else if (context == SYS_PRIVOPS_HELPER) {
+ /* The privops helper on Linux doesn't have any filter loaded */
+ return;
 }
 
 ctx = seccomp_init(default_action);
diff --git a/test/unit/ntp_sources.c b/test/unit/ntp_sources.c
index be5d2ea..5038675 100644
--- a/test/unit/ntp_sources.c
+++ b/test/unit/ntp_sources.c
@@ -137,7 +137,7 @@ test_unit(void)
 CNF_Initialise(0, 0);
 CNF_ParseLine(NULL, 1, conf);
 
- PRV_Initialise();
+ PRV_Initialise(0);
 LCL_Initialise();
 TST_RegisterDummyDrivers();
 SCH_Initialise();
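Review bot: The new `else if (context == SYS_PRIVOPS_HELPER)` branch in SYS_Linux_EnableSystemCallFilter() returns silently, so with a non-zero filter level an operator reading debug output gets no indication that the privops helper is running without a seccomp filter on Linux. Logging before the return, for example `DEBUG_LOG("No system call filter for privops helper");`, would make the unconfined state visible without changing behaviour. The early return sits before `seccomp_init()`, so nothing is leaked by leaving at that point; the `if` chain this branch attaches to starts outside the hunk, so the enclosing conditions were not reviewed here.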