DWS/chrony
1
0
Fork 0
mirror of https://gitlab.com/chrony/chrony.git synced 2026-03-11 09:09:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

privops: enable system call filter

Browse Source 
In preparation of OpenBSD support, add SYS_EnableSystemCallFilter() call
to PRV_StartHelper().

In OpenBSD the privops helper will use a system call filter (pledge(2)),
whereas in Linux the privops helper doesn't use any system call filter
at the moment.

Modify Unit test ntp_sources call to PRV_Initialise() with parameter
scfilter_level set to 0.
This commit is contained in:
Thomas Kupper
2026-02-11 07:53:41 +01:00
committed by Miroslav Lichvar
parent cda67351ae
commit fd60dabde7
6 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
sys_linux.c
View File

@@ -658,6 +658,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
modules are installed and enabled on the system). */
if (default_action != SCMP_ACT_ALLOW)
PRV_StartHelper();
} else if (context == SYS_PRIVOPS_HELPER) {
/* The privops helper on Linux doesn't have any filter loaded */
return;
}
ctx = seccomp_init(default_action);