Re: [chrony-dev] Seccomp issue on Alpine linux

Wed, 31 May 2023 07:22:41 -0700 

> Try running the failing test as "TEST_SCFILTER=1 ./001-minimal" and see the
> failing syscall number in the system or audit log.

Unfortunately, Alpine uses busybox' ps:

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
    minimal_config=1
  starting chronydps: unrecognized option: p
BusyBox v1.36.1 (2023-05-25 05:48:21 UTC) multi-call binary.

Usage: ps [-o COL1,COL2=HEADER] [-T]

Show list of processes

        -o COL1,COL2=HEADER     Select columns for display
        -T                      Show threads
                                        ERROR
FAIL
  stopping chronyd                                              ERROR
alpine:/home/jvoisin/chrony/test/system#
```

This can be fixed with `apk add procps`.

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
    minimal_config=1
  starting chronyd                                              ERROR
FAIL
  stopping chronyd                                              ERROR

alpine:/home/jvoisin/chrony/test/system# dmesg | tail -n 2
[  120.059165] audit: type=1326 audit(1685542342.126:5): auid=4294967295
uid=0 gid=0 ses=4294967295 pid=2388 comm="chronyd"
exe="/home/jvoisin/chrony/chronyd" sig=31 arch=c000003e syscall=20
compat=0 ip=0x7fe0b3e4d306 code=0x0
alpine:/home/jvoisin/chrony/test/system# vim sys_linux.c
alpine:/home/jvoisin/chrony/test/system# git diff
diff --git a/sys_linux.c b/sys_linux.c
index c6cb453..04e3a86 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -603,6 +603,7 @@ SYS_Linux_EnableSystemCallFilter(int level,
SYS_ProcessContext context)
     SCMP_SYS(select),
     SCMP_SYS(set_robust_list),
     SCMP_SYS(write),
+    SCMP_SYS(writev),

     /* Miscellaneous */
     SCMP_SYS(getrandom),
alpine:/home/jvoisin/chrony/test/system# make
alpine:/home/jvoisin/chrony/test/system# cd test/system
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
    minimal_config=1
  starting chronyd                                              OK
  stopping chronyd                                              OK
  checking chronyd messages                                     BAD
FAIL
alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
Testing system call filter in non-destructive tests:
  level -1:
    001-minimal                                                 BAD
FAIL
alpine:/home/jvoisin/chrony/test/system#
alpine:/home/jvoisin/chrony/test/system# ./199-scfilter
Testing system call filter in destructive tests:
  level -1:
    100-clockupdate                                             BAD
FAIL
alpine:/home/jvoisin/chrony/test/system#
```

so there are some failings, but nothing more in the dmesg about seccomp
violation.





-- 
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.

Reply via email to