Bug#995207: chrony: Using 'bindacqdevice' directive causes a SIGSYS error

2021-10-03 Thread S Egbert


> 
> After having stopped chronyd, please run the command below when using the
> 'bindacqdevice' directive and attach the chronyd_debug.txt file.
> 
> # strace -o chronyd_debug.txt chronyd -d -F -1

OK, I did some more testing on my so-called fix:  SO_BINDTOADDRESS define 
statement made no impact toward resolving this problem.


Once I put in the '#define SO_BINDTOADDRESS 1' statement into the 'config.h' 
that was generated by 'configure' setup tool, all the -F settings are now 
working.

'chrony -d -Fx -L-1'      F0   F1   F2   F-1
* apt install chrony-4.0  OK   -    -    -
* apt source chrony-4.0   OK   -    -    OK
* git main branch HEAD    OK   -    OK   -
* development + MY FIX    OK   -    OK   -

My fix made no difference in gitdev HEAD: Please disregard my claim that the 
SO_BINDTOADDRESS C macro was not being defined. 

Back to the issue at hand, I like the -F2 setting.

At this point so far, I'm open to further suggestions.

1.  Go ahead and put 4.1 into debian-unstable with -F2 default
2.  Give me more things to try.
3.  ???


Bug#995207: chrony: Using 'bindacqdevice' directive causes a SIGSYS error

2021-10-03 Thread S Egbert
Got a bit further when I myself included `#define SO_BINDTODEVICE 1` to the 
`config.h` that `configure` created.

Then I noticed that `configure` underwent a Red Hat overhaul. 

Missing the maintainer’s `configure.ac` so we can’t readily fix this.  Punt 
this bug upstairs.

> On Sep 29, 2021, at 9:10 AM, Vincent Blut wrote:
> 
> On 2021-09-28 12:54, S Egbert wrote:
>> Trying attachment again.
> 
> Thanks. To see what happens when blocking only a small number of specific
> syscalls, could you please run the following command and attach the
> chronyd-debug.txt file?
> 
> # timeout 10 strace -o chronyd-debug.txt -e trace=setsockopt chronyd -d -F 2
> 
> Cheers,
> Vincent



Bug#995207: chrony: Using 'bindacqdevice' directive causes a SIGSYS error

2021-10-03 Thread S Egbert
Summary:
The syscall filter daemon option flag -F is the cure.

Using '-F 0' to disable the syscall filter works.  No other settings are 
workable.

A summary table:

Chrony    -- daemon flags used --
Version   -F0   -F1      -F-1
-------   ---   ------   ------
4.0-9     ok    SIGSYS   SIGSYS
#83f96e   ok    SIGSYS   SIGSYS

Using the latest '/etc/systemd/system/chronyd.service' from 'examples' 
subdirectory in the Git repo does not improve the picture nor alter the summary 
table given above.

chrony: 4.0-8, Debian
chrony: git repo "development" main HEAD branch (#83f96efd), Sept 29, 2021
libseccomp2 2.5.1-1
libc6 2.31-13
Kernel: 5.10.46 - untainted
Virtualization: non-virtualized, machine-level
CPU: Intel i5-3470



Bug#995207: chrony: Using 'bindacqdevice' directive causes a SIGSYS error

2021-10-03 Thread S Egbert



>> Trying attachment again.
> 
> Thanks. To see what happens when blocking only a small number of specific
> syscalls, could you please run the following command and attach the
> chronyd-debug.txt file?
> 
> # timeout 10 strace -o chronyd-debug.txt -e trace=setsockopt chronyd -d -F 2

setsockopt(3, SOL_IP, IP_PKTINFO, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_REUSEPORT, [1], 4) = 0
setsockopt(3, SOL_IP, IP_FREEBIND, [1], 4) = 0
setsockopt(4, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
setsockopt(4, SOL_IPV6, IPV6_RECVPKTINFO, [1], 4) = 0
setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(4, SOL_SOCKET, SO_REUSEPORT, [1], 4) = 0
setsockopt(4, SOL_IP, IP_FREEBIND, [1], 4) = 0
setsockopt(7, SOL_IP, IP_PKTINFO, [1], 4) = 0
setsockopt(7, SOL_SOCKET, SO_BINDTODEVICE, "enp5s0\0", 7) = ?
+++ killed by SIGSYS +++
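
A triage sketch for logs like the one above, added here as an example and not part of the thread or of chrony: it finds the syscall that had not returned when strace printed '+++ killed by SIGSYS +++' and, for setsockopt, lists which (level, option) pairs got through the filter. The function names and the sample log (a shortened copy of the posted trace) are this example's own.

```python
import re

# Constructed sample: a shortened copy of the strace log posted in this thread.
SAMPLE_LOG = r'''setsockopt(3, SOL_IP, IP_PKTINFO, [1], 4) = 0
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
setsockopt(4, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
setsockopt(7, SOL_IP, IP_PKTINFO, [1], 4) = 0
setsockopt(7, SOL_SOCKET, SO_BINDTODEVICE, "enp5s0\0", 7) = ?
+++ killed by SIGSYS +++
'''

# "name(args) = result", with the optional PID prefix that 'strace -f' adds.
CALL = re.compile(r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?(\w+)\((.*)\)\s+=\s+(\S+)')
KILLED = re.compile(r'^(?:\d+\s+)?\+\+\+ killed by (SIG\w+)')


def sockopt(name, args):
    """Return (level, optname) for a setsockopt call, else None."""
    parts = args.split(', ', 3)
    if name == 'setsockopt' and len(parts) >= 3:
        return (parts[1], parts[2])
    return None


def find_seccomp_kill(log):
    """Locate the syscall that was in flight when the tracee got SIGSYS."""
    pending = None          # last call strace printed with result '?'
    passed = set()          # socket options that returned normally
    for line in log.splitlines():
        killed = KILLED.match(line)
        if killed:
            if killed.group(1) != 'SIGSYS' or pending is None:
                return None
            name, args = pending
            return {'syscall': name, 'args': args,
                    'denied_option': sockopt(name, args),
                    'passed_options': sorted(passed)}
        call = CALL.match(line)
        if not call:
            continue
        name, args, result = call.groups()
        if result == '?':
            pending = (name, args)
        elif sockopt(name, args):
            passed.add(sockopt(name, args))
    return None


if __name__ == '__main__':
    print(find_seccomp_kill(SAMPLE_LOG))
```

A denied pair that differs from every passed pair, as in this trace, indicates the filter is matching on setsockopt arguments rather than blocking the syscall outright.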


Bug#995207: chrony: Using 'bindacqdevice' directive causes a SIGSYS error

2021-09-29 Thread Vincent Blut
On 2021-09-28 12:54, S Egbert wrote:
> Trying attachment again.

Thanks. To see what happens when blocking only a small number of specific
syscalls, could you please run the following command and attach the
chronyd-debug.txt file?

# timeout 10 strace -o chronyd-debug.txt -e trace=setsockopt chronyd -d -F 2

Cheers,
Vincent




Bug#995207: chrony: Using 'bindacqdevice' directive causes a SIGSYS error

2021-09-27 Thread Vincent Blut
Control: tags -1 - upstream + moreinfo
Control: severity -1 important

Hi,

On 2021-09-27 17:31, Steve Egbert wrote:
> Package: chrony
> Version: 4.0-8
> Severity: critical
> Tags: upstream
> X-Debbugs-Cc: s.egb...@sbcglobal.net
> 
> Dear Maintainer,
> 
> 
> Wanted to use the 'bindacqdevice' due to my host having a dynamic IP 
> interface.
> 
> Using that 'bindacqdevice' directive keyword anywhere in my
> /etc/chrony/chrony.conf file results in a signal 31 (according to Linux 
> auditd).
> 
> My guess is that attempts to do a Chrony as an NTP server (disbursing out
> NTP beacons), we need to have a socket open on this dynamic IP interface.
> 
> This is the setting of the systemd resource.
> 
> Removing the 'bindacqdevice' directive, and all works perfectly.
> 
> Was half-expecting to be able to use 'bindacqdevice' configuration directive
> here.

After having stopped chronyd, please run the command below when using the
'bindacqdevice' directive and attach the chronyd_debug.txt file.

# strace -o chronyd_debug.txt chronyd -d -F -1

Cheers,
Vincent




Bug#995207: chrony: Using 'bindacqdevice' directive causes a SIGSYS error

2021-09-27 Thread Steve Egbert
Package: chrony
Version: 4.0-8
Severity: critical
Tags: upstream
X-Debbugs-Cc: s.egb...@sbcglobal.net

Dear Maintainer,


Wanted to use the 'bindacqdevice' due to my host having a dynamic IP interface.

Using that 'bindacqdevice' directive keyword anywhere in my
/etc/chrony/chrony.conf file results in a signal 31 (according to Linux auditd).

My guess is that attempts to do a Chrony as an NTP server (disbursing out
NTP beacons), we need to have a socket open on this dynamic IP interface.

This is the setting of the systemd resource.

Removing the 'bindacqdevice' directive, and all works perfectly.

Was half-expecting to be able to use 'bindacqdevice' configuration directive
here.



-- System Information:
Debian Release: 11.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.46 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chrony depends on:
ii  adduser              3.118
ii  init-system-helpers  1.60
ii  iproute2             5.10.0-4
ii  libc6                2.31-13
ii  libcap2              1:2.44-1
ii  libedit2             3.1-20191231-2+b1
ii  libgnutls30          3.7.1-5
ii  libnettle8           3.7.3-1
ii  libseccomp2          2.5.1-1
ii  tzdata               2021a-1
ii  ucf                  3.0043

chrony recommends no packages.

Versions of packages chrony suggests:
ii  bind9-dnsutils [dnsutils]  1:9.16.15-1
pn  networkd-dispatcher

-- Configuration Files:
/etc/default/chrony changed:
DAEMON_OPTS="-F 1 -L 0"


-- no debconf information