Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-05 Thread jvoisin
On 01/06/2023 14:54, Miroslav Lichvar wrote:
> On Thu, Jun 01, 2023 at 02:20:13PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# grep -i ioctl tmp/chronyd.out
>> [pid 11833] ioctl(3, TIOCGWINSZ, 0x7fffa01bec58) = -1 ENOTTY (Not a tty)
>> [pid 11833] ioctl(5, TIOCGWINSZ, 0x7fffa01bec68) = -1 ENOTTY (Not a tty)
>> [pid 11833] ioctl(9, TIOCGWINSZ, 0x7fffa01be8e8) = -1 ENOTTY (Not a tty)
>> [pid 11833] ioctl(11, TIOCGWINSZ, 0x7fffa01be9c8) = -1 ENOTTY (Not a tty)
>> [pid 11833] ioctl(4, TIOCGWINSZ, 0x7fffa01be318) = -1 ENOTTY (Not a tty)
>> alpine:/home/jvoisin/chrony/test/system#
> 
> Great, thanks!
> 
> This should be now fixed in git.
> 
Glorious!

Hopefully we can enable the seccomp thingy for chrony's next release
in Alpine and close
https://gitlab.alpinelinux.org/alpine/aports/-/issues/14891

Thank you for your hand-holding and your patience <3

-- 
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.



Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-01 Thread Miroslav Lichvar
On Thu, Jun 01, 2023 at 02:20:13PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system# grep -i ioctl tmp/chronyd.out
> [pid 11833] ioctl(3, TIOCGWINSZ, 0x7fffa01bec58) = -1 ENOTTY (Not a tty)
> [pid 11833] ioctl(5, TIOCGWINSZ, 0x7fffa01bec68) = -1 ENOTTY (Not a tty)
> [pid 11833] ioctl(9, TIOCGWINSZ, 0x7fffa01be8e8) = -1 ENOTTY (Not a tty)
> [pid 11833] ioctl(11, TIOCGWINSZ, 0x7fffa01be9c8) = -1 ENOTTY (Not a tty)
> [pid 11833] ioctl(4, TIOCGWINSZ, 0x7fffa01be318) = -1 ENOTTY (Not a tty)
> alpine:/home/jvoisin/chrony/test/system#

Great, thanks!

This should be now fixed in git.

-- 
Miroslav Lichvar





Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-01 Thread jvoisin
On 01/06/2023 14:17, Miroslav Lichvar wrote:
> On Thu, Jun 01, 2023 at 02:14:40PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system#  CHRONYD_WRAPPER="strace -f"
>> TEST_SCFILTER=1 ./002-extended
> 
> Try removing TEST_SCFILTER=1. It might be interfering with strace.
> 
>> Testing extended configuration:
>>   non-default settings:
>>   starting chronyd
>> ^C
>> alpine:/home/jvoisin/chrony/test/system# grep -i iotcl tmp/chronyd.out
> 
> Typo iotcl->ioctl?
Duh, thanks <3

```
alpine:/home/jvoisin/chrony/test/system# CHRONYD_WRAPPER="strace -f"
TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
  non-default settings:
  starting chronyd^C  stopping chronyd  OK

alpine:/home/jvoisin/chrony/test/system# grep -i ioctl tmp/chronyd.out
[pid 11833] ioctl(3, TIOCGWINSZ, 0x7fffa01bec58) = -1 ENOTTY (Not a tty)
[pid 11833] ioctl(5, TIOCGWINSZ, 0x7fffa01bec68) = -1 ENOTTY (Not a tty)
[pid 11833] ioctl(9, TIOCGWINSZ, 0x7fffa01be8e8) = -1 ENOTTY (Not a tty)
[pid 11833] ioctl(11, TIOCGWINSZ, 0x7fffa01be9c8) = -1 ENOTTY (Not a tty)
[pid 11833] ioctl(4, TIOCGWINSZ, 0x7fffa01be318) = -1 ENOTTY (Not a tty)
alpine:/home/jvoisin/chrony/test/system#
```




Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-01 Thread Miroslav Lichvar
On Thu, Jun 01, 2023 at 02:14:40PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system#  CHRONYD_WRAPPER="strace -f"
> TEST_SCFILTER=1 ./002-extended

Try removing TEST_SCFILTER=1. It might be interfering with strace.

> Testing extended configuration:
>   non-default settings:
>   starting chronyd
> ^C
> alpine:/home/jvoisin/chrony/test/system# grep -i iotcl tmp/chronyd.out

Typo iotcl->ioctl?

On a glibc-based system I see in the log:

[pid 135939] ioctl(6, TCGETS, 0x7ffcb332bd00) = -1 ENOTTY (Inappropriate ioctl 
for device)
[pid 135939] ioctl(7, TCGETS, 0x7ffcb332cee0) = -1 EINVAL (Invalid argument)

-- 
Miroslav Lichvar





Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-01 Thread jvoisin
On 01/06/2023 13:59, Miroslav Lichvar wrote:
> On Thu, Jun 01, 2023 at 01:51:27PM +0200, jvoisin wrote:
>> On 01/06/2023 13:31, Miroslav Lichvar wrote:
>>> On Thu, Jun 01, 2023 at 01:16:17PM +0200, jvoisin wrote:
>>>> is there a way to tell the strace wrapper to follow children?
>>>
>>> Try CHRONYD_WRAPPER="strace -f" ./002-extended
>>>
>>> but you will need to terminate it manually (e.g. ctrl-c).
>>>
>> ```
>> alpine:/home/jvoisin/chrony/test/system#  CHRONYD_WRAPPER="strace -f"
>> TEST_SCFILTER=1 ./002-extended
>> Testing extended configuration:
>>   non-default settings:
>>   starting chronyd
>> ```
>>
>> then it doesn't start.
> 
> Yes, that's expected. Press ctrl-c after a few seconds and check the log
> file for ioctls.
> 

```
alpine:/home/jvoisin/chrony/test/system#  CHRONYD_WRAPPER="strace -f"
TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
  non-default settings:
  starting chronyd
^C
alpine:/home/jvoisin/chrony/test/system# grep -i iotcl tmp/chronyd.out
alpine:/home/jvoisin/chrony/test/system#
```

no luck :/




Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-01 Thread Miroslav Lichvar
On Thu, Jun 01, 2023 at 01:51:27PM +0200, jvoisin wrote:
> On 01/06/2023 13:31, Miroslav Lichvar wrote:
> > On Thu, Jun 01, 2023 at 01:16:17PM +0200, jvoisin wrote:
> >> is there a way to tell the strace wrapper to follow children?
> > 
> > Try CHRONYD_WRAPPER="strace -f" ./002-extended
> > 
> > but you will need to terminate it manually (e.g. ctrl-c).
> > 
> ```
> alpine:/home/jvoisin/chrony/test/system#  CHRONYD_WRAPPER="strace -f"
> TEST_SCFILTER=1 ./002-extended
> Testing extended configuration:
>   non-default settings:
>   starting chronyd
> ```
> 
> then it doesn't start.

Yes, that's expected. Press ctrl-c after a few seconds and check the log
file for ioctls.

-- 
Miroslav Lichvar





Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-01 Thread jvoisin
On 01/06/2023 13:31, Miroslav Lichvar wrote:
> On Thu, Jun 01, 2023 at 01:16:17PM +0200, jvoisin wrote:
>> is there a way to tell the strace wrapper to follow children?
> 
> Try CHRONYD_WRAPPER="strace -f" ./002-extended
> 
> but you will need to terminate it manually (e.g. ctrl-c).
> 
```
alpine:/home/jvoisin/chrony/test/system#  CHRONYD_WRAPPER="strace -f"
TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
  non-default settings:
  starting chronyd
```

then it doesn't start.




Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-01 Thread Miroslav Lichvar
On Thu, Jun 01, 2023 at 01:16:17PM +0200, jvoisin wrote:
> is there a way to tell the strace wrapper to follow children?

Try CHRONYD_WRAPPER="strace -f" ./002-extended

but you will need to terminate it manually (e.g. ctrl-c).

-- 
Miroslav Lichvar





Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-01 Thread jvoisin
On 01/06/2023 13:10, Miroslav Lichvar wrote:
> On Thu, Jun 01, 2023 at 01:04:43PM +0200, jvoisin wrote:
>> Albeit we might want to restrict the parameters passed to ioctl, instead
>> of allowing it unconditionally.
> 
> Can you please run it under strace and see what ioctl it needs?
> 
> # CHRONYD_WRAPPER=strace ./002-extended
> # grep ioctl tmp/chronyd.out
> 
```
alpine:/home/jvoisin/chrony/test/system# CHRONYD_WRAPPER=strace
TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
  non-default settings:
  starting chronyd  OK
  waiting for synchronization   OK
  stopping chronyd  OK
  checking chronyd messages OK
  checking chronyd filesOK
PASS
alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.out
execve("../../chronyd", ["../../chronyd", "-x", "-l",
"/home/jvoisin/chrony/test/system"..., "-f",
"/home/jvoisin/chrony/test/system"..., "-u", "root", "-F", "1"],
0x7ffec16cb668 /* 21 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7f86c2428b48) = 0
set_tid_address(0x7f86c2428fb8) = 11587
brk(NULL)   = 0x5588bd75a000
brk(0x5588bd75c000) = 0x5588bd75c000
mmap(0x5588bd75a000, 4096, PROT_NONE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x5588bd75a000
open("/etc/ld-musl-x86_64.path", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1
ENOENT (No such file or directory)
open("/lib/libseccomp.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT
(No such file or directory)
open("/usr/local/lib/libseccomp.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) =
-1 ENOENT (No such file or directory)
open("/usr/lib/libseccomp.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
fcntl(3, F_SETFD, FD_CLOEXEC)   = 0
fstat(3, {st_mode=S_IFREG|0755, st_size=108528, ...}) = 0
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
960) = 960
mmap(NULL, 114688, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f86c2373000
mmap(0x7f86c2375000, 40960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED,
3, 0x2000) = 0x7f86c2375000
mmap(0x7f86c237f000, 57344, PROT_READ, MAP_PRIVATE|MAP_FIXED, 3, 0xc000)
= 0x7f86c237f000
mmap(0x7f86c238d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x19000) = 0x7f86c238d000
close(3)= 0
mprotect(0x7f86c238d000, 4096, PROT_READ) = 0
mprotect(0x7f86c2425000, 4096, PROT_READ) = 0
mprotect(0x5588bd00e000, 4096, PROT_READ) = 0
getuid()= 0
pipe([3, 4])= 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[], ~[KILL STOP RTMIN RT_1 RT_2], 8) = 0
fork()  = 11588
rt_sigprocmask(SIG_SETMASK, ~[KILL STOP RTMIN RT_1 RT_2], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
close(4)= 0
read(3, "", 1024)   = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=11588,
si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
exit_group(0)   = ?
+++ exited with 0 +++
alpine:/home/jvoisin/chrony/test/system#
```

is there a way to tell the strace wrapper to follow children?




Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-01 Thread Miroslav Lichvar
On Thu, Jun 01, 2023 at 01:04:43PM +0200, jvoisin wrote:
> Albeit we might want to restrict the parameters passed to ioctl, instead
> of allowing it unconditionally.

Can you please run it under strace and see what ioctl it needs?

# CHRONYD_WRAPPER=strace ./002-extended
# grep ioctl tmp/chronyd.out

-- 
Miroslav Lichvar


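jvoisin's point above, that ioctl should be restricted by argument rather than allowed wholesale, can be expressed in seccomp-BPF by matching the request code. The following is an added example, not chrony's filter and not code from this thread: a raw cBPF program that admits ioctl only for TIOCGWINSZ and TCGETS (the two request codes that appear in the strace output earlier on this page), fails other requests with ENOTTY, and kills the process for any syscall outside a tiny allow list, plus a minimal evaluator so the decisions can be checked in user space. It assumes x86_64 (AUDIT_ARCH_X86_64, little-endian arguments) and Linux kernel headers.

```c
/* Added example, not chrony's filter: a seccomp-BPF program that admits ioctl
 * only for the request codes seen in this thread (TIOCGWINSZ on musl, TCGETS
 * on glibc), fails other requests with ENOTTY, and kills the process for any
 * syscall outside a tiny allow list. Assumes x86_64 and Linux kernel headers. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U   /* missing from old headers */
#endif

/* seccomp_data.args[] are 64-bit; on little-endian x86_64 the low word comes first. */
#define ARG_LO(i) (offsetof(struct seccomp_data, args[i]))
#define ARG_HI(i) (offsetof(struct seccomp_data, args[i]) + 4)

/* Jump offsets count from the next instruction; the index of each target is
 * given in the trailing comment so the arithmetic can be checked by eye. */
static const struct sock_filter ioctl_filter[] = {
    /* 0-2: refuse a foreign ABI before trusting the syscall number */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-7: argument-free allow-list entries (a real daemon needs many more) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 11, 0),     /* -> 16 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_writev, 10, 0),    /* -> 16 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 9, 0), /* -> 16 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 8, 0),       /* -> 16 */
    /* 8: not ioctl and not listed above: kill */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 6),      /* != -> 15 */
    /* 9-10: request codes are 32-bit, so the upper half of args[1] must be 0 */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 3),               /* != -> 14 */
    /* 11-13: only the two request codes observed in the thread pass */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCGWINSZ, 3, 0),      /* -> 16 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TCGETS, 2, 0),          /* -> 16 */
    /* 14: any other ioctl fails softly instead of taking the daemon down */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOTTY),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),        /* 15 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),               /* 16 */
};
#define IOCTL_FILTER_LEN (sizeof ioctl_filter / sizeof ioctl_filter[0])

/* Minimal cBPF evaluator for the three instruction forms used above, so the
 * filter's decisions can be checked in user space without installing it. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *data)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; ) {
        const struct sock_filter *in = &prog[pc++];
        switch (BPF_CLASS(in->code)) {
        case BPF_LD:  memcpy(&acc, (const char *)data + in->k, sizeof acc); break;
        case BPF_JMP: pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_RET: return in->k;
        default:      return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;  /* the kernel refuses programs that fall off the end */
}

/* The action the filter takes for syscall nr on the given ABI, with args[1]
 * (the ioctl request) set to request and every other argument zero. */
uint32_t decide(uint32_t arch, int nr, uint64_t request)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    d.args[1] = request;
    return run_filter(ioctl_filter, IOCTL_FILTER_LEN, &d);
}

/* Install the filter in the calling process; works unprivileged once
 * no_new_privs is set. Returns 0 on success, -1 with errno otherwise. */
int install_ioctl_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)IOCTL_FILTER_LEN,
        .filter = (struct sock_filter *)ioctl_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

With libseccomp the same intent is a `seccomp_rule_add()` for `SCMP_SYS(ioctl)` carrying an `SCMP_A1(SCMP_CMP_EQ, TIOCGWINSZ)` comparison; the raw form above just makes the argument check visible.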



Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-01 Thread jvoisin
On 01/06/2023 08:37, Miroslav Lichvar wrote:
> On Wed, May 31, 2023 at 04:54:09PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
>> 2023-05-31T14:51:14Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
>> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
>> -DEBUG)
>> 2023-05-31T14:51:14Z Disabled control of system clock
>> 2023-05-31T14:51:14Z World-readable permissions on
>> /home/jvoisin/chrony/test/system/tmp/keys
>> 2023-05-31T14:51:14Z Loaded 1 symmetric keys
>> 2023-05-31T14:51:14Z Running with root privileges
>> 2023-05-31T14:51:14Z Frequency 0.000 +/- 1.000 ppm read from
>> /home/jvoisin/chrony/test/system/tmp/driftfile
>> 2023-05-31T14:51:14Z Timezone right/UTC failed leap second check, ignoring
>> 2023-05-31T14:51:14Z Loaded seccomp filter (level 1)
>> alpine:/home/jvoisin/chrony/test/system#
>> ```
> 
> The log is missing the "chronyd exiting" message. It might have
> crashed due to seccomp filter. If you run "TEST_SCFILTER=1
> ./002-extended", do you see the offending syscall in the system log?
> 
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
  non-default settings:
  starting chronyd  OK
  waiting for synchronization   ERROR
FAIL
  stopping chronyd  ERROR
alpine:/home/jvoisin/chrony/test/system# dmesg  | tail -n  1
[74805.395129] audit: type=1326 audit(1685617027.470:7): auid=4294967295
uid=0 gid=0 ses=4294967295 pid=4596 comm="chronyd"
exe="/home/jvoisin/chrony/chronyd" sig=31 arch=c03e syscall=16
compat=0 ip=0x7ff195e5ce76 code=0x0
alpine:/home/jvoisin/chrony/test/system# vim ../../sys_linux.c
alpine:/home/jvoisin/chrony/test/system# git diff
diff --git a/sys_linux.c b/sys_linux.c
index c6cb453..d248de0 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -603,11 +603,13 @@ SYS_Linux_EnableSystemCallFilter(int level,
SYS_ProcessContext context)
 SCMP_SYS(select),
 SCMP_SYS(set_robust_list),
 SCMP_SYS(write),
+SCMP_SYS(writev),

 /* Miscellaneous */
 SCMP_SYS(getrandom),
 SCMP_SYS(sysinfo),
 SCMP_SYS(uname),
+SCMP_SYS(ioctl),
   };

   const int denied_any[] = {
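Review bot: the `+SCMP_SYS(ioctl),` line admits every ioctl request code unconditionally, which is the widening jvoisin himself flagged in this thread; the strace output posted later shows only TIOCGWINSZ on musl (and TCGETS on glibc), so an argument-restricted rule on the request code (libseccomp's SCMP_A1 comparison on the second argument) would keep the filter as tight as before. The `+SCMP_SYS(writev),` line matches the earlier audit record (syscall=20 on x86_64 is writev), so that entry is exactly scoped.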
diff --git a/test/system/test.common b/test/system/test.common
index 7005c9e..0660351 100644
--- a/test/system/test.common
+++ b/test/system/test.common
@@ -42,6 +42,8 @@ test_start() {
su "$user" -s /bin/sh -c "touch $TEST_DIR/test" 2> /dev/null || 
\
test_skip "$user cannot access $TEST_DIR"
rm "$TEST_DIR/test"
+   else
+chown 0:0 "$TEST_DIR" || test_skip "could not chown
$TEST_DIR"
fi

echo "Testing $*:"
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
  non-default settings:
  starting chronyd  OK
  waiting for synchronization   OK
  stopping chronyd  OK
  checking chronyd messages OK
  checking chronyd filesOK
PASS
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./099-scfilter
Testing system call filter in non-destructive tests:
  level -1:
001-minimal OK
002-extendedOK
003-memlock OK
004-priorityOK
006-privdropOK
007-cmdmon  OK
008-confloadOK
009-binddevice  OK
010-nts OK
  level 1:
001-minimal OK
002-extendedOK
003-memlock OK
004-priorityOK
006-privdropOK
007-cmdmon  OK
008-confloadOK
009-binddevice  OK
010-nts OK
  level -2:
001-minimal OK
002-extendedOK
003-memlock OK
004-priorityOK
006-privdropOK
007-cmdmon   

Re: [chrony-dev] Seccomp issue on Alpine linux

2023-06-01 Thread Miroslav Lichvar
On Wed, May 31, 2023 at 04:54:09PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
> 2023-05-31T14:51:14Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
> -DEBUG)
> 2023-05-31T14:51:14Z Disabled control of system clock
> 2023-05-31T14:51:14Z World-readable permissions on
> /home/jvoisin/chrony/test/system/tmp/keys
> 2023-05-31T14:51:14Z Loaded 1 symmetric keys
> 2023-05-31T14:51:14Z Running with root privileges
> 2023-05-31T14:51:14Z Frequency 0.000 +/- 1.000 ppm read from
> /home/jvoisin/chrony/test/system/tmp/driftfile
> 2023-05-31T14:51:14Z Timezone right/UTC failed leap second check, ignoring
> 2023-05-31T14:51:14Z Loaded seccomp filter (level 1)
> alpine:/home/jvoisin/chrony/test/system#
> ```

The log is missing the "chronyd exiting" message. It might have
crashed due to seccomp filter. If you run "TEST_SCFILTER=1
./002-extended", do you see the offending syscall in the system log?

-- 
Miroslav Lichvar





Re: [chrony-dev] Seccomp issue on Alpine linux

2023-05-31 Thread jvoisin
On 31/05/2023 16:42, Miroslav Lichvar wrote:
> On Wed, May 31, 2023 at 04:28:51PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
>> 2023-05-31T14:28:33Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
>> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
>> -DEBUG)
>> 2023-05-31T14:28:33Z Wrong owner of /home/jvoisin/chrony/test/system/tmp
>> (GID != 0)
>> 2023-05-31T14:28:33Z Disabled command socket
>> /home/jvoisin/chrony/test/system/tmp/chronyd.sock
> 
> It seems the tmp directory is being created with a different group than 0
> (root). Is it a wheel group?
yes, root is part of wheel:

```
alpine:/home/jvoisin/chrony/test/system# groups
root bin daemon sys adm disk wheel floppy dialout tape video
alpine:/home/jvoisin/chrony/test/system#
```

> 
> Can you please try it again with this patch?
> 
> diff --git a/test/system/test.common b/test/system/test.common
> index 7005c9e1..aa48ac67 100644
> --- a/test/system/test.common
> +++ b/test/system/test.common
> @@ -42,6 +42,8 @@ test_start() {
> su "$user" -s /bin/sh -c "touch $TEST_DIR/test" 2> /dev/null 
> || \
> test_skip "$user cannot access $TEST_DIR"
> rm "$TEST_DIR/test"
> +   else
> +   chown 0:0 "$TEST_DIR" || test_skip "could not chown $TEST_DIR"
> fi
>  
> echo "Testing $*:"
> 
```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
minimal_config=1
  starting chronyd  OK
  stopping chronyd  OK
  checking chronyd messages OK
PASS
alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
Testing system call filter in non-destructive tests:
  level -1:
001-minimal OK
002-extendedBAD
FAIL
alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
2023-05-31T14:51:14Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
+REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
-DEBUG)
2023-05-31T14:51:14Z Disabled control of system clock
2023-05-31T14:51:14Z World-readable permissions on
/home/jvoisin/chrony/test/system/tmp/keys
2023-05-31T14:51:14Z Loaded 1 symmetric keys
2023-05-31T14:51:14Z Running with root privileges
2023-05-31T14:51:14Z Frequency 0.000 +/- 1.000 ppm read from
/home/jvoisin/chrony/test/system/tmp/driftfile
2023-05-31T14:51:14Z Timezone right/UTC failed leap second check, ignoring
2023-05-31T14:51:14Z Loaded seccomp filter (level 1)
alpine:/home/jvoisin/chrony/test/system#
```




Re: [chrony-dev] Seccomp issue on Alpine linux

2023-05-31 Thread Miroslav Lichvar
On Wed, May 31, 2023 at 04:28:51PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
> 2023-05-31T14:28:33Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
> -DEBUG)
> 2023-05-31T14:28:33Z Wrong owner of /home/jvoisin/chrony/test/system/tmp
> (GID != 0)
> 2023-05-31T14:28:33Z Disabled command socket
> /home/jvoisin/chrony/test/system/tmp/chronyd.sock

It seems the tmp directory is being created with a different group than 0
(root). Is it a wheel group?

Can you please try it again with this patch?

diff --git a/test/system/test.common b/test/system/test.common
index 7005c9e1..aa48ac67 100644
--- a/test/system/test.common
+++ b/test/system/test.common
@@ -42,6 +42,8 @@ test_start() {
su "$user" -s /bin/sh -c "touch $TEST_DIR/test" 2> /dev/null || 
\
test_skip "$user cannot access $TEST_DIR"
rm "$TEST_DIR/test"
+   else
+   chown 0:0 "$TEST_DIR" || test_skip "could not chown $TEST_DIR"
fi
 
echo "Testing $*:"
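Review bot: the new `else` branch chowns `$TEST_DIR` to 0:0 whenever the tests run as root, without checking who owns it; if `$TEST_DIR` is anything other than the tmp directory the tests create themselves, this silently takes over a directory it did not create. Consider limiting the chown to the freshly created tmp directory, or checking the current owner first. A one-line comment saying that chronyd refuses a command socket directory whose GID is not 0 (the "Wrong owner ... (GID != 0)" message quoted above) would also record why the chown is needed.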

-- 
Miroslav Lichvar





Re: [chrony-dev] Seccomp issue on Alpine linux

2023-05-31 Thread jvoisin
On 31/05/2023 16:26, Miroslav Lichvar wrote:
> On Wed, May 31, 2023 at 04:22:09PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
>> Testing minimal configuration:
>>   non-default settings:
>> minimal_config=1
>>   starting chronyd   OK
>>   stopping chronyd   OK
>>   checking chronyd messages  BAD
>> FAIL
> 
> What do you see in tmp/chronyd.log after this test?
> 
```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
minimal_config=1
  starting chronyd  OK
  stopping chronyd  OK
  checking chronyd messages BAD
FAIL
alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
2023-05-31T14:28:33Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
+REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
-DEBUG)
2023-05-31T14:28:33Z Wrong owner of /home/jvoisin/chrony/test/system/tmp
(GID != 0)
2023-05-31T14:28:33Z Disabled command socket
/home/jvoisin/chrony/test/system/tmp/chronyd.sock
2023-05-31T14:28:33Z Disabled control of system clock
2023-05-31T14:28:33Z Running with root privileges
2023-05-31T14:28:33Z Loaded seccomp filter (level 1)
2023-05-31T14:28:33Z chronyd exiting
alpine:/home/jvoisin/chrony/test/system#
```




Re: [chrony-dev] Seccomp issue on Alpine linux

2023-05-31 Thread Miroslav Lichvar
On Wed, May 31, 2023 at 04:22:09PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
> Testing minimal configuration:
>   non-default settings:
> minimal_config=1
>   starting chronydOK
>   stopping chronydOK
>   checking chronyd messages   BAD
> FAIL

What do you see in tmp/chronyd.log after this test?

-- 
Miroslav Lichvar





Re: [chrony-dev] Seccomp issue on Alpine linux

2023-05-31 Thread jvoisin
> Try running the failing test as "TEST_SCFILTER=1 ./001-minimal" and see the
> failing syscall number in the system or audit log.

Unfortunately, Alpine uses busybox's ps:

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
minimal_config=1
  starting chronydps: unrecognized option: p
BusyBox v1.36.1 (2023-05-25 05:48:21 UTC) multi-call binary.

Usage: ps [-o COL1,COL2=HEADER] [-T]

Show list of processes

-o COL1,COL2=HEADER Select columns for display
-T  Show threads
ERROR
FAIL
  stopping chronyd  ERROR
alpine:/home/jvoisin/chrony/test/system#
```

This can be fixed with `apk add procps`.

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
minimal_config=1
  starting chronyd  ERROR
FAIL
  stopping chronyd  ERROR

alpine:/home/jvoisin/chrony/test/system# dmesg | tail -n 2
[  120.059165] audit: type=1326 audit(1685542342.126:5): auid=4294967295
uid=0 gid=0 ses=4294967295 pid=2388 comm="chronyd"
exe="/home/jvoisin/chrony/chronyd" sig=31 arch=c03e syscall=20
compat=0 ip=0x7fe0b3e4d306 code=0x0
alpine:/home/jvoisin/chrony/test/system# vim sys_linux.c
alpine:/home/jvoisin/chrony/test/system# git diff
diff --git a/sys_linux.c b/sys_linux.c
index c6cb453..04e3a86 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -603,6 +603,7 @@ SYS_Linux_EnableSystemCallFilter(int level,
SYS_ProcessContext context)
 SCMP_SYS(select),
 SCMP_SYS(set_robust_list),
 SCMP_SYS(write),
+SCMP_SYS(writev),

 /* Miscellaneous */
 SCMP_SYS(getrandom),
alpine:/home/jvoisin/chrony/test/system# make
alpine:/home/jvoisin/chrony/test/system# cd test/system
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
  non-default settings:
minimal_config=1
  starting chronyd  OK
  stopping chronyd  OK
  checking chronyd messages BAD
FAIL
alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
Testing system call filter in non-destructive tests:
  level -1:
001-minimal BAD
FAIL
alpine:/home/jvoisin/chrony/test/system#
alpine:/home/jvoisin/chrony/test/system# ./199-scfilter
Testing system call filter in destructive tests:
  level -1:
100-clockupdate BAD
FAIL
alpine:/home/jvoisin/chrony/test/system#
```

so there are some failures, but nothing more in dmesg about seccomp
violations.





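Miroslav's suggestion (in the message below on this page) is to read the failing syscall number out of the system or audit log, which jvoisin did above with dmesg. As an added example, not chrony code and not from the thread, here is a small C decoder for those `type=1326` records: it pulls out the pid, arch, syscall number and seccomp action, names the syscall for x86_64, and prints the SCMP_SYS() entry that would admit it. The sample lines are constructed after the two records in the thread (with the arch value written out in full as c000003e), and the syscall table is deliberately short.

```c
/* Added example, not chrony code: decode "audit: type=1326" seccomp records
 * such as the dmesg lines in this thread and turn the syscall number into
 * the SCMP_SYS() allow-list entry that would admit it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_SECCOMP      1326          /* audit record type for seccomp actions */
#define AUDIT_ARCH_X86_64  0xc000003eu   /* arch= value for the x86_64 ABI */

struct seccomp_kill {
    long pid;
    unsigned arch, nr, code;   /* code = SECCOMP_RET_* action that fired */
    char comm[32];
};

/* x86_64 numbers seen in this thread plus a few neighbours; extend as needed. */
const char *syscall_name_x86_64(unsigned nr)
{
    switch (nr) {
    case 0: return "read";      case 1: return "write";
    case 16: return "ioctl";    case 19: return "readv";
    case 20: return "writev";   case 324: return "membarrier";
    case 334: return "rseq";    default: return NULL;
    }
}

/* Kernel action from the code= field (SECCOMP_RET_ACTION_FULL mask). */
const char *seccomp_action_name(unsigned code)
{
    switch (code & 0xffff0000u) {
    case 0x00000000u: return "KILL_THREAD";
    case 0x80000000u: return "KILL_PROCESS";
    case 0x00050000u: return "ERRNO";
    case 0x7ffc0000u: return "LOG";
    default:          return "other";
    }
}

/* Locate "key=" at the start of the line or after a space, so "pid=" never
 * matches inside "auid=". Returns a pointer to the value or NULL. */
static const char *find_field(const char *line, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = line; (p = strstr(p, key)) != NULL; p++)
        if ((p == line || p[-1] == ' ') && p[klen] == '=')
            return p + klen + 1;
    return NULL;
}

/* Parse one line. Returns 1 if it is a seccomp record, 0 for anything else. */
int parse_seccomp_audit(const char *line, struct seccomp_kill *k)
{
    const char *v = find_field(line, "type");
    if (v == NULL || strtol(v, NULL, 10) != AUDIT_SECCOMP)
        return 0;
    memset(k, 0, sizeof *k);
    if ((v = find_field(line, "pid")))     k->pid = strtol(v, NULL, 10);
    if ((v = find_field(line, "arch")))    k->arch = (unsigned)strtoul(v, NULL, 16);
    if ((v = find_field(line, "syscall"))) k->nr = (unsigned)strtoul(v, NULL, 10);
    if ((v = find_field(line, "code")))    k->code = (unsigned)strtoul(v, NULL, 16);
    if ((v = find_field(line, "comm")) && *v == '"') {
        const char *end = strchr(v + 1, '"');
        size_t n = end ? (size_t)(end - v - 1) : 0;
        if (n >= sizeof k->comm) n = sizeof k->comm - 1;
        memcpy(k->comm, v + 1, n);
    }
    return 1;
}

/* One line a maintainer wants: who died, which action, and the entry to add. */
int describe_kill(const char *line, char *buf, size_t n)
{
    struct seccomp_kill k;
    if (!parse_seccomp_audit(line, &k))
        return 0;
    const char *name = k.arch == AUDIT_ARCH_X86_64 ? syscall_name_x86_64(k.nr) : NULL;
    if (name)
        snprintf(buf, n, "%s pid %ld: %s on syscall %u (%s) -> add SCMP_SYS(%s)",
                 k.comm, k.pid, seccomp_action_name(k.code), k.nr, name, name);
    else
        snprintf(buf, n, "%s pid %ld: %s on syscall %u, arch 0x%x (not in table)",
                 k.comm, k.pid, seccomp_action_name(k.code), k.nr, k.arch);
    return 1;
}

/* Constructed samples modelled on the thread's two dmesg records (arch written
 * out in full as c000003e) plus one unrelated audit line that must be skipped. */
const char *sample_lines[] = {
    "[  120.059165] audit: type=1326 audit(1685542342.126:5): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=2388 comm=\"chronyd\" exe=\"/home/jvoisin/chrony/chronyd\" sig=31 arch=c000003e syscall=20 compat=0 ip=0x7fe0b3e4d306 code=0x0",
    "[74805.395129] audit: type=1326 audit(1685617027.470:7): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4596 comm=\"chronyd\" exe=\"/home/jvoisin/chrony/chronyd\" sig=31 arch=c000003e syscall=16 compat=0 ip=0x7ff195e5ce76 code=0x0",
    "[   12.000000] audit: type=1334 audit(1685542234.000:2): prog-id=9 op=LOAD",
};

int main(void)
{
    char buf[160];
    for (size_t i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++)
        if (describe_kill(sample_lines[i], buf, sizeof buf))
            puts(buf);
    return 0;
}
```

Piping `dmesg | grep 'type=1326'` into this gives one line per kill; `code=0x0` with `sig=31` is the KILL_THREAD action, which is why the chronyd log in the thread ends without its "chronyd exiting" message.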



Re: [chrony-dev] Seccomp issue on Alpine linux

2023-05-29 Thread Miroslav Lichvar
On Mon, May 29, 2023 at 04:07:37PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
> Testing system call filter in non-destructive tests:
>   level -1:
> 001-minimal   BAD
> FAIL
> alpine:/home/jvoisin/chrony/test/system#
> ```
> 
> What would be the best way to find the root cause/blacklisted syscalls?

Try running the failing test as "TEST_SCFILTER=1 ./001-minimal" and see the
failing syscall number in the system or audit log.

Thanks,

-- 
Miroslav Lichvar





Re: [chrony-dev] Seccomp issue on Alpine linux

2023-05-29 Thread jvoisin
On 29/05/2023 09:16, Miroslav Lichvar wrote:
> On Sun, May 28, 2023 at 07:32:12PM +0200, jvoisin wrote:
>>> If you have extracted source code, can you please run these two tests
>>> to confirm there are no other seccomp failures on musl?
>>>
>>> # cd test/system
>>> # ./099-scfilter
>>> # ./199-scfilter
>>>
>>
>> I'd love to, but the latest master doesn't compile here:
> 
> Compiling from git requires bison installed, or you can copy getdate.c
> from a released tarball.
It would be nice for `./configure` to check for this :/

Anyway, here are the results:

```
alpine:/home/jvoisin/chrony/test/system# ./199-scfilter
Testing system call filter in destructive tests:
  level -1:
100-clockupdate BAD
FAIL
alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
Testing system call filter in non-destructive tests:
  level -1:
001-minimal BAD
FAIL
alpine:/home/jvoisin/chrony/test/system#
```

What would be the best way to find the root cause/blacklisted syscalls?




Re: [chrony-dev] Seccomp issue on Alpine linux

2023-05-29 Thread Miroslav Lichvar
On Sun, May 28, 2023 at 07:32:12PM +0200, jvoisin wrote:
> > If you have extracted source code, can you please run these two tests
> > to confirm there are no other seccomp failures on musl?
> > 
> > # cd test/system
> > # ./099-scfilter
> > # ./199-scfilter
> > 
> 
> I'd love to, but the latest master doesn't compile here:

Compiling from git requires bison installed, or you can copy getdate.c
from a released tarball.

-- 
Miroslav Lichvar





Re: [chrony-dev] Seccomp issue on Alpine linux

2023-05-28 Thread jvoisin
> If you have extracted source code, can you please run these two tests
> to confirm there are no other seccomp failures on musl?
> 
> # cd test/system
> # ./099-scfilter
> # ./199-scfilter
> 

I'd love to, but the latest master doesn't compile here:

```
$ make
[…]
gcc -O2 -g -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector-strong
--param=ssp-buffer-size=4 -Wmissing-prototypes -Wall -pthread -o chronyd
array.o cmdparse.o conf.o local.o logging.o main.o memory.o quantiles.o
reference.o regress.o rtc.o samplefilt.o sched.o socket.o sources.o
sourcestats.o stubs.o smooth.o sys.o sys_null.o tempcomp.o util.o
sys_generic.o sys_linux.o sys_timex.o sys_posix.o cmdmon.o manual.o
pktlength.o ntp_auth.o ntp_core.o ntp_ext.o ntp_io.o ntp_sources.o
addrfilt.o clientlog.o keys.o nameserv.o refclock.o refclock_phc.o
refclock_pps.o refclock_shm.o refclock_sock.o nameserv_async.o
hash_intmd5.o -pie -Wl,-z,relro,-z,now
gcc -O2 -g -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector-strong
--param=ssp-buffer-size=4 -Wmissing-prototypes -Wall -pthread  -c client.c
make: *** No rule to make target 'getdate.c', needed by 'getdate.o'.  Stop.
$
```




Re: [chrony-dev] Seccomp issue on Alpine linux

2023-05-22 Thread Miroslav Lichvar
On Sun, May 21, 2023 at 10:41:30PM +0200, jvoisin wrote:
> Hello,
> 
> it seems that chrony's seccomp policy doesn't play nice with Alpine
> Linux, likely due to the fact that there is a call to `membarrier`
> somewhere that the latter does and that the former doesn't like.
> 
> See https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/47087
> for details.

Thanks for the report. Does it work for you if you apply this patch?

--- a/sys_linux.c
+++ b/sys_linux.c
@@ -498,6 +498,9 @@ SYS_Linux_EnableSystemCallFilter(int level, 
SYS_ProcessContext context)
 SCMP_SYS(getrlimit),
 SCMP_SYS(getuid),
 SCMP_SYS(getuid32),
+#ifdef __NR_membarrier
+SCMP_SYS(membarrier),
+#endif
 #ifdef __NR_rseq
 SCMP_SYS(rseq),
 #endif
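Review bot: guarding the new entry with `#ifdef __NR_membarrier` matches the adjacent `__NR_rseq` guard and keeps the build working on headers that predate the syscall; a short comment noting that the musl-based Alpine build issues membarrier at startup (the reason for the failure reported above) would document why it belongs in the allow list, so a later cleanup does not drop it as unused.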

If you have extracted source code, can you please run these two tests
to confirm there are no other seccomp failures on musl?

# cd test/system
# ./099-scfilter
# ./199-scfilter

-- 
Miroslav Lichvar

