Re: [chrony-dev] Seccomp issue on Alpine linux
On 01/06/2023 14:54, Miroslav Lichvar wrote:
> On Thu, Jun 01, 2023 at 02:20:13PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# grep -i ioctl tmp/chronyd.out
>> [pid 11833] ioctl(3, TIOCGWINSZ, 0x7fffa01bec58) = -1 ENOTTY (Not a tty)
>> [pid 11833] ioctl(5, TIOCGWINSZ, 0x7fffa01bec68) = -1 ENOTTY (Not a tty)
>> [pid 11833] ioctl(9, TIOCGWINSZ, 0x7fffa01be8e8) = -1 ENOTTY (Not a tty)
>> [pid 11833] ioctl(11, TIOCGWINSZ, 0x7fffa01be9c8) = -1 ENOTTY (Not a tty)
>> [pid 11833] ioctl(4, TIOCGWINSZ, 0x7fffa01be318) = -1 ENOTTY (Not a tty)
>> alpine:/home/jvoisin/chrony/test/system#
>
> Great, thanks!
>
> This should be now fixed in git.
>

Glorious! Hopefully we can enable the seccomp thingy for chrony's next release in Alpine and close https://gitlab.alpinelinux.org/alpine/aports/-/issues/14891

Thank you for your hand-holding and your patience <3

--
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the subject.
Trouble? Email listmas...@chrony.tuxfamily.org.
Re: [chrony-dev] Seccomp issue on Alpine linux
On Thu, Jun 01, 2023 at 02:20:13PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system# grep -i ioctl tmp/chronyd.out
> [pid 11833] ioctl(3, TIOCGWINSZ, 0x7fffa01bec58) = -1 ENOTTY (Not a tty)
> [pid 11833] ioctl(5, TIOCGWINSZ, 0x7fffa01bec68) = -1 ENOTTY (Not a tty)
> [pid 11833] ioctl(9, TIOCGWINSZ, 0x7fffa01be8e8) = -1 ENOTTY (Not a tty)
> [pid 11833] ioctl(11, TIOCGWINSZ, 0x7fffa01be9c8) = -1 ENOTTY (Not a tty)
> [pid 11833] ioctl(4, TIOCGWINSZ, 0x7fffa01be318) = -1 ENOTTY (Not a tty)
> alpine:/home/jvoisin/chrony/test/system#

Great, thanks!

This should be now fixed in git.

--
Miroslav Lichvar
Re: [chrony-dev] Seccomp issue on Alpine linux
On 01/06/2023 14:17, Miroslav Lichvar wrote:
> On Thu, Jun 01, 2023 at 02:14:40PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# CHRONYD_WRAPPER="strace -f"
>> TEST_SCFILTER=1 ./002-extended
>
> Try removing TEST_SCFILTER=1. It might be interfering with strace.
>
>> Testing extended configuration:
>> non-default settings:
>> starting chronyd
>> ^C
>> alpine:/home/jvoisin/chrony/test/system# grep -i iotcl tmp/chronyd.out
>
> Typo iotcl->ioctl?

Duh, thanks <3

```
alpine:/home/jvoisin/chrony/test/system# CHRONYD_WRAPPER="strace -f" TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
non-default settings:
starting chronyd^C
stopping chronyd OK
alpine:/home/jvoisin/chrony/test/system# grep -i ioctl tmp/chronyd.out
[pid 11833] ioctl(3, TIOCGWINSZ, 0x7fffa01bec58) = -1 ENOTTY (Not a tty)
[pid 11833] ioctl(5, TIOCGWINSZ, 0x7fffa01bec68) = -1 ENOTTY (Not a tty)
[pid 11833] ioctl(9, TIOCGWINSZ, 0x7fffa01be8e8) = -1 ENOTTY (Not a tty)
[pid 11833] ioctl(11, TIOCGWINSZ, 0x7fffa01be9c8) = -1 ENOTTY (Not a tty)
[pid 11833] ioctl(4, TIOCGWINSZ, 0x7fffa01be318) = -1 ENOTTY (Not a tty)
alpine:/home/jvoisin/chrony/test/system#
```
Re: [chrony-dev] Seccomp issue on Alpine linux
On Thu, Jun 01, 2023 at 02:14:40PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system# CHRONYD_WRAPPER="strace -f"
> TEST_SCFILTER=1 ./002-extended

Try removing TEST_SCFILTER=1. It might be interfering with strace.

> Testing extended configuration:
> non-default settings:
> starting chronyd
> ^C
> alpine:/home/jvoisin/chrony/test/system# grep -i iotcl tmp/chronyd.out

Typo iotcl->ioctl?

On a glibc-based system I see in the log:

[pid 135939] ioctl(6, TCGETS, 0x7ffcb332bd00) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 135939] ioctl(7, TCGETS, 0x7ffcb332cee0) = -1 EINVAL (Invalid argument)

--
Miroslav Lichvar
Re: [chrony-dev] Seccomp issue on Alpine linux
On 01/06/2023 13:59, Miroslav Lichvar wrote:
> On Thu, Jun 01, 2023 at 01:51:27PM +0200, jvoisin wrote:
>> On 01/06/2023 13:31, Miroslav Lichvar wrote:
>>> On Thu, Jun 01, 2023 at 01:16:17PM +0200, jvoisin wrote:
>>>> is there a way to tell the strace wrapper to follow children?
>>>
>>> Try CHRONYD_WRAPPER="strace -f" ./002-extended
>>>
>>> but you will need to terminate it manually (e.g. ctrl-c).
>>>
>> ```
>> alpine:/home/jvoisin/chrony/test/system# CHRONYD_WRAPPER="strace -f"
>> TEST_SCFILTER=1 ./002-extended
>> Testing extended configuration:
>> non-default settings:
>> starting chronyd
>> ```
>>
>> then it doesn't start.
>
> Yes, that's expected. Press ctrl-c after a few seconds and check the log
> file for ioctls.
>

```
alpine:/home/jvoisin/chrony/test/system# CHRONYD_WRAPPER="strace -f" TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
non-default settings:
starting chronyd
^C
alpine:/home/jvoisin/chrony/test/system# grep -i iotcl tmp/chronyd.out
alpine:/home/jvoisin/chrony/test/system#
```

no luck :/
Re: [chrony-dev] Seccomp issue on Alpine linux
On Thu, Jun 01, 2023 at 01:51:27PM +0200, jvoisin wrote:
> On 01/06/2023 13:31, Miroslav Lichvar wrote:
> > On Thu, Jun 01, 2023 at 01:16:17PM +0200, jvoisin wrote:
> >> is there a way to tell the strace wrapper to follow children?
> >
> > Try CHRONYD_WRAPPER="strace -f" ./002-extended
> >
> > but you will need to terminate it manually (e.g. ctrl-c).
> >
> ```
> alpine:/home/jvoisin/chrony/test/system# CHRONYD_WRAPPER="strace -f"
> TEST_SCFILTER=1 ./002-extended
> Testing extended configuration:
> non-default settings:
> starting chronyd
> ```
>
> then it doesn't start.

Yes, that's expected. Press ctrl-c after a few seconds and check the log
file for ioctls.

--
Miroslav Lichvar
Re: [chrony-dev] Seccomp issue on Alpine linux
On 01/06/2023 13:31, Miroslav Lichvar wrote:
> On Thu, Jun 01, 2023 at 01:16:17PM +0200, jvoisin wrote:
>> is there a way to tell the strace wrapper to follow children?
>
> Try CHRONYD_WRAPPER="strace -f" ./002-extended
>
> but you will need to terminate it manually (e.g. ctrl-c).
>

```
alpine:/home/jvoisin/chrony/test/system# CHRONYD_WRAPPER="strace -f" TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
non-default settings:
starting chronyd
```

then it doesn't start.
Re: [chrony-dev] Seccomp issue on Alpine linux
On Thu, Jun 01, 2023 at 01:16:17PM +0200, jvoisin wrote:
> is there a way to tell the strace wrapper to follow children?

Try CHRONYD_WRAPPER="strace -f" ./002-extended

but you will need to terminate it manually (e.g. ctrl-c).

--
Miroslav Lichvar
Re: [chrony-dev] Seccomp issue on Alpine linux
On 01/06/2023 13:10, Miroslav Lichvar wrote:
> On Thu, Jun 01, 2023 at 01:04:43PM +0200, jvoisin wrote:
>> Albeit we might want to restrict the parameters passed to ioctl, instead
>> of allowing it unconditionally.
>
> Can you please run it under strace and see what ioctl it needs?
>
> # CHRONYD_WRAPPER=strace ./002-extended
> # grep ioctl tmp/chronyd.out
>

```
alpine:/home/jvoisin/chrony/test/system# CHRONYD_WRAPPER=strace TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
non-default settings:
starting chronyd OK
waiting for synchronization OK
stopping chronyd OK
checking chronyd messages OK
checking chronyd files OK
PASS
alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.out
execve("../../chronyd", ["../../chronyd", "-x", "-l", "/home/jvoisin/chrony/test/system"..., "-f", "/home/jvoisin/chrony/test/system"..., "-u", "root", "-F", "1"], 0x7ffec16cb668 /* 21 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7f86c2428b48) = 0
set_tid_address(0x7f86c2428fb8) = 11587
brk(NULL) = 0x5588bd75a000
brk(0x5588bd75c000) = 0x5588bd75c000
mmap(0x5588bd75a000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x5588bd75a000
open("/etc/ld-musl-x86_64.path", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libseccomp.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/libseccomp.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/libseccomp.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
fstat(3, {st_mode=S_IFREG|0755, st_size=108528, ...}) = 0
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 960) = 960
mmap(NULL, 114688, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f86c2373000
mmap(0x7f86c2375000, 40960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0x2000) = 0x7f86c2375000
mmap(0x7f86c237f000, 57344, PROT_READ, MAP_PRIVATE|MAP_FIXED, 3, 0xc000) = 0x7f86c237f000
mmap(0x7f86c238d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x19000) = 0x7f86c238d000
close(3) = 0
mprotect(0x7f86c238d000, 4096, PROT_READ) = 0
mprotect(0x7f86c2425000, 4096, PROT_READ) = 0
mprotect(0x5588bd00e000, 4096, PROT_READ) = 0
getuid() = 0
pipe([3, 4]) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[], ~[KILL STOP RTMIN RT_1 RT_2], 8) = 0
fork() = 11588
rt_sigprocmask(SIG_SETMASK, ~[KILL STOP RTMIN RT_1 RT_2], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
close(4) = 0
read(3, "", 1024) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=11588, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
exit_group(0) = ?
+++ exited with 0 +++
alpine:/home/jvoisin/chrony/test/system#
```

is there a way to tell the strace wrapper to follow children?
Re: [chrony-dev] Seccomp issue on Alpine linux
On Thu, Jun 01, 2023 at 01:04:43PM +0200, jvoisin wrote:
> Albeit we might want to restrict the parameters passed to ioctl, instead
> of allowing it unconditionally.

Can you please run it under strace and see what ioctl it needs?

# CHRONYD_WRAPPER=strace ./002-extended
# grep ioctl tmp/chronyd.out

--
Miroslav Lichvar
Re: [chrony-dev] Seccomp issue on Alpine linux
On 01/06/2023 08:37, Miroslav Lichvar wrote:
> On Wed, May 31, 2023 at 04:54:09PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
>> 2023-05-31T14:51:14Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
>> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
>> -DEBUG)
>> 2023-05-31T14:51:14Z Disabled control of system clock
>> 2023-05-31T14:51:14Z World-readable permissions on
>> /home/jvoisin/chrony/test/system/tmp/keys
>> 2023-05-31T14:51:14Z Loaded 1 symmetric keys
>> 2023-05-31T14:51:14Z Running with root privileges
>> 2023-05-31T14:51:14Z Frequency 0.000 +/- 1.000 ppm read from
>> /home/jvoisin/chrony/test/system/tmp/driftfile
>> 2023-05-31T14:51:14Z Timezone right/UTC failed leap second check, ignoring
>> 2023-05-31T14:51:14Z Loaded seccomp filter (level 1)
>> alpine:/home/jvoisin/chrony/test/system#
>> ```
>
> The log is missing the "chronyd exiting" message. It might have
> crashed due to seccomp filter. If you run "TEST_SCFILTER=1
> ./002-extended", do you see the offending syscall in the system log?
>

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
non-default settings:
starting chronyd OK
waiting for synchronization ERROR
FAIL
stopping chronyd ERROR
alpine:/home/jvoisin/chrony/test/system# dmesg | tail -n 1
[74805.395129] audit: type=1326 audit(1685617027.470:7): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4596 comm="chronyd" exe="/home/jvoisin/chrony/chronyd" sig=31 arch=c03e syscall=16 compat=0 ip=0x7ff195e5ce76 code=0x0
alpine:/home/jvoisin/chrony/test/system# vim ../../sys_linux.c
alpine:/home/jvoisin/chrony/test/system# git diff
diff --git a/sys_linux.c b/sys_linux.c
index c6cb453..d248de0 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -603,11 +603,13 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
     SCMP_SYS(select),
     SCMP_SYS(set_robust_list),
     SCMP_SYS(write),
+    SCMP_SYS(writev),

     /* Miscellaneous */
     SCMP_SYS(getrandom),
     SCMP_SYS(sysinfo),
     SCMP_SYS(uname),
+    SCMP_SYS(ioctl),
   };

   const int denied_any[] = {
diff --git a/test/system/test.common b/test/system/test.common
index 7005c9e..0660351 100644
--- a/test/system/test.common
+++ b/test/system/test.common
@@ -42,6 +42,8 @@ test_start() {
     su "$user" -s /bin/sh -c "touch $TEST_DIR/test" 2> /dev/null || \
       test_skip "$user cannot access $TEST_DIR"
     rm "$TEST_DIR/test"
+  else
+    chown 0:0 "$TEST_DIR" || test_skip "could not chown $TEST_DIR"
   fi

   echo "Testing $*:"
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./002-extended
Testing extended configuration:
non-default settings:
starting chronyd OK
waiting for synchronization OK
stopping chronyd OK
checking chronyd messages OK
checking chronyd files OK
PASS
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./099-scfilter
Testing system call filter in non-destructive tests:
level -1:
001-minimal OK
002-extended OK
003-memlock OK
004-priority OK
006-privdrop OK
007-cmdmon OK
008-confload OK
009-binddevice OK
010-nts OK
level 1:
001-minimal OK
002-extended OK
003-memlock OK
004-priority OK
006-privdrop OK
007-cmdmon OK
008-confload OK
009-binddevice OK
010-nts OK
level -2:
001-minimal OK
002-extended OK
003-memlock OK
004-priority OK
006-privdrop OK
007-cmdmon
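Review bot: `+    SCMP_SYS(ioctl),` in the sys_linux.c hunk admits every ioctl request, which is wider than the evidence supports; the only input at this point is the audit record (syscall=16, which is ioctl on x86_64), not a trace of which requests chronyd actually issues, so this entry is best held until strace shows the request names and then expressed as a rule that matches argument 1 (libseccomp's `SCMP_A1` comparison) rather than the bare syscall. `writev` takes the same kind of arguments as the neighbouring `write`, so listing it unconditionally is consistent with the rest of the block; a short comment on why it became necessary would still help, since the audit line that motivated it will not travel with the patch.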
Re: [chrony-dev] Seccomp issue on Alpine linux
On Wed, May 31, 2023 at 04:54:09PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
> 2023-05-31T14:51:14Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
> -DEBUG)
> 2023-05-31T14:51:14Z Disabled control of system clock
> 2023-05-31T14:51:14Z World-readable permissions on
> /home/jvoisin/chrony/test/system/tmp/keys
> 2023-05-31T14:51:14Z Loaded 1 symmetric keys
> 2023-05-31T14:51:14Z Running with root privileges
> 2023-05-31T14:51:14Z Frequency 0.000 +/- 1.000 ppm read from
> /home/jvoisin/chrony/test/system/tmp/driftfile
> 2023-05-31T14:51:14Z Timezone right/UTC failed leap second check, ignoring
> 2023-05-31T14:51:14Z Loaded seccomp filter (level 1)
> alpine:/home/jvoisin/chrony/test/system#
> ```

The log is missing the "chronyd exiting" message. It might have
crashed due to seccomp filter. If you run "TEST_SCFILTER=1
./002-extended", do you see the offending syscall in the system log?

--
Miroslav Lichvar
Re: [chrony-dev] Seccomp issue on Alpine linux
On 31/05/2023 16:42, Miroslav Lichvar wrote:
> On Wed, May 31, 2023 at 04:28:51PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
>> 2023-05-31T14:28:33Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
>> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
>> -DEBUG)
>> 2023-05-31T14:28:33Z Wrong owner of /home/jvoisin/chrony/test/system/tmp
>> (GID != 0)
>> 2023-05-31T14:28:33Z Disabled command socket
>> /home/jvoisin/chrony/test/system/tmp/chronyd.sock
>
> It seems the tmp directory is being created with a different group than 0
> (root). Is it a wheel group?

yes, root is part of wheel:

```
alpine:/home/jvoisin/chrony/test/system# groups
root bin daemon sys adm disk wheel floppy dialout tape video
alpine:/home/jvoisin/chrony/test/system#
```

>
> Can you please try it again with this patch?
>
> diff --git a/test/system/test.common b/test/system/test.common
> index 7005c9e1..aa48ac67 100644
> --- a/test/system/test.common
> +++ b/test/system/test.common
> @@ -42,6 +42,8 @@ test_start() {
>      su "$user" -s /bin/sh -c "touch $TEST_DIR/test" 2> /dev/null
> || \
>        test_skip "$user cannot access $TEST_DIR"
>      rm "$TEST_DIR/test"
> +  else
> +    chown 0:0 "$TEST_DIR" || test_skip "could not chown $TEST_DIR"
>    fi
>
>    echo "Testing $*:"
>

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
non-default settings:
minimal_config=1
starting chronyd OK
stopping chronyd OK
checking chronyd messages OK
PASS
alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
Testing system call filter in non-destructive tests:
level -1:
001-minimal OK
002-extended BAD
FAIL
alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
2023-05-31T14:51:14Z chronyd version DEVELOPMENT starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6 -DEBUG)
2023-05-31T14:51:14Z Disabled control of system clock
2023-05-31T14:51:14Z World-readable permissions on /home/jvoisin/chrony/test/system/tmp/keys
2023-05-31T14:51:14Z Loaded 1 symmetric keys
2023-05-31T14:51:14Z Running with root privileges
2023-05-31T14:51:14Z Frequency 0.000 +/- 1.000 ppm read from /home/jvoisin/chrony/test/system/tmp/driftfile
2023-05-31T14:51:14Z Timezone right/UTC failed leap second check, ignoring
2023-05-31T14:51:14Z Loaded seccomp filter (level 1)
alpine:/home/jvoisin/chrony/test/system#
```
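Review bot: the `if` whose `else` branch the quoted test.common hunk adds lies outside the three lines of context, so a reader cannot see from the hunk alone that the `chown 0:0 "$TEST_DIR"` runs only in the case where no unprivileged `$user` is being set up; one more line of leading context, or a comment on the `else`, would make the intent self-evident. The chronyd.log that follows no longer carries the "Wrong owner ... (GID != 0)" line, so the ownership fix does what it set out to do and the remaining 002-extended failure is a separate issue.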
Re: [chrony-dev] Seccomp issue on Alpine linux
On Wed, May 31, 2023 at 04:28:51PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
> 2023-05-31T14:28:33Z chronyd version DEVELOPMENT starting (+CMDMON +NTP
> +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6
> -DEBUG)
> 2023-05-31T14:28:33Z Wrong owner of /home/jvoisin/chrony/test/system/tmp
> (GID != 0)
> 2023-05-31T14:28:33Z Disabled command socket
> /home/jvoisin/chrony/test/system/tmp/chronyd.sock

It seems the tmp directory is being created with a different group than 0
(root). Is it a wheel group?

Can you please try it again with this patch?

diff --git a/test/system/test.common b/test/system/test.common
index 7005c9e1..aa48ac67 100644
--- a/test/system/test.common
+++ b/test/system/test.common
@@ -42,6 +42,8 @@ test_start() {
     su "$user" -s /bin/sh -c "touch $TEST_DIR/test" 2> /dev/null || \
       test_skip "$user cannot access $TEST_DIR"
     rm "$TEST_DIR/test"
+  else
+    chown 0:0 "$TEST_DIR" || test_skip "could not chown $TEST_DIR"
   fi

   echo "Testing $*:"

--
Miroslav Lichvar
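Review bot: `chown 0:0 "$TEST_DIR" || test_skip "could not chown $TEST_DIR"` turns a failed chown into a skipped test rather than a failed one; the tests in this thread are run as root on a directory the suite itself created, so a chown that fails there points at an environment problem that a hard failure would surface, whereas a skip quietly reduces coverage of exactly the ownership check ("Wrong owner ... (GID != 0)") the hunk is meant to satisfy. Skipping is defensible only if the suite is expected to run on filesystems that refuse chown, in which case a comment saying so would help.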
Re: [chrony-dev] Seccomp issue on Alpine linux
On 31/05/2023 16:26, Miroslav Lichvar wrote:
> On Wed, May 31, 2023 at 04:22:09PM +0200, jvoisin wrote:
>> alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
>> Testing minimal configuration:
>> non-default settings:
>> minimal_config=1
>> starting chronyd OK
>> stopping chronyd OK
>> checking chronyd messages BAD
>> FAIL
>
> What do you see in tmp/chronyd.log after this test?
>

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
non-default settings:
minimal_config=1
starting chronyd OK
stopping chronyd OK
checking chronyd messages BAD
FAIL
alpine:/home/jvoisin/chrony/test/system# cat tmp/chronyd.log
2023-05-31T14:28:33Z chronyd version DEVELOPMENT starting (+CMDMON +NTP +REFCLOCK +RTC -PRIVDROP +SCFILTER +SIGND +ASYNCDNS -NTS -SECHASH +IPV6 -DEBUG)
2023-05-31T14:28:33Z Wrong owner of /home/jvoisin/chrony/test/system/tmp (GID != 0)
2023-05-31T14:28:33Z Disabled command socket /home/jvoisin/chrony/test/system/tmp/chronyd.sock
2023-05-31T14:28:33Z Disabled control of system clock
2023-05-31T14:28:33Z Running with root privileges
2023-05-31T14:28:33Z Loaded seccomp filter (level 1)
2023-05-31T14:28:33Z chronyd exiting
alpine:/home/jvoisin/chrony/test/system#
```
Re: [chrony-dev] Seccomp issue on Alpine linux
On Wed, May 31, 2023 at 04:22:09PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
> Testing minimal configuration:
> non-default settings:
> minimal_config=1
> starting chronyd OK
> stopping chronyd OK
> checking chronyd messages BAD
> FAIL

What do you see in tmp/chronyd.log after this test?

--
Miroslav Lichvar
Re: [chrony-dev] Seccomp issue on Alpine linux
> Try running the failing test as "TEST_SCFILTER=1 ./001-minimal" and see the
> failing syscall number in the system or audit log.

Unfortunately, Alpine uses busybox' ps:

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
non-default settings:
minimal_config=1
starting chronyd ps: unrecognized option: p
BusyBox v1.36.1 (2023-05-25 05:48:21 UTC) multi-call binary.

Usage: ps [-o COL1,COL2=HEADER] [-T]

Show list of processes

	-o COL1,COL2=HEADER	Select columns for display
	-T	Show threads
 ERROR
FAIL
stopping chronyd ERROR
alpine:/home/jvoisin/chrony/test/system#
```

This can be fixed with `apk add procps`.

```
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
non-default settings:
minimal_config=1
starting chronyd ERROR
FAIL
stopping chronyd ERROR
alpine:/home/jvoisin/chrony/test/system# dmesg | tail -n 2
[ 120.059165] audit: type=1326 audit(1685542342.126:5): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=2388 comm="chronyd" exe="/home/jvoisin/chrony/chronyd" sig=31 arch=c03e syscall=20 compat=0 ip=0x7fe0b3e4d306 code=0x0
alpine:/home/jvoisin/chrony/test/system# vim sys_linux.c
alpine:/home/jvoisin/chrony/test/system# git diff
diff --git a/sys_linux.c b/sys_linux.c
index c6cb453..04e3a86 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -603,6 +603,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
     SCMP_SYS(select),
     SCMP_SYS(set_robust_list),
     SCMP_SYS(write),
+    SCMP_SYS(writev),

     /* Miscellaneous */
     SCMP_SYS(getrandom),
alpine:/home/jvoisin/chrony/test/system# make
alpine:/home/jvoisin/chrony/test/system# cd test/system
alpine:/home/jvoisin/chrony/test/system# TEST_SCFILTER=1 ./001-minimal
Testing minimal configuration:
non-default settings:
minimal_config=1
starting chronyd OK
stopping chronyd OK
checking chronyd messages BAD
FAIL
alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
Testing system call filter in non-destructive tests:
level -1:
001-minimal BAD
FAIL
alpine:/home/jvoisin/chrony/test/system#
alpine:/home/jvoisin/chrony/test/system# ./199-scfilter
Testing system call filter in destructive tests:
level -1:
100-clockupdate BAD
FAIL
alpine:/home/jvoisin/chrony/test/system#
```

so there are some failings, but nothing more in the dmesg about seccomp violation.
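Review bot: the new `+    SCMP_SYS(writev),` carries no comment explaining why it is needed; the only evidence is the audit record a few lines up (sig=31, syscall=20, which is writev on x86_64), and that context does not travel with the patch. A one-line comment noting that this came from the Alpine (musl) report, where chronyd issued writev where the previously tested builds evidently did not, would spare the next reader the archaeology. The 001-minimal and 100-clockupdate failures that remain after this change come with no new seccomp audit line, as the message itself notes, so they are a different problem from this hunk and should not hold it up.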
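The debugging loop in this thread is done by hand: read the `type=1326` audit line out of dmesg, look up the syscall number, then (for ioctl) grep strace output to see which request the process actually makes. As an added example that is not chrony's code and not part of the thread, the Python below does the same mechanically for both the audit lines quoted in this message and in the later reply, and for the strace `ioctl(...)` lines further up the thread: it decodes the `arch`, `syscall` and `code` fields of a seccomp audit record into names, and it collects the distinct ioctl request names from strace output, which is the set a filter would match on argument 1 instead of allowing any ioctl, as jvoisin suggests. The syscall table is the x86_64 subset relevant here; the AUDIT_ARCH and SECCOMP_RET values are kernel ABI constants. The sample lines are constructed from the ones in the thread, with `arch` written out as `c000003e`, the full AUDIT_ARCH_X86_64 value the kernel prints.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Kernel ABI constants (include/uapi/linux/audit.h, include/uapi/linux/seccomp.h,
# arch/x86/entry/syscalls/syscall_64.tbl). Subsets, enough for this thread.
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000003: "i386", 0xC00000B7: "aarch64"}
SYSCALLS_X86_64 = {0: "read", 1: "write", 16: "ioctl", 20: "writev",
                   324: "membarrier", 334: "rseq"}
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_ACTIONS = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD",
                   0x00030000: "TRAP", 0x00050000: "ERRNO", 0x7FFC0000: "LOG"}

# One type=1326 (AUDIT_SECCOMP) record as dmesg prints it.
SECCOMP_RE = re.compile(
    r'type=1326\b.*?\bpid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'.*?\bsig=(?P<sig>\d+)\s+arch=(?P<arch>[0-9a-fA-F]+)'
    r'\s+syscall=(?P<nr>\d+).*?\bcode=0x(?P<code>[0-9a-fA-F]+)'
)
# An strace ioctl line; the request name is the second argument.
STRACE_IOCTL_RE = re.compile(r'\bioctl\(\d+,\s*(?P<req>[A-Z][A-Z0-9_]*)')


@dataclass(frozen=True)
class SeccompEvent:
    pid: int
    comm: str
    sig: int        # 31 is SIGSYS on x86_64
    arch: str
    syscall: str    # name when the table knows it, otherwise "nr<N>"
    action: str     # the filter's return action, taken from the code= field


def parse_seccomp_audit(line: str) -> Optional[SeccompEvent]:
    """Decode one audit/dmesg line; None if it is not a seccomp record."""
    m = SECCOMP_RE.search(line)
    if m is None:
        return None
    arch_val = int(m["arch"], 16)
    arch = AUDIT_ARCH.get(arch_val, f"unknown(0x{arch_val:x})")
    nr = int(m["nr"])
    # Only the x86_64 table is embedded; other arches report the raw number.
    name = SYSCALLS_X86_64.get(nr, f"nr{nr}") if arch == "x86_64" else f"nr{nr}"
    code = int(m["code"], 16) & SECCOMP_RET_ACTION_FULL
    action = SECCOMP_ACTIONS.get(code, f"unknown(0x{code:08x})")
    return SeccompEvent(int(m["pid"]), m["comm"], int(m["sig"]), arch, name, action)


def seccomp_events(lines) -> list:
    """All seccomp records in a dmesg/audit dump, in order."""
    return [e for e in map(parse_seccomp_audit, lines) if e is not None]


def ioctl_requests(strace_lines) -> list:
    """Distinct ioctl request names strace recorded, sorted."""
    return sorted({m["req"] for m in map(STRACE_IOCTL_RE.search, strace_lines) if m})


# Constructed sample input, modelled on the lines quoted in this thread
# (pids, addresses and timestamps copied; arch written out in full).
SAMPLE_AUDIT = [
    '[  120.059165] audit: type=1326 audit(1685542342.126:5): auid=4294967295 '
    'uid=0 gid=0 ses=4294967295 pid=2388 comm="chronyd" '
    'exe="/home/jvoisin/chrony/chronyd" sig=31 arch=c000003e syscall=20 '
    'compat=0 ip=0x7fe0b3e4d306 code=0x0',
    '[74805.395129] audit: type=1326 audit(1685617027.470:7): auid=4294967295 '
    'uid=0 gid=0 ses=4294967295 pid=4596 comm="chronyd" '
    'exe="/home/jvoisin/chrony/chronyd" sig=31 arch=c000003e syscall=16 '
    'compat=0 ip=0x7ff195e5ce76 code=0x0',
    # An ordinary SYSCALL record (type=1300): not a seccomp event, ignored.
    '[74805.400000] audit: type=1300 audit(1685617027.471:8): arch=c000003e '
    'syscall=16 success=no exit=-25',
]
SAMPLE_STRACE = [
    '[pid 11833] ioctl(3, TIOCGWINSZ, 0x7fffa01bec58) = -1 ENOTTY (Not a tty)',
    '[pid 11833] ioctl(5, TIOCGWINSZ, 0x7fffa01bec68) = -1 ENOTTY (Not a tty)',
    '[pid 135939] ioctl(6, TCGETS, 0x7ffcb332bd00) = -1 ENOTTY (Inappropriate ioctl for device)',
    '[pid 11833] open("/usr/lib/libseccomp.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3',
]

if __name__ == "__main__":
    for ev in seccomp_events(SAMPLE_AUDIT):
        print(f"{ev.comm}[{ev.pid}] {ev.action}: {ev.syscall} on {ev.arch} (sig {ev.sig})")
    print("ioctl requests seen:", ", ".join(ioctl_requests(SAMPLE_STRACE)))
```

In use you would feed `seccomp_events` the output of `dmesg` or the audit log and `ioctl_requests` the strace log written with `CHRONYD_WRAPPER="strace -f"`; the `action` field also matters because a filter deployed with a logging action instead of a kill shows up here as `LOG` rather than `KILL_THREAD`, which is how you would dry-run a tightened allow-list before enforcing it.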
Re: [chrony-dev] Seccomp issue on Alpine linux
On Mon, May 29, 2023 at 04:07:37PM +0200, jvoisin wrote:
> alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
> Testing system call filter in non-destructive tests:
> level -1:
> 001-minimal BAD
> FAIL
> alpine:/home/jvoisin/chrony/test/system#
> ```
>
> What would be the best way to find the root cause/blacklisted syscalls?

Try running the failing test as "TEST_SCFILTER=1 ./001-minimal" and see the
failing syscall number in the system or audit log.

Thanks,

--
Miroslav Lichvar
Re: [chrony-dev] Seccomp issue on Alpine linux
On 29/05/2023 09:16, Miroslav Lichvar wrote:
> On Sun, May 28, 2023 at 07:32:12PM +0200, jvoisin wrote:
>>> If you have extracted source code, can you please run these two tests
>>> to confirm there are no other seccomp failures on musl?
>>>
>>> # cd test/system
>>> # ./099-scfilter
>>> # ./199-scfilter
>>>
>>
>> I'd love to, but the latest master doesn't compile here:
>
> Compiling from git requires bison installed, or you can copy getdate.c
> from a released tarball.

It would be nice for `./configure` to check for this :/

Anyway, here are the results:

```
alpine:/home/jvoisin/chrony/test/system# ./199-scfilter
Testing system call filter in destructive tests:
level -1:
100-clockupdate BAD
FAIL
alpine:/home/jvoisin/chrony/test/system# ./099-scfilter
Testing system call filter in non-destructive tests:
level -1:
001-minimal BAD
FAIL
alpine:/home/jvoisin/chrony/test/system#
```

What would be the best way to find the root cause/blacklisted syscalls?
Re: [chrony-dev] Seccomp issue on Alpine linux
On Sun, May 28, 2023 at 07:32:12PM +0200, jvoisin wrote:
> > If you have extracted source code, can you please run these two tests
> > to confirm there are no other seccomp failures on musl?
> >
> > # cd test/system
> > # ./099-scfilter
> > # ./199-scfilter
> >
>
> I'd love to, but the latest master doesn't compile here:

Compiling from git requires bison installed, or you can copy getdate.c
from a released tarball.

--
Miroslav Lichvar
Re: [chrony-dev] Seccomp issue on Alpine linux
> If you have extracted source code, can you please run these two tests
> to confirm there are no other seccomp failures on musl?
>
> # cd test/system
> # ./099-scfilter
> # ./199-scfilter
>

I'd love to, but the latest master doesn't compile here:

```
$ make
[…]
gcc -O2 -g -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -Wmissing-prototypes -Wall -pthread -o chronyd array.o cmdparse.o conf.o local.o logging.o main.o memory.o quantiles.o reference.o regress.o rtc.o samplefilt.o sched.o socket.o sources.o sourcestats.o stubs.o smooth.o sys.o sys_null.o tempcomp.o util.o sys_generic.o sys_linux.o sys_timex.o sys_posix.o cmdmon.o manual.o pktlength.o ntp_auth.o ntp_core.o ntp_ext.o ntp_io.o ntp_sources.o addrfilt.o clientlog.o keys.o nameserv.o refclock.o refclock_phc.o refclock_pps.o refclock_shm.o refclock_sock.o nameserv_async.o hash_intmd5.o -pie -Wl,-z,relro,-z,now
gcc -O2 -g -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -Wmissing-prototypes -Wall -pthread -c client.c
make: *** No rule to make target 'getdate.c', needed by 'getdate.o'.  Stop.
$
```
Re: [chrony-dev] Seccomp issue on Alpine linux
On Sun, May 21, 2023 at 10:41:30PM +0200, jvoisin wrote:
> Hello,
>
> it seems that chrony's seccomp policy doesn't play nice with Alpine
> Linux, likely due to the fact that there is a call to `membarrier`
> somewhere that the latter does and that the former doesn't like.
>
> See https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/47087
> for details.

Thanks for the report. Does it work for you if you apply this patch?

--- a/sys_linux.c
+++ b/sys_linux.c
@@ -498,6 +498,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
     SCMP_SYS(getrlimit),
     SCMP_SYS(getuid),
     SCMP_SYS(getuid32),
+#ifdef __NR_membarrier
+    SCMP_SYS(membarrier),
+#endif
 #ifdef __NR_rseq
     SCMP_SYS(rseq),
 #endif

If you have extracted source code, can you please run these two tests
to confirm there are no other seccomp failures on musl?

# cd test/system
# ./099-scfilter
# ./199-scfilter

--
Miroslav Lichvar
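Review bot: the `#ifdef __NR_membarrier` guard around `SCMP_SYS(membarrier)` follows the `#ifdef __NR_rseq` entry directly below it, so the array still compiles against headers that predate the syscall; that is the right shape. What is missing is a one-line comment above the new entry recording which libc issues membarrier (the report points at Alpine, i.e. musl, and the glibc-tested builds never tripped over it), since that is the kind of entry someone will otherwise try to remove again as "unused". Given that the fix was proposed before the reporter ran anything, the `099-scfilter` and `199-scfilter` runs requested at the end of the message are the right gate before this goes in.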