diff options
author | Ambroz Bizjak <ambrop7@gmail.com> | 2017-04-02 20:29:30 +0200 |
---|---|---|
committer | Ambroz Bizjak <ambrop7@gmail.com> | 2017-04-02 21:44:06 +0200 |
commit | 35e0eea053d81f7aa933cd2747f43d3b4524c326 (patch) | |
tree | 985b3a7c5c4bd7e6cfcf476da06cedca471a7e95 /pkgs/tools/networking/ntp | |
parent | a77571399d71167bf16b4183090a6f7e203d7e0f (diff) | |
download | nixpkgs-35e0eea053d81f7aa933cd2747f43d3b4524c326.tar nixpkgs-35e0eea053d81f7aa933cd2747f43d3b4524c326.tar.gz nixpkgs-35e0eea053d81f7aa933cd2747f43d3b4524c326.tar.bz2 nixpkgs-35e0eea053d81f7aa933cd2747f43d3b4524c326.tar.lz nixpkgs-35e0eea053d81f7aa933cd2747f43d3b4524c326.tar.xz nixpkgs-35e0eea053d81f7aa933cd2747f43d3b4524c326.tar.zst nixpkgs-35e0eea053d81f7aa933cd2747f43d3b4524c326.zip |
ntpd: Allow additional syscalls in seccomp filter.
Fixes issue #21136. The problem is that the seccomp system call filter configured by ntpd did not include some system calls that were apparently needed. For example the program hanged in getpid just after the filter was installed: prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0 seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument) seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0 getpid() = ? I do not know exactly why this is a problem on NixOS only, perhaps we have getpid caching disabled. The fcntl and setsockopt system calls also had to be added.
Diffstat (limited to 'pkgs/tools/networking/ntp')
-rw-r--r-- | pkgs/tools/networking/ntp/default.nix | 4 | ||||
-rw-r--r-- | pkgs/tools/networking/ntp/seccomp.patch | 44 |
2 files changed, 48 insertions, 0 deletions
diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 64f4b9008b1..37078d39fe6 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -15,6 +15,10 @@ stdenv.mkDerivation rec { sha256 = "0whbyf82lrczbri4adbsa4hg1ppfa6c7qcj7nhjwdfp1g1vjh95p"; }; + # The hardcoded list of allowed system calls for seccomp is + # insufficient for NixOS, add more to make it work (issue #21136). + patches = [ ./seccomp.patch ]; + configureFlags = [ "--sysconfdir=/etc" "--localstatedir=/var" diff --git a/pkgs/tools/networking/ntp/seccomp.patch b/pkgs/tools/networking/ntp/seccomp.patch new file mode 100644 index 00000000000..28de2f01d07 --- /dev/null +++ b/pkgs/tools/networking/ntp/seccomp.patch @@ -0,0 +1,44 @@ +diff -urN ntp-4.2.8p10.orig/ntpd/ntpd.c ntp-4.2.8p10/ntpd/ntpd.c +--- ntp-4.2.8p10.orig/ntpd/ntpd.c 2017-04-02 20:21:17.371319663 +0200 ++++ ntp-4.2.8p10/ntpd/ntpd.c 2017-04-02 21:26:02.766178723 +0200 +@@ -1157,10 +1157,12 @@ + SCMP_SYS(close), + SCMP_SYS(connect), + SCMP_SYS(exit_group), ++ SCMP_SYS(fcntl), + SCMP_SYS(fstat), + SCMP_SYS(fsync), + SCMP_SYS(futex), + SCMP_SYS(getitimer), ++ SCMP_SYS(getpid), + SCMP_SYS(getsockname), + SCMP_SYS(ioctl), + SCMP_SYS(lseek), +@@ -1179,6 +1181,7 @@ + SCMP_SYS(sendto), + SCMP_SYS(setitimer), + SCMP_SYS(setsid), ++ SCMP_SYS(setsockopt), + SCMP_SYS(socket), + SCMP_SYS(stat), + SCMP_SYS(time), +@@ -1195,9 +1198,11 @@ + SCMP_SYS(clock_settime), + SCMP_SYS(close), + SCMP_SYS(exit_group), ++ SCMP_SYS(fcntl), + SCMP_SYS(fsync), + SCMP_SYS(futex), + SCMP_SYS(getitimer), ++ SCMP_SYS(getpid), + SCMP_SYS(madvise), + SCMP_SYS(mmap), + SCMP_SYS(mmap2), +@@ -1211,6 +1216,7 @@ + SCMP_SYS(select), + SCMP_SYS(setitimer), + SCMP_SYS(setsid), ++ SCMP_SYS(setsockopt), + SCMP_SYS(sigprocmask), + SCMP_SYS(sigreturn), + SCMP_SYS(socketcall), |