The Linux secure computing (seccomp) facility allows a process to install a filter in the kernel that will allow only specific system calls to be made. The process is killed when trying to make other system calls. This is useful to reduce the kernel attack surface and possibly prevent kernel exploits when the process is compromised. Use the libseccomp library to add rules and load the filter into the kernel. Keep a list of system calls that are always allowed after chronyd is initialized. Restrict arguments that may be passed to the socket(), setsockopt(), fcntl(), and ioctl() system calls. Arguments to socketcall(), which is used on some architectures as a multiplexer instead of separate socket system calls, are not restricted for now. The mailonchange directive is not allowed as it calls sendmail. Calls made by the libraries that chronyd uses have to be covered too. It's difficult to determine which system calls they need, as it may change after an upgrade and it may depend on their configuration (e.g. the resolver in libc). There are also differences between architectures. It can all break very easily and is therefore disabled by default. It can be enabled with the new -F option. This is based on a patch from Andrew Griffiths <agriffit@redhat.com>.
/*
|
|
chronyd/chronyc - Programs for keeping computer clocks accurate.
|
|
|
|
**********************************************************************
|
|
* Copyright (C) Richard P. Curnow 1997-2002
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of version 2 of the GNU General Public License as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
*
|
|
**********************************************************************
|
|
|
|
=======================================================================
|
|
|
|
This file contains all the conditionally compiled bits that pull
|
|
in the various operating-system specific modules
|
|
*/
|
|
|
|
#include "config.h"
|
|
|
|
#include "sysincl.h"
|
|
|
|
#include "sys.h"
|
|
#include "logging.h"
|
|
|
|
#if defined (LINUX)
|
|
#include "sys_linux.h"
|
|
#endif
|
|
|
|
#if defined (SOLARIS)
|
|
#include "sys_solaris.h"
|
|
#endif
|
|
|
|
#if defined (SUNOS)
|
|
#include "sys_sunos.h"
|
|
#endif
|
|
|
|
#if defined (NETBSD)
|
|
#include "sys_netbsd.h"
|
|
#endif
|
|
|
|
#if defined (MACOSX)
|
|
#include "sys_macosx.h"
|
|
#endif
|
/* ================================================== */
/* Run the operating-system specific initialisation for this build.  Each
   platform hook is compiled in only when the matching macro is defined, so on
   a build with none of them defined this function does nothing.  If several
   macros were defined at once the hooks would run in the order listed. */
void
SYS_Initialise(void)
{
#ifdef LINUX
  SYS_Linux_Initialise();
#endif

#ifdef SOLARIS
  SYS_Solaris_Initialise();
#endif

#ifdef SUNOS
  SYS_SunOS_Initialise();
#endif

#ifdef NETBSD
  SYS_NetBSD_Initialise();
#endif

#ifdef MACOSX
  SYS_MacOSX_Initialise();
#endif
}
/* ================================================== */
/* Run the operating-system specific shutdown for this build; the counterpart
   of SYS_Initialise().  As there, each hook is present only when its macro is
   defined, and a build with none defined makes this a no-op. */
void
SYS_Finalise(void)
{
#ifdef LINUX
  SYS_Linux_Finalise();
#endif

#ifdef SOLARIS
  SYS_Solaris_Finalise();
#endif

#ifdef SUNOS
  SYS_SunOS_Finalise();
#endif

#ifdef NETBSD
  SYS_NetBSD_Finalise();
#endif

#ifdef MACOSX
  SYS_MacOSX_Finalise();
#endif
}
/* ================================================== */
/* Give up root privileges by switching to the given uid and gid.  Only the
   Linux and NetBSD implementations exist, and only when FEAT_PRIVDROP was
   enabled at configure time.  Any other build aborts through LOG_FATAL, so a
   request to drop privileges can never silently leave the daemon running as
   root. */
void SYS_DropRoot(uid_t uid, gid_t gid)
{
#ifdef FEAT_PRIVDROP
#if defined(LINUX)
  SYS_Linux_DropRoot(uid, gid);
  return;
#elif defined(NETBSD)
  SYS_NetBSD_DropRoot(uid, gid);
  return;
#endif
#endif

  /* Only reached when no implementation above was compiled in */
  LOG_FATAL(LOGF_Sys, "dropping root privileges not supported");
}
/* ================================================== */
/* Install the system call (seccomp) filter.  This exists only on Linux builds
   configured with FEAT_SCFILTER; 'level' is handed to the Linux implementation
   unchanged and its meaning is defined there.  Every other build aborts
   through LOG_FATAL, so asking for the filter never silently yields an
   unfiltered process. */
void SYS_EnableSystemCallFilter(int level)
{
#ifdef LINUX
#ifdef FEAT_SCFILTER
  SYS_Linux_EnableSystemCallFilter(level);
  return;
#endif
#endif

  /* Only reached when the filter implementation was not compiled in */
  LOG_FATAL(LOGF_Sys, "system call filter not supported");
}
/* ================================================== */
/* Set the scheduling priority of the process.  Supported on Linux when
   sched_setscheduler() is available and on Mac OS X; 'SchedPriority' is
   passed through to the platform implementation, which interprets it.  Any
   other build aborts through LOG_FATAL instead of ignoring the request. */
void SYS_SetScheduler(int SchedPriority)
{
#if defined(LINUX) && defined(HAVE_SCHED_SETSCHEDULER)
  SYS_Linux_SetScheduler(SchedPriority);
  return;
#elif defined(MACOSX)
  SYS_MacOSX_SetScheduler(SchedPriority);
  return;
#endif

  /* Only reached when no implementation above was compiled in */
  LOG_FATAL(LOGF_Sys, "scheduler priority setting not supported");
}
/* ================================================== */
/* Lock the process memory so it cannot be paged out.  Only available on Linux
   builds where mlockall() was detected (HAVE_MLOCKALL); the argument 1 passed
   to the Linux helper presumably selects locking rather than unlocking --
   confirm against the helper's definition.  Any other build aborts through
   LOG_FATAL instead of ignoring the request. */
void SYS_LockMemory(void)
{
#ifdef LINUX
#ifdef HAVE_MLOCKALL
  SYS_Linux_MemLockAll(1);
  return;
#endif
#endif

  /* Only reached when the locking implementation was not compiled in */
  LOG_FATAL(LOGF_Sys, "memory locking not supported");
}
/* ================================================== */