
List:       nix-commits
Subject:    [Nix-commits] [NixOS/nixpkgs] 3069f7: ntpd: Allow additional syscalls in seccomp filter.
From:       Ambroz Bizjak <ambrop7 () gmail ! com>
Date:       2017-04-17 11:36:33
Message-ID: 58f4a8c1358f7_58583fa0b7b2fc2c1675d0 () hookshot-fe6-cp1-prd ! iad ! github ! net ! mail

Branch: refs/heads/release-17.03
  Home:   https://github.com/NixOS/nixpkgs
  Commit: 3069f721ece8156d0b41ac3b9b577f78e74b8eaa
      https://github.com/NixOS/nixpkgs/commit/3069f721ece8156d0b41ac3b9b577f78e74b8eaa
  Author: Ambroz Bizjak <ambrop7@gmail.com>
  Date:   2017-04-17 (Mon, 17 Apr 2017)

  Changed paths:
    M pkgs/tools/networking/ntp/default.nix
    A pkgs/tools/networking/ntp/seccomp.patch

  Log Message:
  -----------
  ntpd: Allow additional syscalls in seccomp filter.

Fixes issue #21136.

The problem is that the seccomp system call filter configured by ntpd did not
include some system calls that were apparently needed. For example the
program hung in getpid just after the filter was installed:

prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid()                                = ?

I do not know exactly why this is a problem on NixOS only, perhaps we have getpid
caching disabled.

The fcntl and setsockopt system calls also had to be added.

(cherry picked from commit 35e0eea053d81f7aa933cd2747f43d3b4524c326)




_______________________________________________
nix-commits mailing list
nix-commits@lists.science.uu.nl
https://mailman.science.uu.nl/mailman/listinfo/nix-commits
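The following is an added example, not code from the nixpkgs commit, from ntpd or from the seccomp.patch it adds. It reproduces the failure mode the commit message describes with a minimal raw seccomp-bpf allowlist: a forked child installs the filter and then calls getpid(); when getpid is missing from the allowlist the child is terminated with SIGSYS, which is what strace shows as "getpid() = ?". It assumes Linux on x86_64, aarch64 or i386, installs the filter with prctl(PR_SET_SECCOMP) rather than through libseccomp as ntpd does, and the syscall lists (base_allow, fixed_allow) and the probe itself are this example's own choices; the three syscalls added to fixed_allow are the ones named in the commit message.

```c
/* Added example: minimal seccomp-bpf allowlist reproducing ntpd's "killed in
 * getpid after the filter was installed" failure. Not part of the nixpkgs
 * commit or of ntpd. Linux only; raw prctl() instead of libseccomp. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Older uapi headers lack KILL_PROCESS; KILL (kill thread) is equivalent for a
 * single-threaded child. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#else
#error "unsupported architecture for this example"
#endif

/* Build one classic BPF instruction without relying on the header macros. */
static struct sock_filter insn(unsigned short code, unsigned char jt,
                               unsigned char jf, unsigned int k)
{
    struct sock_filter s = { code, jt, jf, k };
    return s;
}

/* Install an allowlist: every syscall number not in nrs[] kills the process.
 * The filter lives on the stack so nothing after prctl() needs malloc/free. */
static int install_allowlist(const int *nrs, size_t n)
{
    struct sock_filter f[32];
    size_t i = 0;
    if (4 + 2 * n + 1 > sizeof f / sizeof f[0]) return -1;
    /* Check the ABI first so a foreign-arch syscall number cannot alias an allowed one. */
    f[i++] = insn(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    f[i++] = insn(BPF_JMP | BPF_JEQ | BPF_K, 1, 0, ARCH_NR); /* match: skip the kill */
    f[i++] = insn(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL_PROCESS);
    f[i++] = insn(BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        f[i++] = insn(BPF_JMP | BPF_JEQ | BPF_K, 0, 1, (unsigned)nrs[k]); /* no match: skip ALLOW */
        f[i++] = insn(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);
    }
    f[i++] = insn(BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL_PROCESS); /* default: kill */
    struct sock_fprog prog = { .len = (unsigned short)i, .filter = f };
    /* no_new_privs is required to install a filter without CAP_SYS_ADMIN
     * (the same prctl ntpd issues just before its seccomp() call). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run getpid() under the given allowlist in a child.
 * Returns 1 if the child ran to completion, 0 if seccomp killed it with SIGSYS,
 * -1 if seccomp filtering is unavailable here, -2 on any other failure. */
static int probe_with_filter(const int *nrs, size_t n)
{
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        if (install_allowlist(nrs, n) != 0) _exit(2);
        (void)getpid();   /* the call that killed ntpd on NixOS */
        _exit(0);         /* exit_group, which every list below allows */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -2;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 0;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2) return -1;
    return -2;
}

/* Constructed lists: the bare minimum to terminate, and that plus the three
 * syscalls the commit message says had to be added (getpid, fcntl, setsockopt). */
static const int base_allow[]  = { SYS_exit_group, SYS_exit };
static const int fixed_allow[] = { SYS_exit_group, SYS_exit, SYS_getpid, SYS_fcntl, SYS_setsockopt };

int probe_without_getpid(void) { return probe_with_filter(base_allow, sizeof base_allow / sizeof base_allow[0]); }
int probe_with_getpid(void)    { return probe_with_filter(fixed_allow, sizeof fixed_allow / sizeof fixed_allow[0]); }

int main(void)
{
    printf("getpid not allowed: %d (0 = killed by SIGSYS)\n", probe_without_getpid());
    printf("getpid allowed:     %d (1 = ran to completion)\n", probe_with_getpid());
    return 0;
}
```

A process killed this way shows up in strace as a syscall with no return value and in the parent as termination by SIGSYS; that signature, rather than a hang, is what to look for when a seccomp-confined daemon such as ntpd stops right after installing its filter. Building the filter from a default-kill allowlist, as above, is what makes an omitted syscall fatal, so any libc-version or distribution difference in which syscalls are actually issued (the commit speculates about getpid caching) surfaces as a crash rather than a silent degradation.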


