On Mon, 2016-01-18 at 14:15 +0100, Miroslav Lichvar wrote:
> On Mon, Jan 18, 2016 at 11:02:44AM +0100, Nikos Mavrogiannopoulos wrote:
> > As Florian suggested, it makes more sense to compartmentalize chrony so that only a small, controlled part of it needs to run with seccomp. My recommendation: if you want to use libraries in the filtered code, make their authors aware of that, so that they document any changes in the system calls used, and if possible ask them to document the existing system calls used (e.g., similarly to: http://www.gnutls.org/manual/html_node/Running-in-a-sandbox.html)
> chronyd doesn't use libc for much more than that. There is memory allocation, reading/writing the system clock, reading/writing/moving files, creating/connecting/binding sockets, receiving/sending packets, and select(). Name resolving is now out of the filter. The only other library that's currently used after the seccomp filter is loaded is freebl3 from NSS.
> I guess some of that could be moved to the helper process. If only the most dangerous code (whatever that is) should run with seccomp, I'm not sure if there is a layer where a clean, small cut could be made. I suspect the interface between the two processes would be huge and it would bloat the code significantly.
If you have complex structures to be transferred, you may want to rely on something automated to serialize/deserialize requests. That will increase the code, but reduce the complexity. I've used protocol buffers over unix sockets for that exact reason and I'm pretty happy with it.
regards, Nikos
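An added illustration (not chrony's code, and not part of this thread) of the allowlist Miroslav describes: a cBPF seccomp filter that permits only the syscall categories listed above (memory, clock, files, sockets, packets, select, exit) and kills the process on anything else, with name resolution left to the helper process. The exact syscall list and the x86_64 ARCH_NR are assumptions; a small interpreter lets the policy be checked without loading it.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#define ARCH_NR AUDIT_ARCH_X86_64 /* assumption: x86_64 build; use the target's AUDIT_ARCH_* */
#define STMT(code, k) ((struct sock_filter)BPF_STMT(code, k))
#define JEQ(k, jt, jf) ((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, jt, jf))

/* Constructed allowlist for the categories named in the thread; name resolution is deliberately absent. */
static const int allowed[] = { SYS_read, SYS_write, SYS_brk, SYS_mmap, SYS_munmap,
    SYS_clock_gettime, SYS_adjtimex, SYS_openat, SYS_close, SYS_renameat, SYS_socket,
    SYS_bind, SYS_connect, SYS_sendto, SYS_recvfrom, SYS_pselect6, SYS_exit_group };
#define NALLOWED ((int)(sizeof(allowed) / sizeof(allowed[0])))
static struct sock_filter insns[2 * NALLOWED + 5];

/* Check the ABI first (syscall numbers differ per arch), then match nr; anything else kills the process. */
static struct sock_fprog build_filter(void) {
    int i = 0;
    insns[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    insns[i++] = JEQ(ARCH_NR, 1, 0);
    insns[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    insns[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (int j = 0; j < NALLOWED; j++) {
        insns[i++] = JEQ(allowed[j], 0, 1);
        insns[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    insns[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return (struct sock_fprog){ .len = (unsigned short)i, .filter = insns };
}

/* Tiny interpreter for the three cBPF opcodes used above, so the policy can be tested without loading it. */
static unsigned int policy_for(unsigned int arch, unsigned int nr) {
    struct sock_fprog p = build_filter();
    for (unsigned int pc = 0, acc = 0; pc < p.len; pc++) {
        const struct sock_filter *f = &p.filter[pc];
        if (f->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (f->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
        else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == f->k) ? f->jt : f->jf; /* cBPF jump offsets are relative to pc + 1 */
        else if (f->code == (BPF_RET | BPF_K))
            return f->k;
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Real install: NO_NEW_PRIVS lets an unprivileged process load the filter; once loaded it cannot be removed. */
static int install_filter(void) {
    struct sock_fprog prog = build_filter();
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

After install_filter() succeeds, anything the sandboxed part needs beyond this list (getaddrinfo() and its friends, for instance) has to be requested from the helper over the socket instead.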