Odds and ends...
hmurray at megapathdsl.net
Mon Jul 18 02:09:50 UTC 2016
There is some ugly code in ntp_loopfilter that's setting up a signal handler
in case ntp_adjtime doesn't work. It's the sort of stuff Eric loves to rip
I can't figure out why that code would be useful. I expect we should figure
that out at build time.
I've commented it out. It's still working on all of the systems I have
If it blows up for you, please tell us what type of system you are running on.
Does anybody have any experience with seccomp? How useful is it?
I think it's Linux only. The idea is to tell the kernel what system calls the program uses so that if a bad guy finds something like a stack overflow, the program will die if his exploit uses any other syscall.
We inherited code from ntp classic, but it didn't work. I poked around. It needs a library. I've got it working on Intel. It builds on ARM, but gets an Invalid argument error at runtime.
I've pushed two configure time options that let us test seccomp. The catch is that it's not simple to figure out which syscalls are actually used. A lot of that stuff is hidden in libc and friends. I've been adding them as I discover them. It's working on all the systems I can test on.
turns on that code.
Testing encouraged. If it crashes for you, please run it from gdb and send me a backtrace.
DNS lookup uses a blizzard of syscalls, many involved with threads. Normally, the DNS helper thread gets started before seccomp is activated. That makes it hard to test the syscalls needed by pthread_create. You have to wait for the thread to time out and then for the pool logic to try again which starts a new thread.
does the drop root before reading the config file. That turns on seccomp early enough to catch creating the first DNS helper thread. User ntp has to be able to access refclocks and append to existing log/stats files which may be owned by root. That's probably a good idea anyway.
There are two known cases where early drop root doesn't work. One is on NetBSD. Opening sockets doesn't work. I haven't checked carefully. I assume it's checking for port numbers less than 1024 or such.
The other is SHM. It can't access the first two slots. That can be fixed, but I don't know of a quick workaround.
These are my opinions. I hate spam.
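The mechanism the post describes (tell the kernel which syscalls the program uses, and have it kill the process on any other one) as a small worked example. This is added example code, not NTPsec's seccomp code; it builds a raw seccomp-bpf allow-list with no library dependency, installs it in a forked child, and reports whether the child survived. The syscall list, the AUDIT_ARCH selection and the helper names `install_allowlist` and `run_under_allowlist` are this example's own choices; a real daemon's list is far longer, which is exactly the discovery problem the post mentions.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* Syscall numbers differ per architecture, so the filter must check the
 * architecture first; a list built for one arch loaded on another is the
 * kind of thing that surfaces as EINVAL or spurious kills. */
#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define FILTER_ARCH AUDIT_ARCH_I386
#elif defined(__arm__)
#  define FILTER_ARCH AUDIT_ARCH_ARM
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* If the loaded syscall number equals nr, return ALLOW; otherwise skip over
 * the ALLOW and keep comparing. */
#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install an allow-list filter on the calling thread. Returns 0 on success,
 * -1 if the kernel (or a sandbox we are already inside) refuses it. */
static int install_allowlist(void)
{
    struct sock_filter filter[] = {
        /* Kill if the architecture is not the one this filter was built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number and compare against the allow-list
         * (constructed for this example; a daemon needs many more). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(__NR_getpid),
        ALLOW_SYSCALL(__NR_write),
        ALLOW_SYSCALL(__NR_exit_group),
        ALLOW_SYSCALL(__NR_exit),
        /* Everything else: the kernel kills the process with SIGSYS. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Outcomes reported by run_under_allowlist(). */
enum { RUN_ALLOWED = 0, RUN_KILLED_SIGSYS = 1, RUN_FILTER_UNAVAILABLE = -1, RUN_OTHER = -2 };

/* Fork, install the filter in the child, then make one raw syscall: getpid
 * (on the list) or uname (not on the list). Only raw syscall() calls are made
 * after installation, because a libc wrapper may issue extra syscalls. */
int run_under_allowlist(int use_forbidden_syscall)
{
    pid_t pid = fork();
    if (pid < 0)
        return RUN_OTHER;
    if (pid == 0) {
        if (install_allowlist() != 0)
            syscall(__NR_exit_group, 2);   /* report: filter could not be installed */
        if (use_forbidden_syscall) {
            struct utsname u;
            syscall(__NR_uname, &u);       /* not allowed: process dies here */
        } else {
            syscall(__NR_getpid);          /* allowed */
        }
        syscall(__NR_exit_group, 0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return RUN_OTHER;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return RUN_KILLED_SIGSYS;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return RUN_ALLOWED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2)
        return RUN_FILTER_UNAVAILABLE;
    return RUN_OTHER;
}

int main(void)
{
    printf("allowed syscall path:   %d\n", run_under_allowlist(0));
    printf("forbidden syscall path: %d\n", run_under_allowlist(1));
    return 0;
}
```

Two points the post raises show up directly in this code. First, the filter only covers the thread that installs it and threads created afterwards, which is why the post wants seccomp turned on before the first DNS helper thread exists: a thread started earlier is not covered, and its syscalls are never exercised against the list. Second, the default action here is SECCOMP_RET_KILL, so discovering a missing syscall means a dead process and a backtrace, as the post asks for; while building the list, SECCOMP_RET_TRAP with a SIGSYS handler that reads si_syscall from the siginfo is a more convenient way to log which syscall was missing. Linux only, as the post says.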