Should we dump seccomp?

Hal Murray hmurray at megapathdsl.net
Mon May 8 22:12:50 UTC 2017


In case anybody isn't familiar with this area...  The idea is to tell the 
system that this program will only use a specified list of system calls.  If 
a bad guy finds something like a stack overflow, their evil code can only use 
those calls.  Seems like a useful tool to add to the collection.

It's Linux only.  apropos seccomp has details.  We only use seccomp_init, 
seccomp_rule_add, and seccomp_load.

The problem is that there is no simple way to translate a POSIX call to a 
kernel call.  There is libc and friends between what ntpd does and the actual 
system calls.  Sometimes, that's simple.  Sometimes it's complicated.  If 
varies between distros and releases.

The current list is collected by trial and error.  When I found a syscall 
that was legitimately used, I added it to the list.  For any given system, 
there are probably some calls allowed that are not used.

There may be edge cases that just haven't been tested yet - either new 
versions of libc or corners of the code on familiar systems.  For an example, 
see issue #275.

It seems unlikely to me that this will ever converge.  Most of the time it is 
easy to fix.

On the other hand, maybe it is a useful tool.  We can probably get it working 
well enough for any distro with a significant number of users/testers.

There are 2 chunks of code that account for a lot of the problems.  If 
somebody is looking for more security, we could run with fewer syscalls 
enabled by disabling some features.

One is DNS lookup.  We could trim the list if we disabled DNS lookups, or did 
them early.  This would mean no support for the pool command in ntp.conf.  
But it would be reasonable for a low stratum carefully managed server.

The other area is interfaces coming and going.  This is normal for a laptop 
using wifi which goes to sleep with one IP Address and gets a new one when it 
wakes up in a new location.  I think Fedora and/or Debian restart ntpd in 
that case, but that shouldn't be necessary.

It also happens if you unplug an ethernet cable, and presumable if the switch 
gets power cycled.  I think we should be able to fix this, probably as part 
of a great interface cleanup.

In case it isn't obvious, I think this is pretty far down in the weeds. 

>From unplugging and replugging an ethernet cable:

 8 May 14:47:22 ntpd[28281]: Deleting interface #3 eth0, 192.168.1.30#123, 
interface stats: received=45188, sent=45289, dropped=0, active_time=217285 
secs
 8 May 14:47:22 ntpd[28281]: Deleting interface #5 eth0, 
fe80::21d:72ff:feb3:a5d2%2#123, interface stats: received=8816, sent=8816, 
dropped=0, active_time=217285 secs
 8 May 14:47:22 ntpd[28281]: fe80::226:2dff:fe20:30%2 local addr 
fe80::21d:72ff:feb3:a5d2%2 -> <null>
 8 May 14:47:22 ntpd[28281]: fe80::21e:c9ff:fe46:dc31%2 local addr 
fe80::21d:72ff:feb3:a5d2%2 -> <null>

 8 May 14:47:35 ntpd[28281]: Listen normally on 6 eth0 192.168.1.30:123
 8 May 14:47:35 ntpd[28281]: Listen normally on 7 eth0 
[fe80::21d:72ff:feb3:a5d2%2]:123



-- 
These are my opinions.  I hate spam.





More information about the devel mailing list