Is it time to drop seccomp?

Richard Laager rlaager at wiktel.com
Fri Feb 15 01:02:48 UTC 2019


On 2/13/19 11:44 AM, Achim Gratz via devel wrote:
> Richard Laager via devel writes:
>> FWIW, I don't enable seccomp in the Debian package. It seems like a lot
>> of risk of breakage. We have an Apparmor policy, from Novell/SUSE by way
>> of Ubuntu for the ntp (NTP Classic) package.
> 
> Just a word of caution: this AppArmor policy is geared towards an NTP
> client and you will need to do some (poorly documented) configuration
> changes when configuring a server so the daemon can get at the device
> files for the refclock.

Indeed, a couple changes can be necessary. README.Debian has these bits:

If your ntpd configuration needs access to a device (e.g. a local DCF
clock), you need to add this device to: /etc/apparmor.d/tunables/ntpd

For use with clocks that report via shared memory (e.g. gpsd), you may
need to give ntpd access to all of shared memory, though this can be
considered dangerous.  See https://launchpad.net/bugs/722815 for
details.  To enable, add this to /etc/apparmor.d/local/usr.sbin.ntpd:
    capability ipc_owner,

-- 
Richard
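
The two README.Debian adjustments above (a refclock device path in the
tunables file, and the ipc_owner capability in the local include for
shared-memory refclocks) can be applied with a small script. The one below
is an added example, not part of the mail above nor of the Debian ntp
package. It assumes the profile layout of the Ubuntu/Debian ntpd policy
(tunables/ntpd defines an @{NTPD_DEVICE} variable that the main profile
grants rw on, and local/usr.sbin.ntpd is included at the end of the
profile); the APPARMOR_D override and the command names are this example's
own conventions. Both edits are idempotent, so re-running does not pile up
duplicate lines.

```shell
#!/bin/sh
# Added example for the README.Debian steps quoted above; not from the
# mailing-list post or the Debian ntp package.
# Assumptions (not stated on the page):
#   - tunables/ntpd assigns @{NTPD_DEVICE}, which the profile grants rw on
#   - local/usr.sbin.ntpd is #included by the profile, so rules appended
#     there take effect after a reload
#   - APPARMOR_D can be pointed at a scratch copy of /etc/apparmor.d for
#     a dry run without root
set -eu

APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"

# Append one AppArmor rule to the local include, only if it is not there yet.
add_local_rule() {
    rule="$1"
    inc="$APPARMOR_D/local/usr.sbin.ntpd"
    mkdir -p "${inc%/*}"
    [ -e "$inc" ] || : > "$inc"
    if ! grep -qF -- "$rule" "$inc"; then
        printf '  %s\n' "$rule" >> "$inc"
    fi
}

# Point @{NTPD_DEVICE} at the refclock device, replacing any earlier
# assignment so the variable is defined exactly once.
set_ntpd_device() {
    dev="$1"
    tun="$APPARMOR_D/tunables/ntpd"
    mkdir -p "${tun%/*}"
    [ -e "$tun" ] || : > "$tun"
    tmp="$tun.tmp.$$"
    grep -v '^@{NTPD_DEVICE}=' "$tun" > "$tmp" || true
    printf '@{NTPD_DEVICE}="%s"\n' "$dev" >> "$tmp"
    mv "$tmp" "$tun"
}

# Reload the ntpd profile so the edits are enforced; skipped when the
# parser or the profile is absent (e.g. a dry run against a scratch dir).
reload_profile() {
    prof="$APPARMOR_D/usr.sbin.ntpd"
    if command -v apparmor_parser >/dev/null 2>&1 && [ -f "$prof" ]; then
        apparmor_parser -r "$prof"
    else
        echo "not reloaded: apparmor_parser or $prof missing" >&2
    fi
}

# Command-line entry point; with no arguments only the functions are defined.
case "${1:-}" in
    device) set_ntpd_device "${2:?usage: $0 device /dev/ttyXX}"; reload_profile ;;
    shm)    add_local_rule 'capability ipc_owner,'; reload_profile ;;
    "")     ;;
    *)      echo "usage: $0 device /dev/ttyXX | $0 shm" >&2; exit 2 ;;
esac
```

Run `script device /dev/ttyS0` for a serial refclock and `script shm` for a
gpsd-style shared-memory refclock. Note what `shm` hands out: `capability
ipc_owner` bypasses ownership checks on all System V IPC objects, not just
the NTP shared-memory segments, which is why the README calls it dangerous;
grant it only on hosts that actually run a shared-memory refclock.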

