[ntpsec commit] Refactor ntpd.c, separating privilege containment into ntp_sandbox.c.
Eric S. Raymond
esr at ntpsec.org
Tue Oct 20 07:16:20 UTC 2015
Module: ntpsec
Branch: master
Commit: 0b4486b13a06d590e52422b9fd7b39cda824c8f6
Changeset: http://git.ntpsec.org/ntpsec/commit/?id=0b4486b13a06d590e52422b9fd7b39cda824c8f6
Author: Eric S. Raymond <esr at thyrsus.com>
Date: Tue Oct 20 03:15:31 2015 -0400
Refactor ntpd.c, separating privilege containment into ntp_sandbox.c.
---
ntpd/ntp_sandbox.c | 341 +++++++++++++++++++++++++++++++++++++++++++++++++++++
ntpd/ntpd.c | 324 ++------------------------------------------------
ntpd/wscript | 1 +
3 files changed, 350 insertions(+), 316 deletions(-)
diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
new file mode 100644
index 0000000..ec609b0
--- /dev/null
+++ b/ntpd/ntp_sandbox.c
@@ -0,0 +1,341 @@
+/*
+ * ntp_sandbox.c - privilege containment for the NTP daemon
+ *
+ * SPDX-License-Identifier: BSD-2-clause
+ */
+
+#include <stdio.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <config.h>
+
+#ifdef ENABLE_DROPROOT
+# include <ctype.h>
+# include <grp.h>
+# include <pwd.h>
+# ifdef HAVE_LINUX_CAPABILITY
+# include <sys/capability.h>
+# include <sys/prctl.h>
+# endif /* HAVE_LINUX_CAPABILITY */
+# if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
+# include <priv.h>
+# endif /* HAVE_PRIV_H */
+#endif /* ENABLE_DROPROOT */
+
+#ifdef HAVE_SOLARIS_PRIVS
+# define LOWPRIVS "basic,sys_time,net_privaddr,proc_setid,!proc_info,!proc_session,!proc_exec"
+static priv_set_t *lowprivs = NULL;
+static priv_set_t *highprivs = NULL;
+#endif /* HAVE_SOLARIS_PRIVS */
+
+#ifdef HAVE_LINUX_SECCOMP_H
+# include <linux/seccomp.h>
+# include <linux/filter.h>
+# include <linux/audit.h>
+#endif /* HAVE_LINUX_SECCOMP_H */
+
+#ifdef ENABLE_DROPROOT
+bool root_dropped;
+uid_t sw_uid;
+gid_t sw_gid;
+char *endp;
+struct group *gr;
+struct passwd *pw;
+#endif /* ENABLE_DROPROOT */
+
+#include "ntp_syslog.h"
+#include "ntp_stdlib.h"
+
+bool sandbox(const bool droproot,
+ const char *user, const char *group,
+ const char *chrootdir)
+{
+ bool nonroot = false;
+# ifdef ENABLE_DROPROOT
+ if (droproot) {
+ /* Drop super-user privileges and chroot now if the OS supports this */
+
+# ifdef HAVE_LINUX_CAPABILITY
+ /* set flag: keep privileges accross setuid() call (we only really need cap_sys_time): */
+ if (prctl( PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L ) == -1) {
+ msyslog( LOG_ERR, "prctl( PR_SET_KEEPCAPS, 1L ) failed: %m" );
+ exit(-1);
+ }
+# elif HAVE_SOLARIS_PRIVS
+ /* Nothing to do here */
+# else
+ /* we need a user to switch to */
+ if (user == NULL) {
+ msyslog(LOG_ERR, "Need user name to drop root privileges (see -u flag!)" );
+ exit(-1);
+ }
+# endif /* HAVE_LINUX_CAPABILITY || HAVE_SOLARIS_PRIVS */
+
+ if (user != NULL) {
+ if (isdigit((unsigned char)*user)) {
+ sw_uid = (uid_t)strtoul(user, &endp, 0);
+ if (*endp != '\0')
+ goto getuser;
+
+ if ((pw = getpwuid(sw_uid)) != NULL) {
+ free((void *)user);
+ user = estrdup(pw->pw_name);
+ sw_gid = pw->pw_gid;
+ } else {
+ errno = 0;
+ msyslog(LOG_ERR, "Cannot find user ID %s", user);
+ exit (-1);
+ }
+
+ } else {
+getuser:
+ errno = 0;
+ if ((pw = getpwnam(user)) != NULL) {
+ sw_uid = pw->pw_uid;
+ sw_gid = pw->pw_gid;
+ } else {
+ if (errno)
+ msyslog(LOG_ERR, "getpwnam(%s) failed: %m", user);
+ else
+ msyslog(LOG_ERR, "Cannot find user `%s'", user);
+ exit (-1);
+ }
+ }
+ }
+ if (group != NULL) {
+ if (isdigit((unsigned char)*group)) {
+ sw_gid = (gid_t)strtoul(group, &endp, 0);
+ if (*endp != '\0')
+ goto getgroup;
+ } else {
+getgroup:
+ if ((gr = getgrnam(group)) != NULL) {
+ sw_gid = gr->gr_gid;
+ } else {
+ errno = 0;
+ msyslog(LOG_ERR, "Cannot find group `%s'", group);
+ exit (-1);
+ }
+ }
+ }
+
+ if (chrootdir ) {
+ /* make sure cwd is inside the jail: */
+ if (chdir(chrootdir)) {
+ msyslog(LOG_ERR, "Cannot chdir() to `%s': %m", chrootdir);
+ exit (-1);
+ }
+ if (chroot(chrootdir)) {
+ msyslog(LOG_ERR, "Cannot chroot() to `%s': %m", chrootdir);
+ exit (-1);
+ }
+ if (chdir("/")) {
+ msyslog(LOG_ERR, "Cannot chdir() to`root after chroot(): %m");
+ exit (-1);
+ }
+ }
+# ifdef HAVE_SOLARIS_PRIVS
+ if ((lowprivs = priv_str_to_set(LOWPRIVS, ",", NULL)) == NULL) {
+ msyslog(LOG_ERR, "priv_str_to_set() failed:%m");
+ exit(-1);
+ }
+ if ((highprivs = priv_allocset()) == NULL) {
+ msyslog(LOG_ERR, "priv_allocset() failed:%m");
+ exit(-1);
+ }
+ (void) getppriv(PRIV_PERMITTED, highprivs);
+ (void) priv_intersect(highprivs, lowprivs);
+ if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) {
+ msyslog(LOG_ERR, "setppriv() failed:%m");
+ exit(-1);
+ }
+# endif /* HAVE_SOLARIS_PRIVS */
+ if (user && initgroups(user, sw_gid)) {
+ msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user);
+ exit (-1);
+ }
+ if (group && setgid(sw_gid)) {
+ msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group);
+ exit (-1);
+ }
+ if (group && setegid(sw_gid)) {
+ msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group);
+ exit (-1);
+ }
+ if (group)
+ setgroups(1, &sw_gid);
+ else
+ initgroups(pw->pw_name, pw->pw_gid);
+ if (user && setuid(sw_uid)) {
+ msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user);
+ exit (-1);
+ }
+ if (user && seteuid(sw_uid)) {
+ msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user);
+ exit (-1);
+ }
+
+# if !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS)
+ /*
+ * for now assume that the privilege to bind to privileged ports
+ * is associated with running with uid 0 - should be refined on
+ * ports that allow binding to NTP_PORT with uid != 0
+ */
+ nonroot |= (sw_uid != 0); /* also notifies routing message listener */
+# endif /* !HAVE_LINUX_CAPABILITY && !HAVE_SOLARIS_PRIVS */
+
+# ifdef HAVE_LINUX_CAPABILITY
+ {
+ /*
+ * We may be running under non-root uid now, but we still hold full root privileges!
+ * We drop all of them, except for the crucial one or two: cap_sys_time and
+ * cap_net_bind_service if doing dynamic interface tracking.
+ */
+ cap_t caps;
+ char *captext;
+
+ captext = (0 != interface_interval)
+ ? "cap_sys_time,cap_net_bind_service=pe"
+ : "cap_sys_time=pe";
+ caps = cap_from_text(captext);
+ if (!caps) {
+ msyslog(LOG_ERR,
+ "cap_from_text(%s) failed: %m",
+ captext);
+ exit(-1);
+ }
+ if (-1 == cap_set_proc(caps)) {
+ msyslog(LOG_ERR,
+ "cap_set_proc() failed to drop root privs: %m");
+ exit(-1);
+ }
+ cap_free(caps);
+ }
+# endif /* HAVE_LINUX_CAPABILITY */
+# ifdef HAVE_SOLARIS_PRIVS
+ if (priv_delset(lowprivs, "proc_setid") == -1) {
+ msyslog(LOG_ERR, "priv_delset() failed:%m");
+ exit(-1);
+ }
+ if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) {
+ msyslog(LOG_ERR, "setppriv() failed:%m");
+ exit(-1);
+ }
+ priv_freeset(lowprivs);
+ priv_freeset(highprivs);
+# endif /* HAVE_SOLARIS_PRIVS */
+ root_dropped = true;
+ } /* if (droproot) */
+# endif /* ENABLE_DROPROOT */
+
+/* libssecomp sandboxing */
+#if defined(HAVE_LINUX_SECCOMP_H) && (defined(__x86_64__) || defined(__i386__))
+ scmp_filter_ctx ctx;
+
+ if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)
+ msyslog(LOG_ERR, "%s: seccomp_init(SCMP_ACT_KILL) failed: %m", __func__);
+ else {
+ msyslog(LOG_DEBUG, "%s: seccomp_init(SCMP_ACT_KILL) succeeded", __func__);
+ }
+
+#ifdef __x86_64__
+int scmp_sc[] = {
+ SCMP_SYS(adjtimex),
+ SCMP_SYS(bind),
+ SCMP_SYS(brk),
+ SCMP_SYS(chdir),
+ SCMP_SYS(clock_gettime),
+ SCMP_SYS(clock_settime),
+ SCMP_SYS(close),
+ SCMP_SYS(connect),
+ SCMP_SYS(exit_group),
+ SCMP_SYS(fstat),
+ SCMP_SYS(fsync),
+ SCMP_SYS(futex),
+ SCMP_SYS(getitimer),
+ SCMP_SYS(getsockname),
+ SCMP_SYS(ioctl),
+ SCMP_SYS(lseek),
+ SCMP_SYS(madvise),
+ SCMP_SYS(mmap),
+ SCMP_SYS(munmap),
+ SCMP_SYS(open),
+ SCMP_SYS(poll),
+ SCMP_SYS(read),
+ SCMP_SYS(recvmsg),
+ SCMP_SYS(rename),
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigprocmask),
+ SCMP_SYS(rt_sigreturn),
+ SCMP_SYS(select),
+ SCMP_SYS(sendto),
+ SCMP_SYS(setitimer),
+ SCMP_SYS(setsid),
+ SCMP_SYS(socket),
+ SCMP_SYS(stat),
+ SCMP_SYS(time),
+ SCMP_SYS(write),
+};
+#endif
+#ifdef __i386__
+int scmp_sc[] = {
+ SCMP_SYS(_newselect),
+ SCMP_SYS(adjtimex),
+ SCMP_SYS(brk),
+ SCMP_SYS(chdir),
+ SCMP_SYS(clock_gettime),
+ SCMP_SYS(clock_settime),
+ SCMP_SYS(close),
+ SCMP_SYS(exit_group),
+ SCMP_SYS(fsync),
+ SCMP_SYS(futex),
+ SCMP_SYS(getitimer),
+ SCMP_SYS(madvise),
+ SCMP_SYS(mmap),
+ SCMP_SYS(mmap2),
+ SCMP_SYS(munmap),
+ SCMP_SYS(open),
+ SCMP_SYS(poll),
+ SCMP_SYS(read),
+ SCMP_SYS(rename),
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigprocmask),
+ SCMP_SYS(select),
+ SCMP_SYS(setitimer),
+ SCMP_SYS(setsid),
+ SCMP_SYS(sigprocmask),
+ SCMP_SYS(sigreturn),
+ SCMP_SYS(socketcall),
+ SCMP_SYS(stat64),
+ SCMP_SYS(time),
+ SCMP_SYS(write),
+};
+#endif
+ {
+ int i;
+
+ for (i = 0; i < COUNTOF(scmp_sc); i++) {
+ if (seccomp_rule_add(ctx,
+ SCMP_ACT_ALLOW, scmp_sc[i], 0) < 0) {
+ msyslog(LOG_ERR,
+ "%s: seccomp_rule_add() failed: %m",
+ __func__);
+ }
+ }
+ }
+
+ if (seccomp_load(ctx) < 0)
+ msyslog(LOG_ERR, "%s: seccomp_load() failed: %m",
+ __func__);
+ else {
+ msyslog(LOG_DEBUG, "%s: seccomp_load() succeeded", __func__);
+ }
+#endif /* HAVE_LINUX_SECCOMP_H */
+
+ return nonroot;
+}
+
+/* end */
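Review bot: The `free((void *)user)` in the `if ((pw = getpwuid(sw_uid)) != NULL)` branch frees the caller's buffer through a cast that strips the `const` the new signature promises, and the following `user = estrdup(pw->pw_name)` rebinds only the local parameter, so ntpd.c's `user` is left dangling after `sandbox()` returns and the duplicate is never freed — this was harmless when `user` was the global the old code reassigned. Keep the caller's string untouched: declare `char *user_copy = NULL;` at the top, replace the two lines with `user = user_copy = estrdup(pw->pw_name);`, and add `free(user_copy);` before `return nonroot;`. The HAVE_LINUX_CAPABILITY block also reads `interface_interval`, for which no declaration is visible in this file (only ntp_syslog.h and ntp_stdlib.h are included); unless one of those headers provides it, this is an implicit dependency on ntpd.c state that would be clearer as a parameter. Separately, the results of `setgroups(1, &sw_gid)` and `initgroups(pw->pw_name, pw->pw_gid)` are not checked, and that `initgroups` call dereferences `pw` when no user was supplied, which the Linux-capability and Solaris builds permit because the "Need user name" guard is compiled out there.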
diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c
index 9354cb4..4e363e3 100644
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -40,39 +40,19 @@
#include "recvbuff.h"
+extern bool sandbox(const bool droproot,
+ const char *user, const char *group,
+ const char *chrootdir);
+
#ifdef SIGDANGER
# include <ulimit.h>
#endif /* SIGDANGER */
-#ifdef ENABLE_DROPROOT
-# include <ctype.h>
-# include <grp.h>
-# include <pwd.h>
-# ifdef HAVE_LINUX_CAPABILITY
-# include <sys/capability.h>
-# include <sys/prctl.h>
-# endif /* HAVE_LINUX_CAPABILITY */
-# if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
-# include <priv.h>
-# endif /* HAVE_PRIV_H */
-#endif /* ENABLE_DROPROOT */
-
-#ifdef HAVE_LINUX_SECCOMP_H
-# include <linux/seccomp.h>
-# include <linux/filter.h>
-# include <linux/audit.h>
-#endif /* HAVE_LINUX_SECCOMP_H */
-
#if defined(HAVE_DNS_SD_H) && defined(ENABLE_MDNS_REGISTRATION)
# include <dns_sd.h>
DNSServiceRef mdns;
#endif
-#ifdef HAVE_SOLARIS_PRIVS
-# define LOWPRIVS "basic,sys_time,net_privaddr,proc_setid,!proc_info,!proc_session,!proc_exec"
-static priv_set_t *lowprivs = NULL;
-static priv_set_t *highprivs = NULL;
-#endif /* HAVE_SOLARIS_PRIVS */
/*
* Scheduling priority we run at
*/
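Review bot: The `extern bool sandbox(...)` prototype is written inline in ntpd.c rather than in a header that ntp_sandbox.c also includes, so the definition is never compiled against its own declaration and a later signature change in either file would not be caught by the compiler. Move the declaration into a shared project header (ntpd.h would be the natural home, if the project has one — not visible here) and drop the `const` on the by-value `bool droproot` parameter in the prototype, where it is only a definition detail.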
@@ -108,15 +88,9 @@ int mdnstries = 5;
#ifdef ENABLE_DROPROOT
bool droproot;
-bool root_dropped;
char *user; /* User to switch to */
char *group; /* group to switch to */
const char *chrootdir; /* directory to chroot to */
-uid_t sw_uid;
-gid_t sw_gid;
-char *endp;
-struct group *gr;
-struct passwd *pw;
#endif /* ENABLE_DROPROOT */
#ifdef HAVE_WORKING_FORK
@@ -941,293 +915,11 @@ ntpdmain(
else if (opt_ipv6 && !ipv6_works)
msyslog(LOG_WARNING, "-6/--ipv6 ignored, IPv6 networking not found.");
-
-
-# ifdef ENABLE_DROPROOT
- if (droproot) {
- /* Drop super-user privileges and chroot now if the OS supports this */
-
-# ifdef HAVE_LINUX_CAPABILITY
- /* set flag: keep privileges accross setuid() call (we only really need cap_sys_time): */
- if (prctl( PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L ) == -1) {
- msyslog( LOG_ERR, "prctl( PR_SET_KEEPCAPS, 1L ) failed: %m" );
- exit(-1);
- }
-# elif HAVE_SOLARIS_PRIVS
- /* Nothing to do here */
-# else
- /* we need a user to switch to */
- if (user == NULL) {
- msyslog(LOG_ERR, "Need user name to drop root privileges (see -u flag!)" );
- exit(-1);
- }
-# endif /* HAVE_LINUX_CAPABILITY || HAVE_SOLARIS_PRIVS */
-
- if (user != NULL) {
- if (isdigit((unsigned char)*user)) {
- sw_uid = (uid_t)strtoul(user, &endp, 0);
- if (*endp != '\0')
- goto getuser;
-
- if ((pw = getpwuid(sw_uid)) != NULL) {
- free(user);
- user = estrdup(pw->pw_name);
- sw_gid = pw->pw_gid;
- } else {
- errno = 0;
- msyslog(LOG_ERR, "Cannot find user ID %s", user);
- exit (-1);
- }
-
- } else {
-getuser:
- errno = 0;
- if ((pw = getpwnam(user)) != NULL) {
- sw_uid = pw->pw_uid;
- sw_gid = pw->pw_gid;
- } else {
- if (errno)
- msyslog(LOG_ERR, "getpwnam(%s) failed: %m", user);
- else
- msyslog(LOG_ERR, "Cannot find user `%s'", user);
- exit (-1);
- }
- }
- }
- if (group != NULL) {
- if (isdigit((unsigned char)*group)) {
- sw_gid = (gid_t)strtoul(group, &endp, 0);
- if (*endp != '\0')
- goto getgroup;
- } else {
-getgroup:
- if ((gr = getgrnam(group)) != NULL) {
- sw_gid = gr->gr_gid;
- } else {
- errno = 0;
- msyslog(LOG_ERR, "Cannot find group `%s'", group);
- exit (-1);
- }
- }
- }
-
- if (chrootdir ) {
- /* make sure cwd is inside the jail: */
- if (chdir(chrootdir)) {
- msyslog(LOG_ERR, "Cannot chdir() to `%s': %m", chrootdir);
- exit (-1);
- }
- if (chroot(chrootdir)) {
- msyslog(LOG_ERR, "Cannot chroot() to `%s': %m", chrootdir);
- exit (-1);
- }
- if (chdir("/")) {
- msyslog(LOG_ERR, "Cannot chdir() to`root after chroot(): %m");
- exit (-1);
- }
- }
-# ifdef HAVE_SOLARIS_PRIVS
- if ((lowprivs = priv_str_to_set(LOWPRIVS, ",", NULL)) == NULL) {
- msyslog(LOG_ERR, "priv_str_to_set() failed:%m");
- exit(-1);
- }
- if ((highprivs = priv_allocset()) == NULL) {
- msyslog(LOG_ERR, "priv_allocset() failed:%m");
- exit(-1);
- }
- (void) getppriv(PRIV_PERMITTED, highprivs);
- (void) priv_intersect(highprivs, lowprivs);
- if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) {
- msyslog(LOG_ERR, "setppriv() failed:%m");
- exit(-1);
- }
-# endif /* HAVE_SOLARIS_PRIVS */
- if (user && initgroups(user, sw_gid)) {
- msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user);
- exit (-1);
- }
- if (group && setgid(sw_gid)) {
- msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group);
- exit (-1);
- }
- if (group && setegid(sw_gid)) {
- msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group);
- exit (-1);
- }
- if (group)
- setgroups(1, &sw_gid);
- else
- initgroups(pw->pw_name, pw->pw_gid);
- if (user && setuid(sw_uid)) {
- msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user);
- exit (-1);
- }
- if (user && seteuid(sw_uid)) {
- msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user);
- exit (-1);
- }
-
-# if !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS)
- /*
- * for now assume that the privilege to bind to privileged ports
- * is associated with running with uid 0 - should be refined on
- * ports that allow binding to NTP_PORT with uid != 0
- */
- disable_dynamic_updates |= (sw_uid != 0); /* also notifies routing message listener */
-# endif /* !HAVE_LINUX_CAPABILITY && !HAVE_SOLARIS_PRIVS */
-
- if (disable_dynamic_updates && interface_interval) {
- interface_interval = 0;
- msyslog(LOG_INFO, "running as non-root disables dynamic interface tracking");
- }
-
-# ifdef HAVE_LINUX_CAPABILITY
- {
- /*
- * We may be running under non-root uid now, but we still hold full root privileges!
- * We drop all of them, except for the crucial one or two: cap_sys_time and
- * cap_net_bind_service if doing dynamic interface tracking.
- */
- cap_t caps;
- char *captext;
-
- captext = (0 != interface_interval)
- ? "cap_sys_time,cap_net_bind_service=pe"
- : "cap_sys_time=pe";
- caps = cap_from_text(captext);
- if (!caps) {
- msyslog(LOG_ERR,
- "cap_from_text(%s) failed: %m",
- captext);
- exit(-1);
- }
- if (-1 == cap_set_proc(caps)) {
- msyslog(LOG_ERR,
- "cap_set_proc() failed to drop root privs: %m");
- exit(-1);
- }
- cap_free(caps);
- }
-# endif /* HAVE_LINUX_CAPABILITY */
-# ifdef HAVE_SOLARIS_PRIVS
- if (priv_delset(lowprivs, "proc_setid") == -1) {
- msyslog(LOG_ERR, "priv_delset() failed:%m");
- exit(-1);
- }
- if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) {
- msyslog(LOG_ERR, "setppriv() failed:%m");
- exit(-1);
- }
- priv_freeset(lowprivs);
- priv_freeset(highprivs);
-# endif /* HAVE_SOLARIS_PRIVS */
- root_dropped = true;
- } /* if (droproot) */
-# endif /* ENABLE_DROPROOT */
-
-/* libssecomp sandboxing */
-#if defined(HAVE_LINUX_SECCOMP_H) && (defined(__x86_64__) || defined(__i386__))
- scmp_filter_ctx ctx;
-
- if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)
- msyslog(LOG_ERR, "%s: seccomp_init(SCMP_ACT_KILL) failed: %m", __func__);
- else {
- msyslog(LOG_DEBUG, "%s: seccomp_init(SCMP_ACT_KILL) succeeded", __func__);
- }
-
-#ifdef __x86_64__
-int scmp_sc[] = {
- SCMP_SYS(adjtimex),
- SCMP_SYS(bind),
- SCMP_SYS(brk),
- SCMP_SYS(chdir),
- SCMP_SYS(clock_gettime),
- SCMP_SYS(clock_settime),
- SCMP_SYS(close),
- SCMP_SYS(connect),
- SCMP_SYS(exit_group),
- SCMP_SYS(fstat),
- SCMP_SYS(fsync),
- SCMP_SYS(futex),
- SCMP_SYS(getitimer),
- SCMP_SYS(getsockname),
- SCMP_SYS(ioctl),
- SCMP_SYS(lseek),
- SCMP_SYS(madvise),
- SCMP_SYS(mmap),
- SCMP_SYS(munmap),
- SCMP_SYS(open),
- SCMP_SYS(poll),
- SCMP_SYS(read),
- SCMP_SYS(recvmsg),
- SCMP_SYS(rename),
- SCMP_SYS(rt_sigaction),
- SCMP_SYS(rt_sigprocmask),
- SCMP_SYS(rt_sigreturn),
- SCMP_SYS(select),
- SCMP_SYS(sendto),
- SCMP_SYS(setitimer),
- SCMP_SYS(setsid),
- SCMP_SYS(socket),
- SCMP_SYS(stat),
- SCMP_SYS(time),
- SCMP_SYS(write),
-};
-#endif
-#ifdef __i386__
-int scmp_sc[] = {
- SCMP_SYS(_newselect),
- SCMP_SYS(adjtimex),
- SCMP_SYS(brk),
- SCMP_SYS(chdir),
- SCMP_SYS(clock_gettime),
- SCMP_SYS(clock_settime),
- SCMP_SYS(close),
- SCMP_SYS(exit_group),
- SCMP_SYS(fsync),
- SCMP_SYS(futex),
- SCMP_SYS(getitimer),
- SCMP_SYS(madvise),
- SCMP_SYS(mmap),
- SCMP_SYS(mmap2),
- SCMP_SYS(munmap),
- SCMP_SYS(open),
- SCMP_SYS(poll),
- SCMP_SYS(read),
- SCMP_SYS(rename),
- SCMP_SYS(rt_sigaction),
- SCMP_SYS(rt_sigprocmask),
- SCMP_SYS(select),
- SCMP_SYS(setitimer),
- SCMP_SYS(setsid),
- SCMP_SYS(sigprocmask),
- SCMP_SYS(sigreturn),
- SCMP_SYS(socketcall),
- SCMP_SYS(stat64),
- SCMP_SYS(time),
- SCMP_SYS(write),
-};
-#endif
- {
- int i;
-
- for (i = 0; i < COUNTOF(scmp_sc); i++) {
- if (seccomp_rule_add(ctx,
- SCMP_ACT_ALLOW, scmp_sc[i], 0) < 0) {
- msyslog(LOG_ERR,
- "%s: seccomp_rule_add() failed: %m",
- __func__);
- }
- }
- }
-
- if (seccomp_load(ctx) < 0)
- msyslog(LOG_ERR, "%s: seccomp_load() failed: %m",
- __func__);
- else {
- msyslog(LOG_DEBUG, "%s: seccomp_load() succeeded", __func__);
+ /* drop root privileges */
+ if (sandbox(droproot, user, group, chrootdir) && interface_interval) {
+ interface_interval = 0;
+ msyslog(LOG_INFO, "running as non-root disables dynamic interface tracking");
}
-#endif /* HAVE_LINUX_SECCOMP_H */
# ifdef HAVE_IO_COMPLETION_PORT
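Review bot: The new call `if (sandbox(droproot, user, group, chrootdir) && interface_interval)` replaces the removed `disable_dynamic_updates |= (sw_uid != 0);` and `if (disable_dynamic_updates && interface_interval)`, so the non-root result no longer reaches the `disable_dynamic_updates` global (whose removed comment says it also notifies the routing message listener), and a value that global already held before this point no longer disables interface tracking. Preserve both behaviours with `disable_dynamic_updates |= sandbox(droproot, user, group, chrootdir);` followed by `if (disable_dynamic_updates && interface_interval) {`. The ordering also changed: the removed code zeroed `interface_interval` before the Linux capability text was chosen from it, whereas `sandbox()` now selects `cap_net_bind_service` from the not-yet-zeroed value and the caller zeroes it afterwards, so that capability may be retained by a process that will not do dynamic interface tracking. ntpdmain() starts and ends outside this hunk.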
diff --git a/ntpd/wscript b/ntpd/wscript
index 839b3c7..1b833af 100644
--- a/ntpd/wscript
+++ b/ntpd/wscript
@@ -61,6 +61,7 @@ def build(ctx):
"ntp_peer.c",
"ntp_proto.c",
"ntp_restrict.c",
+ "ntp_sandbox.c",
"ntp_signd.c",
"ntp_timer.c",
"ntp_util.c",