[ntpsec commit] Refactor ntpd.c, separating privilege containment into ntp_sandbox.c.

Eric S. Raymond esr at ntpsec.org
Tue Oct 20 07:16:20 UTC 2015


Module:    ntpsec
Branch:    master
Commit:    0b4486b13a06d590e52422b9fd7b39cda824c8f6
Changeset: http://git.ntpsec.org/ntpsec/commit/?id=0b4486b13a06d590e52422b9fd7b39cda824c8f6

Author:    Eric S. Raymond <esr at thyrsus.com>
Date:      Tue Oct 20 03:15:31 2015 -0400

Refactor ntpd.c, separating privilege containment into ntp_sandbox.c.

---

 ntpd/ntp_sandbox.c | 341 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 ntpd/ntpd.c        | 324 ++------------------------------------------------
 ntpd/wscript       |   1 +
 3 files changed, 350 insertions(+), 316 deletions(-)

diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
new file mode 100644
index 0000000..ec609b0
--- /dev/null
+++ b/ntpd/ntp_sandbox.c
@@ -0,0 +1,341 @@
+/*
+ * ntp_sandbox.c - privilege containment for the NTP daemon
+ *
+ * SPDX-License-Identifier: BSD-2-clause
+ */
+
+#include <stdio.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <config.h>
+
+#ifdef ENABLE_DROPROOT
+# include <ctype.h>
+# include <grp.h>
+# include <pwd.h>
+# ifdef HAVE_LINUX_CAPABILITY
+#  include <sys/capability.h>
+#  include <sys/prctl.h>
+# endif /* HAVE_LINUX_CAPABILITY */
+# if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
+#  include <priv.h>
+# endif /* HAVE_PRIV_H */
+#endif /* ENABLE_DROPROOT */
+
+#ifdef HAVE_SOLARIS_PRIVS
+# define LOWPRIVS "basic,sys_time,net_privaddr,proc_setid,!proc_info,!proc_session,!proc_exec"
+static priv_set_t *lowprivs = NULL;
+static priv_set_t *highprivs = NULL;
+#endif /* HAVE_SOLARIS_PRIVS */
+
+#ifdef HAVE_LINUX_SECCOMP_H
+# include <linux/seccomp.h>
+# include <linux/filter.h>
+# include <linux/audit.h>
+#endif /* HAVE_LINUX_SECCOMP_H */
+
+#ifdef ENABLE_DROPROOT
+bool root_dropped;
+uid_t sw_uid;
+gid_t sw_gid;
+char *endp;
+struct group *gr;
+struct passwd *pw;
+#endif /* ENABLE_DROPROOT */
+
+#include "ntp_syslog.h"
+#include "ntp_stdlib.h"
+
+bool sandbox(const bool droproot,
+	     const char *user, const char *group,
+	     const char *chrootdir)
+{
+	bool nonroot = false;
+# ifdef ENABLE_DROPROOT
+	if (droproot) {
+		/* Drop super-user privileges and chroot now if the OS supports this */
+
+#  ifdef HAVE_LINUX_CAPABILITY
+		/* set flag: keep privileges accross setuid() call (we only really need cap_sys_time): */
+		if (prctl( PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L ) == -1) {
+			msyslog( LOG_ERR, "prctl( PR_SET_KEEPCAPS, 1L ) failed: %m" );
+			exit(-1);
+		}
+#  elif HAVE_SOLARIS_PRIVS
+		/* Nothing to do here */
+#  else
+		/* we need a user to switch to */
+		if (user == NULL) {
+			msyslog(LOG_ERR, "Need user name to drop root privileges (see -u flag!)" );
+			exit(-1);
+		}
+#  endif	/* HAVE_LINUX_CAPABILITY || HAVE_SOLARIS_PRIVS */
+
+		if (user != NULL) {
+			if (isdigit((unsigned char)*user)) {
+				sw_uid = (uid_t)strtoul(user, &endp, 0);
+				if (*endp != '\0')
+					goto getuser;
+
+				if ((pw = getpwuid(sw_uid)) != NULL) {
+					free((void *)user);
+					user = estrdup(pw->pw_name);
+					sw_gid = pw->pw_gid;
+				} else {
+					errno = 0;
+					msyslog(LOG_ERR, "Cannot find user ID %s", user);
+					exit (-1);
+				}
+
+			} else {
+getuser:
+				errno = 0;
+				if ((pw = getpwnam(user)) != NULL) {
+					sw_uid = pw->pw_uid;
+					sw_gid = pw->pw_gid;
+				} else {
+					if (errno)
+						msyslog(LOG_ERR, "getpwnam(%s) failed: %m", user);
+					else
+						msyslog(LOG_ERR, "Cannot find user `%s'", user);
+					exit (-1);
+				}
+			}
+		}
+		if (group != NULL) {
+			if (isdigit((unsigned char)*group)) {
+				sw_gid = (gid_t)strtoul(group, &endp, 0);
+				if (*endp != '\0')
+					goto getgroup;
+			} else {
+getgroup:
+				if ((gr = getgrnam(group)) != NULL) {
+					sw_gid = gr->gr_gid;
+				} else {
+					errno = 0;
+					msyslog(LOG_ERR, "Cannot find group `%s'", group);
+					exit (-1);
+				}
+			}
+		}
+
+		if (chrootdir ) {
+			/* make sure cwd is inside the jail: */
+			if (chdir(chrootdir)) {
+				msyslog(LOG_ERR, "Cannot chdir() to `%s': %m", chrootdir);
+				exit (-1);
+			}
+			if (chroot(chrootdir)) {
+				msyslog(LOG_ERR, "Cannot chroot() to `%s': %m", chrootdir);
+				exit (-1);
+			}
+			if (chdir("/")) {
+				msyslog(LOG_ERR, "Cannot chdir() to`root after chroot(): %m");
+				exit (-1);
+			}
+		}
+#  ifdef HAVE_SOLARIS_PRIVS
+		if ((lowprivs = priv_str_to_set(LOWPRIVS, ",", NULL)) == NULL) {
+			msyslog(LOG_ERR, "priv_str_to_set() failed:%m");
+			exit(-1);
+		}
+		if ((highprivs = priv_allocset()) == NULL) {
+			msyslog(LOG_ERR, "priv_allocset() failed:%m");
+			exit(-1);
+		}
+		(void) getppriv(PRIV_PERMITTED, highprivs);
+		(void) priv_intersect(highprivs, lowprivs);
+		if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) {
+			msyslog(LOG_ERR, "setppriv() failed:%m");
+			exit(-1);
+		}
+#  endif /* HAVE_SOLARIS_PRIVS */
+		if (user && initgroups(user, sw_gid)) {
+			msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user);
+			exit (-1);
+		}
+		if (group && setgid(sw_gid)) {
+			msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group);
+			exit (-1);
+		}
+		if (group && setegid(sw_gid)) {
+			msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group);
+			exit (-1);
+		}
+		if (group)
+			setgroups(1, &sw_gid);
+		else
+			initgroups(pw->pw_name, pw->pw_gid);
+		if (user && setuid(sw_uid)) {
+			msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user);
+			exit (-1);
+		}
+		if (user && seteuid(sw_uid)) {
+			msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user);
+			exit (-1);
+		}
+
+#  if !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS)
+		/*
+		 * for now assume that the privilege to bind to privileged ports
+		 * is associated with running with uid 0 - should be refined on
+		 * ports that allow binding to NTP_PORT with uid != 0
+		 */
+		nonroot |= (sw_uid != 0);  /* also notifies routing message listener */
+#  endif /* !HAVE_LINUX_CAPABILITY && !HAVE_SOLARIS_PRIVS */
+
+#  ifdef HAVE_LINUX_CAPABILITY
+		{
+			/*
+			 *  We may be running under non-root uid now, but we still hold full root privileges!
+			 *  We drop all of them, except for the crucial one or two: cap_sys_time and
+			 *  cap_net_bind_service if doing dynamic interface tracking.
+			 */
+			cap_t caps;
+			char *captext;
+			
+			captext = (0 != interface_interval)
+				      ? "cap_sys_time,cap_net_bind_service=pe"
+				      : "cap_sys_time=pe";
+			caps = cap_from_text(captext);
+			if (!caps) {
+				msyslog(LOG_ERR,
+					"cap_from_text(%s) failed: %m",
+					captext);
+				exit(-1);
+			}
+			if (-1 == cap_set_proc(caps)) {
+				msyslog(LOG_ERR,
+					"cap_set_proc() failed to drop root privs: %m");
+				exit(-1);
+			}
+			cap_free(caps);
+		}
+#  endif	/* HAVE_LINUX_CAPABILITY */
+#  ifdef HAVE_SOLARIS_PRIVS
+		if (priv_delset(lowprivs, "proc_setid") == -1) {
+			msyslog(LOG_ERR, "priv_delset() failed:%m");
+			exit(-1);
+		}
+		if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) {
+			msyslog(LOG_ERR, "setppriv() failed:%m");
+			exit(-1);
+		}
+		priv_freeset(lowprivs);
+		priv_freeset(highprivs);
+#  endif /* HAVE_SOLARIS_PRIVS */
+		root_dropped = true;
+	}	/* if (droproot) */
+# endif	/* ENABLE_DROPROOT */
+
+/* libssecomp sandboxing */
+#if defined(HAVE_LINUX_SECCOMP_H) && (defined(__x86_64__) || defined(__i386__))
+	scmp_filter_ctx ctx;
+
+	if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)
+		msyslog(LOG_ERR, "%s: seccomp_init(SCMP_ACT_KILL) failed: %m", __func__);
+	else {
+		msyslog(LOG_DEBUG, "%s: seccomp_init(SCMP_ACT_KILL) succeeded", __func__);
+	}
+
+#ifdef __x86_64__
+int scmp_sc[] = {
+	SCMP_SYS(adjtimex),
+	SCMP_SYS(bind),
+	SCMP_SYS(brk),
+	SCMP_SYS(chdir),
+	SCMP_SYS(clock_gettime),
+	SCMP_SYS(clock_settime),
+	SCMP_SYS(close),
+	SCMP_SYS(connect),
+	SCMP_SYS(exit_group),
+	SCMP_SYS(fstat),
+	SCMP_SYS(fsync),
+	SCMP_SYS(futex),
+	SCMP_SYS(getitimer),
+	SCMP_SYS(getsockname),
+	SCMP_SYS(ioctl),
+	SCMP_SYS(lseek),
+	SCMP_SYS(madvise),
+	SCMP_SYS(mmap),
+	SCMP_SYS(munmap),
+	SCMP_SYS(open),
+	SCMP_SYS(poll),
+	SCMP_SYS(read),
+	SCMP_SYS(recvmsg),
+	SCMP_SYS(rename),
+	SCMP_SYS(rt_sigaction),
+	SCMP_SYS(rt_sigprocmask),
+	SCMP_SYS(rt_sigreturn),
+	SCMP_SYS(select),
+	SCMP_SYS(sendto),
+	SCMP_SYS(setitimer),
+	SCMP_SYS(setsid),
+	SCMP_SYS(socket),
+	SCMP_SYS(stat),
+	SCMP_SYS(time),
+	SCMP_SYS(write),
+};
+#endif
+#ifdef __i386__
+int scmp_sc[] = {
+	SCMP_SYS(_newselect),
+	SCMP_SYS(adjtimex),
+	SCMP_SYS(brk),
+	SCMP_SYS(chdir),
+	SCMP_SYS(clock_gettime),
+	SCMP_SYS(clock_settime),
+	SCMP_SYS(close),
+	SCMP_SYS(exit_group),
+	SCMP_SYS(fsync),
+	SCMP_SYS(futex),
+	SCMP_SYS(getitimer),
+	SCMP_SYS(madvise),
+	SCMP_SYS(mmap),
+	SCMP_SYS(mmap2),
+	SCMP_SYS(munmap),
+	SCMP_SYS(open),
+	SCMP_SYS(poll),
+	SCMP_SYS(read),
+	SCMP_SYS(rename),
+	SCMP_SYS(rt_sigaction),
+	SCMP_SYS(rt_sigprocmask),
+	SCMP_SYS(select),
+	SCMP_SYS(setitimer),
+	SCMP_SYS(setsid),
+	SCMP_SYS(sigprocmask),
+	SCMP_SYS(sigreturn),
+	SCMP_SYS(socketcall),
+	SCMP_SYS(stat64),
+	SCMP_SYS(time),
+	SCMP_SYS(write),
+};
+#endif
+	{
+		int i;
+
+		for (i = 0; i < COUNTOF(scmp_sc); i++) {
+			if (seccomp_rule_add(ctx,
+			    SCMP_ACT_ALLOW, scmp_sc[i], 0) < 0) {
+				msyslog(LOG_ERR,
+				    "%s: seccomp_rule_add() failed: %m",
+				    __func__);
+			}
+		}
+	}
+
+	if (seccomp_load(ctx) < 0)
+		msyslog(LOG_ERR, "%s: seccomp_load() failed: %m",
+		    __func__);	
+	else {
+		msyslog(LOG_DEBUG, "%s: seccomp_load() succeeded", __func__);
+	}
+#endif /* HAVE_LINUX_SECCOMP_H */
+
+	return nonroot;
+}
+
+/* end */
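Review bot: `free((void *)user)` frees memory the caller still owns: `user` is a by-value parameter, so the following `user = estrdup(pw->pw_name)` only rebinds the local copy, and the `user` global that ntpd.c passes in at `sandbox(droproot, user, group, chrootdir)` is left pointing at freed storage, whereas before this commit the same lines rewrote the global itself. Drop the `free((void *)user);` line (keeping the estrdup'd name in the local is fine; it is leaked at return either way) or move the numeric-uid canonicalisation back into the caller. Separately, `if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)` compares an opaque `scmp_filter_ctx` (a pointer) against 0; libseccomp signals failure with NULL, so the test should be `if ((ctx = seccomp_init(SCMP_ACT_KILL)) == NULL)`, and on that path the code still goes on to seccomp_rule_add()/seccomp_load() with the bad context and the daemon continues unconfined behind a single LOG_ERR — every other failure in this function calls exit(), and this one should too. The seccomp block is moved rather than new, but this is the first place it can be corrected on its own.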
diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c
index 9354cb4..4e363e3 100644
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -40,39 +40,19 @@
 
 #include "recvbuff.h"
 
+extern bool sandbox(const bool droproot,
+		    const char *user, const char *group,
+		    const char *chrootdir);
+
 #ifdef SIGDANGER
 # include <ulimit.h>
 #endif /* SIGDANGER */
 
-#ifdef ENABLE_DROPROOT
-# include <ctype.h>
-# include <grp.h>
-# include <pwd.h>
-# ifdef HAVE_LINUX_CAPABILITY
-#  include <sys/capability.h>
-#  include <sys/prctl.h>
-# endif /* HAVE_LINUX_CAPABILITY */
-# if defined(HAVE_PRIV_H) && defined(HAVE_SOLARIS_PRIVS)
-#  include <priv.h>
-# endif /* HAVE_PRIV_H */
-#endif /* ENABLE_DROPROOT */
-
-#ifdef HAVE_LINUX_SECCOMP_H
-# include <linux/seccomp.h>
-# include <linux/filter.h>
-# include <linux/audit.h>
-#endif /* HAVE_LINUX_SECCOMP_H */
-
 #if defined(HAVE_DNS_SD_H) && defined(ENABLE_MDNS_REGISTRATION)
 # include <dns_sd.h>
 DNSServiceRef mdns;
 #endif
 
-#ifdef HAVE_SOLARIS_PRIVS
-# define LOWPRIVS "basic,sys_time,net_privaddr,proc_setid,!proc_info,!proc_session,!proc_exec"
-static priv_set_t *lowprivs = NULL;
-static priv_set_t *highprivs = NULL;
-#endif /* HAVE_SOLARIS_PRIVS */
 /*
  * Scheduling priority we run at
  */
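Review bot: The `extern bool sandbox(...)` prototype is added to ntpd.c instead of a header shared with ntp_sandbox.c, so the compiler never checks the declaration against the definition and a later change to either signature surfaces only at link time, or not at all. Move the declaration into a header both files include (a new ntp_sandbox.h, say) and drop the `const` on the by-value `bool droproot` in the prototype, since it is a definition detail that means nothing to callers. The include block this hunk edits begins before the hunk.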
@@ -108,15 +88,9 @@ int mdnstries = 5;
 
 #ifdef ENABLE_DROPROOT
 bool droproot;
-bool root_dropped;
 char *user;		/* User to switch to */
 char *group;		/* group to switch to */
 const char *chrootdir;	/* directory to chroot to */
-uid_t sw_uid;
-gid_t sw_gid;
-char *endp;
-struct group *gr;
-struct passwd *pw;
 #endif /* ENABLE_DROPROOT */
 
 #ifdef HAVE_WORKING_FORK
@@ -941,293 +915,11 @@ ntpdmain(
 	else if (opt_ipv6 && !ipv6_works)
 		msyslog(LOG_WARNING, "-6/--ipv6 ignored, IPv6 networking not found.");
 
-
-
-# ifdef ENABLE_DROPROOT
-	if (droproot) {
-		/* Drop super-user privileges and chroot now if the OS supports this */
-
-#  ifdef HAVE_LINUX_CAPABILITY
-		/* set flag: keep privileges accross setuid() call (we only really need cap_sys_time): */
-		if (prctl( PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L ) == -1) {
-			msyslog( LOG_ERR, "prctl( PR_SET_KEEPCAPS, 1L ) failed: %m" );
-			exit(-1);
-		}
-#  elif HAVE_SOLARIS_PRIVS
-		/* Nothing to do here */
-#  else
-		/* we need a user to switch to */
-		if (user == NULL) {
-			msyslog(LOG_ERR, "Need user name to drop root privileges (see -u flag!)" );
-			exit(-1);
-		}
-#  endif	/* HAVE_LINUX_CAPABILITY || HAVE_SOLARIS_PRIVS */
-
-		if (user != NULL) {
-			if (isdigit((unsigned char)*user)) {
-				sw_uid = (uid_t)strtoul(user, &endp, 0);
-				if (*endp != '\0')
-					goto getuser;
-
-				if ((pw = getpwuid(sw_uid)) != NULL) {
-					free(user);
-					user = estrdup(pw->pw_name);
-					sw_gid = pw->pw_gid;
-				} else {
-					errno = 0;
-					msyslog(LOG_ERR, "Cannot find user ID %s", user);
-					exit (-1);
-				}
-
-			} else {
-getuser:
-				errno = 0;
-				if ((pw = getpwnam(user)) != NULL) {
-					sw_uid = pw->pw_uid;
-					sw_gid = pw->pw_gid;
-				} else {
-					if (errno)
-						msyslog(LOG_ERR, "getpwnam(%s) failed: %m", user);
-					else
-						msyslog(LOG_ERR, "Cannot find user `%s'", user);
-					exit (-1);
-				}
-			}
-		}
-		if (group != NULL) {
-			if (isdigit((unsigned char)*group)) {
-				sw_gid = (gid_t)strtoul(group, &endp, 0);
-				if (*endp != '\0')
-					goto getgroup;
-			} else {
-getgroup:
-				if ((gr = getgrnam(group)) != NULL) {
-					sw_gid = gr->gr_gid;
-				} else {
-					errno = 0;
-					msyslog(LOG_ERR, "Cannot find group `%s'", group);
-					exit (-1);
-				}
-			}
-		}
-
-		if (chrootdir ) {
-			/* make sure cwd is inside the jail: */
-			if (chdir(chrootdir)) {
-				msyslog(LOG_ERR, "Cannot chdir() to `%s': %m", chrootdir);
-				exit (-1);
-			}
-			if (chroot(chrootdir)) {
-				msyslog(LOG_ERR, "Cannot chroot() to `%s': %m", chrootdir);
-				exit (-1);
-			}
-			if (chdir("/")) {
-				msyslog(LOG_ERR, "Cannot chdir() to`root after chroot(): %m");
-				exit (-1);
-			}
-		}
-#  ifdef HAVE_SOLARIS_PRIVS
-		if ((lowprivs = priv_str_to_set(LOWPRIVS, ",", NULL)) == NULL) {
-			msyslog(LOG_ERR, "priv_str_to_set() failed:%m");
-			exit(-1);
-		}
-		if ((highprivs = priv_allocset()) == NULL) {
-			msyslog(LOG_ERR, "priv_allocset() failed:%m");
-			exit(-1);
-		}
-		(void) getppriv(PRIV_PERMITTED, highprivs);
-		(void) priv_intersect(highprivs, lowprivs);
-		if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) {
-			msyslog(LOG_ERR, "setppriv() failed:%m");
-			exit(-1);
-		}
-#  endif /* HAVE_SOLARIS_PRIVS */
-		if (user && initgroups(user, sw_gid)) {
-			msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user);
-			exit (-1);
-		}
-		if (group && setgid(sw_gid)) {
-			msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group);
-			exit (-1);
-		}
-		if (group && setegid(sw_gid)) {
-			msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group);
-			exit (-1);
-		}
-		if (group)
-			setgroups(1, &sw_gid);
-		else
-			initgroups(pw->pw_name, pw->pw_gid);
-		if (user && setuid(sw_uid)) {
-			msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user);
-			exit (-1);
-		}
-		if (user && seteuid(sw_uid)) {
-			msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user);
-			exit (-1);
-		}
-
-#  if !defined(HAVE_LINUX_CAPABILITY) && !defined(HAVE_SOLARIS_PRIVS)
-		/*
-		 * for now assume that the privilege to bind to privileged ports
-		 * is associated with running with uid 0 - should be refined on
-		 * ports that allow binding to NTP_PORT with uid != 0
-		 */
-		disable_dynamic_updates |= (sw_uid != 0);  /* also notifies routing message listener */
-#  endif /* !HAVE_LINUX_CAPABILITY && !HAVE_SOLARIS_PRIVS */
-
-		if (disable_dynamic_updates && interface_interval) {
-			interface_interval = 0;
-			msyslog(LOG_INFO, "running as non-root disables dynamic interface tracking");
-		}
-
-#  ifdef HAVE_LINUX_CAPABILITY
-		{
-			/*
-			 *  We may be running under non-root uid now, but we still hold full root privileges!
-			 *  We drop all of them, except for the crucial one or two: cap_sys_time and
-			 *  cap_net_bind_service if doing dynamic interface tracking.
-			 */
-			cap_t caps;
-			char *captext;
-			
-			captext = (0 != interface_interval)
-				      ? "cap_sys_time,cap_net_bind_service=pe"
-				      : "cap_sys_time=pe";
-			caps = cap_from_text(captext);
-			if (!caps) {
-				msyslog(LOG_ERR,
-					"cap_from_text(%s) failed: %m",
-					captext);
-				exit(-1);
-			}
-			if (-1 == cap_set_proc(caps)) {
-				msyslog(LOG_ERR,
-					"cap_set_proc() failed to drop root privs: %m");
-				exit(-1);
-			}
-			cap_free(caps);
-		}
-#  endif	/* HAVE_LINUX_CAPABILITY */
-#  ifdef HAVE_SOLARIS_PRIVS
-		if (priv_delset(lowprivs, "proc_setid") == -1) {
-			msyslog(LOG_ERR, "priv_delset() failed:%m");
-			exit(-1);
-		}
-		if (setppriv(PRIV_SET, PRIV_PERMITTED, lowprivs) == -1) {
-			msyslog(LOG_ERR, "setppriv() failed:%m");
-			exit(-1);
-		}
-		priv_freeset(lowprivs);
-		priv_freeset(highprivs);
-#  endif /* HAVE_SOLARIS_PRIVS */
-		root_dropped = true;
-	}	/* if (droproot) */
-# endif	/* ENABLE_DROPROOT */
-
-/* libssecomp sandboxing */
-#if defined(HAVE_LINUX_SECCOMP_H) && (defined(__x86_64__) || defined(__i386__))
-	scmp_filter_ctx ctx;
-
-	if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)
-		msyslog(LOG_ERR, "%s: seccomp_init(SCMP_ACT_KILL) failed: %m", __func__);
-	else {
-		msyslog(LOG_DEBUG, "%s: seccomp_init(SCMP_ACT_KILL) succeeded", __func__);
-	}
-
-#ifdef __x86_64__
-int scmp_sc[] = {
-	SCMP_SYS(adjtimex),
-	SCMP_SYS(bind),
-	SCMP_SYS(brk),
-	SCMP_SYS(chdir),
-	SCMP_SYS(clock_gettime),
-	SCMP_SYS(clock_settime),
-	SCMP_SYS(close),
-	SCMP_SYS(connect),
-	SCMP_SYS(exit_group),
-	SCMP_SYS(fstat),
-	SCMP_SYS(fsync),
-	SCMP_SYS(futex),
-	SCMP_SYS(getitimer),
-	SCMP_SYS(getsockname),
-	SCMP_SYS(ioctl),
-	SCMP_SYS(lseek),
-	SCMP_SYS(madvise),
-	SCMP_SYS(mmap),
-	SCMP_SYS(munmap),
-	SCMP_SYS(open),
-	SCMP_SYS(poll),
-	SCMP_SYS(read),
-	SCMP_SYS(recvmsg),
-	SCMP_SYS(rename),
-	SCMP_SYS(rt_sigaction),
-	SCMP_SYS(rt_sigprocmask),
-	SCMP_SYS(rt_sigreturn),
-	SCMP_SYS(select),
-	SCMP_SYS(sendto),
-	SCMP_SYS(setitimer),
-	SCMP_SYS(setsid),
-	SCMP_SYS(socket),
-	SCMP_SYS(stat),
-	SCMP_SYS(time),
-	SCMP_SYS(write),
-};
-#endif
-#ifdef __i386__
-int scmp_sc[] = {
-	SCMP_SYS(_newselect),
-	SCMP_SYS(adjtimex),
-	SCMP_SYS(brk),
-	SCMP_SYS(chdir),
-	SCMP_SYS(clock_gettime),
-	SCMP_SYS(clock_settime),
-	SCMP_SYS(close),
-	SCMP_SYS(exit_group),
-	SCMP_SYS(fsync),
-	SCMP_SYS(futex),
-	SCMP_SYS(getitimer),
-	SCMP_SYS(madvise),
-	SCMP_SYS(mmap),
-	SCMP_SYS(mmap2),
-	SCMP_SYS(munmap),
-	SCMP_SYS(open),
-	SCMP_SYS(poll),
-	SCMP_SYS(read),
-	SCMP_SYS(rename),
-	SCMP_SYS(rt_sigaction),
-	SCMP_SYS(rt_sigprocmask),
-	SCMP_SYS(select),
-	SCMP_SYS(setitimer),
-	SCMP_SYS(setsid),
-	SCMP_SYS(sigprocmask),
-	SCMP_SYS(sigreturn),
-	SCMP_SYS(socketcall),
-	SCMP_SYS(stat64),
-	SCMP_SYS(time),
-	SCMP_SYS(write),
-};
-#endif
-	{
-		int i;
-
-		for (i = 0; i < COUNTOF(scmp_sc); i++) {
-			if (seccomp_rule_add(ctx,
-			    SCMP_ACT_ALLOW, scmp_sc[i], 0) < 0) {
-				msyslog(LOG_ERR,
-				    "%s: seccomp_rule_add() failed: %m",
-				    __func__);
-			}
-		}
-	}
-
-	if (seccomp_load(ctx) < 0)
-		msyslog(LOG_ERR, "%s: seccomp_load() failed: %m",
-		    __func__);	
-	else {
-		msyslog(LOG_DEBUG, "%s: seccomp_load() succeeded", __func__);
+	/* drop root privileges */
+	if (sandbox(droproot, user, group, chrootdir) && interface_interval) {
+		interface_interval = 0;
+		msyslog(LOG_INFO, "running as non-root disables dynamic interface tracking");
 	}
-#endif /* HAVE_LINUX_SECCOMP_H */
 
 # ifdef HAVE_IO_COMPLETION_PORT
 
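Review bot: The new condition `if (sandbox(droproot, user, group, chrootdir) && interface_interval)` no longer consults `disable_dynamic_updates`: the removed code zeroed `interface_interval` when `disable_dynamic_updates && interface_interval`, with the uid test OR-ed into that flag, whereas `sandbox()` now returns only its own `nonroot` result (set at `nonroot |= (sw_uid != 0)` in ntp_sandbox.c, and only when neither HAVE_LINUX_CAPABILITY nor HAVE_SOLARIS_PRIVS is defined). If `disable_dynamic_updates` can be set elsewhere (presumably from an option), dynamic interface tracking is no longer disabled on that path, and because the zeroing now runs after the call, the HAVE_LINUX_CAPABILITY branch in ntp_sandbox.c computes `captext` from the still-nonzero `interface_interval` and retains cap_net_bind_service where the old ordering dropped it. Restoring the flag, `if ((sandbox(droproot, user, group, chrootdir) || disable_dynamic_updates) && interface_interval)`, fixes the first part; for the capability text the check has to take effect before `captext` is chosen, e.g. by clearing `interface_interval` for the flag ahead of the sandbox() call. ntpdmain() starts and ends outside this hunk.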
diff --git a/ntpd/wscript b/ntpd/wscript
index 839b3c7..1b833af 100644
--- a/ntpd/wscript
+++ b/ntpd/wscript
@@ -61,6 +61,7 @@ def build(ctx):
 		"ntp_peer.c",
 		"ntp_proto.c",
 		"ntp_restrict.c",
+		"ntp_sandbox.c",
 		"ntp_signd.c",
 		"ntp_timer.c",
 		"ntp_util.c",


