[Git][NTPsec/ntpsec][master] 3 commits: Add message when closing lots of files

Hal Murray gitlab at mg.gitlab.com
Mon May 15 09:24:28 UTC 2017


Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
eb3c8a5c by Hal Murray at 2017-05-15T02:23:24-07:00
Add message when closing lots of files

- - - - -
c0377578 by Hal Murray at 2017-05-15T02:23:24-07:00
Update seccomp to work on ARM

- - - - -
aadc8354 by Hal Murray at 2017-05-15T02:23:24-07:00
seccomp additions for Arch Linux, Issue #275

- - - - -


2 changed files:

- ntpd/ntp_sandbox.c
- ntpd/ntpd.c


Changes:

=====================================
ntpd/ntp_sandbox.c
=====================================
--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
@@ -383,13 +383,21 @@ int scmp_sc[] = {
 	SCMP_SYS(fcntl64),
 	SCMP_SYS(fstat64),
 
+/* Arch Linux */
+	SCMP_SYS(getpid),
+	SCMP_SYS(gettid),
+	SCMP_SYS(geteuid),
+	SCMP_SYS(ppoll),
+	SCMP_SYS(sendmsg),
+
 #ifdef __x86_64__
 	SCMP_SYS(mmap),
 #endif
-#ifdef __i386__
+#if defined(__i386__) || defined(__arm__)
 	SCMP_SYS(_newselect),
 	SCMP_SYS(_llseek),
 	SCMP_SYS(mmap2),
+	SCMP_SYS(send),
 	SCMP_SYS(stat64),
 #endif
 };
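Review bot: The five entries under `/* Arch Linux */` sit outside any `#ifdef`, so they widen the seccomp allow list on every build, not only on the system where the failure was seen. Of these, `sendmsg` is the broadest grant, since it can carry ancillary data such as file descriptors. The others are identity queries or a poll variant. The comment would serve a later audit better if it recorded the origin and the scope, something like `/* first seen on Arch Linux (Issue #275); allowed on all targets */`. The `scmp_sc[]` array begins above this hunk.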
@@ -421,6 +429,21 @@ int scmp_sc[] = {
 /*
  * catchTrap - get here if something missing from list above
  * (or a bad guy finds a way in)
+ *
+ * The list above is a moving target.  Most syscalls will be
+ * obvious but libc (and friends) can remap things and
+ * getaddrinfo does all sorts of syscalls.
+ *
+ * To track down a missing call:
+ *
+ * Option one:
+ *  use gdb, break on catchTrap, get a trace.
+ *
+ * Optin two:
+ *  use strace
+ *  sudo strace -t -f -o<filename> <path-to-ntpd> <args>
+ *  when it crashes, the last syscall will be at the end of the log file
+ *
  */
 static void catchTrap(int sig)
 {
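Review bot: `Optin two:` in the added comment is a typo for `Option two:`. The last step is also optimistic: with `-f` the log interleaves every thread and child, so the final line is not necessarily the rejected call. If the filter delivers SIGSYS to this handler, which the hunk does not show, strace records the signal too, and a more reliable instruction would be ` *  search the log for SIGSYS; the syscall just before it in that thread is the missing one`. Only the first lines of `catchTrap` are inside the hunk.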


=====================================
ntpd/ntpd.c
=====================================
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -1391,6 +1391,8 @@ close_all_beyond(
 
 	/* includes POSIX case */
 	max_fd = sysconf(_SC_OPEN_MAX);
+	if (10000 < max_fd)
+		msyslog(LOG_ERR, "close_all_beyond: closing %d files", max_fd);
 	for (fd = keep_fd + 1; fd < max_fd; fd++)
 		close(fd);
 # endif /* !HAVE_CLOSEFROM && !F_CLOSEM */
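Review bot: The new check covers a very large `max_fd` but not a failed lookup. `sysconf(_SC_OPEN_MAX)` returns -1 when the limit is indeterminate, and then the loop below closes nothing and logs nothing, leaving inherited descriptors open in the daemon. A companion line such as `if (max_fd < 0) msyslog(LOG_ERR, "close_all_beyond: sysconf(_SC_OPEN_MAX) failed");` would make that case visible. Separately, `sysconf` returns `long`, so `%d` is only correct if `max_fd` is declared `int`; its declaration is outside the hunk, as are the start and end of `close_all_beyond`.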



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/6589c3db9c54f715bb4d73f97d1eca3d9a8220ea...aadc835451bef4bf0eebcb4d2a72e1171d20beb7
