[Git][NTPsec/ntpsec][master] 2 commits: Restore EVNT_SYSRESTART logging

Hal Murray gitlab at mg.gitlab.com
Tue Feb 27 12:57:28 UTC 2018


Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
97dd720a by Hal Murray at 2018-02-26T23:45:57-08:00
Restore EVNT_SYSRESTART logging

- - - - -
8c34d988 by Hal Murray at 2018-02-27T01:28:36-08:00
Minor cleanups in ntpd/ntp_sandbox
	remove root_dropped (not used)
	comments for seccomp when early droproot

- - - - -


2 changed files:

- ntpd/ntp_sandbox.c
- ntpd/ntpd.c


Changes:

=====================================
ntpd/ntp_sandbox.c
=====================================
--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
@@ -40,7 +40,6 @@ static void catchTrap(int sig, siginfo_t *, void *);
 #endif
 
 #ifdef ENABLE_DROPROOT
-static bool root_dropped;
 static uid_t sw_uid;
 static gid_t sw_gid;
 static char *endp;
@@ -260,7 +259,6 @@ getgroup:
 		priv_freeset(lowprivs);
 		priv_freeset(highprivs);
 #  endif /* HAVE_SOLARIS_PRIVS */
-		root_dropped = true;
 	}	/* if (droproot) */
 # endif	/* ENABLE_DROPROOT */
 
@@ -282,6 +280,25 @@ getgroup:
 		}
 
 int scmp_sc[] = {
+
+#ifdef ENABLE_EARLY_DROPROOT
+/* Initialization uses a few syscalls that are not otherwise used.
+ * Collect them here.
+ * There are probably a few below that were added before we
+ * understood the need for this section.
+ * We could make a second pass after initialization to remove
+ * these from the list.
+ */
+
+#ifndef ENABLE_DNS_LOOKUP
+	/* libcrypto uses pthread_once() */
+	/* We could avoid this by calling ssl_init() first. */
+	SCMP_SYS(futex),	/* sem_xxx, used by threads */
+#endif
+
+	SCMP_SYS(getdents),	/* Scanning /etc/ntp.d/ */
+#endif
+
 	SCMP_SYS(adjtimex),
 	SCMP_SYS(bind),
 	SCMP_SYS(brk),
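Review bot: Nesting the `futex` entry inside `#ifdef ENABLE_EARLY_DROPROOT` changes the seccomp allow list, not just its layout. Before this commit `SCMP_SYS(futex)` was guarded only by `#ifndef ENABLE_DNS_LOOKUP` (the block removed in the following hunk at -296), so a build with neither option defined no longer allows it here. If libcrypto's pthread_once() can still run after the filter is loaded in such a build, the call would be denied instead of succeeding; whether that path is reachable, and whether `futex` is also listed elsewhere in the array, cannot be seen from this hunk. Unless the narrowing is intended, keep `#ifndef ENABLE_DNS_LOOKUP` / `SCMP_SYS(futex),` / `#endif` outside the early-droproot block, or say in the new comment that futex is needed only during initialization. The `scmp_sc[]` initializer continues past the end of this hunk.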
@@ -296,17 +313,9 @@ int scmp_sc[] = {
 	SCMP_SYS(fstat),
 	SCMP_SYS(fsync),
 
-#ifdef ENABLE_EARLY_DROPROOT
-	SCMP_SYS(getdents),
-#endif
-
-#ifndef ENABLE_DNS_LOOKUP
-	/* libcrypto uses pthread_once() */
-	SCMP_SYS(futex),	/* sem_xxx, used by threads */
-#endif
 
 #ifdef __NR_getrandom
-	SCMP_SYS(getrandom),	/* 3.17 kernel */
+	SCMP_SYS(getrandom),	/* Added in 3.17 kernel */
 #endif
 	SCMP_SYS(getitimer),
 #ifdef __NR_ugetrlimit


=====================================
ntpd/ntpd.c
=====================================
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -896,7 +896,7 @@ ntpdmain(
         }
 
 	loop_config(LOOP_DRIFTINIT, 0);
-	/* report_event(EVNT_SYSRESTART, NULL, NULL); */
+	report_event(EVNT_SYSRESTART, NULL, NULL);
 
 #ifndef ENABLE_EARLY_DROPROOT
 	/* drop root privileges */
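Review bot: The re-enabled `report_event(EVNT_SYSRESTART, NULL, NULL);` has no comment saying why it sits at this point, and the commit does not record why it had been commented out. It runs just before the `#ifndef ENABLE_EARLY_DROPROOT` privilege drop, so in late-drop builds the event is emitted while still root. In early-drop builds it presumably runs with the sandbox already active, in which case every syscall on the report path has to be in `scmp_sc[]`; that is worth confirming, since it cannot be seen from this hunk. A one-line comment such as `/* Log startup so daemon restarts show up in the event log; must work under the seccomp filter when early droproot is enabled */` would document the constraint. `ntpdmain` begins and ends outside this hunk.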



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/eef92d6217da03ad2ae41e298d110bdb05031381...8c34d988b8889ea5209f42e44776136164f5893b
