[Git][NTPsec/ntpsec][master] 4 commits: More work on seccomp for Arch #633
Hal Murray
gitlab at mg.gitlab.com
Mon Feb 24 02:39:57 UTC 2020
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
39a880bb by Hal Murray at 2020-02-23T14:36:41-08:00
More work on seccomp for Arch #633
I think the root of the issue is an omission in
/usr/include/seccomp-syscalls.h
Fedora seems fixed. The same issue has popped up on Alpine Linux.
Editing the above header file fixed it.
- - - - -
089c4a73 by Hal Murray at 2020-02-23T14:43:29-08:00
Avoid bogus attempts to find local interface
If DNS or NTS-KE hasn't worked, the local address
hasn't been set up yet.
This was causing calls to socket() that were getting error returns.
That looked ugly on strace output.
- - - - -
cf9ad859 by Hal Murray at 2020-02-23T15:08:27-08:00
Tweaks to SIGHUP documentation.
- - - - -
63be8972 by Hal Murray at 2020-02-23T15:20:26-08:00
Cleanup findlocalinterface, from James Browning
- - - - -
4 changed files:
- docs/includes/ntpd-body.adoc
- ntpd/ntp_io.c
- ntpd/ntp_proto.c
- ntpd/ntp_sandbox.c
Changes:
=====================================
docs/includes/ntpd-body.adoc
=====================================
@@ -532,10 +532,17 @@ Configuration files are parsed according to the following rules:
SIGQUIT, SIGINT, and SIGTERM will cause ntpd to clean up and exit.
-SIGHUP will reopen the log file if it has changed and
+SIGHUP checks various things that would otherwise
+require restarting ntpd.
+
+It will reopen the log file if it has changed and
check for a new leapseconds file if one was specified.
+
If the NTS server is enabled, it will reload the
-certificate file if it has changed.
+certificate file if it has changed. (It doesn't check
+for a new key file, but reloads it when it reloads
+the certificate file.)
+
It will also retry any pending DNS or NTS lookups.
On most systems, you can send SIGHUP to +ntpd+ with
=====================================
ntpd/ntp_io.c
=====================================
@@ -233,7 +233,7 @@ static void delete_interface_from_list(endpt *);
static void close_and_delete_fd_from_list(SOCKET);
static void add_addr_to_list (sockaddr_u *, endpt *);
static void create_wildcards (unsigned short);
-static endpt * findlocalinterface (sockaddr_u *, int, int);
+static endpt * findlocalinterface (sockaddr_u *, int);
static endpt * findclosestinterface (sockaddr_u *, int);
#ifdef DEBUG
@@ -2473,7 +2473,7 @@ findinterface(
{
endpt *iface;
- iface = findlocalinterface(addr, INT_WILDCARD, 0);
+ iface = findlocalinterface(addr, INT_WILDCARD);
if (NULL == iface) {
DPRINT(4, ("Found no interface for address %s - returning wildcard\n",
@@ -2505,8 +2505,7 @@ findinterface(
static endpt *
findlocalinterface(
sockaddr_u * addr,
- int flags,
- int bcast
+ int flags
)
{
socklen_t sockaddrlen;
@@ -2514,7 +2513,6 @@ findlocalinterface(
sockaddr_u saddr;
SOCKET s;
int rtn;
- int on;
DPRINT(4, ("Finding interface for addr %s in list of addresses\n",
socktoa(addr)));
@@ -2523,21 +2521,6 @@ findlocalinterface(
if (INVALID_SOCKET == s)
return NULL;
- /*
- * If we are looking for broadcast interface we need to set this
- * socket to allow broadcast
- */
- if (bcast) {
- on = 1;
- if (SOCKET_ERROR == setsockopt(s, SOL_SOCKET,
- SO_BROADCAST,
- (char *)&on,
- sizeof(on))) {
- close(s);
- return NULL;
- }
- }
-
rtn = connect(s, &addr->sa, SOCKLEN(addr));
if (SOCKET_ERROR == rtn) {
close(s);
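Review bot: With the SO_BROADCAST setup removed, the `connect()` that follows has no path that permits a broadcast destination, and nothing in the code records that. On Linux a UDP `connect()` to a broadcast address without SO_BROADCAST fails with EACCES, so findlocalinterface will close the socket and presumably return NULL for such addresses (the return is outside this hunk). The only caller visible in this diff, findinterface, already passed 0 for `bcast`, so this looks intentional. I would note it above the `connect()` with `/* Broadcast destinations are not handled here: without SO_BROADCAST the connect() fails and no interface is returned. */`.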
=====================================
ntpd/ntp_proto.c
=====================================
@@ -1575,6 +1575,8 @@ clock_select(void)
* Leave the island immediately if the peer is
* unfit to synchronize.
*/
+ if (FLAG_LOOKUP & peer->cfg.flags)
+ continue;
if (peer_unfit(peer)) {
continue;
}
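Review bot: The new `FLAG_LOOKUP` test sits directly under the existing comment about unfit peers, so that comment now appears to describe the wrong check, and the reason for the skip is recorded only in the commit message. I would give the test its own comment, e.g. `/* Skip peers still waiting on DNS or NTS-KE; they have no address yet. */`, and keep the "Leave the island" comment immediately above `peer_unfit()`. The unbraced `if` also differs from the braced `if (peer_unfit(peer)) {` right below it; `if (FLAG_LOOKUP & peer->cfg.flags) {` / `continue;` / `}` would match. The loop this belongs to starts and ends outside the hunk.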
=====================================
ntpd/ntp_sandbox.c
=====================================
@@ -416,9 +416,10 @@ int scmp_sc[] = {
/* But somebody switched to SNR vs NR so we need a way
* to test for old/new so we can do the right ifdef. */
// Currently broken on Arch Linux but passes GitLab CI
-// #ifdef __NR_ppoll
-// SCMP_SYS(ppoll),
-// #endif
+#ifdef __NR_ppoll
+ SCMP_SYS(ppoll),
+ SCMP_SYS(clock_adjtime),
+#endif
SCMP_SYS(sendmsg),
#ifdef __NR_geteuid32
SCMP_SYS(geteuid32),
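Review bot: `SCMP_SYS(clock_adjtime)` is added inside the `#ifdef __NR_ppoll` guard, so whether the seccomp allowlist contains a clock-adjusting syscall depends on an unrelated syscall being defined. On a build where `__NR_ppoll` is absent the filter would presumably reject clock_adjtime at run time, so the entry deserves its own guard: `#ifdef __NR_clock_adjtime` / `SCMP_SYS(clock_adjtime),` / `#endif`. The line `// Currently broken on Arch Linux but passes GitLab CI` is stale now that the block is enabled and should be dropped or reworded to say what was fixed. A short comment on why ntpd needs clock_adjtime would also help anyone auditing the allowlist later. The `scmp_sc[]` initializer continues outside the hunk.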
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/2e0d90c35788dcd76ed9072013be3b540c243eea...63be8972a9dc8b75ddf958ba74b372c682305a57