35e0eea053
Fixes issue #21136. The problem is that the seccomp system call filter configured by ntpd did not include some system calls that were apparently needed. For example the program hanged in getpid just after the filter was installed: prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0 seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument) seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0 getpid() = ? I do not know exactly why this is a problem on NixOS only, perhaps we have getpid caching disabled. The fcntl and setsockopt system calls also had to be added.
44 lines
1.1 KiB
Diff
44 lines
1.1 KiB
Diff
diff -urN ntp-4.2.8p10.orig/ntpd/ntpd.c ntp-4.2.8p10/ntpd/ntpd.c
|
|
--- ntp-4.2.8p10.orig/ntpd/ntpd.c 2017-04-02 20:21:17.371319663 +0200
|
|
+++ ntp-4.2.8p10/ntpd/ntpd.c 2017-04-02 21:26:02.766178723 +0200
|
|
@@ -1157,10 +1157,12 @@
|
|
SCMP_SYS(close),
|
|
SCMP_SYS(connect),
|
|
SCMP_SYS(exit_group),
|
|
+ SCMP_SYS(fcntl),
|
|
SCMP_SYS(fstat),
|
|
SCMP_SYS(fsync),
|
|
SCMP_SYS(futex),
|
|
SCMP_SYS(getitimer),
|
|
+ SCMP_SYS(getpid),
|
|
SCMP_SYS(getsockname),
|
|
SCMP_SYS(ioctl),
|
|
SCMP_SYS(lseek),
|
|
@@ -1179,6 +1181,7 @@
|
|
SCMP_SYS(sendto),
|
|
SCMP_SYS(setitimer),
|
|
SCMP_SYS(setsid),
|
|
+ SCMP_SYS(setsockopt),
|
|
SCMP_SYS(socket),
|
|
SCMP_SYS(stat),
|
|
SCMP_SYS(time),
|
|
@@ -1195,9 +1198,11 @@
|
|
SCMP_SYS(clock_settime),
|
|
SCMP_SYS(close),
|
|
SCMP_SYS(exit_group),
|
|
+ SCMP_SYS(fcntl),
|
|
SCMP_SYS(fsync),
|
|
SCMP_SYS(futex),
|
|
SCMP_SYS(getitimer),
|
|
+ SCMP_SYS(getpid),
|
|
SCMP_SYS(madvise),
|
|
SCMP_SYS(mmap),
|
|
SCMP_SYS(mmap2),
|
|
@@ -1211,6 +1216,7 @@
|
|
SCMP_SYS(select),
|
|
SCMP_SYS(setitimer),
|
|
SCMP_SYS(setsid),
|
|
+ SCMP_SYS(setsockopt),
|
|
SCMP_SYS(sigprocmask),
|
|
SCMP_SYS(sigreturn),
|
|
SCMP_SYS(socketcall),
|