Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

seccomp: Whitelist clock_adjtime #40929

Merged
merged 1 commit into from
May 15, 2020
Merged

seccomp: Whitelist clock_adjtime #40929

merged 1 commit into from
May 15, 2020
+4 −0

Conversation

stanislavlevin
Copy link
Contributor

@stanislavlevin stanislavlevin commented May 8, 2020
edited
Loading

- What I did
fixes #40919

- How I did it
Allow making the syscall by default seccomp filter.
CAP_SYS_TIME is still required for time adjustment (enforced by the kernel):

kernel/time/posix-timers.c:

1112 SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,
1113                 struct __kernel_timex __user *, utx)
...
1121         err = do_clock_adjtime(which_clock, &ktx);

1100 int do_clock_adjtime(const clockid_t which_clock, struct __kernel_timex * ktx)
1101 {
...
1109         return kc->clock_adj(which_clock, ktx);

1299 static const struct k_clock clock_realtime = {
...
1304         .clock_adj              = posix_clock_realtime_adj,

188 static int posix_clock_realtime_adj(const clockid_t which_clock,
189                                     struct __kernel_timex *t)
190 {
191         return do_adjtimex(t);

kernel/time/timekeeping.c:

2312 int do_adjtimex(struct __kernel_timex *txc)
2313 {
...
2321         /* Validate the data before disabling interrupts */
2322         ret = timekeeping_validate_timex(txc);

2246 static int timekeeping_validate_timex(const struct __kernel_timex *txc)
2247 {
2248         if (txc->modes & ADJ_ADJTIME) {
...
2252                 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
2253                     !capable(CAP_SYS_TIME))
2254                         return -EPERM;
2255         } else {
2256                 /* In order to modify anything, you gotta be super-user! */
2257                 if (txc->modes && !capable(CAP_SYS_TIME))
2258                         return -EPERM;

- How to verify it
without cap:

  1. glibc 2.31 within container
  2. run container without CAP_SYS_TIME
  3. run chronyd -d within container

Expected result: chronyd should fail to make adjtimex.

with cap:

  1. glibc 2.31 within container
  2. run container with --cap-add CAP_SYS_TIME
  3. run chronyd -d within container

Expected result: chronyd should not fail to make adjtimex.

- Description for the changelog

Whitelist clock_adjtime. CAP_SYS_TIME is still required for time adjustment.

- A picture of a cute animal (not mandatory but encouraged)

@stanislavlevin stanislavlevin requested a review from tianon as a code owner May 8, 2020 08:27
@thaJeztah
Copy link
Member

thaJeztah commented May 8, 2020
edited
Loading

Allow making the syscall by default seccomp filter.
CAP_SYS_TIME is still required for time adjustment (enforced by the kernel).

Should this use the same approach as (added in #31966) ?

moby/profiles/seccomp/seccomp_default.go

Lines 641 to 652 in cdf49f3

{
Names: []string{
"settimeofday",
"stime",
"clock_settime",
},
Action: types.ActAllow,
Args: []*types.Arg{},
Includes: types.Filter{
Caps: []string{"CAP_SYS_TIME"},
},
},

IIRC, with that approach seccomp by default blocks these (so both CAP_SYS_TIME and seccomp are blocking them, but once CAP_SYS_TIME is enabled for the container, they're unblocked.

/cc @justincormack

thaJeztah
thaJeztah requested changes May 8, 2020
View reviewed changes
@stanislavlevin stanislavlevin force-pushed the seccomp_allow_clock_adjtime branch from 99a4b53 to eb66264 Compare May 8, 2020 08:59
@stanislavlevin
Copy link
Contributor Author

Allow making the syscall by default seccomp filter.
CAP_SYS_TIME is still required for time adjustment (enforced by the kernel).

Should this use the same approach as (added in #31966) ?

IIRC, with that approach seccomp by default blocks these (so both CAP_SYS_TIME and seccomp are blocking them, but once CAP_SYS_TIME is enabled for the container, they're unblocked.

Related issue: #33126

@stanislavlevin
seccomp: Whitelist clock_adjtime

Verified

This commit was signed with the committer’s verified signature.
stanislavlevin Stanislav Levin
GPG key ID: ABABFE8D5D9A19E8
Verified
Learn about vigilant mode
5d3a9e4 
This only allows making the syscall. CAP_SYS_TIME is still required
for time adjustment (enforced by the kernel):

```
kernel/time/posix-timers.c:

1112 SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,
1113                 struct __kernel_timex __user *, utx)
...
1121         err = do_clock_adjtime(which_clock, &ktx);

1100 int do_clock_adjtime(const clockid_t which_clock, struct __kernel_timex * ktx)
1101 {
...
1109         return kc->clock_adj(which_clock, ktx);

1299 static const struct k_clock clock_realtime = {
...
1304         .clock_adj              = posix_clock_realtime_adj,

188 static int posix_clock_realtime_adj(const clockid_t which_clock,
189                                     struct __kernel_timex *t)
190 {
191         return do_adjtimex(t);

kernel/time/timekeeping.c:

2312 int do_adjtimex(struct __kernel_timex *txc)
2313 {
...
2321         /* Validate the data before disabling interrupts */
2322         ret = timekeeping_validate_timex(txc);

2246 static int timekeeping_validate_timex(const struct __kernel_timex *txc)
2247 {
2248         if (txc->modes & ADJ_ADJTIME) {
...
2252                 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
2253                     !capable(CAP_SYS_TIME))
2254                         return -EPERM;
2255         } else {
2256                 /* In order to modify anything, you gotta be super-user! */
2257                 if (txc->modes && !capable(CAP_SYS_TIME))
2258                         return -EPERM;

```

Fixes: moby#40919
Signed-off-by: Stanislav Levin <slev@altlinux.org>
@stanislavlevin stanislavlevin force-pushed the seccomp_allow_clock_adjtime branch from eb66264 to 5d3a9e4 Compare May 8, 2020 09:34
@thaJeztah
Copy link
Member

Related issue: #33126

Ah, thanks for linking that one 👍

@thaJeztah thaJeztah added this to the 20.03.0 milestone May 8, 2020
thaJeztah
thaJeztah approved these changes May 15, 2020
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@thaJeztah
Copy link
Member

@tonistiigi @cpuguy83 good to go?

@thaJeztah thaJeztah merged commit dd16f2f into moby:master May 15, 2020
@thaJeztah thaJeztah mentioned this pull request May 17, 2020
Merged
@thaJeztah thaJeztah mentioned this pull request Aug 24, 2020
Closed
@achimnol achimnol mentioned this pull request Feb 24, 2021
Open
@thaJeztah thaJeztah mentioned this pull request Dec 16, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justincormack justincormack

@tonistiigi tonistiigi

@thaJeztah thaJeztah

@tianon tianon

Assignees
No one assigned
Labels
area/security/seccomp area/security impact/changelog process/cherry-picked status/2-code-review
Projects
None yet
Milestone
20.10.0
Development

Successfully merging this pull request may close these issues.

seccomp: allow write clock_adjtime under CAP_SYS_TIME
4 participants
@stanislavlevin @thaJeztah @justincormack @tonistiigi