nixos/chrony: allow @chown syscall set
The module was allowing specific chown syscalls, which is brittle because there are several of them and glibc uses different ones on different architectures. For example, fchownat was already added to the allowlist for aarch64, while on armv6l chrony crashes because chown32 is not in the allowlist. systemd provides the @chown syscall set, which includes all the chown syscalls and avoids this brittleness. I believe the syscalls would all be equivalent from an attacker's perspective, so there is unlikely to be any security impact.
This commit is contained in:
parent
ccd250410e
commit
b92dae961c
@ -203,7 +203,7 @@ in
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "chown" ] ++ lib.optional pkgs.stdenv.hostPlatform.isAarch64 "fchownat";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "@chown" ];
};
};
};
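Review bot: The reasoning for preferring the @chown set over individual syscalls exists only in the commit message, so a maintainer reading the module will not know why fchownat no longer needs its architecture-specific lib.optional; a comment above the new SystemCallFilter line would preserve that context, e.g. `# @chown covers every chown variant (chown, chown32, fchownat, ...), so the allowlist no longer depends on which syscall the platform's glibc uses.` The description's claim that the broader set has no security impact is plausible but not demonstrated in the hunk; the set's exact membership on the target systemd version can be listed with `systemd-analyze syscall-filter @chown` and compared against the previous explicit entries before merging. The enclosing attribute set begins outside the hunk.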