nixos/chrony: allow @chown syscall set

The module was allowing specific chown syscalls, which is brittle because
there are several and different ones are used by glibc on different
architectures. For example, fchownat was already added to the allowlist for
aarch64, while on armv6l chrony crashes because chown32 is not in the
allowlist.

systemd provides the @chown syscall set, which includes all the chown
syscalls and avoids this brittleness. I believe the syscalls would all be
equivalent from an attacker's perspective, so there is unlikely to be any
security impact.
Ben Wolsieffer 2023-03-11 14:39:55 -05:00 committed by Austin Seipp
parent ccd250410e
commit b92dae961c

@ -203,7 +203,7 @@ in
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "chown" ] ++ lib.optional pkgs.stdenv.hostPlatform.isAarch64 "fchownat";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "@chown" ];
};
};
};
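Review bot: worth confirming that the systemd version pinned in nixpkgs already defines the @chown group before this lands (`systemd-analyze syscall-filter @chown` prints its members on the target host); the replaced line is an allowlist, so a group name the running systemd does not recognise would admit no chown variant at all and chrony would fail with SIGSYS on every architecture rather than only on armv6l. It would also help future readers to add a one-line comment above the `SystemCallFilter` entry noting that `@chown` is used deliberately to cover the per-architecture variants (chown32, fchownat, and so on), so nobody narrows it back to `"chown"` later.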