From b92dae961c9be770133215d5d9bdc15ba66a249b Mon Sep 17 00:00:00 2001
From: Ben Wolsieffer
Date: Sat, 11 Mar 2023 14:39:55 -0500
Subject: [PATCH] nixos/chrony: allow @chown syscall set

The module was allowing specific chown syscalls, which is brittle because there are several and different ones are used by glibc on different architectures. For example, fchownat was already added to the allowlist for aarch64, while on armv6l chrony crashes because chown32 is not in the allowlist. systemd provides the @chown syscall set, which includes all the chown syscalls and avoids this brittleness. I believe the syscalls would all be equivalent from an attacker's perspective, so there is unlikely to be any security impact.
---
 nixos/modules/services/networking/ntp/chrony.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
index 6c8d7b985d5..2d421abc8be 100644
--- a/nixos/modules/services/networking/ntp/chrony.nix
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -203,7 +203,7 @@ in
 PrivateMounts = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "chown" ] ++ lib.optional pkgs.stdenv.hostPlatform.isAarch64 "fchownat";
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "@chown" ];
 };
 };
 };
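Review bot: The new `"@chown"` entry only makes sense once you know this filter is a deny list, and nothing on the line says so: because the first element starts with `~`, systemd treats the whole `SystemCallFilter=` as a deny list, and each subsequent assignment (`@clock`, `@setuid`, `capset`, now `@chown`) is removed from that deny set rather than added to an allow list — `@chown` and `@clock` are members of `@privileged`, which is why they have to be carved back out at all. I would put that above the `SystemCallFilter` line, e.g. `# Deny-list first; the entries that follow are carved back out of it (@chown and @clock are part of @privileged). @chown covers every chown variant so the set is not arch-dependent.` Note that `@chown` also re-admits `fchown`/`lchown` (and their 32-bit variants) on every architecture, a slightly wider set than the old `chown` plus aarch64-only `fchownat`; the commit message's equivalence argument covers that, but recording it in the comment keeps a later reviewer from "tightening" it back to `chown` and reintroducing the armv6l crash. The enclosing `serviceConfig` attribute set starts and ends outside this hunk.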