net-misc/chrony is packaged so that the default args on a fresh installation of chrony add -F 0 in /etc/conf.d/chrony. This is a security feature and I don't see why it shouldn't be turned on by default. Especially if the seccomp use flag is enabled by default by the gentoo profile itself.
change -F 0 to -F 1 in the default config conf.d
We’ve had a whole thing about this in the past and I agree, but upstream specifically say in the man page it shouldn’t be enabled by default. It was enabled for a while (I enabled it and I wasn’t the one to turn it off, but I’m the actual maintainer now). I’m happy to reconsider enabling it again with perhaps an elog for people to report needed syscall whitelist changes.
I just switched it on now and it seems to be running fine, however I'll give it a go for a few weeks and report back if there's any problems. Thanks for the history.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=becfaac19ad2b782a18eae112d64ffe1b59bd75c

commit becfaac19ad2b782a18eae112d64ffe1b59bd75c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-04-22 21:54:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-04-22 22:24:55 +0000

    net-misc/chrony: add 4.1_pre1 (unkeyworded)

    * Bump to 4.1_pre1
    * Tidy up IUSE, *DEPEND
    * Unrestrict tests
    * Add useful bug references re seccomp and caps. May restore turning on
      seccomp automatically in a revbump or next pre-release.
    * Dependency changes/fixes:
    ** Depend on sys-libs/readline when not using libedit
    ** NTS requires GnuTLS, not Nettle
    ** Add more cases for virtual/pkgconfig BDEPEND
    ** Move html? ( asciidoctor ) dependency to BDEPEND

    Bug: https://bugs.gentoo.org/783915
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/chrony/Manifest               |   2 +
 net-misc/chrony/chrony-4.1_pre1.ebuild | 230 +++++++++++++++++++++++++++++++++
 net-misc/chrony/chrony-9999.ebuild     |  88 +++++++------
 3 files changed, 282 insertions(+), 38 deletions(-)
I've been running it with seccomp for a while now and have had no problems. Recommend you turn it on for everyone else too.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8aa0d8a92ee4568de9d6c431b5fa8c2263f750ee

commit 8aa0d8a92ee4568de9d6c431b5fa8c2263f750ee
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-13 14:24:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-13 16:14:07 +0000

    net-misc/chrony: add 4.1

    Enables seccomp by default with the new upstream limited filter
    range (-F 2). Please use -F 1 if you can test it and it works on
    your system.

    Bug: https://bugs.gentoo.org/783915
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/chrony/Manifest                         |   2 +
 net-misc/chrony/chrony-4.1.ebuild                | 252 +++++++++++++++++++++
 .../chrony/files/chrony-4.1-systemd-gentoo.patch |  12 +
 net-misc/chrony/files/chronyd.conf-r3            |  12 +
 4 files changed, 278 insertions(+)
The ebuild says to use `systemctl edit chronyd` to change the level if using systemd, but systemd doesn't allow overriding ExecStart. Instead, the service should use `EnvironmentFile=/etc/conf.d/chronyd` to read the arguments, like www-servers/apache and others.
(In reply to Thomas Arnett from comment #7)
> The ebuild says to use `systemctl edit chronyd` to change the level if using
> systemd, but systemd doesn't allow overriding ExecStart. Instead, the
> service should use `EnvironmentFile=/etc/conf.d/chronyd` to read the
> arguments, like www-servers/apache and others.

Could you file a bug for this please?
(In reply to Thomas Arnett from comment #7)
> The ebuild says to use `systemctl edit chronyd` to change the level if using
> systemd, but systemd doesn't allow overriding ExecStart.

systemd does in fact allow overriding ExecStart. You need to set it to empty first to clear it. For example:

> [Service]
> ExecStart=
> ExecStart=/usr/sbin/chronyd -u ntp -F 1
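The "clear it first" rule from the comment above is easy to check offline. The following is an added example, not code from the bug thread, chrony or Gentoo: it models how systemd merges `ExecStart=` from a unit file and a `systemctl edit` drop-in (an empty assignment resets the list, otherwise values append), so a drop-in that raises the seccomp level to `-F 1` can be validated before it is deployed. The base unit text is a constructed sample; its `-F 2` default is assumed from the 4.1 commit message.

```python
import re

# Constructed sample resembling a packaged chronyd.service (an assumption,
# not the real Gentoo unit); the -F 2 default follows the 4.1 commit message.
BASE_UNIT = """\
[Unit]
Description=chrony, an NTP client/server

[Service]
Type=forking
ExecStart=/usr/sbin/chronyd -u ntp -F 2
"""

# Drop-in that forgets to clear the list: systemd appends, so the service
# ends up with two ExecStart entries, which it refuses for non-oneshot units.
DROPIN_BROKEN = """\
[Service]
ExecStart=/usr/sbin/chronyd -u ntp -F 1
"""

# Drop-in as shown in comment #9: the empty assignment resets ExecStart,
# so the stricter -F 1 command becomes the only one.
DROPIN_GOOD = """\
[Service]
ExecStart=
ExecStart=/usr/sbin/chronyd -u ntp -F 1
"""


def merge_exec_start(*fragments):
    """Effective ExecStart list after applying unit fragments in order.
    Models systemd's list-setting rule: a bare `ExecStart=` clears it."""
    cmds = []
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, _, value = line.partition("=")
            if section != "Service" or key.strip() != "ExecStart":
                continue
            value = value.strip()
            if value == "":
                cmds.clear()  # empty assignment resets the list
            else:
                cmds.append(value)
    return cmds


def seccomp_level(exec_start_list):
    """-F level of the single effective command, or None when the override
    is malformed (no command, or several where exactly one is expected)."""
    if len(exec_start_list) != 1:
        return None
    m = re.search(r"(?:^|\s)-F\s*(-?\d+)", exec_start_list[0])
    return int(m.group(1)) if m else None
```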
(In reply to Thomas Arnett from comment #7)
> Instead, the
> service should use `EnvironmentFile=/etc/conf.d/chronyd` to read the
> arguments, like www-servers/apache and others.

Setting EnvironmentFile=/etc/conf.d/chronyd is a violation of systemd ebuild policy.

https://wiki.gentoo.org/wiki/Project:Systemd/Ebuild_policy#Unit_file_guidelines

Per my previous comment, using any environment file is unnecessary in the first place.
(In reply to Mike Gilbert from comment #9)
> systemd does in fact allow overriding ExecStart. You need to set it to empty
> first to clear it.

Thanks. I'd suggest clarifying this in the ebuild log, as systemd's error message for multiple ExecStart lines can give the opposite impression if somebody doesn't already know this.
(In reply to Thomas Arnett from comment #11)
> (In reply to Mike Gilbert from comment #9)
> > systemd does in fact allow overriding ExecStart. You need to set it to empty
> > first to clear it.
>
> Thanks. I'd suggest clarifying this in the ebuild log, as systemd's error
> message for multiple ExecStart lines can give the opposite impression if
> somebody doesn't already know this.

This feels a bit out of scope for chrony to me. Maybe suggest it to upstream (systemd) to change the comments?
(In reply to Thomas Groman from comment #5)
> I've been running it with seccomp for a while now and have had no problems.
> Recommend you turn it on for everyone else too.

FWIW, the main issue with doing this in the first place is that my system (and yours) are not the same as everybody else's. But we've got this less restrictive filter on by default now, so I think we're good.