seccomp: allow adjtimex get time operation

thaJeztah · thaJeztah · commit 1746a195e9dc · 2020-08-24T12:16:23.000+02:00
Enabled adjtimex in the default profile without requiring CAP_SYS_TIME privilege.
The kernel will check CAP_SYS_TIME and won't allow setting the time.

Fixes: Getting the system time with ntptime returns an error in an unprivileged
container

To verify, inside a CentOS 7 container:

    yum install -y ntp
    ntptime
    # ntp_gettime() returns code 0 (OK)

    ntpdate -v time.nist.gov
    # ntpdate[84]: Can't adjust the time of day: Operation not permitted

Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
@@ -55,6 +55,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"accept",
 				"accept4",
 				"access",
+				"adjtimex",
 				"alarm",
 				"bind",
 				"brk",
@@ -555,7 +556,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				Names: []string{
 					"settimeofday",
 					"stime",
-					"adjtimex",
 				},
 				Action: specs.ActAllow,
 				Args:   []specs.LinuxSeccompArg{},
