seccomp: allow adjtimex get time operation

thaJeztah · thaJeztah · commit caa461167ca6 · 2020-08-26T14:02:46.000+02:00
Enabled adjtimex in the default profile without requiring CAP_SYS_TIME privilege. The kernel will check CAP_SYS_TIME and won't allow setting the time. Fixes: Getting the system time with ntptime returns an error in an unprivileged container To verify, inside a CentOS 7 container: yum install -y ntp ntptime # ntp_gettime() returns code 0 (OK) ntpdate -v time.nist.gov # ntpdate[84]: Can't adjust the time of day: Operation not permitted Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 1746a19) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
@@ -55,6 +55,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"accept",
 				"accept4",
 				"access",
+				"adjtimex",
 				"alarm",
 				"bind",
 				"brk",
@@ -553,7 +554,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				Names: []string{
 					"settimeofday",
 					"stime",
-					"adjtimex",
 				},
 				Action: specs.ActAllow,
 				Args:   []specs.LinuxSeccompArg{},
