Description
With the recent glibc 2.31 I have the chronyd (containerized) error:
```
strace -f -vv -y chronyd -d
...
fstat(5</run/chrony/chronyd.pid>, {st_dev=makedev(0xfd, 0x2), st_ino=403464, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=0, st_size=0, st_atime=1588773723 /* 2020-05-06T14:02:03.384790676+0000 */, st_atime_nsec=384790676, st_mtime=1588773723 /* 2020-05-06T14:02:03.393790684+0000 */, st_mtime_nsec=393790684, st_ctime=1588773723 /* 2020-05-06T14:02:03.393790684+0000 */, st_ctime_nsec=393790684}) = 0
write(5</run/chrony/chronyd.pid>, "229\n", 4) = 4
close(5</run/chrony/chronyd.pid>) = 0
uname({sysname="Linux", nodename="c719b2c6036a", release="5.5.19-un-def-alt1", version="#1 SMP PREEMPT Fri Apr 24 08:59:34 UTC 2020", machine="x86_64", domainname="(none)"}) = 0
prctl(PR_CAPBSET_READ, CAP_SYS_TIME) = 1
prctl(PR_CAPBSET_READ, CAP_SYS_TIME) = 1
clock_adjtime(CLOCK_REALTIME, 0x7fffa6c9e5e0) = -1 EPERM (Operation not permitted)
write(2</dev/pts/0>, "2020-05-06T14:02:03Z ", 212020-05-06T14:02:03Z ) = 21
write(2</dev/pts/0>, "Fatal error : adjtimex(0x8001) f"..., 64Fatal error : adjtimex(0x8001) failed : Operation not permitted
) = 64
close(4<socket:[785246]>) = 0
exit_group(1) = ?
+++ exited with 1 +++
```
Since https://sourceware.org/git/?p=glibc.git;a=commit;h=c81aa64e81826c308c4ecbd1982fa086ca6e647b glibc changed its implementation from adjtimex to clock_adjtime.
Steps to reproduce the issue:
- glibc 2.31 within container
- run container with `--cap-add CAP_SYS_TIME`
- run `chronyd -d`
Describe the results you received:
Chronyd fails to adjust the time (yes, host's time).
Describe the results you expected:
Chronyd adjusts the time (yes, host's time).
Additional information you deem important (e.g. issue happens only occasionally):
**Output of `docker version`:**
```
$ docker --version
Docker version 19.03.8-ce, build
```
**Output of `docker info`:**
```
Client:
Debug Mode: false
Server:
Containers: 5
Running: 2
Paused: 0
Stopped: 3
Images: 67
Server Version: dev
Storage Driver: overlay2
Backing Filesystem: <unknown>
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: systemd
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d76c121f76a5fc8a462dc64594aea72fe18e1178
runc version: d736ef14f0288d6993a1845745d6756cfc9ddd5a
init version: N/A (expected: fec3683b971d9c3ef73f284f176672c44b448662)
Security Options:
seccomp
Profile: default
Kernel Version: 5.5.19-un-def-alt1
Operating System: ALT 8.2 Server (december)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.77GiB
Name: docker.test
ID: 2YPH:FFJJ:5WV7:OPQE:JF6E:QJQ2:3FMU:7V2Z:6ERA:Z2LS:YZTK:SC66
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: stanislavlevin
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
```
With the custom seccomp profile, I get it.
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index e9f54af4d4..2233a07bb0 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -65,6 +65,8 @@
"chmod",
"chown",
"chown32",
+ "clock_adjtime",
+ "clock_adjtime64",
"clock_getres",
"clock_getres_time64",
"clock_gettime",
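Review bot: The two names added after "chown32" sit next to "chmod" and "chown", which looks like the general allow list, so they would be permitted for every container, while the report above only needed them with --cap-add CAP_SYS_TIME. Either move them into a rule conditioned on CAP_SYS_TIME or state in the commit message why an unconditional allow is acceptable here.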
@@ -813,4 +815,4 @@
"excludes": {}
}
]
-}
\ No newline at end of file
+}
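Review bot: The only change in this hunk is the newline after the final "}", which is unrelated to the syscall additions. Keep it only if it results from regenerating default.json; otherwise drop it or move it to a separate commit so the profile change stays minimal.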
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index 8247ac5a1d..84c005ec2b 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -58,6 +58,8 @@ func DefaultProfile() *types.Seccomp {
"chmod",
"chown",
"chown32",
+ "clock_adjtime",
+ "clock_adjtime64",
"clock_getres",
"clock_getres_time64",
"clock_gettime",
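Review bot: DefaultProfile() repeats the same two entries that were added to default.json, so the two lists are being maintained in parallel. Confirm default.json was regenerated from this Go source rather than edited by hand, and note in the commit message that "clock_adjtime64" is added alongside "clock_adjtime" in the same way "clock_getres_time64" already accompanies "clock_getres".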
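Added example, not part of the original report or of the moby code base: a small checker that evaluates a profile in the `default.json` layout for a given syscall and capability set, showing why `--cap-add CAP_SYS_TIME` alone still ends in `EPERM` for `clock_adjtime` until the two names are added. The sample profile is constructed and cut down, the names `sample_profile` and `verdict` are hypothetical, and argument filters, architectures and kernel-version conditions are ignored.

```python
import json

# The two entries the diff on this page adds to the allow list.
PATCHED_NAMES = ["clock_adjtime", "clock_adjtime64"]


def sample_profile(patched):
    """Constructed, cut-down profile in the default.json layout (not the real file)."""
    general = ["chmod", "chown", "chown32", "clock_getres", "clock_gettime"]
    if patched:
        general += PATCHED_NAMES
    return json.dumps({
        "defaultAction": "SCMP_ACT_ERRNO",
        "syscalls": [
            # Rule without conditions: applies to every container.
            {"names": general, "action": "SCMP_ACT_ALLOW",
             "args": [], "includes": {}, "excludes": {}},
            # Assumed capability-gated rule: applies only if the cap is held.
            {"names": ["settimeofday", "stime", "clock_settime"],
             "action": "SCMP_ACT_ALLOW", "args": [],
             "includes": {"caps": ["CAP_SYS_TIME"]}, "excludes": {}},
        ],
    })


def verdict(profile_json, syscall, caps=()):
    """Return the action the profile yields for `syscall` given the held caps.

    Simplified: rules carrying argument filters are skipped.
    """
    profile = json.loads(profile_json)
    held = set(caps)
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []) or rule.get("args"):
            continue
        need = set((rule.get("includes") or {}).get("caps", []))
        drop = set((rule.get("excludes") or {}).get("caps", []))
        # A rule applies when every "includes" cap is held and no "excludes" cap is.
        if need <= held and not (drop & held):
            return rule["action"]
    return profile["defaultAction"]  # no rule matched: the default action decides


if __name__ == "__main__":
    for patched in (False, True):
        for caps in ((), ("CAP_SYS_TIME",)):
            print(patched, caps, verdict(sample_profile(patched), "clock_adjtime", caps))
```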