Closed
Labels: area/security/seccomp, kind/enhancement
Description
With the recent glibc 2.31 I get this chronyd (containerized) error:
```text
strace -f -vv -y chronyd -d
...
fstat(5</run/chrony/chronyd.pid>, {st_dev=makedev(0xfd, 0x2), st_ino=403464, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=0, st_size=0, st_atime=1588773723 /* 2020-05-06T14:02:03.384790676+0000 */, st_atime_nsec=384790676, st_mtime=1588773723 /* 2020-05-06T14:02:03.393790684+0000 */, st_mtime_nsec=393790684, st_ctime=1588773723 /* 2020-05-06T14:02:03.393790684+0000 */, st_ctime_nsec=393790684}) = 0
write(5</run/chrony/chronyd.pid>, "229\n", 4) = 4
close(5</run/chrony/chronyd.pid>) = 0
uname({sysname="Linux", nodename="c719b2c6036a", release="5.5.19-un-def-alt1", version="#1 SMP PREEMPT Fri Apr 24 08:59:34 UTC 2020", machine="x86_64", domainname="(none)"}) = 0
prctl(PR_CAPBSET_READ, CAP_SYS_TIME) = 1
prctl(PR_CAPBSET_READ, CAP_SYS_TIME) = 1
clock_adjtime(CLOCK_REALTIME, 0x7fffa6c9e5e0) = -1 EPERM (Operation not permitted)
write(2</dev/pts/0>, "2020-05-06T14:02:03Z ", 212020-05-06T14:02:03Z ) = 21
write(2</dev/pts/0>, "Fatal error : adjtimex(0x8001) f"..., 64Fatal error : adjtimex(0x8001) failed : Operation not permitted
) = 64
close(4<socket:[785246]>) = 0
exit_group(1) = ?
+++ exited with 1 +++
```
Since https://sourceware.org/git/?p=glibc.git;a=commit;h=c81aa64e81826c308c4ecbd1982fa086ca6e647b glibc changed its implementation from adjtimex to clock_adjtime.
Steps to reproduce the issue:
- glibc 2.31 within container
- run container with `--cap-add CAP_SYS_TIME`
- run `chronyd -d`
Describe the results you received:
Chronyd fails to adjust the time (yes, host's time).
Describe the results you expected:
Chronyd adjusts the time (yes, host's time).
Additional information you deem important (e.g. issue happens only occasionally):
Output of docker version:
```text
$ docker --version
Docker version 19.03.8-ce, build
```
**Output of `docker info`:**
```text
Client:
 Debug Mode: false

Server:
 Containers: 5
  Running: 2
  Paused: 0
  Stopped: 3
 Images: 67
 Server Version: dev
 Storage Driver: overlay2
  Backing Filesystem: <unknown>
  Supports d_type: true
  Native Overlay Diff: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d76c121f76a5fc8a462dc64594aea72fe18e1178
 runc version: d736ef14f0288d6993a1845745d6756cfc9ddd5a
 init version: N/A (expected: fec3683b971d9c3ef73f284f176672c44b448662)
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.5.19-un-def-alt1
 Operating System: ALT 8.2 Server (december)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.77GiB
 Name: docker.test
 ID: 2YPH:FFJJ:5WV7:OPQE:JF6E:QJQ2:3FMU:7V2Z:6ERA:Z2LS:YZTK:SC66
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: stanislavlevin
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```
With the custom seccomp profile, I get it.
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index e9f54af4d4..2233a07bb0 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -65,6 +65,8 @@
"chmod",
"chown",
"chown32",
+ "clock_adjtime",
+ "clock_adjtime64",
"clock_getres",
"clock_getres_time64",
"clock_gettime",
@@ -813,4 +815,4 @@
"excludes": {}
}
]
-}
\ No newline at end of file
+}
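Review bot: this hunk is a trailing-newline-only change to default.json and is unrelated to the fix. Harmless, but either mention it in the commit message or drop it; if default.json is produced from DefaultProfile() by the package's generator, the generator decides the file's final newline and a hand-edit here will only churn on the next regeneration.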
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index 8247ac5a1d..84c005ec2b 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -58,6 +58,8 @@ func DefaultProfile() *types.Seccomp {
"chmod",
"chown",
"chown32",
+ "clock_adjtime",
+ "clock_adjtime64",
"clock_getres",
"clock_getres_time64",
"clock_gettime",Metadata
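Until a Docker release carries the profile change above, the same edit can be applied to a copy of the daemon's default profile and passed to `docker run --security-opt seccomp=<file>`. The script below is an added example, not code from the moby project or from the reporter: it works on a constructed, heavily truncated stand-in for `profiles/seccomp/default.json` embedded inline (the real file has hundreds of names plus an `archMap`), inserts `clock_adjtime` and `clock_adjtime64` into the unconditional `SCMP_ACT_ALLOW` rule next to the existing `adjtimex` entry, and includes a simplified model of how the daemon filters rules by the container's capabilities so the before/after effect can be checked without starting a container. The capability filtering in `rule_applies` is an assumption about the daemon's behaviour (all `includes.caps` must be held, none of `excludes.caps` may be) and `args` filters are ignored.

```python
"""Patch a copy of Docker's default seccomp profile to allow clock_adjtime.

Added example, not moby code. Usage: python patch_seccomp.py default.json > custom.json
"""
import bisect
import copy
import json
import sys

# Constructed, truncated stand-in for profiles/seccomp/default.json; only the shape matters.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {   # unconditional allowlist: adjtimex is already here, clock_adjtime is not
            "names": ["adjtimex", "chmod", "chown", "chown32",
                      "clock_getres", "clock_getres_time64", "clock_gettime"],
            "action": "SCMP_ACT_ALLOW", "args": [], "comment": "",
            "includes": {}, "excludes": {},
        },
        {   # rule the daemon applies only when the container holds CAP_SYS_TIME
            "names": ["settimeofday", "stime", "clock_settime"],
            "action": "SCMP_ACT_ALLOW", "args": [], "comment": "",
            "includes": {"caps": ["CAP_SYS_TIME"]}, "excludes": {},
        },
    ],
}


def rule_applies(rule, caps):
    """Assumed model of the daemon's capability filter: every cap listed in
    includes.caps must be held by the container and none of excludes.caps may be."""
    caps = set(caps)
    need = set(rule.get("includes", {}).get("caps", []))
    deny = set(rule.get("excludes", {}).get("caps", []))
    return need <= caps and not (deny & caps)


def is_allowed(profile, syscall, caps=()):
    """True if an applicable SCMP_ACT_ALLOW rule names the syscall (args filters ignored),
    otherwise whatever defaultAction says."""
    for rule in profile["syscalls"]:
        if rule["action"] == "SCMP_ACT_ALLOW" and rule_applies(rule, caps):
            if syscall in rule["names"]:
                return True
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


def unconditional_allow_rule(profile):
    """The allowlist entry with no capability conditions, where adjtimex already lives."""
    for rule in profile["syscalls"]:
        if (rule["action"] == "SCMP_ACT_ALLOW"
                and not rule.get("includes") and not rule.get("excludes")):
            return rule
    raise ValueError("profile has no unconditional SCMP_ACT_ALLOW rule")


def add_syscalls(profile, names):
    """Return a deep copy of profile with each name inserted into the unconditional
    allowlist at its alphabetical position (the upstream list is kept sorted);
    names already present are left untouched, so the operation is idempotent."""
    patched = copy.deepcopy(profile)
    rule = unconditional_allow_rule(patched)
    for name in names:
        if name not in rule["names"]:
            bisect.insort(rule["names"], name)
    return patched


def main(argv):
    with open(argv[1]) as f:
        profile = json.load(f)
    patched = add_syscalls(profile, ["clock_adjtime", "clock_adjtime64"])
    json.dump(patched, sys.stdout, indent=2)
    sys.stdout.write("\n")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a copy of the daemon's real `default.json`, then start the container with `--security-opt seccomp=custom.json --cap-add SYS_TIME`; the placement in the unconditional rule mirrors the patch above and relies on the kernel's own CAP_SYS_TIME check inside clock_adjtime for any clock-modifying mode.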