github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

seccomp: allow adjtimex get time operation

Browse Source 
Enabled adjtimex in the default profile without requiring CAP_SYS_TIME privilege.
The kernel will check CAP_SYS_TIME and won't allow setting the time.

Fixes: Getting the system time with ntptime returns an error in an unprivileged
container

To verify, inside a CentOS 7 container:

    yum install -y ntp
    ntptime
    # ntp_gettime() returns code 0 (OK)

    ntpdate -v time.nist.gov
    # ntpdate[84]: Can't adjust the time of day: Operation not permitted

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
2020-08-24 12:09:27 +02:00
parent 7e7545e556
commit 1746a195e9
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
contrib/seccomp/seccomp_default.go
View File

@@ -55,6 +55,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
"accept", "accept",
"accept4", "accept4",
"access", "access",
"adjtimex",
"alarm", "alarm",
"bind", "bind",
"brk", "brk",
@@ -555,7 +556,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
Names: []string{ Names: []string{
"settimeofday", "settimeofday",
"stime", "stime",
"adjtimex",
}, },
Action: specs.ActAllow, Action: specs.ActAllow,
Args: []specs.LinuxSeccompArg{}, Args: []specs.LinuxSeccompArg{},