1772053 – chronyd cannot run with the CAP_SYS_TIME with podman

Bug 1772053 - chronyd cannot run with the CAP_SYS_TIME with podman

Summary: chronyd cannot run with the CAP_SYS_TIME with podman

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	skopeo
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lokesh Mandvekar
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-11-13 14:24 UTC by Lukas Slebodnik
Modified:	2019-11-19 12:24 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2019-11-19 12:24:27 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Lukas Slebodnik 2019-11-13 14:24:35 UTC

Description of problem:
There seems to be some changes in glibc between glibc-2.30.9000-16.fc32 and glibc-2.30.9000-17.fc32 and therefore adding additional capabilities is not enough for running chronyd in container


Version-Release number of selected component (if applicable):
sh$ rpm -q podman containers-common
podman-1.6.2-2.fc31.x86_64
containers-common-0.1.40-3.fc31.x86_64


How reproducible:
Deterministic

Steps to Reproduce:
1. dnf install -y podman
2. cat <<EOF
FROM docker.io/fedora:rawhide
RUN dnf install -y chrony && dnf update -y glibc
EOF
3. podman build -t rawhide_chrony .
4. podman run --cap-add=SYS_TIME -ti --rm localhost/rawhide_chrony /usr/sbin/chronyd
5. echo $?

Actual results:
sh-5.0# podman run --cap-add=SYS_TIME -ti --rm localhost/rawhide_chrony /usr/sbin/chronyd
adjtimex(0x8001) failed : Operation not permitted
sh-5.0# echo $?
1

Expected results:
sh-5.0# podman run --cap-add=SYS_TIME -ti --rm localhost/rawhide_chrony /usr/sbin/chronyd
sh-5.0# echo $?
0

Additional info:

Disabling seccomp helps as well

sh-5.0# podman run --security-opt=seccomp=unconfined --cap-add=SYS_TIME -ti --rm localhost/rawhide_chrony /usr/sbin/chronyd
sh-5.0# echo $?
0

Comment 1 Lukas Slebodnik 2019-11-13 14:26:55 UTC

It should be probably moved to skopeo because the file /usr/share/containers/seccomp.json is owned by that component.

Adding glibc guys to CC

sh-5.0# podman run --cap-add=SYS_TIME -ti --rm localhost/rawhide_chrony /usr/sbin/chronyd
adjtimex(0x8001) failed : Operation not permitted
sh-5.0# echo $?
1
sh-5.0# ausearch -m SECCOMP -i
----
type=SECCOMP msg=audit(11/13/2019 09:24:57.260:702) : auid=root uid=root gid=root ses=4 subj=system_u:system_r:container_t:s0:c27,c599 pid=33840 comm=chronyd exe=/usr/sbin/chronyd sig=SIG0 arch=x86_64 syscall=clock_adjtime compat=0 ip=0x7f49a273bdcb code=errno

Comment 2 Lukas Slebodnik 2019-11-13 14:30:03 UTC

It should be probably fixed also in older distributions because it is triggered by version of glibc in container and not host.

Comment 3 Florian Weimer 2019-11-13 14:32:50 UTC

adjtimex is a legacy system call which is not implemented by all architectures, and there will be no Y2038 variant for 32-bit architectures. That's why we have switched to clock_adjtime in newer glibc versions.

Comment 4 Daniel Walsh 2019-11-16 16:19:25 UTC

It looks like the adjtimex syscall is allowed in Rawhide seccomp.json. Could you check /usr/share/containers/seccomp.json file?

Comment 5 Daniel Walsh 2019-11-16 16:19:45 UTC

This should also be blocked by SELinux.

Comment 6 Lukas Slebodnik 2019-11-18 14:03:21 UTC

(In reply to Daniel Walsh from comment #4)
> It looks like the adjtimex syscall is allowed in Rawhide seccomp.json. Could
> you check /usr/share/containers/seccomp.json file?

It is not about adjtimex but about clock_adjtime

I think it is obvious from the audit message in the comment1

Comment 7 Daniel Walsh 2019-11-19 12:24:27 UTC

Fixed in skopeo-0.1.41-2.dev.git24f4f82.fc32

Note You need to log in before you can comment on or make changes to this bug.