author Vincent Blut <vincent.debian@free.fr> 2019-02-10 19:49:03 +0100
committer Vincent Blut <vincent.debian@free.fr> 2019-02-10 19:49:03 +0100
commit 7febc5d8a61dd3f540797d30264d4f3103728203
tree f23c29e119bb270e1440dde663fcd8d12fe48250
parent 3913626e795ebf147631895a8d6f34dcc287d6a2
d/NEWS: Report that a system call filter is enabled by default
-rw-r--r-- debian/NEWS | 18
1 files changed, 18 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
index 3697436..c25bd51 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,21 @@
+chrony (3.4-2) unstable; urgency=medium
+
+ To reduce the range of operations available to chronyd, and thereby decrease
+ the kernel attack surface, a system call filter is now active by default
+ wherever¹ possible.
+ Please, take into account that this change prevents the use of the
+ “mailonchange” directive in chrony.conf as the chronyd process will not be
+ allowed to fork and execute the sendmail binary. Therefore, it is fundamental
+ to disable the system call filter to continue using this directive!
+
+ To do so, edit the /etc/default/chrony file and substitute the “-F -1”
+ parameter with “-F 0”. Restart chrony afterward.
+
+ ¹Are currently excluded alpha, ia64, m68k, riscv64, sh4 and sparc64
+ architectures due to lack of support in “libseccomp” and/or the Linux kernel.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 10 Feb 2019 18:44:22 +0100
+
chrony (2.2.1-1) unstable; urgency=medium
In chrony versions before 2.2, the 'chrony.keys' file contained a command
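Review bot: the new entry says chronyd "will not be allowed to fork and execute the sendmail binary" when "mailonchange" is kept, but not what an administrator will actually observe (whether chronyd is terminated at that point or the action is only refused and logged), so anyone who did not read this NEWS item has no symptom to match against; suggest adding one sentence describing the visible failure mode, plus a pointer to chronyd(8) for the meaning of the -F levels, since the instruction to replace "-F -1" with "-F 0" says nothing about what the -1 level selects. The footnote also reads awkwardly; consider "The alpha, ia64, m68k, riscv64, sh4 and sparc64 architectures are currently excluded due to lack of support in libseccomp and/or the Linux kernel." and "Note that this change prevents the use of ..." in place of "Please, take into account that ...".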