From 7febc5d8a61dd3f540797d30264d4f3103728203 Mon Sep 17 00:00:00 2001 From: Vincent Blut Date: Sun, 10 Feb 2019 19:49:03 +0100 Subject: d/NEWS: Report that a system call filter is enabled by default --- debian/NEWS | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/debian/NEWS b/debian/NEWS index 3697436..c25bd51 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,21 @@ +chrony (3.4-2) unstable; urgency=medium + + To reduce the range of operations available to chronyd, and thereby decrease + the kernel attack surface, a system call filter is now active by default + wherever¹ possible. + Please, take into account that this change prevents the use of the + “mailonchange” directive in chrony.conf as the chronyd process will not be + allowed to fork and execute the sendmail binary. Therefore, it is fundamental + to disable the system call filter to continue using this directive! + + To do so, edit the /etc/default/chrony file and substitute the “-F -1” + parameter with “-F 0”. Restart chrony afterward. + + ¹Are currently excluded alpha, ia64, m68k, riscv64, sh4 and sparc64 + architectures due to lack of support in “libseccomp” and/or the Linux kernel. + + -- Vincent Blut Sun, 10 Feb 2019 18:44:22 +0100 + chrony (2.2.1-1) unstable; urgency=medium In chrony versions before 2.2, the 'chrony.keys' file contained a command -- cgit v1.2.3
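Review bot: The new debian/NEWS entry tells the administrator to replace "-F -1" with "-F 0" but never says what either value means, so a reader cannot tell that "-F 0" turns the filter off entirely rather than selecting a looser level; add one sentence stating that "-F 0" disables the system call filter, and that doing so gives up the reduced kernel attack surface the first paragraph describes, so the trade-off is explicit for anyone who needs "mailonchange". Two wording problems in the same hunk: "it is fundamental to disable the system call filter" should read "you must disable the system call filter", and the footnote "¹Are currently excluded alpha, ia64, m68k, riscv64, sh4 and sparc64 architectures due to lack of support in “libseccomp” and/or the Linux kernel." is inverted English and should read "¹The alpha, ia64, m68k, riscv64, sh4 and sparc64 architectures are currently excluded due to lack of support in libseccomp and/or the Linux kernel." The footnote marker attached to "wherever¹" also reads better placed after "possible", where the clause it qualifies ends.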