Make use of chrony's seccomp-based sandbox
chronyd has a nifty -F option:
This option configures system call filters loaded by chronyd processes if it was compiled with support for the Linux secure computing (seccomp) facility. Three levels are defined: 0, 1, 2. The filters are disabled at level 0. At levels 1 and 2, chronyd will be killed if it makes a system call which is blocked by the filters. The level can be specified as a negative number to trigger the SIGSYS signal instead of SIGKILL, which can be useful for debugging. The default value is 0.
At level 1, the filters allow only selected system calls that are normally expected to be made by chronyd. Other system calls are blocked. This level is recommended only if it is known to work on the version of the system where chrony is installed. The filters need to allow also system calls made by libraries that chronyd is using (e.g. libc), but different versions or implementations of the libraries might make different system calls. If the filters are missing a system call, chronyd could be killed even in normal operation.
At level 2, the filters block only a small number of specific system calls (e.g. fork and exec). This approach should avoid false positives, but the protection of the system against a compromised chronyd process is much more limited.
The filters cannot be enabled with the mailonchange directive.
It would be nice to enable at least level 2, and if nothing breaks, level 1. I can send an MR if this suggestion is uncontroversial.
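As an added example (not part of the original post, and not chrony's or the distribution's own code), the checks and the unit override one would use to try the suggestion. Assumptions not stated on the page: the service is chronyd.service, the binary lives at /usr/sbin/chronyd, the seccomp feature shows up in the `chronyd -v` banner as +SCFILTER, and the chrony.conf content is a constructed sample. It starts at level 2 and refuses to emit anything when -F cannot be used (no seccomp support, or mailonchange configured, which the man page text above says is incompatible with the filters).

```shell
#!/bin/sh
# Added example for enabling chronyd's seccomp sandbox (-F); not chrony's code.
# Assumptions (not from the page): unit chronyd.service, binary /usr/sbin/chronyd,
# and that a seccomp-capable build advertises +SCFILTER in `chronyd -v`.

# chronyd was built with seccomp filter support if its version banner
# lists the +SCFILTER feature; a build without it prints -SCFILTER.
has_scfilter() {
    # $1: output of `chronyd -v`
    case "$1" in
        *+SCFILTER*) return 0 ;;
        *) return 1 ;;
    esac
}

# -F cannot be enabled together with mailonchange, so look for an active
# (uncommented) mailonchange directive in the configuration text.
uses_mailonchange() {
    # $1: contents of chrony.conf
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*mailonchange[[:space:]]'
}

# Pick a filter level: "" if -F cannot be used, "2" otherwise.
# Start with the permissive level 2; move to level 1 only once 2 has
# run cleanly on this exact chrony/libc combination.
choose_level() {
    # $1: version banner, $2: chrony.conf contents
    if ! has_scfilter "$1"; then echo ""; return; fi
    if uses_mailonchange "$2"; then echo ""; return; fi
    echo 2
}

# Print a systemd drop-in that resets ExecStart and appends -F <level>.
# While testing, pass a negative level (e.g. -1): a blocked system call then
# raises SIGSYS instead of SIGKILL, which leaves a core dump to inspect.
render_dropin() {
    # $1: level
    printf '[Service]\nExecStart=\nExecStart=/usr/sbin/chronyd -F %s\n' "$1"
}

# Constructed sample input standing in for `chronyd -v` and /etc/chrony.conf.
SAMPLE_VERSION='chronyd (chrony) version 4.3 (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)'
SAMPLE_CONF="$(printf 'pool pool.ntp.org iburst\n# mailonchange root 0.5\nmakestep 1.0 3\n')"

main() {
    level="$(choose_level "$SAMPLE_VERSION" "$SAMPLE_CONF")"
    if [ -z "$level" ]; then
        echo "chronyd -F cannot be enabled on this host" >&2
        return 1
    fi
    # Install by writing this to /etc/systemd/system/chronyd.service.d/seccomp.conf,
    # then: systemctl daemon-reload && systemctl restart chronyd
    # and watch `journalctl -u chronyd` for the daemon being killed by the filter.
    render_dropin "$level"
}
main
```

Once level 2 has run for a while without chronyd being killed, change the drop-in to -F 1 and repeat the observation; the man page text above warns that level 1 depends on the system calls the installed libc makes, so a libc update is a reason to re-test.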