update to 4.2-pre1
This commit is contained in:
parent
8ebbcb0ef4
commit
2eeb6969c5
6
.gitignore
vendored
6
.gitignore
vendored
@ -1,3 +1,3 @@
|
||||
/chrony-4.1.tar.gz
|
||||
/chrony-4.1-tar-gz-asc.txt
|
||||
/clknetsim-f89702.tar.gz
|
||||
/chrony-4.2-pre1.tar.gz
|
||||
/chrony-4.2-pre1-tar-gz-asc.txt
|
||||
/clknetsim-470b5e.tar.gz
|
||||
|
@ -1,30 +0,0 @@
|
||||
commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a
|
||||
Author: Miroslav Lichvar <mlichvar@redhat.com>
|
||||
Date: Mon Aug 9 11:48:21 2021 +0200
|
||||
|
||||
sys_linux: allow clone3 and pread64 in seccomp filter
|
||||
|
||||
These seem to be needed with the latest glibc.
|
||||
|
||||
diff --git a/sys_linux.c b/sys_linux.c
|
||||
index 50c08431..2b53f722 100644
|
||||
--- a/sys_linux.c
|
||||
+++ b/sys_linux.c
|
||||
@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
|
||||
|
||||
/* Process */
|
||||
SCMP_SYS(clone),
|
||||
+#ifdef __NR_clone3
|
||||
+ SCMP_SYS(clone3),
|
||||
+#endif
|
||||
SCMP_SYS(exit),
|
||||
SCMP_SYS(exit_group),
|
||||
SCMP_SYS(getpid),
|
||||
@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
|
||||
#ifdef __NR_ppoll_time64
|
||||
SCMP_SYS(ppoll_time64),
|
||||
#endif
|
||||
+ SCMP_SYS(pread64),
|
||||
SCMP_SYS(pselect6),
|
||||
#ifdef __NR_pselect6_time64
|
||||
SCMP_SYS(pselect6_time64),
|
@ -1,151 +0,0 @@
|
||||
commit 83f96efdfd2d42a8de51ac3b05120acf5292bb00
|
||||
Author: Miroslav Lichvar <mlichvar@redhat.com>
|
||||
Date: Wed Sep 29 15:25:48 2021 +0200
|
||||
|
||||
examples: harden systemd services
|
||||
|
||||
Add various settings to the example chronyd and chrony-wait services to
|
||||
decrease the exposure reported by the "systemd-analyze security"
|
||||
command. The original exposure was high as the analyzer does not check
|
||||
the actual process (e.g. that it dropped the root privileges or that it
|
||||
has its own seccomp filter).
|
||||
|
||||
Limit read-write access to /run, /var/lib/chrony, and /var/spool.
|
||||
Access to /run (instead of /run/chrony) is needed for the refclock
|
||||
socket expected by gpsd.
|
||||
|
||||
The mailonchange directive is most likely to break as it executes
|
||||
/usr/sbin/sendmail, which can do unexpected operations depending on the
|
||||
implementation. It should work with a setuid/setgid binary, but it is
|
||||
not expected to write outside of /var/spool and the private /tmp.
|
||||
|
||||
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
|
||||
index b3aa7aa2..72b028f2 100644
|
||||
--- a/examples/chrony-wait.service
|
||||
+++ b/examples/chrony-wait.service
|
||||
@@ -16,5 +16,32 @@ TimeoutStartSec=180
|
||||
RemainAfterExit=yes
|
||||
StandardOutput=null
|
||||
|
||||
+CapabilityBoundingSet=
|
||||
+DevicePolicy=closed
|
||||
+DynamicUser=yes
|
||||
+IPAddressAllow=localhost
|
||||
+IPAddressDeny=any
|
||||
+LockPersonality=yes
|
||||
+MemoryDenyWriteExecute=yes
|
||||
+PrivateDevices=yes
|
||||
+PrivateUsers=yes
|
||||
+ProcSubset=pid
|
||||
+ProtectClock=yes
|
||||
+ProtectControlGroups=yes
|
||||
+ProtectHome=yes
|
||||
+ProtectHostname=yes
|
||||
+ProtectKernelLogs=yes
|
||||
+ProtectKernelModules=yes
|
||||
+ProtectKernelTunables=yes
|
||||
+ProtectProc=invisible
|
||||
+ProtectSystem=strict
|
||||
+RestrictAddressFamilies=AF_INET AF_INET6
|
||||
+RestrictNamespaces=yes
|
||||
+RestrictRealtime=yes
|
||||
+SystemCallArchitectures=native
|
||||
+SystemCallFilter=@system-service
|
||||
+SystemCallFilter=~@privileged @resources
|
||||
+UMask=0777
|
||||
+
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
diff --git a/examples/chronyd.service b/examples/chronyd.service
|
||||
index 289548cb..2cac6026 100644
|
||||
--- a/examples/chronyd.service
|
||||
+++ b/examples/chronyd.service
|
||||
@@ -10,9 +10,40 @@ Type=forking
|
||||
PIDFile=/run/chrony/chronyd.pid
|
||||
EnvironmentFile=-/etc/sysconfig/chronyd
|
||||
ExecStart=/usr/sbin/chronyd $OPTIONS
|
||||
+
|
||||
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
|
||||
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
|
||||
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
|
||||
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
|
||||
+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
|
||||
+DeviceAllow=char-pps rw
|
||||
+DeviceAllow=char-ptp rw
|
||||
+DeviceAllow=char-rtc rw
|
||||
+DevicePolicy=closed
|
||||
+LockPersonality=yes
|
||||
+MemoryDenyWriteExecute=yes
|
||||
+NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
+ProcSubset=pid
|
||||
+ProtectControlGroups=yes
|
||||
ProtectHome=yes
|
||||
-ProtectSystem=full
|
||||
+ProtectHostname=yes
|
||||
+ProtectKernelLogs=yes
|
||||
+ProtectKernelModules=yes
|
||||
+ProtectKernelTunables=yes
|
||||
+ProtectProc=invisible
|
||||
+ProtectSystem=strict
|
||||
+ReadWritePaths=/run /var/lib/chrony
|
||||
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
+RestrictNamespaces=yes
|
||||
+RestrictSUIDSGID=yes
|
||||
+SystemCallArchitectures=native
|
||||
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
|
||||
+
|
||||
+# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
|
||||
+NoNewPrivileges=no
|
||||
+ReadWritePaths=/var/spool
|
||||
+RestrictAddressFamilies=AF_NETLINK
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
Avoid a SELinux issue
|
||||
|
||||
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
|
||||
index 72b028f2..57646950 100644
|
||||
--- a/examples/chrony-wait.service
|
||||
+++ b/examples/chrony-wait.service
|
||||
@@ -18,7 +18,7 @@ StandardOutput=null
|
||||
|
||||
CapabilityBoundingSet=
|
||||
DevicePolicy=closed
|
||||
-DynamicUser=yes
|
||||
+#DynamicUser=yes
|
||||
IPAddressAllow=localhost
|
||||
IPAddressDeny=any
|
||||
LockPersonality=yes
|
||||
commit 76a905d652cafccfac1023f74d12ffa7facc4832
|
||||
Author: Miroslav Lichvar <mlichvar@redhat.com>
|
||||
Date: Mon Oct 4 10:54:40 2021 +0200
|
||||
|
||||
examples: improve chronyd service
|
||||
|
||||
Allow writing logfiles (enabled by logdir or -l option) to /var/log and
|
||||
don't require /var/spool to exist.
|
||||
|
||||
diff --git a/examples/chronyd.service b/examples/chronyd.service
|
||||
index 2cac6026..4fb930ef 100644
|
||||
--- a/examples/chronyd.service
|
||||
+++ b/examples/chronyd.service
|
||||
@@ -33,7 +33,7 @@ ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectProc=invisible
|
||||
ProtectSystem=strict
|
||||
-ReadWritePaths=/run /var/lib/chrony
|
||||
+ReadWritePaths=/run /var/lib/chrony -/var/log
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
RestrictNamespaces=yes
|
||||
RestrictSUIDSGID=yes
|
||||
@@ -42,7 +42,7 @@ SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot
|
||||
|
||||
# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
|
||||
NoNewPrivileges=no
|
||||
-ReadWritePaths=/var/spool
|
||||
+ReadWritePaths=-/var/spool
|
||||
RestrictAddressFamilies=AF_NETLINK
|
||||
|
||||
[Install]
|
13
chrony.spec
13
chrony.spec
@ -1,5 +1,6 @@
|
||||
%global _hardened_build 1
|
||||
%global clknetsim_ver f89702
|
||||
%global prerelease -pre1
|
||||
%global clknetsim_ver 470b5e
|
||||
%bcond_without debug
|
||||
%bcond_without nts
|
||||
|
||||
@ -8,7 +9,7 @@
|
||||
%endif
|
||||
|
||||
Name: chrony
|
||||
Version: 4.1
|
||||
Version: 4.2
|
||||
Release: 5%{?dist}
|
||||
Summary: An NTP client/server
|
||||
|
||||
@ -24,10 +25,6 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
|
||||
|
||||
# add distribution-specific bits to DHCP dispatcher
|
||||
Patch1: chrony-nm-dispatcher-dhcp.patch
|
||||
# update seccomp filter for new glibc
|
||||
Patch2: chrony-seccomp.patch
|
||||
# harden chronyd and chrony-wait services
|
||||
Patch3: chrony-services.patch
|
||||
|
||||
BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
|
||||
BuildRequires: gcc gcc-c++ make bison systemd gnupg2
|
||||
@ -59,14 +56,12 @@ service to other computers in the network.
|
||||
%setup -q -n %{name}-%{version}%{?prerelease} -a 10
|
||||
%{?gitpatch:%patch0 -p1}
|
||||
%patch1 -p1 -b .nm-dispatcher-dhcp
|
||||
%patch2 -p1 -b .seccomp
|
||||
%patch3 -p1 -b .services
|
||||
|
||||
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
|
||||
|
||||
# review changes in packaged configuration files and scripts
|
||||
md5sum -c <<-EOF | (! grep -v 'OK$')
|
||||
222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service
|
||||
b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service
|
||||
2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2
|
||||
96999221eeef476bd49fe97b97503126 examples/chrony.keys.example
|
||||
6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate
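Review bot: `Release: 5%{?dist}` is left as unchanged context in the `Version: 4.2` hunk while `%global prerelease -pre1` marks the tarball as a pre-release, so the built package carries EVR 4.2-5 and the eventual 4.2 final can only supersede it with a Release above 5. The usual Fedora form for this is to reset the line to `Release: 0.1.pre1%{?dist}` and bump the `0.N` part on later pre-release builds; the tilde form `Version: 4.2~pre1` would also order correctly but would break the `%setup -q -n %{name}-%{version}%{?prerelease}` directory name further down. The 13-line diffstat shown for chrony.spec appears to be fully accounted for by the visible hunks, which leaves no `%changelog` entry for this rebase either, a packaging defect unless the spec relies on rpmautospec (not visible here). The md5sum heredoc in the last hunk continues past the hunk's end, so the remaining checked files cannot be reviewed from this page.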
|
||||
|
6
sources
6
sources
@ -1,3 +1,3 @@
|
||||
SHA512 (chrony-4.1.tar.gz) = 5e283d6a56e6852606c681a7c29c5786b102d584178cbd7033ebbc95a8e95533605631363b850a3087cca438a5878db7a317f120aab2fd856487d02fccfbcb1f
|
||||
SHA512 (chrony-4.1-tar-gz-asc.txt) = 82faf9171d782c18224d2d44b340994b0ddab141e88cc803dea83d0ffbb6468bc51e8b11c8dd9bd327220cae04f7d789b58ab23141a2bdf038ce628f9adeb57a
|
||||
SHA512 (clknetsim-f89702.tar.gz) = d88d37472b99e4cc044b6c864dfcf5ebb06ef9e2e009ebce06defa07cd46961220707a69c6ec93e35623403a5b4e0683b78b388bf95bfff470fa771d69579c65
|
||||
SHA512 (chrony-4.2-pre1.tar.gz) = 19ec6a8d66415e0c64450dcc7ea268c47db8e256d24894072a4f4c1d23803089e911c0c05ba33e4ffcb106835eac0e473e8de356ee228d480bacd6a1d217ffb2
|
||||
SHA512 (chrony-4.2-pre1-tar-gz-asc.txt) = 57a65666df1f090dba674ff47364d192f18bb2f7776ee9a26b6c60fc0aed045112f171b09c3b36e1f1b61b1f620c41ddcc687d1eaef64c10b8b4b923ba5cf9bf
|
||||
SHA512 (clknetsim-470b5e.tar.gz) = 5245414a0e2371ef22725b0cf8cf4b1f033ba9e5493a4a48ffb26e2cac6bb1975583216beb9c0800664159c52e632018ea93d36477dd520f164a55db44e89413
|
||||
|