From 2eeb6969c51c44cdadf53989aadbd523c3727b2a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 2 Dec 2021 13:14:09 +0100 Subject: [PATCH] update to 4.2-pre1 --- .gitignore | 6 +- chrony-seccomp.patch | 30 --------- chrony-services.patch | 151 ------------------------------------------ chrony.spec | 13 ++-- sources | 6 +- 5 files changed, 10 insertions(+), 196 deletions(-) delete mode 100644 chrony-seccomp.patch delete mode 100644 chrony-services.patch diff --git a/.gitignore b/.gitignore index 76dba0d..f18ac28 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.1.tar.gz -/chrony-4.1-tar-gz-asc.txt -/clknetsim-f89702.tar.gz +/chrony-4.2-pre1.tar.gz +/chrony-4.2-pre1-tar-gz-asc.txt +/clknetsim-470b5e.tar.gz diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch deleted file mode 100644 index 1cc432d..0000000 --- a/chrony-seccomp.patch +++ /dev/null @@ -1,30 +0,0 @@ -commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a -Author: Miroslav Lichvar -Date: Mon Aug 9 11:48:21 2021 +0200 - - sys_linux: allow clone3 and pread64 in seccomp filter - - These seem to be needed with the latest glibc. - -diff --git a/sys_linux.c b/sys_linux.c -index 50c08431..2b53f722 100644 ---- a/sys_linux.c -+++ b/sys_linux.c -@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) - - /* Process */ - SCMP_SYS(clone), -+#ifdef __NR_clone3 -+ SCMP_SYS(clone3), -+#endif - SCMP_SYS(exit), - SCMP_SYS(exit_group), - SCMP_SYS(getpid), -@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) - #ifdef __NR_ppoll_time64 - SCMP_SYS(ppoll_time64), - #endif -+ SCMP_SYS(pread64), - SCMP_SYS(pselect6), - #ifdef __NR_pselect6_time64 - SCMP_SYS(pselect6_time64), diff --git a/chrony-services.patch b/chrony-services.patch deleted file mode 100644 index 34aa909..0000000 --- a/chrony-services.patch +++ /dev/null @@ -1,151 +0,0 @@ -commit 83f96efdfd2d42a8de51ac3b05120acf5292bb00 -Author: Miroslav Lichvar -Date: Wed Sep 29 15:25:48 2021 +0200 - - examples: harden systemd services - - Add various settings to the example chronyd and chrony-wait services to - decrease the exposure reported by the "systemd-analyze security" - command. The original exposure was high as the analyzer does not check - the actual process (e.g. that it dropped the root privileges or that it - has its own seccomp filter). - - Limit read-write access to /run, /var/lib/chrony, and /var/spool. - Access to /run (instead of /run/chrony) is needed for the refclock - socket expected by gpsd. - - The mailonchange directive is most likely to break as it executes - /usr/sbin/sendmail, which can do unexpected operations depending on the - implementation. It should work with a setuid/setgid binary, but it is - not expected to write outside of /var/spool and the private /tmp. - -diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service -index b3aa7aa2..72b028f2 100644 ---- a/examples/chrony-wait.service -+++ b/examples/chrony-wait.service -@@ -16,5 +16,32 @@ TimeoutStartSec=180 - RemainAfterExit=yes - StandardOutput=null - -+CapabilityBoundingSet= -+DevicePolicy=closed -+DynamicUser=yes -+IPAddressAllow=localhost -+IPAddressDeny=any -+LockPersonality=yes -+MemoryDenyWriteExecute=yes -+PrivateDevices=yes -+PrivateUsers=yes -+ProcSubset=pid -+ProtectClock=yes -+ProtectControlGroups=yes -+ProtectHome=yes -+ProtectHostname=yes -+ProtectKernelLogs=yes -+ProtectKernelModules=yes -+ProtectKernelTunables=yes -+ProtectProc=invisible -+ProtectSystem=strict -+RestrictAddressFamilies=AF_INET AF_INET6 -+RestrictNamespaces=yes -+RestrictRealtime=yes -+SystemCallArchitectures=native -+SystemCallFilter=@system-service -+SystemCallFilter=~@privileged @resources -+UMask=0777 -+ - [Install] - WantedBy=multi-user.target -diff --git a/examples/chronyd.service b/examples/chronyd.service -index 289548cb..2cac6026 100644 ---- a/examples/chronyd.service -+++ b/examples/chronyd.service -@@ -10,9 +10,40 @@ Type=forking - PIDFile=/run/chrony/chronyd.pid - EnvironmentFile=-/etc/sysconfig/chronyd - ExecStart=/usr/sbin/chronyd $OPTIONS -+ -+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE -+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN -+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT -+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM -+DeviceAllow=char-pps rw -+DeviceAllow=char-ptp rw -+DeviceAllow=char-rtc rw -+DevicePolicy=closed -+LockPersonality=yes -+MemoryDenyWriteExecute=yes -+NoNewPrivileges=yes - PrivateTmp=yes -+ProcSubset=pid -+ProtectControlGroups=yes - ProtectHome=yes --ProtectSystem=full -+ProtectHostname=yes -+ProtectKernelLogs=yes -+ProtectKernelModules=yes -+ProtectKernelTunables=yes -+ProtectProc=invisible -+ProtectSystem=strict -+ReadWritePaths=/run /var/lib/chrony -+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -+RestrictNamespaces=yes -+RestrictSUIDSGID=yes -+SystemCallArchitectures=native -+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap -+ -+# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) -+NoNewPrivileges=no -+ReadWritePaths=/var/spool -+RestrictAddressFamilies=AF_NETLINK - - [Install] - WantedBy=multi-user.target - -Avoid a SELinux issue - -diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service -index 72b028f2..57646950 100644 ---- a/examples/chrony-wait.service -+++ b/examples/chrony-wait.service -@@ -18,7 +18,7 @@ StandardOutput=null - - CapabilityBoundingSet= - DevicePolicy=closed --DynamicUser=yes -+#DynamicUser=yes - IPAddressAllow=localhost - IPAddressDeny=any - LockPersonality=yes -commit 76a905d652cafccfac1023f74d12ffa7facc4832 -Author: Miroslav Lichvar -Date: Mon Oct 4 10:54:40 2021 +0200 - - examples: improve chronyd service - - Allow writing logfiles (enabled by logdir or -l option) to /var/log and - don't require /var/spool to exist. - -diff --git a/examples/chronyd.service b/examples/chronyd.service -index 2cac6026..4fb930ef 100644 ---- a/examples/chronyd.service -+++ b/examples/chronyd.service -@@ -33,7 +33,7 @@ ProtectKernelModules=yes - ProtectKernelTunables=yes - ProtectProc=invisible - ProtectSystem=strict --ReadWritePaths=/run /var/lib/chrony -+ReadWritePaths=/run /var/lib/chrony -/var/log - RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX - RestrictNamespaces=yes - RestrictSUIDSGID=yes -@@ -42,7 +42,7 @@ SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot - - # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) - NoNewPrivileges=no --ReadWritePaths=/var/spool -+ReadWritePaths=-/var/spool - RestrictAddressFamilies=AF_NETLINK - - [Install] diff --git a/chrony.spec b/chrony.spec index 5a2d960..3955aa1 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver f89702 +%global prerelease -pre1 +%global clknetsim_ver 470b5e %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.1 +Version: 4.2 Release: 5%{?dist} Summary: An NTP client/server @@ -24,10 +25,6 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# update seccomp filter for new glibc -Patch2: chrony-seccomp.patch -# harden chronyd and chrony-wait services -Patch3: chrony-services.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -59,14 +56,12 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp -%patch2 -p1 -b .seccomp -%patch3 -p1 -b .services %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') - 222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service + b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate diff --git a/sources b/sources index 14c91b8..03b8ca6 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.1.tar.gz) = 5e283d6a56e6852606c681a7c29c5786b102d584178cbd7033ebbc95a8e95533605631363b850a3087cca438a5878db7a317f120aab2fd856487d02fccfbcb1f -SHA512 (chrony-4.1-tar-gz-asc.txt) = 82faf9171d782c18224d2d44b340994b0ddab141e88cc803dea83d0ffbb6468bc51e8b11c8dd9bd327220cae04f7d789b58ab23141a2bdf038ce628f9adeb57a -SHA512 (clknetsim-f89702.tar.gz) = d88d37472b99e4cc044b6c864dfcf5ebb06ef9e2e009ebce06defa07cd46961220707a69c6ec93e35623403a5b4e0683b78b388bf95bfff470fa771d69579c65 +SHA512 (chrony-4.2-pre1.tar.gz) = 19ec6a8d66415e0c64450dcc7ea268c47db8e256d24894072a4f4c1d23803089e911c0c05ba33e4ffcb106835eac0e473e8de356ee228d480bacd6a1d217ffb2 +SHA512 (chrony-4.2-pre1-tar-gz-asc.txt) = 57a65666df1f090dba674ff47364d192f18bb2f7776ee9a26b6c60fc0aed045112f171b09c3b36e1f1b61b1f620c41ddcc687d1eaef64c10b8b4b923ba5cf9bf +SHA512 (clknetsim-470b5e.tar.gz) = 5245414a0e2371ef22725b0cf8cf4b1f033ba9e5493a4a48ffb26e2cac6bb1975583216beb9c0800664159c52e632018ea93d36477dd520f164a55db44e89413