rpms/chrony
5
0
Fork 0
Code Issues Pull Requests Releases Activity

update to 4.2-pre1

Browse Source
This commit is contained in:
Miroslav Lichvar 2021-12-02 13:14:09 +01:00
parent 8ebbcb0ef4
commit 2eeb6969c5
5 changed files with 10 additions and 196 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitignore vendored
View File

@ -1,3 +1,3 @@
/chrony-4.1.tar.gz /chrony-4.2-pre1.tar.gz
/chrony-4.1-tar-gz-asc.txt /chrony-4.2-pre1-tar-gz-asc.txt
/clknetsim-f89702.tar.gz /clknetsim-470b5e.tar.gz

30
chrony-seccomp.patch
View File

@ -1,30 +0,0 @@
commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon Aug 9 11:48:21 2021 +0200
sys_linux: allow clone3 and pread64 in seccomp filter
These seem to be needed with the latest glibc.
diff --git a/sys_linux.c b/sys_linux.c
index 50c08431..2b53f722 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
/* Process */
SCMP_SYS(clone),
+#ifdef __NR_clone3
+ SCMP_SYS(clone3),
+#endif
SCMP_SYS(exit),
SCMP_SYS(exit_group),
SCMP_SYS(getpid),
@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
#ifdef __NR_ppoll_time64
SCMP_SYS(ppoll_time64),
#endif
+ SCMP_SYS(pread64),
SCMP_SYS(pselect6),
#ifdef __NR_pselect6_time64
SCMP_SYS(pselect6_time64),

151
chrony-services.patch
View File

@ -1,151 +0,0 @@
commit 83f96efdfd2d42a8de51ac3b05120acf5292bb00
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed Sep 29 15:25:48 2021 +0200
examples: harden systemd services
Add various settings to the example chronyd and chrony-wait services to
decrease the exposure reported by the "systemd-analyze security"
command. The original exposure was high as the analyzer does not check
the actual process (e.g. that it dropped the root privileges or that it
has its own seccomp filter).
Limit read-write access to /run, /var/lib/chrony, and /var/spool.
Access to /run (instead of /run/chrony) is needed for the refclock
socket expected by gpsd.
The mailonchange directive is most likely to break as it executes
/usr/sbin/sendmail, which can do unexpected operations depending on the
implementation. It should work with a setuid/setgid binary, but it is
not expected to write outside of /var/spool and the private /tmp.
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
index b3aa7aa2..72b028f2 100644
--- a/examples/chrony-wait.service
+++ b/examples/chrony-wait.service
@@ -16,5 +16,32 @@ TimeoutStartSec=180
RemainAfterExit=yes
StandardOutput=null
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0777
+
[Install]
WantedBy=multi-user.target
diff --git a/examples/chronyd.service b/examples/chronyd.service
index 289548cb..2cac6026 100644
--- a/examples/chronyd.service
+++ b/examples/chronyd.service
@@ -10,9 +10,40 @@ Type=forking
PIDFile=/run/chrony/chronyd.pid
EnvironmentFile=-/etc/sysconfig/chronyd
ExecStart=/usr/sbin/chronyd $OPTIONS
+
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DeviceAllow=char-pps rw
+DeviceAllow=char-ptp rw
+DeviceAllow=char-rtc rw
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateTmp=yes
+ProcSubset=pid
+ProtectControlGroups=yes
ProtectHome=yes
-ProtectSystem=full
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run /var/lib/chrony
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
+
+# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
+NoNewPrivileges=no
+ReadWritePaths=/var/spool
+RestrictAddressFamilies=AF_NETLINK
[Install]
WantedBy=multi-user.target
Avoid a SELinux issue
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
index 72b028f2..57646950 100644
--- a/examples/chrony-wait.service
+++ b/examples/chrony-wait.service
@@ -18,7 +18,7 @@ StandardOutput=null
CapabilityBoundingSet=
DevicePolicy=closed
-DynamicUser=yes
+#DynamicUser=yes
IPAddressAllow=localhost
IPAddressDeny=any
LockPersonality=yes
commit 76a905d652cafccfac1023f74d12ffa7facc4832
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon Oct 4 10:54:40 2021 +0200
examples: improve chronyd service
Allow writing logfiles (enabled by logdir or -l option) to /var/log and
don't require /var/spool to exist.
diff --git a/examples/chronyd.service b/examples/chronyd.service
index 2cac6026..4fb930ef 100644
--- a/examples/chronyd.service
+++ b/examples/chronyd.service
@@ -33,7 +33,7 @@ ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
-ReadWritePaths=/run /var/lib/chrony
+ReadWritePaths=/run /var/lib/chrony -/var/log
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictSUIDSGID=yes
@@ -42,7 +42,7 @@ SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot
# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
NoNewPrivileges=no
-ReadWritePaths=/var/spool
+ReadWritePaths=-/var/spool
RestrictAddressFamilies=AF_NETLINK
[Install]

13
chrony.spec
View File

@ -1,5 +1,6 @@
%global _hardened_build 1 %global _hardened_build 1
%global clknetsim_ver f89702 %global prerelease -pre1
%global clknetsim_ver 470b5e
%bcond_without debug %bcond_without debug
%bcond_without nts %bcond_without nts
@ -8,7 +9,7 @@
%endif %endif
Name: chrony Name: chrony
Version: 4.1 Version: 4.2
Release: 5%{?dist} Release: 5%{?dist}
Summary: An NTP client/server Summary: An NTP client/server
@ -24,10 +25,6 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
# add distribution-specific bits to DHCP dispatcher # add distribution-specific bits to DHCP dispatcher
Patch1: chrony-nm-dispatcher-dhcp.patch Patch1: chrony-nm-dispatcher-dhcp.patch
# update seccomp filter for new glibc
Patch2: chrony-seccomp.patch
# harden chronyd and chrony-wait services
Patch3: chrony-services.patch
BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
BuildRequires: gcc gcc-c++ make bison systemd gnupg2 BuildRequires: gcc gcc-c++ make bison systemd gnupg2
@ -59,14 +56,12 @@ service to other computers in the network.
%setup -q -n %{name}-%{version}%{?prerelease} -a 10 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
%{?gitpatch:%patch0 -p1} %{?gitpatch:%patch0 -p1}
%patch1 -p1 -b .nm-dispatcher-dhcp %patch1 -p1 -b .nm-dispatcher-dhcp
%patch2 -p1 -b .seccomp
%patch3 -p1 -b .services
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt} %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
# review changes in packaged configuration files and scripts # review changes in packaged configuration files and scripts
md5sum -c <<-EOF | (! grep -v 'OK$') md5sum -c <<-EOF | (! grep -v 'OK$')
222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service
2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2
96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example
6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate

6
sources
View File

@ -1,3 +1,3 @@
SHA512 (chrony-4.1.tar.gz) = 5e283d6a56e6852606c681a7c29c5786b102d584178cbd7033ebbc95a8e95533605631363b850a3087cca438a5878db7a317f120aab2fd856487d02fccfbcb1f SHA512 (chrony-4.2-pre1.tar.gz) = 19ec6a8d66415e0c64450dcc7ea268c47db8e256d24894072a4f4c1d23803089e911c0c05ba33e4ffcb106835eac0e473e8de356ee228d480bacd6a1d217ffb2
SHA512 (chrony-4.1-tar-gz-asc.txt) = 82faf9171d782c18224d2d44b340994b0ddab141e88cc803dea83d0ffbb6468bc51e8b11c8dd9bd327220cae04f7d789b58ab23141a2bdf038ce628f9adeb57a SHA512 (chrony-4.2-pre1-tar-gz-asc.txt) = 57a65666df1f090dba674ff47364d192f18bb2f7776ee9a26b6c60fc0aed045112f171b09c3b36e1f1b61b1f620c41ddcc687d1eaef64c10b8b4b923ba5cf9bf
SHA512 (clknetsim-f89702.tar.gz) = d88d37472b99e4cc044b6c864dfcf5ebb06ef9e2e009ebce06defa07cd46961220707a69c6ec93e35623403a5b4e0683b78b388bf95bfff470fa771d69579c65 SHA512 (clknetsim-470b5e.tar.gz) = 5245414a0e2371ef22725b0cf8cf4b1f033ba9e5493a4a48ffb26e2cac6bb1975583216beb9c0800664159c52e632018ea93d36477dd520f164a55db44e89413