From 3ad37b28f0ac3318073c732c1fc999234c76f669 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 13 Mar 2017 13:59:58 +0100
Subject: [PATCH] fix seccomp filter for new glibc
---
 chrony-seccomp.patch | 26 ++++++++++++++++++++++++++
 chrony.spec | 3 +++
 2 files changed, 29 insertions(+)
 create mode 100644 chrony-seccomp.patch
diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch
new file mode 100644
index 0000000..0e21625
--- /dev/null
+++ b/chrony-seccomp.patch
@@ -0,0 +1,26 @@
+commit 768bce799bfe009e7dbaad5742738f7d05280d6d
+Author: Miroslav Lichvar
+Date: Mon Mar 13 14:26:12 2017 +0100
+
+ sys_linux: allow getpid in seccomp filter
+
+ It seems to be used by syslog() in latest glibc.
+
+diff --git a/sys_linux.c b/sys_linux.c
+index 3dd411f..c06112a 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -467,9 +467,10 @@ SYS_Linux_EnableSystemCallFilter(int level)
+ SCMP_SYS(adjtimex), SCMP_SYS(clock_gettime), SCMP_SYS(gettimeofday),
+ SCMP_SYS(settimeofday), SCMP_SYS(time),
+ /* Process */
+- SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getrlimit),
+- SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
+- SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn), SCMP_SYS(wait4),
++ SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid),
++ SCMP_SYS(getrlimit), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),
++ SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn),
++ SCMP_SYS(wait4),
+ /* Memory */
+ SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),
+ SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
diff --git a/chrony.spec b/chrony.spec
index b3d4e8c..eb1c6eb 100644
--- a/chrony.spec
+++ b/chrony.spec
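Review bot: In the embedded sys_linux.c hunk, `SCMP_SYS(getpid)` joins the Process group of the seccomp allowlist with no comment in the code, and the only rationale is the commit message, which itself hedges ("It seems to be used by syslog()"). Allowlist entries get audited against the source later, so I would record the reason next to the entry, e.g. `/* getpid: needed by syslog() in recent glibc */` on the line above it. getpid takes no arguments and returns only the caller's own PID, so the widening itself looks low-risk. Because this class of failure only appears when libc changes which syscalls it issues, it would be worth confirming that the logging path is exercised with the filter enabled in the package's tests. The body of SYS_Linux_EnableSystemCallFilter starts and ends outside the hunk, so the filter's default action on a denied call is not visible here.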
@@ -21,6 +21,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
 # add NTP servers from DHCP when starting service
 Patch1: chrony-service-helper.patch
+# fix seccomp filter for new glibc
+Patch2: chrony-seccomp.patch
 BuildRequires: libcap-devel libedit-devel nss-devel pps-tools-devel
 %ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x
@@ -58,6 +60,7 @@ clocks, system real-time clock or manual input as time references.
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .service-helper
+%patch2 -p1 -b .seccomp
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}