update to 4.2 (#2051441)

Resolves: #2051441
This commit is contained in:
Miroslav Lichvar 2022-03-21 17:17:53 +01:00
parent 0dfb022f40
commit 3df34ef6f4
5 changed files with 75 additions and 33 deletions

6
.gitignore vendored
View File

@ -1,3 +1,3 @@
/chrony-4.1.tar.gz /chrony-4.2.tar.gz
/chrony-4.1-tar-gz-asc.txt /chrony-4.2-tar-gz-asc.txt
/clknetsim-f89702.tar.gz /clknetsim-824c48.tar.gz

View File

@ -1,30 +1,31 @@
commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d
Author: Miroslav Lichvar <mlichvar@redhat.com> Author: Michael Hudson-Doyle <michael.hudson@canonical.com>
Date: Mon Aug 9 11:48:21 2021 +0200 Date: Wed Feb 9 09:06:13 2022 +0100
sys_linux: allow clone3 and pread64 in seccomp filter sys_linux: allow rseq in seccomp filter
These seem to be needed with the latest glibc. Libc 2.35 will use rseq syscalls [1][2] by default and thereby
break chrony in seccomp isolation.
[1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
[2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Michael Hudson-Doyle <michael.hudson@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
diff --git a/sys_linux.c b/sys_linux.c diff --git a/sys_linux.c b/sys_linux.c
index 50c08431..2b53f722 100644 index 9cab2efa..cc3c9311 100644
--- a/sys_linux.c --- a/sys_linux.c
+++ b/sys_linux.c +++ b/sys_linux.c
@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) @@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
SCMP_SYS(getrlimit),
/* Process */ SCMP_SYS(getuid),
SCMP_SYS(clone), SCMP_SYS(getuid32),
+#ifdef __NR_clone3 +#ifdef __NR_rseq
+ SCMP_SYS(clone3), + SCMP_SYS(rseq),
+#endif +#endif
SCMP_SYS(exit), SCMP_SYS(rt_sigaction),
SCMP_SYS(exit_group), SCMP_SYS(rt_sigreturn),
SCMP_SYS(getpid), SCMP_SYS(rt_sigprocmask),
@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
#ifdef __NR_ppoll_time64
SCMP_SYS(ppoll_time64),
#endif
+ SCMP_SYS(pread64),
SCMP_SYS(pselect6),
#ifdef __NR_pselect6_time64
SCMP_SYS(pselect6_time64),

38
chrony-services.patch Normal file
View File

@ -0,0 +1,38 @@
diff -up chrony-4.2/examples/chronyd.service.services chrony-4.2/examples/chronyd.service
--- chrony-4.2/examples/chronyd.service.services 2021-12-16 13:17:42.000000000 +0100
+++ chrony-4.2/examples/chronyd.service 2022-01-19 13:55:59.066677473 +0100
@@ -32,8 +32,7 @@ ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
-ProtectSystem=strict
-ReadWritePaths=/run /var/lib/chrony -/var/log
+ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictSUIDSGID=yes
@@ -42,7 +41,6 @@ SystemCallFilter=~@cpu-emulation @debug
# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
NoNewPrivileges=no
-ReadWritePaths=-/var/spool
RestrictAddressFamilies=AF_NETLINK
[Install]
Avoid a SELinux issue
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
index 72b028f2..57646950 100644
--- a/examples/chrony-wait.service
+++ b/examples/chrony-wait.service
@@ -18,7 +18,7 @@ StandardOutput=null
CapabilityBoundingSet=
DevicePolicy=closed
-DynamicUser=yes
+#DynamicUser=yes
IPAddressAllow=localhost
IPAddressDeny=any
LockPersonality=yes

View File

@ -1,5 +1,5 @@
%global _hardened_build 1 %global _hardened_build 1
%global clknetsim_ver f89702 %global clknetsim_ver 824c48
%bcond_without debug %bcond_without debug
%bcond_without nts %bcond_without nts
@ -8,7 +8,7 @@
%endif %endif
Name: chrony Name: chrony
Version: 4.1 Version: 4.2
Release: 3%{?dist} Release: 3%{?dist}
Summary: An NTP client/server Summary: An NTP client/server
@ -26,6 +26,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
Patch1: chrony-nm-dispatcher-dhcp.patch Patch1: chrony-nm-dispatcher-dhcp.patch
# update seccomp filter for new glibc # update seccomp filter for new glibc
Patch2: chrony-seccomp.patch Patch2: chrony-seccomp.patch
# revert some hardening options in service files
Patch3: chrony-services.patch
BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
BuildRequires: gcc gcc-c++ make bison systemd gnupg2 BuildRequires: gcc gcc-c++ make bison systemd gnupg2
@ -58,18 +60,19 @@ service to other computers in the network.
%{?gitpatch:%patch0 -p1} %{?gitpatch:%patch0 -p1}
%patch1 -p1 -b .nm-dispatcher-dhcp %patch1 -p1 -b .nm-dispatcher-dhcp
%patch2 -p1 -b .seccomp %patch2 -p1 -b .seccomp
%patch3 -p1 -b .services
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt} %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
# review changes in packaged configuration files and scripts # review changes in packaged configuration files and scripts
md5sum -c <<-EOF | (! grep -v 'OK$') md5sum -c <<-EOF | (! grep -v 'OK$')
bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service 222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service
2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2
96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example
6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate
a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp
8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline
32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service 619dd00009ea312c7201beefde10341a examples/chronyd.service
EOF EOF
# don't allow packaging without vendor zone # don't allow packaging without vendor zone

View File

@ -1,3 +1,3 @@
SHA512 (chrony-4.1.tar.gz) = 5e283d6a56e6852606c681a7c29c5786b102d584178cbd7033ebbc95a8e95533605631363b850a3087cca438a5878db7a317f120aab2fd856487d02fccfbcb1f SHA512 (chrony-4.2.tar.gz) = 7f946b27de605b3ebea62cf23916dfad77c99e8b2338ba239ede6b8216ce436b3d4d87770f371c8d8e006507c51d5c831b51f067957abd2935adfdec3f5aa67d
SHA512 (chrony-4.1-tar-gz-asc.txt) = 82faf9171d782c18224d2d44b340994b0ddab141e88cc803dea83d0ffbb6468bc51e8b11c8dd9bd327220cae04f7d789b58ab23141a2bdf038ce628f9adeb57a SHA512 (chrony-4.2-tar-gz-asc.txt) = d8ae4b540ce3529a5a72e10c14765a33ca6fc41529b6fdc9928fb171f25bd6fb87f930b7783638892f42f4cbcfaab4cb1064c930bae1d5204a71babad72b6e10
SHA512 (clknetsim-f89702.tar.gz) = d88d37472b99e4cc044b6c864dfcf5ebb06ef9e2e009ebce06defa07cd46961220707a69c6ec93e35623403a5b4e0683b78b388bf95bfff470fa771d69579c65 SHA512 (clknetsim-824c48.tar.gz) = df682f3105c8fbc8da558fa0f17011eb1125c8383179dbc81002a249ca95b7940b46f0dd7562ede44f5ba095be897e6e77d0c99ff2ad7d317217154e1265606f