From 58c4594216c9d0173a3ec753f5062d1514502142 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 9 Aug 2021 15:52:10 +0200
Subject: [PATCH] update seccomp filter for new glibc (#1990589)
Resolves: #1990589
---
 chrony-seccomp.patch | 30 ++++++++++++++++++++++++++++++
 chrony.spec | 3 +++
 2 files changed, 33 insertions(+)
 create mode 100644 chrony-seccomp.patch
diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch
new file mode 100644
index 0000000..1cc432d
--- /dev/null
+++ b/chrony-seccomp.patch
@@ -0,0 +1,30 @@
+commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a
+Author: Miroslav Lichvar
+Date: Mon Aug 9 11:48:21 2021 +0200
+
+ sys_linux: allow clone3 and pread64 in seccomp filter
+
+ These seem to be needed with the latest glibc.
+
+diff --git a/sys_linux.c b/sys_linux.c
+index 50c08431..2b53f722 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+
+ /* Process */
+ SCMP_SYS(clone),
++#ifdef __NR_clone3
++ SCMP_SYS(clone3),
++#endif
+ SCMP_SYS(exit),
+ SCMP_SYS(exit_group),
+ SCMP_SYS(getpid),
+@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+ #ifdef __NR_ppoll_time64
+ SCMP_SYS(ppoll_time64),
+ #endif
++ SCMP_SYS(pread64),
+ SCMP_SYS(pselect6),
+ #ifdef __NR_pselect6_time64
+ SCMP_SYS(pselect6_time64),
diff --git a/chrony.spec b/chrony.spec
index fa30eef..837c447 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -24,6 +24,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
 # add distribution-specific bits to DHCP dispatcher
 Patch1: chrony-nm-dispatcher-dhcp.patch
+# update seccomp filter for new glibc
+Patch2: chrony-seccomp.patch
 BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
 BuildRequires: gcc gcc-c++ make bison systemd gnupg2
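Review bot: The two allowlist entries added by the embedded sys_linux.c patch in chrony-seccomp.patch (`SCMP_SYS(clone3)` under `/* Process */` and `SCMP_SYS(pread64)` in the second inner hunk) widen the seccomp filter without any in-code rationale, and the commit message only says they "seem to be needed" with the latest glibc. Each entry in a sandbox allowlist should record which caller needs it, for example `/* clone3: issued by newer glibc when creating threads; its flags live in a user-memory struct, so the filter cannot inspect them */`, plus a matching line for pread64 once the code path that issues it is identified. Because clone3 cannot be argument-filtered, it is worth confirming that allowing it outright is intended rather than answering it with ENOSYS so that glibc falls back to `clone`, which the same list already allows. clone3 is guarded by `#ifdef __NR_clone3` while pread64 is unconditional; that is presumably deliberate, but a build against headers lacking `__NR_clone3` would silently omit the rule. The body of SYS_Linux_EnableSystemCallFilter starts and ends outside both inner hunks, so the filter's default action is not visible here.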
@@ -55,6 +57,7 @@ service to other computers in the network.
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .nm-dispatcher-dhcp
+%patch2 -p1 -b .seccomp
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}