update seccomp filter for new glibc (#1990589)

Resolves: #1990589
This commit is contained in:
Miroslav Lichvar 2021-08-09 15:52:10 +02:00
parent 0cde9b85df
commit 58c4594216
2 changed files with 33 additions and 0 deletions

30
chrony-seccomp.patch Normal file
View File

@ -0,0 +1,30 @@
commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon Aug 9 11:48:21 2021 +0200
sys_linux: allow clone3 and pread64 in seccomp filter
These seem to be needed with the latest glibc.
diff --git a/sys_linux.c b/sys_linux.c
index 50c08431..2b53f722 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
/* Process */
SCMP_SYS(clone),
+#ifdef __NR_clone3
+ SCMP_SYS(clone3),
+#endif
SCMP_SYS(exit),
SCMP_SYS(exit_group),
SCMP_SYS(getpid),
@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
#ifdef __NR_ppoll_time64
SCMP_SYS(ppoll_time64),
#endif
+ SCMP_SYS(pread64),
SCMP_SYS(pselect6),
#ifdef __NR_pselect6_time64
SCMP_SYS(pselect6_time64),

View File

@ -24,6 +24,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
# add distribution-specific bits to DHCP dispatcher # add distribution-specific bits to DHCP dispatcher
Patch1: chrony-nm-dispatcher-dhcp.patch Patch1: chrony-nm-dispatcher-dhcp.patch
# update seccomp filter for new glibc
Patch2: chrony-seccomp.patch
BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
BuildRequires: gcc gcc-c++ make bison systemd gnupg2 BuildRequires: gcc gcc-c++ make bison systemd gnupg2
@ -55,6 +57,7 @@ service to other computers in the network.
%setup -q -n %{name}-%{version}%{?prerelease} -a 10 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
%{?gitpatch:%patch0 -p1} %{?gitpatch:%patch0 -p1}
%patch1 -p1 -b .nm-dispatcher-dhcp %patch1 -p1 -b .nm-dispatcher-dhcp
%patch2 -p1 -b .seccomp
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt} %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}