Merge branch 'c9-beta' into a9-beta

This commit is contained in:
eabdullin 2022-09-28 01:45:29 +00:00 committed by root
commit c28d9e94a2
8 changed files with 263 additions and 76 deletions

View File

@ -1,3 +1,3 @@
15dc1976653f17d290b65007a4779e3f4ac1833e SOURCES/chrony-4.1.tar.gz
6f953389765ec334465ebdef4199e25c0290646e SOURCES/clknetsim-f89702.tar.gz
0f5de043b395311a58bcf4be9800f7118afd5f59 SOURCES/chrony-4.2.tar.gz
2e1fac8161ea8d92d76532c0b272fb31799bc310 SOURCES/clknetsim-824c48.tar.gz
1395afa521d2e3302a31083edcf568bbc036aafc SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc

4
.gitignore vendored
View File

@ -1,3 +1,3 @@
SOURCES/chrony-4.1.tar.gz
SOURCES/clknetsim-f89702.tar.gz
SOURCES/chrony-4.2.tar.gz
SOURCES/clknetsim-824c48.tar.gz
SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmCdA+8ACgkQU34rdvdo
DayU8Q/9FCKZSecv//ZdhH89eVYyQZsb7AREqhiJqaWHekd08Hj8UZx9SA+0JtSl
QwnGJNOrF76gbvyvjCzVmUSnIuHWADK6tAWxm8RBXqjoIS9Qv15sIpVVvTGDWxJQ
shN2Tag5gplI6ZRp2rJAggxxtqVR2ZC3sZ+ay5LHQUhN2buxqy/v3XZXaTtfqRtI
QLq8IVXH7f08D+F0mlH+okJ0qyemP1KYMrD9XqZjmwUupAVhrVj0UCtn+wDszbbr
hWcs12brtSq13YUu2hbU5tXS++BEVJ1QM9+7OvG2V2idV6NRIsDhLjNPJwdYC4Dw
kJjN2dA1/tH9YaSUUV1vcSSSmkwYki2WJijIWMluoOlbO6aIR1+ohwkror4GztQL
0hOnVgXgTTPCS1hb5qi2nG+n6p1iKDOHudGQoyqV+qbAZYAGPGaC5jd3vDKLlI1F
TCmXL68VtTxamjI7hAUCvt1uMWtVhkogw1Y9pHU1D8PeB5iqPK6slLU0hAn1lhB9
AUlJ/AFSTXXqpWOuUnMx8mC9xLbekeE+KnM/IfO3BUm7CgUO8pOBCteCisHl/IFU
7Y7AmsB+15DjJasqLhhKiVeMTbMJBlA5a9y3kvbUJv0uhS1fl0XrYK6Ht09/6t3C
CGy+YB7OfBp1w1kKix6kmsNVjGSL9s+pODRsj/vHAxTbzzbX80Y=
=rNMW
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmG7LoQACgkQU34rdvdo
Daw47w//fpF3YlqSJWQObHv/hMC6EGQSX6hRVzckXgzq7PFN2HaTX1iZV2UsP1KN
NtXfH3V7PxTdT4jT41bHUw++vN0HXkaAw3ccbm31MVTc353JFv5VUKT/OtK+I8dZ
CKGDy7X4REET7rCYTEfhgvAwjisIlc81xFq9fMYiGasj2LXZD9GUFHqu0JzvvyMz
R0PNGDSYaJX5Ex1GtbgULjDJNF0FRDE+T6SBjs8Xlej020DbNRb4MNZitzygMNum
ChN2MltzEccw/UegrsaN1UYQG2C4/Xgdjeqfa4ioiewBL0/79oPkNyJT0GCtOIUM
TCAdDRrwLuh7d3+Hl6szy8FxKRFN4s/TTjSTinwDCaexqqNgKeSRkJPFWPWhq4l1
2W+hh5cYtToP4wYNpFdadz+LJYrRzYEtAKdFMegYt2Q/MMVtsNji4qeJ/VOnyrUI
cJD6sWqDtrUQnegVky1QDwKIYLzO+h6kDaTEm7ZhaT3pR4gGC47umPR9HAcgch0/
QdmHd1dP1rutDdpiGmXRicvSV48M1Ol6AAs7rUERuQGJ4Tl/zoMGWmN93UQEpisS
9L1PBNdAjdutJaZKA3Bgq49BOPzcRGvhamH63fO5Q+h6uXCzxd9s8MDeY8wh3Idn
2aHcGnx32z3DNbpG/nXtKE3GeiSDbw6FmN4KUmKKBR552lCcgpA=
=F4BS
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,146 @@
commit 5bd13c8d593a74ad168057efe94dd2b3aeeffe14
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon Feb 7 13:27:25 2022 +0100
examples: support DHCPv6 NTP servers in NM dispatcher script
Latest NetworkManager code provides NTP servers from the DHCPv6 NTP
option (RFC 5908) in the DHCP6_DHCP6_NTP_SERVERS variable to dispatcher
scripts.
Check for invalid characters (which can come from the FQDN suboption)
and include the servers in the interface-specific sources file.
diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
index 6ea4c370..4454f037 100644
--- a/examples/chrony.nm-dispatcher.dhcp
+++ b/examples/chrony.nm-dispatcher.dhcp
@@ -1,8 +1,7 @@
#!/bin/sh
# This is a NetworkManager dispatcher script for chronyd to update
-# its NTP sources passed from DHCP options. Note that this script is
-# specific to NetworkManager-dispatcher due to use of the
-# DHCP4_NTP_SERVERS environment variable.
+# its NTP sources with servers from DHCP options passed by NetworkManager
+# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables.
export LC_ALL=C
@@ -10,17 +9,19 @@ interface=$1
action=$2
chronyc=/usr/bin/chronyc
-default_server_options=iburst
+server_options=iburst
server_dir=/var/run/chrony-dhcp
dhcp_server_file=$server_dir/$interface.sources
-# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
-nm_dhcp_servers=$DHCP4_NTP_SERVERS
+dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS"
add_servers_from_dhcp() {
rm -f "$dhcp_server_file"
- for server in $nm_dhcp_servers; do
- echo "server $server $default_server_options" >> "$dhcp_server_file"
+ for server in $dhcp_ntp_servers; do
+ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
+ printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue
+
+ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file"
done
$chronyc reload sources > /dev/null 2>&1 || :
}
@@ -34,10 +35,11 @@ clear_servers_from_dhcp() {
mkdir -p $server_dir
-if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then
- add_servers_from_dhcp
-elif [ "$action" = "down" ]; then
- clear_servers_from_dhcp
-fi
+case "$action" in
+ up|dhcp4-change|dhcp6-change)
+ add_servers_from_dhcp;;
+ down)
+ clear_servers_from_dhcp;;
+esac
exit 0
commit e55f174bd3a7ae82fb24afd43443d0b55d5536cf
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon Feb 7 13:27:48 2022 +0100
examples: handle more actions in NM dispatcher script
Run the chronyc onoffline command also when the connectivity-change
and dhcp6-change actions are reported by the NetworkManager dispatcher.
The latter should not be necessary, but there currently doesn't seem to
be any action for IPv6 becoming routable after duplicate address
detection, so at least in networks using DHCPv6, IPv6 NTP servers should
not be stuck in the offline state from a previously reported action.
diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline
index 34cfa0db..01e6fdb1 100644
--- a/examples/chrony.nm-dispatcher.onoffline
+++ b/examples/chrony.nm-dispatcher.onoffline
@@ -7,8 +7,18 @@ export LC_ALL=C
chronyc=/usr/bin/chronyc
-# For NetworkManager consider only up/down events
-[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
+# For NetworkManager consider only selected events
+if [ $# -ge 2 ]; then
+ case "$2" in
+ up|down|connectivity-change)
+ ;;
+ dhcp6-change)
+ # No other action is reported for routable IPv6
+ ;;
+ *)
+ exit 0;;
+ esac
+fi
# Note: for networkd-dispatcher routable.d ~= on and off.d ~= off
commit fca8966adaaf8376536af86ba2afe02501463588
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed Mar 23 15:17:03 2022 +0100
examples: replace grep command in NM dispatcher script
Some grep implementations detect binary data and return success without
matching whole line. This might be an issue for the DHCPv6 NTP FQDN
check. The GNU grep in the C locale seems to check only for the NUL
character, which cannot be passed in an environment variable, but other
implementations might behave differently and there doesn't seem to be a
portable way to force matching the whole line.
Instead of the grep command, check for invalid characters by comparing
the length of the input passed through "tr -d -c".
diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
index 4454f037..547ce83f 100644
--- a/examples/chrony.nm-dispatcher.dhcp
+++ b/examples/chrony.nm-dispatcher.dhcp
@@ -19,7 +19,11 @@ add_servers_from_dhcp() {
rm -f "$dhcp_server_file"
for server in $dhcp_ntp_servers; do
# Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
- printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue
+ len1=$(printf '%s' "$server" | wc -c)
+ len2=$(printf '%s' "$server" | tr -d -c 'A-Za-z0-9:.-' | wc -c)
+ if [ "$len1" -ne "$len2" ] || [ "$len2" -lt 1 ] || [ "$len2" -gt 255 ]; then
+ continue
+ fi
printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file"
done
From: Robert Fairley <rfairley@redhat.com>
Date: Wed, 17 Jun 2020 10:14:19 -0400
Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig
@ -11,33 +154,29 @@ diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.
index 6ea4c37..a6ad35a 100644
--- a/examples/chrony.nm-dispatcher.dhcp
+++ b/examples/chrony.nm-dispatcher.dhcp
@@ -6,16 +6,24 @@
chronyc=/usr/bin/chronyc
default_server_options=iburst
-server_dir=/var/run/chrony-dhcp
+server_dir=/run/chrony-dhcp
dhcp_server_file=$server_dir/$interface.sources
# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
nm_dhcp_servers=$DHCP4_NTP_SERVERS
@@ -8,15 +8,23 @@ export LC_ALL=C
interface=$1
action=$2
+[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
+[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \
+ . /etc/sysconfig/network-scripts/ifcfg-"${interface}"
+
chronyc=/usr/bin/chronyc
-server_options=iburst
-server_dir=/var/run/chrony-dhcp
+server_options=${NTPSERVERARGS:-iburst}
+server_dir=/run/chrony-dhcp
dhcp_server_file=$server_dir/$interface.sources
dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS"
add_servers_from_dhcp() {
rm -f "$dhcp_server_file"
+
+ # Don't add NTP servers if PEERNTP=no specified; return early.
+ [ "$PEERNTP" = "no" ] && return
+
for server in $nm_dhcp_servers; do
- echo "server $server $default_server_options" >> "$dhcp_server_file"
+ echo "server $server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_file"
done
$chronyc reload sources > /dev/null 2>&1 || :
}
--
2.29.2
for server in $dhcp_ntp_servers; do
# Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
len1=$(printf '%s' "$server" | wc -c)

View File

@ -1,30 +1,31 @@
commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon Aug 9 11:48:21 2021 +0200
commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d
Author: Michael Hudson-Doyle <michael.hudson@canonical.com>
Date: Wed Feb 9 09:06:13 2022 +0100
sys_linux: allow clone3 and pread64 in seccomp filter
sys_linux: allow rseq in seccomp filter
These seem to be needed with the latest glibc.
Libc 2.35 will use rseq syscalls [1][2] by default and thereby
break chrony in seccomp isolation.
[1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
[2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Michael Hudson-Doyle <michael.hudson@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
diff --git a/sys_linux.c b/sys_linux.c
index 50c08431..2b53f722 100644
index 9cab2efa..cc3c9311 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
/* Process */
SCMP_SYS(clone),
+#ifdef __NR_clone3
+ SCMP_SYS(clone3),
@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
SCMP_SYS(getrlimit),
SCMP_SYS(getuid),
SCMP_SYS(getuid32),
+#ifdef __NR_rseq
+ SCMP_SYS(rseq),
+#endif
SCMP_SYS(exit),
SCMP_SYS(exit_group),
SCMP_SYS(getpid),
@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
#ifdef __NR_ppoll_time64
SCMP_SYS(ppoll_time64),
#endif
+ SCMP_SYS(pread64),
SCMP_SYS(pselect6),
#ifdef __NR_pselect6_time64
SCMP_SYS(pselect6_time64),
SCMP_SYS(rt_sigaction),
SCMP_SYS(rt_sigreturn),
SCMP_SYS(rt_sigprocmask),

View File

@ -0,0 +1,38 @@
diff -up chrony-4.2/examples/chronyd.service.services chrony-4.2/examples/chronyd.service
--- chrony-4.2/examples/chronyd.service.services 2021-12-16 13:17:42.000000000 +0100
+++ chrony-4.2/examples/chronyd.service 2022-01-19 13:55:59.066677473 +0100
@@ -32,8 +32,7 @@ ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
-ProtectSystem=strict
-ReadWritePaths=/run /var/lib/chrony -/var/log
+ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictSUIDSGID=yes
@@ -42,7 +41,6 @@ SystemCallFilter=~@cpu-emulation @debug
# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
NoNewPrivileges=no
-ReadWritePaths=-/var/spool
RestrictAddressFamilies=AF_NETLINK
[Install]
Avoid a SELinux issue
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
index 72b028f2..57646950 100644
--- a/examples/chrony-wait.service
+++ b/examples/chrony-wait.service
@@ -18,7 +18,7 @@ StandardOutput=null
CapabilityBoundingSet=
DevicePolicy=closed
-DynamicUser=yes
+#DynamicUser=yes
IPAddressAllow=localhost
IPAddressDeny=any
LockPersonality=yes

View File

@ -1,5 +1,5 @@
%global _hardened_build 1
%global clknetsim_ver f89702
%global clknetsim_ver 824c48
%bcond_without debug
%bcond_without nts
@ -8,8 +8,8 @@
%endif
Name: chrony
Version: 4.1
Release: 3%{?dist}.alma
Version: 4.2
Release: 1%{?dist}.alma
Summary: An NTP client/server
License: GPLv2
@ -22,14 +22,16 @@ Source3: chrony.dhclient
Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
%{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz}
# add distribution-specific bits to DHCP dispatcher
# add IPv6 support and distribution-specific bits to DHCP dispatcher
Patch1: chrony-nm-dispatcher-dhcp.patch
# update seccomp filter for new glibc
Patch2: chrony-seccomp.patch
# revert some hardening options in service files
Patch3: chrony-services.patch
BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
BuildRequires: gnutls-devel libcap-devel libedit-devel pps-tools-devel
BuildRequires: gcc gcc-c++ make bison systemd gnupg2
%{?with_nts:BuildRequires: gnutls-devel gnutls-utils}
%{?with_nts:BuildRequires: gnutls-utils}
%{?with_seccomp:BuildRequires: libseccomp-devel}
Requires(pre): shadow-utils
@ -58,18 +60,19 @@ service to other computers in the network.
%{?gitpatch:%patch0 -p1}
%patch1 -p1 -b .nm-dispatcher-dhcp
%patch2 -p1 -b .seccomp
%patch3 -p1 -b .services
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
# review changes in packaged configuration files and scripts
md5sum -c <<-EOF | (! grep -v 'OK$')
bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service
222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service
2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2
96999221eeef476bd49fe97b97503126 examples/chrony.keys.example
6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate
a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp
8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline
32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service
c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp
2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline
619dd00009ea312c7201beefde10341a examples/chronyd.service
EOF
# don't allow packaging without vendor zone
@ -105,7 +108,10 @@ mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim
--with-user=chrony \
--with-hwclockfile=%{_sysconfdir}/adjtime \
--with-pidfile=/run/chrony/chronyd.pid \
--with-sendmail=%{_sbindir}/sendmail
--with-sendmail=%{_sbindir}/sendmail \
--without-nettle \
--without-nss \
--without-tomcrypt
%make_build
%install
@ -161,8 +167,6 @@ getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \
:
%post
# workaround for late reload of unit file (#1614751)
%{_bindir}/systemctl daemon-reload
# migrate from chrony-helper to sourcedir directive
if test -a %{_libexecdir}/chrony-helper; then
grep -qi 'sourcedir /run/chrony-dhcp$' %{_sysconfdir}/chrony.conf 2> /dev/null || \
@ -202,9 +206,14 @@ fi
%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
%changelog
* Mon Jan 17 2022 Eduard Abdullin <eabdullin@almalinux.org> - 4.1-3.alma
* Wed Sep 28 2022 Eduard Abdullin <eabdullin@almalinux.org> - 4.2-1.alma.plus
- use cloudlinux ntp pool
* Wed Mar 23 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.2-1
- update to 4.2 (#2051441)
- fully switch from nettle to gnutls (#1953463 #1954483)
- use NTP servers from DHCPv6 NTP server option (#2047415)
- drop obsolete workaround in scriptlet
* Tue Aug 10 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-3
- update seccomp filter for new glibc (#1990589)
- remove unnecessary build requirement