diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch
new file mode 100644
index 0000000..523759c
--- /dev/null
+++ b/chrony-seccomp.patch
@@ -0,0 +1,31 @@
+commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d
+Author: Michael Hudson-Doyle
+Date: Wed Feb 9 09:06:13 2022 +0100
+
+ sys_linux: allow rseq in seccomp filter
+
+ Libc 2.35 will use rseq syscalls [1][2] by default and thereby
+ break chrony in seccomp isolation.
+
+ [1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
+ [2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html
+
+ Tested-by: Christian Ehrhardt
+ Reviewed-by: Christian Ehrhardt
+ Signed-off-by: Michael Hudson-Doyle
+ Signed-off-by: Christian Ehrhardt
+
+diff --git a/sys_linux.c b/sys_linux.c
+index 9cab2efa..cc3c9311 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+ SCMP_SYS(getrlimit),
+ SCMP_SYS(getuid),
+ SCMP_SYS(getuid32),
++#ifdef __NR_rseq
++ SCMP_SYS(rseq),
++#endif
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigreturn),
+ SCMP_SYS(rt_sigprocmask),
diff --git a/chrony.spec b/chrony.spec
index e7e57bd..79f3137 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -24,6 +24,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
 # add distribution-specific bits to DHCP dispatcher
 Patch1: chrony-nm-dispatcher-dhcp.patch
+# update seccomp filter for latest glibc
+Patch2: chrony-seccomp.patch
 BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
 BuildRequires: gcc gcc-c++ make bison systemd gnupg2
@@ -55,6 +57,7 @@ service to other computers in the network.
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .nm-dispatcher-dhcp
+%patch2 -p1 -b .seccomp
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
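Review bot: The `#ifdef __NR_rseq` guard around `SCMP_SYS(rseq)` ties the allow entry to the kernel headers chronyd is compiled against, not to the glibc and kernel it runs on, so a build on headers that predate rseq combined with a glibc 2.35 runtime still lands in the filter's default action when libc registers rseq at startup; because that action kills the process rather than returning an error, glibc's own fallback for a failed registration presumably never gets a chance to run. It is worth confirming that the build root's headers define `__NR_rseq` on every architecture this package ships for, and that the libseccomp it links against resolves the `rseq` name, since otherwise the patch compiles to nothing on that target. Allowing rseq does not widen the sandbox in any meaningful way, as the call only registers a per-thread descriptor and reaches no file or network object, so the change itself is sound. A why-comment above the guard would help the next maintainer, e.g. `/* glibc 2.35+ registers rseq at startup; filter must allow it or chronyd is killed */`. The enclosing syscall table and SYS_Linux_EnableSystemCallFilter() start and end outside the hunk.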
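Review bot: The comment above the new `Patch2` line does not record which glibc version or upstream commit the patch tracks, so a later rebase cannot tell when the patch has become redundant; consider `# allow rseq in seccomp filter for glibc 2.35 (upstream commit 8bb8f15a)`. The hunk at -55 applies the patch with a `.seccomp` backup suffix consistent with `%patch1`, which is fine as is.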