update seccomp filter for latest glibc

chrony-seccomp.patch

@@ -0,0 +1,31 @@
+commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d
+Author: Michael Hudson-Doyle <michael.hudson@canonical.com>
+Date:   Wed Feb 9 09:06:13 2022 +0100
+
+    sys_linux: allow rseq in seccomp filter
+    
+    Libc 2.35 will use rseq syscalls [1][2] by default and thereby
+    break chrony in seccomp isolation.
+    
+    [1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
+    [2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html
+    
+    Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+    Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+    Signed-off-by: Michael Hudson-Doyle <michael.hudson@canonical.com>
+    Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+
+diff --git a/sys_linux.c b/sys_linux.c
+index 9cab2efa..cc3c9311 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+     SCMP_SYS(getrlimit),
+     SCMP_SYS(getuid),
+     SCMP_SYS(getuid32),
++#ifdef __NR_rseq
++    SCMP_SYS(rseq),
++#endif
+     SCMP_SYS(rt_sigaction),
+     SCMP_SYS(rt_sigreturn),
+     SCMP_SYS(rt_sigprocmask),

chrony.spec

@@ -24,6 +24,8 @@ Source10:       https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
 
 # add distribution-specific bits to DHCP dispatcher
 Patch1:         chrony-nm-dispatcher-dhcp.patch
+# update seccomp filter for latest glibc
+Patch2:         chrony-seccomp.patch
 
 BuildRequires:  libcap-devel libedit-devel nettle-devel pps-tools-devel
 BuildRequires:  gcc gcc-c++ make bison systemd gnupg2
@@ -55,6 +57,7 @@ service to other computers in the network.
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .nm-dispatcher-dhcp
+%patch2 -p1 -b .seccomp
 
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}