4.3-1

Resolves: #2133754

.chrony.metadata

@@ -0,0 +1,3 @@
+bc7884eb4fde69478a00faee3d42092d426d57c1 chrony-4.3.tar.gz
+70d022ec86489cfc9b2284dcb1bd2fe6ed5f4c50 chrony-4.3-tar-gz-asc.txt
+9c453ae65e5c1a6983cd1121410faf1ffd2d9092 clknetsim-f00531.tar.gz

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,3 +1,3 @@
-/chrony-4.1.tar.gz
-/chrony-4.1-tar-gz-asc.txt
-/clknetsim-f89702.tar.gz
+/chrony-4.3.tar.gz
+/chrony-4.3-tar-gz-asc.txt
+/clknetsim-f00531.tar.gz

chrony-nm-dispatcher-dhcp.patch

@@ -11,33 +11,29 @@ diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.
 index 6ea4c37..a6ad35a 100644
 --- a/examples/chrony.nm-dispatcher.dhcp
 +++ b/examples/chrony.nm-dispatcher.dhcp
-@@ -6,16 +6,24 @@
- 
- chronyc=/usr/bin/chronyc
- default_server_options=iburst
--server_dir=/var/run/chrony-dhcp
-+server_dir=/run/chrony-dhcp
- 
- dhcp_server_file=$server_dir/$interface.sources
- # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
- nm_dhcp_servers=$DHCP4_NTP_SERVERS
+@@ -8,15 +8,23 @@ export LC_ALL=C
+ interface=$1
+ action=$2
  
 +[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
 +[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \
 +    . /etc/sysconfig/network-scripts/ifcfg-"${interface}"
 +
+ chronyc=/usr/bin/chronyc
+-server_options=iburst
+-server_dir=/var/run/chrony-dhcp
++server_options=${NTPSERVERARGS:-iburst}
++server_dir=/run/chrony-dhcp
+ 
+ dhcp_server_file=$server_dir/$interface.sources
+ dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS"
+ 
  add_servers_from_dhcp() {
      rm -f "$dhcp_server_file"
 +
 +    # Don't add NTP servers if PEERNTP=no specified; return early.
 +    [ "$PEERNTP" = "no" ] && return
 +
-     for server in $nm_dhcp_servers; do
--        echo "server $server $default_server_options" >> "$dhcp_server_file"
-+        echo "server $server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_file"
-     done
-     $chronyc reload sources > /dev/null 2>&1 || :
- }
--- 
-2.29.2
-
+     for server in $dhcp_ntp_servers; do
+         # Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
+         len1=$(printf '%s' "$server" | wc -c)

chrony-seccomp.patch

@@ -1,30 +0,0 @@
-commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a
-Author: Miroslav Lichvar <mlichvar@redhat.com>
-Date:   Mon Aug 9 11:48:21 2021 +0200
-
-    sys_linux: allow clone3 and pread64 in seccomp filter
-    
-    These seem to be needed with the latest glibc.
-
-diff --git a/sys_linux.c b/sys_linux.c
-index 50c08431..2b53f722 100644
---- a/sys_linux.c
-+++ b/sys_linux.c
-@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
- 
-     /* Process */
-     SCMP_SYS(clone),
-+#ifdef __NR_clone3
-+    SCMP_SYS(clone3),
-+#endif
-     SCMP_SYS(exit),
-     SCMP_SYS(exit_group),
-     SCMP_SYS(getpid),
-@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
- #ifdef __NR_ppoll_time64
-     SCMP_SYS(ppoll_time64),
- #endif
-+    SCMP_SYS(pread64),
-     SCMP_SYS(pselect6),
- #ifdef __NR_pselect6_time64
-     SCMP_SYS(pselect6_time64),

chrony-services.patch

@@ -0,0 +1,38 @@
+diff -up chrony-4.2/examples/chronyd.service.services chrony-4.2/examples/chronyd.service
+--- chrony-4.2/examples/chronyd.service.services	2021-12-16 13:17:42.000000000 +0100
++++ chrony-4.2/examples/chronyd.service	2022-01-19 13:55:59.066677473 +0100
+@@ -32,8 +32,7 @@ ProtectKernelLogs=yes
+ ProtectKernelModules=yes
+ ProtectKernelTunables=yes
+ ProtectProc=invisible
+-ProtectSystem=strict
+-ReadWritePaths=/run /var/lib/chrony -/var/log
++ProtectSystem=full
+ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+ RestrictNamespaces=yes
+ RestrictSUIDSGID=yes
+@@ -42,7 +41,6 @@ SystemCallFilter=~@cpu-emulation @debug
+ 
+ # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
+ NoNewPrivileges=no
+-ReadWritePaths=-/var/spool
+ RestrictAddressFamilies=AF_NETLINK
+ 
+ [Install]
+
+Avoid a SELinux issue
+
+diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
+index 72b028f2..57646950 100644
+--- a/examples/chrony-wait.service
++++ b/examples/chrony-wait.service
+@@ -18,7 +18,7 @@ StandardOutput=null
+ 
+ CapabilityBoundingSet=
+ DevicePolicy=closed
+-DynamicUser=yes
++#DynamicUser=yes
+ IPAddressAllow=localhost
+ IPAddressDeny=any
+ LockPersonality=yes
+

chrony.spec

@@ -1,5 +1,5 @@
 %global _hardened_build 1
-%global clknetsim_ver f89702
+%global clknetsim_ver f00531
 %bcond_without debug
 %bcond_without nts
 
@@ -8,8 +8,8 @@
 %endif
 
 Name:           chrony
-Version:        4.1
-Release:        3%{?dist}
+Version:        4.3
+Release:        1%{?dist}
 Summary:        An NTP client/server
 
 License:        GPLv2
@@ -18,22 +18,23 @@ Source0:        https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerel
 Source1:        https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt
 Source2:        https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
 Source3:        chrony.dhclient
+Source4:        chrony.sysusers
 # simulator for test suite
 Source10:       https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
 %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz}
 
 # add distribution-specific bits to DHCP dispatcher
 Patch1:         chrony-nm-dispatcher-dhcp.patch
-# update seccomp filter for new glibc
-Patch2:         chrony-seccomp.patch
+# revert some hardening options in service files
+Patch3:         chrony-services.patch
 
-BuildRequires:  libcap-devel libedit-devel nettle-devel pps-tools-devel
+BuildRequires:  gnutls-devel libcap-devel libedit-devel pps-tools-devel
 BuildRequires:  gcc gcc-c++ make bison systemd gnupg2
-%{?with_nts:BuildRequires: gnutls-devel gnutls-utils}
+%{?with_nts:BuildRequires: gnutls-utils}
 %{?with_seccomp:BuildRequires: libseccomp-devel}
 
-Requires(pre):  shadow-utils
 %{?systemd_requires}
+%{?sysusers_requires_compat}
 
 # Old NetworkManager expects the dispatcher scripts in a different place
 Conflicts:      NetworkManager < 1.20
@@ -57,19 +58,19 @@ service to other computers in the network.
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .nm-dispatcher-dhcp
-%patch2 -p1 -b .seccomp
+%patch3 -p1 -b .services
 
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
 
 # review changes in packaged configuration files and scripts
 md5sum -c <<-EOF | (! grep -v 'OK$')
-        bc563c1bcf67b2da774bd8c2aef55a06  examples/chrony-wait.service
+        222e652b95027289877fa77146d3b9b1  examples/chrony-wait.service
         2d01b94bc1a7b7fb70cbee831488d121  examples/chrony.conf.example2
         96999221eeef476bd49fe97b97503126  examples/chrony.keys.example
         6a3178c4670de7de393d9365e2793740  examples/chrony.logrotate
-        a7054c9352c07384bd7ea0477e6e8a8c  examples/chrony.nm-dispatcher.dhcp
-        8f5a98fcb400a482d355b929d04b5518  examples/chrony.nm-dispatcher.onoffline
-        32c34c995c59fd1c3ad1616d063ae4a0  examples/chronyd.service
+        c3992e2f985550739cd1cd95f98c9548  examples/chrony.nm-dispatcher.dhcp
+        2b81c60c020626165ac655b2633608eb  examples/chrony.nm-dispatcher.onoffline
+        619dd00009ea312c7201beefde10341a  examples/chronyd.service
 EOF
 
 # don't allow packaging without vendor zone
@@ -105,7 +106,10 @@ mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim
         --with-user=chrony \
         --with-hwclockfile=%{_sysconfdir}/adjtime \
         --with-pidfile=/run/chrony/chronyd.pid \
-        --with-sendmail=%{_sbindir}/sendmail
+        --with-sendmail=%{_sbindir}/sendmail \
+        --without-nettle \
+        --without-nss \
+        --without-tomcrypt
 %make_build
 
 %install
@@ -117,6 +121,7 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,logrotate.d}
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/{lib,log}/chrony
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d
 mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
+mkdir -p $RPM_BUILD_ROOT%{_sysusersdir}
 mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d
 mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d}
 
@@ -137,6 +142,8 @@ install -m 755 -p examples/chrony.nm-dispatcher.dhcp \
         $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
 install -m 644 -p examples/chrony-wait.service \
         $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service
+install -m 644 -p %{SOURCE4} \
+        $RPM_BUILD_ROOT%{_sysusersdir}/chrony.conf
 
 cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd <<EOF
 # Command-line options for chronyd
@@ -155,9 +162,7 @@ export CLKNETSIM_RANDOM_SEED=24505
 make quickcheck
 
 %pre
-getent group chrony > /dev/null || /usr/sbin/groupadd -r chrony
-getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \
-       -d %{_localstatedir}/lib/chrony -s /sbin/nologin chrony
+%sysusers_create_compat %{SOURCE4}
 :
 
 %post
@@ -193,6 +198,7 @@ fi
 %{_prefix}/lib/NetworkManager
 %{_prefix}/lib/systemd/ntp-units.d/*.list
 %{_unitdir}/chrony*.service
+%{_sysusersdir}/chrony.conf
 %{_mandir}/man[158]/%{name}*.[158]*
 %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony
 %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift
@@ -200,6 +206,16 @@ fi
 %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
 
 %changelog
+* Wed Oct 12 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.3-1
+- update to 4.3 (#2133754)
+- add sysusers.d fragment for chrony user/group (#2095374)
+
+* Wed Mar 23 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.2-1
+- update to 4.2 (#2051441)
+- fully switch from nettle to gnutls (#1953463 #1954483)
+- use NTP servers from DHCPv6 NTP server option (#2047415)
+- drop obsolete workaround in scriptlet
+
 * Tue Aug 10 2021 Miroslav Lichvar <mlichvar@redhat.com> 4.1-3
 - update seccomp filter for new glibc (#1990589)
 - remove unnecessary build requirement

chrony.sysusers

@@ -0,0 +1,2 @@
+#Type Name   ID    GECOS                Home directory  Shell
+u     chrony -     "chrony system user" /var/lib/chrony /sbin/nologin

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

gating.yaml

@@ -5,3 +5,4 @@ decision_context: osci_compose_gate
 rules:
   - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
   - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}

plans/public.fmf

@@ -0,0 +1,7 @@
+summary: Test plan that runs all tests from tests repo.
+discover:
+    how: fmf
+    url: https://src.fedoraproject.org/tests/chrony.git
+execute:
+    how: tmt
+

plans/tier1-internal.fmf

@@ -0,0 +1,15 @@
+summary: CI plan, picks Tier1 tests, runs in beakerlib.
+discover:
+  - name: rhel
+    how: fmf
+    filter: 'tier: 1'
+    url: git://pkgs.devel.redhat.com/tests/chrony
+  - name: fedora
+    how: fmf
+    filter: 'tier: 1'
+    url: "https://src.fedoraproject.org/tests/chrony.git"
+execute:
+    how: tmt
+adjust:
+    enabled: false
+    when: distro == centos-stream-9

sources

@@ -1,3 +1,3 @@
-SHA512 (chrony-4.1.tar.gz) = 5e283d6a56e6852606c681a7c29c5786b102d584178cbd7033ebbc95a8e95533605631363b850a3087cca438a5878db7a317f120aab2fd856487d02fccfbcb1f
-SHA512 (chrony-4.1-tar-gz-asc.txt) = 82faf9171d782c18224d2d44b340994b0ddab141e88cc803dea83d0ffbb6468bc51e8b11c8dd9bd327220cae04f7d789b58ab23141a2bdf038ce628f9adeb57a
-SHA512 (clknetsim-f89702.tar.gz) = d88d37472b99e4cc044b6c864dfcf5ebb06ef9e2e009ebce06defa07cd46961220707a69c6ec93e35623403a5b4e0683b78b388bf95bfff470fa771d69579c65
+SHA512 (chrony-4.3.tar.gz) = 1394bac3ed684352fe89b7fef7da50e61f9f522abee807627ae1fc4c2dde891017bc8e5b13759fced028f3a1e875d5e4e5a4f85de65c63b5f83d0ca03bb4c5df
+SHA512 (chrony-4.3-tar-gz-asc.txt) = 300b06f253ac3727edb86a1b7c337f9529ee752bbb471b266217b6a8ac5183e827264177a3210d436425d746673bf11fbdc41da145673213e28165197c6c76b7
+SHA512 (clknetsim-f00531.tar.gz) = a44f543574519d1d5b5778f91b88fc73a976de511b97011c8ff3bc61a7ebff868fe9c6b46947ff4b58b29bd45520ffa68147934b1d289b1ffada4a329c048df5