From c051b7632dad8966e4705a3fd1ca078eb5f2f7fa Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 19 Jan 2022 13:58:01 +0100
Subject: [PATCH 1/2] update to 4.2
---
 .gitignore | 6 +++---
 chrony-seccomp.patch | 30 ------------------------------
 chrony-services.patch | 21 +++++++++++++++++++++
 chrony.spec | 16 ++++++++--------
 sources | 6 +++---
 5 files changed, 35 insertions(+), 44 deletions(-)
 delete mode 100644 chrony-seccomp.patch
 create mode 100644 chrony-services.patch
diff --git a/.gitignore b/.gitignore
index 76dba0d..c143a9a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-/chrony-4.1.tar.gz
-/chrony-4.1-tar-gz-asc.txt
-/clknetsim-f89702.tar.gz
+/chrony-4.2.tar.gz
+/chrony-4.2-tar-gz-asc.txt
+/clknetsim-470b5e.tar.gz
diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch
deleted file mode 100644
index 1cc432d..0000000
--- a/chrony-seccomp.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a
-Author: Miroslav Lichvar
-Date: Mon Aug 9 11:48:21 2021 +0200
-
- sys_linux: allow clone3 and pread64 in seccomp filter
-
- These seem to be needed with the latest glibc.
-
-diff --git a/sys_linux.c b/sys_linux.c
-index 50c08431..2b53f722 100644
---- a/sys_linux.c
-+++ b/sys_linux.c
-@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
-
- /* Process */
- SCMP_SYS(clone),
-+#ifdef __NR_clone3
-+ SCMP_SYS(clone3),
-+#endif
- SCMP_SYS(exit),
- SCMP_SYS(exit_group),
- SCMP_SYS(getpid),
-@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
- #ifdef __NR_ppoll_time64
- SCMP_SYS(ppoll_time64),
- #endif
-+ SCMP_SYS(pread64),
- SCMP_SYS(pselect6),
-#ifdef __NR_pselect6_time64
- SCMP_SYS(pselect6_time64),
diff --git a/chrony-services.patch b/chrony-services.patch
new file mode 100644
index 0000000..02929e2
--- /dev/null
+++ b/chrony-services.patch
@@ -0,0 +1,21 @@
+diff -up chrony-4.2/examples/chronyd.service.services chrony-4.2/examples/chronyd.service
+--- chrony-4.2/examples/chronyd.service.services 2021-12-16 13:17:42.000000000 +0100
++++ chrony-4.2/examples/chronyd.service 2022-01-19 13:55:59.066677473 +0100
+@@ -32,8 +32,7 @@ ProtectKernelLogs=yes
+ ProtectKernelModules=yes
+ ProtectKernelTunables=yes
+ ProtectProc=invisible
+-ProtectSystem=strict
+-ReadWritePaths=/run /var/lib/chrony -/var/log
++ProtectSystem=full
+ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+ RestrictNamespaces=yes
+ RestrictSUIDSGID=yes
+@@ -42,7 +41,6 @@ SystemCallFilter=~@cpu-emulation @debug
+
+ # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
+ NoNewPrivileges=no
+-ReadWritePaths=-/var/spool
+ RestrictAddressFamilies=AF_NETLINK
+
+ [Install]
diff --git a/chrony.spec b/chrony.spec
index 9ebf2c9..e5ab069 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -1,5 +1,5 @@
 %global _hardened_build 1
-%global clknetsim_ver f89702
+%global clknetsim_ver 470b5e
 %bcond_without debug
 %bcond_without nts
@@ -8,8 +8,8 @@
 %endif
 Name: chrony
-Version: 4.1
-Release: 3%{?dist}
+Version: 4.2
+Release: 1%{?dist}
 Summary: An NTP client/server
 License: GPLv2
@@ -24,8 +24,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
 # add distribution-specific bits to DHCP dispatcher
 Patch1: chrony-nm-dispatcher-dhcp.patch
-# update seccomp filter for new glibc
-Patch2: chrony-seccomp.patch
+# revert ProtectSystem in chronyd.service from strict to full
+Patch2: chrony-services.patch
 BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
 BuildRequires: gcc gcc-c++ make bison systemd gnupg2
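Review bot: The new chrony-services.patch loosens the upstream unit from `ProtectSystem=strict` with its explicit `ReadWritePaths=/run /var/lib/chrony -/var/log` allow-list to `ProtectSystem=full`, which leaves every path outside /usr, /boot, /efi and /etc writable to the daemon, yet neither the patch nor the one-line spec comment says what broke under strict. Unlike the deleted chrony-seccomp.patch, which carried a commit message, this patch has no header above its `diff -up` line; a short description there, and a reason in the spec comment such as `# revert ProtectSystem in chronyd.service from strict to full (<path or bug that strict breaks>)`, would let a future maintainer re-tighten the unit once the cause no longer applies. If the breakage is a single path the daemon needs, extending `ReadWritePaths` while keeping strict would presumably be the smaller change than dropping to full, but this diff does not show which case it is. Removing `ReadWritePaths=-/var/spool` from the sendmail block is consistent with full, since /var remains writable under it anyway.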
@@ -57,19 +57,19 @@ service to other computers in the network.
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .nm-dispatcher-dhcp
-%patch2 -p1 -b .seccomp
+%patch2 -p1 -b .services
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
 # review changes in packaged configuration files and scripts
 md5sum -c <<-EOF | (! grep -v 'OK$')
- bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service
+ b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service
 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2
 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example
 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate
 a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp
 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline
- 32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service
+ 619dd00009ea312c7201beefde10341a examples/chronyd.service
 EOF
 # don't allow packaging without vendor zone
diff --git a/sources b/sources
index 14c91b8..2cf5a81 100644
--- a/sources
+++ b/sources
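Review bot: The updated `619dd00009ea312c7201beefde10341a examples/chronyd.service` sum is taken after `%patch2 -p1 -b .services` has already rewritten that file, so it pins the locally patched unit rather than the upstream one, and any future edit to chrony-services.patch will fail this check until the sum is regenerated; nothing in the hunk says so. A comment on the md5sum line, for example `# sums cover the files after %patch2, so chrony-services.patch changes require updating examples/chronyd.service here`, would save the next maintainer a confusing build failure. Checking the pristine `examples/chronyd.service.services` backup instead would presumably separate upstream changes from local ones, but that is a design choice the packager may not want. The %prep section continues beyond this hunk.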
@@ -1,3 +1,3 @@
-SHA512 (chrony-4.1.tar.gz) = 5e283d6a56e6852606c681a7c29c5786b102d584178cbd7033ebbc95a8e95533605631363b850a3087cca438a5878db7a317f120aab2fd856487d02fccfbcb1f
-SHA512 (chrony-4.1-tar-gz-asc.txt) = 82faf9171d782c18224d2d44b340994b0ddab141e88cc803dea83d0ffbb6468bc51e8b11c8dd9bd327220cae04f7d789b58ab23141a2bdf038ce628f9adeb57a
-SHA512 (clknetsim-f89702.tar.gz) = d88d37472b99e4cc044b6c864dfcf5ebb06ef9e2e009ebce06defa07cd46961220707a69c6ec93e35623403a5b4e0683b78b388bf95bfff470fa771d69579c65
+SHA512 (chrony-4.2.tar.gz) = 7f946b27de605b3ebea62cf23916dfad77c99e8b2338ba239ede6b8216ce436b3d4d87770f371c8d8e006507c51d5c831b51f067957abd2935adfdec3f5aa67d
+SHA512 (chrony-4.2-tar-gz-asc.txt) = d8ae4b540ce3529a5a72e10c14765a33ca6fc41529b6fdc9928fb171f25bd6fb87f930b7783638892f42f4cbcfaab4cb1064c930bae1d5204a71babad72b6e10
+SHA512 (clknetsim-470b5e.tar.gz) = 5245414a0e2371ef22725b0cf8cf4b1f033ba9e5493a4a48ffb26e2cac6bb1975583216beb9c0800664159c52e632018ea93d36477dd520f164a55db44e89413
From 9581919ccff629e0a3eb008d73e37c9bd811a17d Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 19 Jan 2022 14:16:24 +0100
Subject: [PATCH 2/2] 4.2-1
---
 chrony.spec | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/chrony.spec b/chrony.spec
index e5ab069..0d3b9f4 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -202,6 +202,9 @@ fi
 %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
 %changelog
+* Wed Jan 19 2022 Miroslav Lichvar 4.2-1
+- update to 4.2
+
 * Mon Aug 09 2021 Miroslav Lichvar 4.1-3
 - update seccomp filter for new glibc
 - remove unnecessary build requirement