From d17bcd6d55f045f7ea7924dcd6d4c9b060bbf9e2 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 11 Jun 2025 15:46:31 +0200 Subject: [PATCH 01/18] update to 4.7 --- .gitignore | 6 +++--- chrony.spec | 5 ++--- sources | 6 +++--- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index 96c8228..2414820 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.7-pre1-tar-gz-asc.txt -/chrony-4.7-pre1.tar.gz -/clknetsim-d60afc.tar.gz +/chrony-4.7.tar.gz +/chrony-4.7-tar-gz-asc.txt +/clknetsim-83cf9c.tar.gz diff --git a/chrony.spec b/chrony.spec index 34ffc37..440c600 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver d60afc -%global prerelease -pre1 +%global clknetsim_ver 83cf9c %bcond_without debug %bcond_without nts @@ -66,7 +65,7 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service - 826354a2d467d6147e412d43bfe07484 examples/chrony.conf.example2 + 3f2ddca6065c3e8f4565d7422739795a examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline diff --git a/sources b/sources index 4931309..f03173e 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.7-pre1-tar-gz-asc.txt) = 6180dfede6bc2d11b4b8a9f2708b306faecdf2f6c92552c52c222b8fe09210aa770ec28c9272a1105ea6716e66553e606dbb00077bce061c6faaf65e1ce2bbf9 -SHA512 (chrony-4.7-pre1.tar.gz) = 9f83887d9771a409edd812046a4b1b7e11966d02a99806d48442a52441ee41a7043a75987e29414b04ddb8ff82dedd0b7646135961f6532cc173c52c01c600c1 -SHA512 (clknetsim-d60afc.tar.gz) = 9fff0dc7c089169158926741860c933fa4fc6eda68c100a54ead137b294ec94b0a6fccb0e3f86abfed274b38621e89b49f3e1ad96fd9bed48a79fabcc0d0ba5f +SHA512 (chrony-4.7.tar.gz) = 419594ab8ff0fd42acaf6e4ca1a011d5cf87c8d90ab040e90bb004b43570888329531593f073fb7c5a1093b5754d61c1ae6034d0b86660e4dc37d42ee0f30623 +SHA512 (chrony-4.7-tar-gz-asc.txt) = c2351e6e624f60e82973bddd5cb1d84c90ee5e862d7d24dfc2b7a8f60a6a948f7446c9b7d68c5e72be4afccbd5d8f572141a4e0bde9cfeefc59aebb7e4fc74e1 +SHA512 (clknetsim-83cf9c.tar.gz) = 2ffef556fc1edc3e19d44773ca550e9ac87889951a0162828238eab7dbd0586b46d16708d6a95a56aae8485acade1db5d16f7463362da00cb1d40cff394364e9 From fcb1dcbf532fec8ef5dbd6d3492125d233863e3b Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 11 Jun 2025 15:51:50 +0200 Subject: [PATCH 02/18] 4.7-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 440c600..775150a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 0.2.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -209,6 +209,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jun 11 2025 Miroslav Lichvar 4.7-1 +- update to 4.7 + * Thu May 22 2025 Miroslav Lichvar 4.7-0.2.pre1 - add workaround for broken build on aarch64 From 0de03083074a9787d1848551e5c44d0dd9db6814 Mon Sep 17 00:00:00 2001 
From: Ondrej Mejzlik Date: Wed, 18 Jun 2025 20:38:17 +0200 Subject: [PATCH 03/18] Testing moves to RH gitlab centos-stream space --- plans.fmf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/plans.fmf b/plans.fmf index 661c046..c28aa6f 100644 --- a/plans.fmf +++ b/plans.fmf @@ -1,7 +1,7 @@ /tier1-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier1/internal adjust: enabled: false @@ -11,13 +11,13 @@ /tier1-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier1/public /tier2-tier3-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier2-tier3/internal adjust: enabled: false @@ -27,13 +27,13 @@ /tier2-tier3-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier2-tier3/public /others-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/others/internal adjust: enabled: false @@ -43,5 +43,5 @@ /others-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/others/public From 70a42e2391e14b3a9294e7f7c3cd162a6c244b1d Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 11:49:16 +0200 Subject: [PATCH 04/18] drop old conflict with NetworkManager --- chrony.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/chrony.spec b/chrony.spec index 775150a..e7467b5 100644 --- a/chrony.spec +++ b/chrony.spec 
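Review bot: Each of the six rewritten `url:` lines still imports the plans by repository and `name:` alone, with no `ref:` pinning a commit or branch, so CI executes whatever the new gitlab.com repository serves at run time, and the move also changes who controls that content. tmt's plan `import:` accepts a `ref:` key; adding `ref: <pinned-commit-or-branch>` (placeholder) under each `import:` would make the imported test plans reproducible and reviewable. The same applies to all six hunks of plans.fmf; it is raised once here.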
@@ -37,9 +37,6 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 # Needed by the leapseclist directive in default chrony.conf Requires: tzdata -# Old NetworkManager expects the dispatcher scripts in a different place -Conflicts: NetworkManager < 1.20 - # suggest drivers for hardware reference clocks Suggests: ntp-refclock From 53321f84b8e15e39e3483fcc5f396bc4e4244e42 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 13:22:54 +0200 Subject: [PATCH 05/18] let systemd create /var/lib/chrony and /var/log/chrony (#2372944) Specify the directories in the chronyd unit file, so they don't have to exist before starting the service and rpm doesn't need to create any non-root directories/files. --- chrony-servicedirs.patch | 18 ++++++++++++++++++ chrony.spec | 9 ++++++--- 2 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 chrony-servicedirs.patch diff --git a/chrony-servicedirs.patch b/chrony-servicedirs.patch new file mode 100644 index 0000000..e806dc9 --- /dev/null +++ b/chrony-servicedirs.patch @@ -0,0 +1,18 @@ +diff -up chrony-4.7/examples/chronyd.service.servicedirs chrony-4.7/examples/chronyd.service +--- chrony-4.7/examples/chronyd.service.servicedirs 2025-06-11 15:06:19.000000000 +0200 ++++ chrony-4.7/examples/chronyd.service 2025-07-10 12:06:57.354215498 +0200 +@@ -10,7 +10,13 @@ Type=notify + PIDFile=/run/chrony/chronyd.pid + Environment="OPTIONS=" + EnvironmentFile=-/etc/sysconfig/chronyd +-ExecStart=/usr/sbin/chronyd -n $OPTIONS ++ExecStart=!/usr/sbin/chronyd -n $OPTIONS ++ ++User=chrony ++LogsDirectory=chrony ++LogsDirectoryMode=0750 ++StateDirectory=chrony ++StateDirectoryMode=0750 + + CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE + CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE diff --git a/chrony.spec b/chrony.spec index e7467b5..c038549 100644 --- a/chrony.spec +++ b/chrony.spec 
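Review bot: `User=chrony` directly below `ExecStart=!/usr/sbin/chronyd` is easy to misread: the `!` prefix makes systemd launch chronyd with full privileges, so `User=` here only sets the owner of the `StateDirectory`/`LogsDirectory` that systemd creates, while the drop to the chrony user is done by chronyd itself (the spec configures `--with-user=chrony`). A comment in the unit would protect this from a later well-meant edit that removes the `!` or assumes the process is confined by `User=`: `# chronyd starts with full privileges (ExecStart=!) and drops to the chrony user itself; User= here sets the owner of the directories below`. Mode 0750 on both directories matches the `%attr(750,chrony,chrony)` the spec keeps for them. The `[Service]` section continues outside the hunk.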
@@ -25,6 +25,8 @@ Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-% # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch +# let systemd create /var/lib/chrony and /var/log/chrony +Patch2: chrony-servicedirs.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -56,6 +58,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch -P 0 -p1} %patch -P 1 -p1 -b .nm-dispatcher-dhcp +%patch -P 2 -p1 -b .servicedirs %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -66,7 +69,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - 274a44cd51981d6d4d3a44dfc92c94ab examples/chronyd.service + 607c82f56639486f52c31105632909eb examples/chronyd.service 5ddbb8a8055f587cb6b0b462ca73ea46 examples/chronyd-restricted.service EOF @@ -200,10 +203,10 @@ fi %{_unitdir}/chrony*.service %{_sysusersdir}/chrony.conf %{_mandir}/man[158]/%{name}*.[158]* -%dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony +%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/rtc -%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony +%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog * Wed Jun 11 2025 Miroslav Lichvar 4.7-1 From 98c501e504b72d90c688982295bfb850f955d74a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 14:02:11 +0200 Subject: [PATCH 06/18] drop workaround for broken build on aarch64 --- chrony.spec | 4 ---- 1 file changed, 4 deletions(-) diff --git a/chrony.spec b/chrony.spec index c038549..6d8a713 100644 
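Review bot: With the `%dir` entries for /var/lib/chrony and /var/log/chrony now `%ghost`, rpm no longer creates them at install time, so they exist only once a unit declaring `StateDirectory=`/`LogsDirectory=` has been started. The md5 of `examples/chronyd-restricted.service` in the same hunk is unchanged, which suggests that unit was not given the same directives; if it can be started on a fresh install without chronyd.service, it would presumably run without those directories — worth confirming. A short comment on the two `%ghost %dir` lines, e.g. `# created by systemd (StateDirectory/LogsDirectory in chronyd.service)`, would record where the directories now come from.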
--- a/chrony.spec +++ b/chrony.spec @@ -97,10 +97,6 @@ rm -f getdate.c mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim %build -%ifarch aarch64 -# workaround for bug #2367978 -CFLAGS="$RPM_OPT_FLAGS -fno-inline" -%endif %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ From 58b9f12d345dde8b0eca270f97325b4e1f6df115 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 14:02:56 +0200 Subject: [PATCH 07/18] 4.7-2 --- chrony.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 6d8a713..887c864 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,11 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Jul 10 2025 Miroslav Lichvar 4.7-2 +- let systemd create /var/lib/chrony and /var/log/chrony (#2372944) +- drop workaround for broken build on aarch64 +- drop old conflict with NetworkManager + * Wed Jun 11 2025 Miroslav Lichvar 4.7-1 - update to 4.7 From 71344384222ce47b080842ea020f1124d066ef7c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 18:17:48 +0000 Subject: [PATCH 08/18] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 887c864..410ce4b 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only 
@@ -205,6 +205,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 4.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Thu Jul 10 2025 Miroslav Lichvar 4.7-2 - let systemd create /var/lib/chrony and /var/log/chrony (#2372944) - drop workaround for broken build on aarch64 From 1db87bbe8dd549a2b29a496f63b5cb39a2000ac8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 14 Aug 2025 16:32:02 +0200 Subject: [PATCH 09/18] update to 4.8-pre1 --- .gitignore | 6 +++--- chrony.spec | 5 +++-- sources | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 2414820..bdfdbf2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.7.tar.gz -/chrony-4.7-tar-gz-asc.txt -/clknetsim-83cf9c.tar.gz +/chrony-4.8-pre1-tar-gz-asc.txt +/chrony-4.8-pre1.tar.gz +/clknetsim-a2eb0b258f8b.tar.gz diff --git a/chrony.spec b/chrony.spec index 410ce4b..aa51417 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 83cf9c +%global prerelease -pre1 +%global clknetsim_ver a2eb0b258f8b %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.7 +Version: 4.8 Release: 3%{?dist} Summary: An NTP client/server diff --git a/sources b/sources index f03173e..bdf667b 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.7.tar.gz) = 419594ab8ff0fd42acaf6e4ca1a011d5cf87c8d90ab040e90bb004b43570888329531593f073fb7c5a1093b5754d61c1ae6034d0b86660e4dc37d42ee0f30623 -SHA512 (chrony-4.7-tar-gz-asc.txt) = c2351e6e624f60e82973bddd5cb1d84c90ee5e862d7d24dfc2b7a8f60a6a948f7446c9b7d68c5e72be4afccbd5d8f572141a4e0bde9cfeefc59aebb7e4fc74e1 -SHA512 (clknetsim-83cf9c.tar.gz) = 2ffef556fc1edc3e19d44773ca550e9ac87889951a0162828238eab7dbd0586b46d16708d6a95a56aae8485acade1db5d16f7463362da00cb1d40cff394364e9 +SHA512 (chrony-4.8-pre1-tar-gz-asc.txt) = 0daafd987e46d720c42bbe4de13f5a293feabb3e239c9caf90146197b8444504cf45efc2078f431e745fae52e222937f9d48da496b091372fe4301a3f8726983 +SHA512 (chrony-4.8-pre1.tar.gz) = 2e76fd523fbeaa31bcbecbe2a16105e4fa103751753f0d05e2d2fcfaed62dbd4e023b559e97a44b28756b3ae7bc5d0873a787f09eb760da6a00d8184eedc03ad +SHA512 (clknetsim-a2eb0b258f8b.tar.gz) = 88996d4652b73b603caf9387b030c8406e7bc015443bb4b348c4a626882a0b42398dbcefa971fc8ba02dcdc0a79171ea63cadc13c518961b66901fecbee7c8e3 From 283f2dad2f7e8f492a7582b83106c8bec90aa9e0 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 14 Aug 2025 16:33:01 +0200 Subject: [PATCH 10/18] 4.8-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index aa51417..c5d2aaa 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.8 -Release: 3%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Aug 14 2025 Miroslav Lichvar 4.8-0.1.pre1 +- update to 4.8-pre1 + * Wed Jul 23 2025 Fedora Release Engineering - 4.7-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From b9e07af77919a639d95c7ae1b533c3865f6c1b9e Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar
Date: Wed, 27 Aug 2025 14:47:58 +0200
Subject: [PATCH 11/18] update to 4.8
---
 .gitignore | 6 +++---
 chrony.spec | 3 +--
 sources | 6 +++---
 3 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/.gitignore b/.gitignore
index bdfdbf2..4d608e1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-/chrony-4.8-pre1-tar-gz-asc.txt
-/chrony-4.8-pre1.tar.gz
-/clknetsim-a2eb0b258f8b.tar.gz
+/chrony-4.8-tar-gz-asc.txt
+/chrony-4.8.tar.gz
+/clknetsim-6ee99f50dec8.tar.gz
diff --git a/chrony.spec b/chrony.spec
index c5d2aaa..708d57b 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -1,6 +1,5 @@
 %global _hardened_build 1
-%global prerelease -pre1
-%global clknetsim_ver a2eb0b258f8b
+%global clknetsim_ver 6ee99f50dec8
 %bcond_without debug
 %bcond_without nts
diff --git a/sources b/sources
index bdf667b..35a8415 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (chrony-4.8-pre1-tar-gz-asc.txt) = 0daafd987e46d720c42bbe4de13f5a293feabb3e239c9caf90146197b8444504cf45efc2078f431e745fae52e222937f9d48da496b091372fe4301a3f8726983
-SHA512 (chrony-4.8-pre1.tar.gz) = 2e76fd523fbeaa31bcbecbe2a16105e4fa103751753f0d05e2d2fcfaed62dbd4e023b559e97a44b28756b3ae7bc5d0873a787f09eb760da6a00d8184eedc03ad
-SHA512 (clknetsim-a2eb0b258f8b.tar.gz) = 88996d4652b73b603caf9387b030c8406e7bc015443bb4b348c4a626882a0b42398dbcefa971fc8ba02dcdc0a79171ea63cadc13c518961b66901fecbee7c8e3
+SHA512 (chrony-4.8-tar-gz-asc.txt) = df7f4e06f74a4b8c9a49e8fe57ea02e0324c5683d036412c32192a09f08e08f33537609cef8df0b4302bfcd63332b3092f33f40c8d02857c93ecea13822b5b47
+SHA512 (chrony-4.8.tar.gz) = 949b796bb34db32a5c1b9e6b53be6a22e51c59f24a316d585b8a52a52ab1f61bdf0378dc58b282bb0ba4fac1f05e1e99fbe37cb4259aa2b359e7bf679c176aab
+SHA512 (clknetsim-6ee99f50dec8.tar.gz) = 2621d1c44b84b42fcdf644f236ff90dab9f8a8407a138c8719c53dd9c4f21480db3b4ba598116aa1b9d6bd1fa02fc410d85a43baf55ddf8ad47fc09aba4c4477
From fbf4abe9539130145f2c6266b609cc388ed8eb42 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar Date: Wed, 27 Aug 2025 14:48:58 +0200 Subject: [PATCH 12/18] 4.8-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 708d57b..afe2248 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Aug 27 2025 Miroslav Lichvar 4.8-1 +- update to 4.8 + * Thu Aug 14 2025 Miroslav Lichvar 4.8-0.1.pre1 - update to 4.8-pre1 From 95665ab0604acc9eb35e821ae580d6af41236047 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 8 Sep 2025 10:06:24 +0200 Subject: [PATCH 13/18] drop root privileges in chronyc by default Use the new configure option added in chrony-4.8 to change the default chronyc user to chrony. If chronyc is started under root, it will switch to the chrony user automatically to minimize impact of potential security issues. This shouldn't be visible to the user, but if for some reason the original behavior is required, "-u root" can be added to the chronyc command line. --- chrony.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/chrony.spec b/chrony.spec index afe2248..02fc8a8 100644 --- a/chrony.spec +++ b/chrony.spec @@ -105,6 +105,7 @@ mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim --chronyrundir=/run/chrony \ --docdir=%{_docdir} \ --with-ntp-era=$(date -d '1970-01-01 00:00:00+00:00' +'%s') \ + --with-chronyc-user=chrony \ --with-user=chrony \ --with-hwclockfile=%{_sysconfdir}/adjtime \ --with-pidfile=/run/chrony/chronyd.pid \ From 9c685eb118a6f049a5a253cd9b76daf008a2dd3a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 8 Sep 2025 10:10:54 +0200 Subject: [PATCH 14/18] 4.8-2 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 02fc8a8..5da1033 100644 
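Review bot: The commit message explains that chronyc started as root now switches to the chrony user and that `-u root` restores the old behaviour, but none of that reaches the spec or changelog, which is where a packager investigating an unexpected permission change will look first. `--with-chronyc-user=chrony \` sits inside the backslash-continued `%configure` invocation, so a comment cannot go directly above it; place it above `%configure` (which starts outside this hunk), e.g. `# chronyc drops root to the chrony user by default; "chronyc -u root" keeps root`, and mention `-u root` in the 4.8-2 changelog entry of the following commit.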
--- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Sep 08 2025 Miroslav Lichvar 4.8-2 +- drop root privileges in chronyc by default + * Wed Aug 27 2025 Miroslav Lichvar 4.8-1 - update to 4.8 From 57f2f4a8c160f18d4a544be5ab0f216771368c1c Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 21 Oct 2025 14:26:44 +0200 Subject: [PATCH 15/18] update seccomp filter for new glibc (#2405310) --- chrony-seccomp.patch | 35 +++++++++++++++++++++++++++++++++++ chrony.spec | 3 +++ 2 files changed, 38 insertions(+) create mode 100644 chrony-seccomp.patch diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch new file mode 100644 index 0000000..af9f775 --- /dev/null +++ b/chrony-seccomp.patch 
@@ -0,0 +1,35 @@ +commit 03875f1ea5c4c0eeeb30a7d1fc5fdd53236f4ac2 +Author: Miroslav Lichvar +Date: Tue Oct 21 14:06:38 2025 +0200 + + sys_linux: allow ioctl(TCGETS2) in seccomp filter + + Add TCGETS2 to the list of allowed ioctls. It seems to be called by the + latest glibc version from isatty(), which is called from libpcsclite + used by gnutls in an NTS-KE session. + + Include the linux termios header instead of glibc header to get a usable + definition of TCGETS2. + +diff --git a/sys_linux.c b/sys_linux.c +index ca5540f2..e20e459d 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -48,7 +48,7 @@ + #ifdef FEAT_SCFILTER + #include + #include +-#include ++#include + #ifdef FEAT_PPS + #include + #endif +@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL }; + + const static unsigned long ioctls[] = { +- FIONREAD, TCGETS, TIOCGWINSZ, ++ FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ, + #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING) + PTP_EXTTS_REQUEST, PTP_SYS_OFFSET, + #ifdef PTP_PIN_SETFUNC diff --git a/chrony.spec b/chrony.spec index 5da1033..78da102 100644 --- a/chrony.spec +++ b/chrony.spec @@ -27,6 +27,8 @@ Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-% Patch1: chrony-nm-dispatcher-dhcp.patch # let systemd create /var/lib/chrony and /var/log/chrony Patch2: chrony-servicedirs.patch +# update seccomp filter for new glibc +Patch3: chrony-seccomp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -59,6 +61,7 @@ service to other computers in the network. %{?gitpatch:%patch -P 0 -p1} %patch -P 1 -p1 -b .nm-dispatcher-dhcp %patch -P 2 -p1 -b .servicedirs +%patch -P 3 -p1 -b .seccomp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} From ed7a59c023170d91a880b2bd979b5ac8e494e8d0 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Tue, 21 Oct 2025 14:34:19 +0200 Subject: [PATCH 16/18] 4.8-3 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 78da102..66a86d5 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -209,6 +209,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Oct 21 2025 Miroslav Lichvar 4.8-3 +- update seccomp filter for new glibc (#2405310) + * Mon Sep 08 2025 Miroslav Lichvar 4.8-2 - drop root privileges in chronyc by default From d146c7faa536a1a15e65bcf4270e0f098cb5fdbf Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 22 Oct 2025 14:15:13 +0200 Subject: [PATCH 17/18] fix seccomp fix to build on ppc64 --- chrony-seccomp.patch | 159 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch index af9f775..c8f79ae 100644 --- a/chrony-seccomp.patch +++ b/chrony-seccomp.patch 
@@ -33,3 +33,162 @@ index ca5540f2..e20e459d 100644 #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING) PTP_EXTTS_REQUEST, PTP_SYS_OFFSET, #ifdef PTP_PIN_SETFUNC +commit 3c39afa13c769452d4c340bfc987e229b7c9caeb +Author: Miroslav Lichvar +Date: Wed Oct 22 10:53:11 2025 +0200 + + sys_linux: fix building with older compilers and some archs + + The recent replacement of with to get + TCGETS2 seems to work only with compilers (or C standards) that allow + the same structure to be defined multiple times. There is a conflict + between and . + + Another problem is that TCGETS2 is not used on some archs like ppc64. + + Switch back to and move TCGETS2 to a list in a separate + file where it can be compiled without . + + Fixes: 03875f1ea5c4 ("sys_linux: allow ioctl(TCGETS2) in seccomp filter") + +diff --git a/configure b/configure +index 195b1ed7..ca64475d 100755 +--- a/configure ++++ b/configure +@@ -808,6 +808,7 @@ then + # a time and the async resolver would block the main thread + priv_ops="NAME2IPADDRESS RELOADDNS" + EXTRA_LIBS="$EXTRA_LIBS -lseccomp" ++ EXTRA_OBJECTS="$EXTRA_OBJECTS sys_linux_scmp.o" + fi + + if [ "x$priv_ops" != "x" ]; then +diff --git a/sys_linux.c b/sys_linux.c +index e20e459d..89eec950 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -48,7 +48,7 @@ + #ifdef FEAT_SCFILTER + #include + #include +-#include ++#include + #ifdef FEAT_PPS + #include + #endif +@@ -63,6 +63,7 @@ + #endif + + #include "sys_linux.h" ++#include "sys_linux_scmp.h" + #include "sys_timex.h" + #include "conf.h" + #include "local.h" +@@ -615,7 +616,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL }; + + const static unsigned long ioctls[] = { +- FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ, ++ FIONREAD, TCGETS, TIOCGWINSZ, + #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING) + PTP_EXTTS_REQUEST, PTP_SYS_OFFSET, + #ifdef PTP_PIN_SETFUNC +@@ -728,6 +729,14 @@ 
SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + SCMP_A1(SCMP_CMP_EQ, ioctls[i])) < 0) + goto add_failed; + } ++ ++ /* Allow selected ioctls that need to be specified in a separate ++ file to avoid conflicting headers (e.g. TCGETS2) */ ++ for (i = 0; SYS_Linux_GetExtraScmpIoctl(i) != 0; i++) { ++ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, ++ SCMP_A1(SCMP_CMP_EQ, SYS_Linux_GetExtraScmpIoctl(i))) < 0) ++ goto add_failed; ++ } + } + + if (seccomp_load(ctx) < 0) +diff --git a/sys_linux_scmp.c b/sys_linux_scmp.c +new file mode 100644 +index 00000000..a907a97d +--- /dev/null ++++ b/sys_linux_scmp.c +@@ -0,0 +1,44 @@ ++/* ++ chronyd/chronyc - Programs for keeping computer clocks accurate. ++ ++ ********************************************************************** ++ * Copyright (C) Miroslav Lichvar 2025 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of version 2 of the GNU General Public License as ++ * published by the Free Software Foundation. ++ * ++ * This program is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License along ++ * with this program; if not, write to the Free Software Foundation, Inc., ++ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ * ++ ********************************************************************** ++ ++ ======================================================================= ++ ++ Lists of values that are needed in seccomp filters but need to ++ be compiled separately from sys_linux.c due to conflicting headers. 
++ */ ++ ++#include ++ ++#include "sys_linux_scmp.h" ++ ++unsigned long ++SYS_Linux_GetExtraScmpIoctl(int index) ++{ ++ const unsigned long ioctls[] = { ++#ifdef TCGETS2 ++ /* Conflict between and */ ++ TCGETS2, ++#endif ++ 0 ++ }; ++ ++ return ioctls[index]; ++} +diff --git a/sys_linux_scmp.h b/sys_linux_scmp.h +new file mode 100644 +index 00000000..62a9d548 +--- /dev/null ++++ b/sys_linux_scmp.h +@@ -0,0 +1,28 @@ ++/* ++ chronyd/chronyc - Programs for keeping computer clocks accurate. ++ ++ ********************************************************************** ++ * Copyright (C) Miroslav Lichvar 2025 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of version 2 of the GNU General Public License as ++ * published by the Free Software Foundation. ++ * ++ * This program is distributed in the hope that it will be useful, but ++ * WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License along ++ * with this program; if not, write to the Free Software Foundation, Inc., ++ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ * ++ ********************************************************************** ++ ++ ======================================================================= ++ ++ Header file for lists that are needed in seccomp filters but need to ++ be compiled separately from sys_linux.c due to conflicting headers. ++ */ ++ ++extern unsigned long SYS_Linux_GetExtraScmpIoctl(int index); From f14345b7112621a85497b2e5e45176f6fa807ec9 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 22 Oct 2025 14:16:17 +0200 Subject: [PATCH 18/18] 4.8-3
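Review bot: `SYS_Linux_GetExtraScmpIoctl()` in the new sys_linux_scmp.c returns `ioctls[index]` without any bounds check; the only caller in sys_linux.c stops at the first 0 return, so the function is safe only while every caller honours that sentinel, and an index one past it reads out of bounds. A guard makes the contract self-enforcing: `if (index < 0 || index >= (int)(sizeof ioctls / sizeof ioctls[0])) return 0;`, and the declaration in sys_linux_scmp.h should state it: `/* Returns the index-th extra ioctl number to allow; 0 terminates the list */`. The array could also be `static const` rather than rebuilt on every call. The enclosing `SYS_Linux_EnableSystemCallFilter()` around the new loop starts and ends outside the hunk.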