From c6a8172473c3f554e13326390214080e482a0666 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 13 May 2021 16:35:50 +0200 Subject: [PATCH 01/91] add bcond for seccomp --- chrony.spec | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/chrony.spec b/chrony.spec index ac3d46c..0862235 100644 --- a/chrony.spec +++ b/chrony.spec @@ -3,6 +3,10 @@ %bcond_without debug %bcond_without nts +%ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x +%bcond_without seccomp +%endif + Name: chrony Version: 4.1 Release: 0.1.pre1%{?dist} @@ -23,11 +27,9 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c Patch1: chrony-nm-dispatcher-dhcp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel -%ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x -BuildRequires: libseccomp-devel -%endif BuildRequires: gcc gcc-c++ make bison systemd gnupg2 net-tools %{?with_nts:BuildRequires: gnutls-devel gnutls-utils} +%{?with_seccomp:BuildRequires: libseccomp-devel} Requires(pre): shadow-utils %{?systemd_requires} @@ -93,7 +95,7 @@ mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ - --enable-scfilter \ +%{?with_seccomp: --enable-scfilter} \ %{!?with_nts: --disable-nts} \ --chronyrundir=/run/chrony \ --docdir=%{_docdir} \ From eeffcafda90476da2600f66fa5cd1ac5d5bacebb Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 13 May 2021 16:39:42 +0200 Subject: [PATCH 02/91] enable seccomp filter by default Add -F 2 to default /etc/sysconfig/chronyd to enable a filter blocking a small number of specific system calls. The filter is incompatible with the mailonchange directive. --- chrony.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 0862235..47508e5 100644 --- a/chrony.spec +++ b/chrony.spec 
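Review bot: The new `%{?with_seccomp: --enable-scfilter} \` line in the %configure hunk means chronyd on architectures outside the `%ifarch` list of the first hunk is built without system call filtering, so any other place in the spec that turns the filter on at runtime needs the same guard. The next commit in this series adds `-F 2` to the generated /etc/sysconfig/chronyd per its message; if that is written unconditionally, chronyd on those architectures would, as far as I can tell, reject the option and fail to start, so the `-F 2` should be wrapped in a `%{?with_seccomp:...}` conditional in the heredoc that writes the file. A short comment above the `%ifarch` block naming the architectures as the ones libseccomp supports would also explain why the bcond is arch-conditional.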
@@ -138,7 +138,7 @@ install -m 644 -p examples/chrony-wait.service \ cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < Date: Thu, 13 May 2021 16:41:21 +0200 Subject: [PATCH 03/91] 4.1-1 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 47508e5..55d7831 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.1 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -200,6 +200,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu May 13 2021 Miroslav Lichvar 4.1-1 +- update to 4.1 +- enable seccomp filter by default (incompatible with mailonchange directive) + * Thu Apr 22 2021 Miroslav Lichvar 4.1-0.1.pre1 - update to 4.1-pre1 - rework NM-dispatcher/dhclient detection From cdc407899bc7fc721c211921a3595958357971ba Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 13 May 2021 17:09:26 +0200 Subject: [PATCH 04/91] 4.1-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index ac3d46c..174cd8d 100644 --- a/chrony.spec +++ b/chrony.spec @@ -5,7 +5,7 @@ Name: chrony Version: 4.1 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -198,6 +198,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu May 13 2021 Miroslav Lichvar 4.1-1 +- update to 4.1 + * Thu Apr 22 2021 Miroslav Lichvar 4.1-0.1.pre1 - update to 4.1-pre1 - rework NM-dispatcher/dhclient detection From 1fbbda2376e0c7919baa7f3cedff59f1e03e3a47 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 21 Jul 2021 14:29:32 +0000 Subject: [PATCH 05/91] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering From 41461a14e352bb2d8d901655cb18e67d9c584286 Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Wed, 21 Jul 2021 19:26:44 +0000 Subject: [PATCH 06/91] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 55d7831..d5bb32e 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -200,6 +200,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 21 2021 Fedora Release Engineering - 4.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Thu May 13 2021 Miroslav Lichvar 4.1-1 - update to 4.1 - enable seccomp filter by default (incompatible with mailonchange directive) From db7c1c445084118522aec2bc55c4dc0a2fa26b01 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Jun 2021 12:40:53 +0200 Subject: [PATCH 07/91] update out-of-date comment about NM DHCP script --- chrony.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/chrony.spec b/chrony.spec index d5bb32e..7c0e7ed 100644 --- a/chrony.spec +++ b/chrony.spec @@ -22,8 +22,7 @@ Source3: chrony.dhclient Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} -# add Fedora/RHEL-specific bits to DHCP dispatcher, including -# deferring to dhclient if installled, and using /etc/sysconfig +# add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel From eeb573858395f7e9f9db7432e272b1868b3218b9 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Tue, 8 Jun 2021 15:07:16 +0200 Subject: [PATCH 08/91] remove unnecessary build requirement --- chrony.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 7c0e7ed..e226b88 100644 --- a/chrony.spec +++ b/chrony.spec @@ -26,7 +26,7 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c Patch1: chrony-nm-dispatcher-dhcp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel -BuildRequires: gcc gcc-c++ make bison systemd gnupg2 net-tools +BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?with_nts:BuildRequires: gnutls-devel gnutls-utils} %{?with_seccomp:BuildRequires: libseccomp-devel} From e7d17261da096ce9bbc39f709efdbdae363c5759 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 9 Aug 2021 15:52:10 +0200 Subject: [PATCH 09/91] update seccomp filter for new glibc --- chrony-seccomp.patch | 30 ++++++++++++++++++++++++++++++ chrony.spec | 3 +++ 2 files changed, 33 insertions(+) create mode 100644 chrony-seccomp.patch diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch new file mode 100644 index 0000000..1cc432d --- /dev/null +++ b/chrony-seccomp.patch 
@@ -0,0 +1,30 @@ +commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a +Author: Miroslav Lichvar +Date: Mon Aug 9 11:48:21 2021 +0200 + + sys_linux: allow clone3 and pread64 in seccomp filter + + These seem to be needed with the latest glibc. + +diff --git a/sys_linux.c b/sys_linux.c +index 50c08431..2b53f722 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + + /* Process */ + SCMP_SYS(clone), ++#ifdef __NR_clone3 ++ SCMP_SYS(clone3), ++#endif + SCMP_SYS(exit), + SCMP_SYS(exit_group), + SCMP_SYS(getpid), +@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + #ifdef __NR_ppoll_time64 + SCMP_SYS(ppoll_time64), + #endif ++ SCMP_SYS(pread64), + SCMP_SYS(pselect6), + #ifdef __NR_pselect6_time64 + SCMP_SYS(pselect6_time64), diff --git a/chrony.spec b/chrony.spec index e226b88..034d007 100644 --- a/chrony.spec +++ b/chrony.spec @@ -24,6 +24,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch +# update seccomp filter for new glibc +Patch2: chrony-seccomp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -55,6 +57,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp +%patch2 -p1 -b .seccomp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} From 49d1a1fef3a3e9792006b4eb896c6adfd7db10fd Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 9 Aug 2021 15:54:00 +0200 Subject: [PATCH 10/91] 4.1-3 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 034d007..9ebf2c9 100644 --- a/chrony.spec +++ b/chrony.spec 
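Review bot: The new `Patch2: chrony-seccomp.patch` entry is a backport of an upstream commit whose id (bbbd80bf03223f181d4abf5c8e5fe6136ab6129a) is only recorded inside the patch file itself; naming it in the spec comment, e.g. `# update seccomp filter for new glibc (upstream commit bbbd80bf)`, makes it immediately clear that the patch can be dropped once the package moves to a release containing it. The `%patch2 -p1 -b .seccomp` line in the %prep hunk is consistent with the existing `%patch1` usage.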
@@ -9,7 +9,7 @@ Name: chrony Version: 4.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPLv2 @@ -202,6 +202,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Aug 09 2021 Miroslav Lichvar 4.1-3 +- update seccomp filter for new glibc +- remove unnecessary build requirement + * Wed Jul 21 2021 Fedora Release Engineering - 4.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From cdae473dfcd2434d117f7144be641bd630b47ac3 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 29 Sep 2021 16:18:06 +0200 Subject: [PATCH 11/91] harden chronyd and chrony-wait services --- chrony-services.patch | 120 ++++++++++++++++++++++++++++++++++++++++++ chrony.spec | 7 ++- 2 files changed, 125 insertions(+), 2 deletions(-) create mode 100644 chrony-services.patch diff --git a/chrony-services.patch b/chrony-services.patch new file mode 100644 index 0000000..94af6fd --- /dev/null +++ b/chrony-services.patch 
@@ -0,0 +1,120 @@ +commit 83f96efdfd2d42a8de51ac3b05120acf5292bb00 +Author: Miroslav Lichvar +Date: Wed Sep 29 15:25:48 2021 +0200 + + examples: harden systemd services + + Add various settings to the example chronyd and chrony-wait services to + decrease the exposure reported by the "systemd-analyze security" + command. The original exposure was high as the analyzer does not check + the actual process (e.g. that it dropped the root privileges or that it + has its own seccomp filter). + + Limit read-write access to /run, /var/lib/chrony, and /var/spool. + Access to /run (instead of /run/chrony) is needed for the refclock + socket expected by gpsd. + + The mailonchange directive is most likely to break as it executes + /usr/sbin/sendmail, which can do unexpected operations depending on the + implementation. It should work with a setuid/setgid binary, but it is + not expected to write outside of /var/spool and the private /tmp. + +diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service +index b3aa7aa2..72b028f2 100644 +--- a/examples/chrony-wait.service ++++ b/examples/chrony-wait.service +@@ -16,5 +16,32 @@ TimeoutStartSec=180 + RemainAfterExit=yes + StandardOutput=null + ++CapabilityBoundingSet= ++DevicePolicy=closed ++DynamicUser=yes ++IPAddressAllow=localhost ++IPAddressDeny=any ++LockPersonality=yes ++MemoryDenyWriteExecute=yes ++PrivateDevices=yes ++PrivateUsers=yes ++ProcSubset=pid ++ProtectClock=yes ++ProtectControlGroups=yes ++ProtectHome=yes ++ProtectHostname=yes ++ProtectKernelLogs=yes ++ProtectKernelModules=yes ++ProtectKernelTunables=yes ++ProtectProc=invisible ++ProtectSystem=strict ++RestrictAddressFamilies=AF_INET AF_INET6 ++RestrictNamespaces=yes ++RestrictRealtime=yes ++SystemCallArchitectures=native ++SystemCallFilter=@system-service ++SystemCallFilter=~@privileged @resources ++UMask=0777 ++ + [Install] + WantedBy=multi-user.target +diff --git a/examples/chronyd.service b/examples/chronyd.service +index 289548cb..2cac6026 100644 
+--- a/examples/chronyd.service ++++ b/examples/chronyd.service +@@ -10,9 +10,40 @@ Type=forking + PIDFile=/run/chrony/chronyd.pid + EnvironmentFile=-/etc/sysconfig/chronyd + ExecStart=/usr/sbin/chronyd $OPTIONS ++ ++CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE ++CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE ++CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN ++CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT ++CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM ++DeviceAllow=char-pps rw ++DeviceAllow=char-ptp rw ++DeviceAllow=char-rtc rw ++DevicePolicy=closed ++LockPersonality=yes ++MemoryDenyWriteExecute=yes ++NoNewPrivileges=yes + PrivateTmp=yes ++ProcSubset=pid ++ProtectControlGroups=yes + ProtectHome=yes +-ProtectSystem=full ++ProtectHostname=yes ++ProtectKernelLogs=yes ++ProtectKernelModules=yes ++ProtectKernelTunables=yes ++ProtectProc=invisible ++ProtectSystem=strict ++ReadWritePaths=/run /var/lib/chrony ++RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX ++RestrictNamespaces=yes ++RestrictSUIDSGID=yes ++SystemCallArchitectures=native ++SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap ++ ++# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) ++NoNewPrivileges=no ++ReadWritePaths=/var/spool ++RestrictAddressFamilies=AF_NETLINK + + [Install] + WantedBy=multi-user.target + +Avoid a SELinux issue + +diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service +index 72b028f2..57646950 100644 +--- a/examples/chrony-wait.service ++++ b/examples/chrony-wait.service +@@ -18,7 +18,7 @@ StandardOutput=null + + CapabilityBoundingSet= + DevicePolicy=closed +-DynamicUser=yes ++#DynamicUser=yes + IPAddressAllow=localhost + IPAddressDeny=any + LockPersonality=yes diff --git a/chrony.spec b/chrony.spec index 9ebf2c9..07e6b41 100644 --- a/chrony.spec 
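Review bot: In the chronyd.service part of the new chrony-services.patch, `NoNewPrivileges=yes` is set in the hardening block and then reset by `NoNewPrivileges=no` in the sendmail block of the same unit; for a boolean setting the last assignment wins, so the first line is dead and a reader skimming the unit will assume the flag is on. Either drop the earlier line or keep only the `no` with its comment, and say explicitly why it is off, e.g. `# NoNewPrivileges stays off so a setuid/setgid sendmail works (mailonchange)`; the effective value can be confirmed with `systemd-analyze security chronyd` rather than from the unit text. In the chrony-wait.service part, `DynamicUser=yes` is commented out by the follow-up "Avoid a SELinux issue" fragment and, as far as the visible lines show, nothing else sets `User=`, so that unit now runs with an empty `CapabilityBoundingSet=` under the default user; a one-line comment stating that this is intended would save the next reader from re-deriving it.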
+++ b/chrony.spec @@ -26,6 +26,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c Patch1: chrony-nm-dispatcher-dhcp.patch # update seccomp filter for new glibc Patch2: chrony-seccomp.patch +# harden chronyd and chrony-wait services +Patch3: chrony-services.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -58,18 +60,19 @@ service to other computers in the network. %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp %patch2 -p1 -b .seccomp +%patch3 -p1 -b .services %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') - bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service + 222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline - 32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service + 76c8a32a5ac6692a7f15f65e2b5f3239 examples/chronyd.service EOF # don't allow packaging without vendor zone From 89973469bd2cee828ef1b4744d11b9fbea9339db Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 29 Sep 2021 16:22:20 +0200 Subject: [PATCH 12/91] 4.1-4 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 07e6b41..100f4fa 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.1 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An NTP client/server License: GPLv2 
@@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Sep 29 2021 Miroslav Lichvar 4.1-4 +- harden chronyd and chrony-wait services + * Mon Aug 09 2021 Miroslav Lichvar 4.1-3 - update seccomp filter for new glibc - remove unnecessary build requirement From a1a45e3283239a0efff5ad810012ab3591248397 Mon Sep 17 00:00:00 2001 From: Ondrej Mejzlik Date: Tue, 5 Oct 2021 14:50:46 +0200 Subject: [PATCH 13/91] Adding fmf plan --- .fmf/version | 1 + plans/ci.fmf | 6 ++++++ 2 files changed, 7 insertions(+) create mode 100644 .fmf/version create mode 100644 plans/ci.fmf diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/plans/ci.fmf b/plans/ci.fmf new file mode 100644 index 0000000..7834d37 --- /dev/null +++ b/plans/ci.fmf @@ -0,0 +1,6 @@ +summary: Test plan that runs all tests from tests repo. +discover: + how: fmf + url: https://src.fedoraproject.org/tests/chrony.git +execute: + how: tmt From 90ef1216ea0e211ccd63414542423c9702336a64 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 16 Nov 2021 16:45:53 +0100 Subject: [PATCH 14/91] fix hardened chronyd service to allow writing log files --- chrony-services.patch | 31 +++++++++++++++++++++++++++++++ chrony.spec | 2 +- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/chrony-services.patch b/chrony-services.patch index 94af6fd..34aa909 100644 --- a/chrony-services.patch +++ b/chrony-services.patch 
@@ -118,3 +118,34 @@ index 72b028f2..57646950 100644 IPAddressAllow=localhost IPAddressDeny=any LockPersonality=yes +commit 76a905d652cafccfac1023f74d12ffa7facc4832 +Author: Miroslav Lichvar +Date: Mon Oct 4 10:54:40 2021 +0200 + + examples: improve chronyd service + + Allow writing logfiles (enabled by logdir or -l option) to /var/log and + don't require /var/spool to exist. + +diff --git a/examples/chronyd.service b/examples/chronyd.service +index 2cac6026..4fb930ef 100644 +--- a/examples/chronyd.service ++++ b/examples/chronyd.service +@@ -33,7 +33,7 @@ ProtectKernelModules=yes + ProtectKernelTunables=yes + ProtectProc=invisible + ProtectSystem=strict +-ReadWritePaths=/run /var/lib/chrony ++ReadWritePaths=/run /var/lib/chrony -/var/log + RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX + RestrictNamespaces=yes + RestrictSUIDSGID=yes +@@ -42,7 +42,7 @@ SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot + + # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) + NoNewPrivileges=no +-ReadWritePaths=/var/spool ++ReadWritePaths=-/var/spool + RestrictAddressFamilies=AF_NETLINK + + [Install] diff --git a/chrony.spec b/chrony.spec index 100f4fa..38df8eb 100644 --- a/chrony.spec +++ b/chrony.spec @@ -72,7 +72,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline - 76c8a32a5ac6692a7f15f65e2b5f3239 examples/chronyd.service + 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service EOF # don't allow packaging without vendor zone From 8ebbcb0ef4b80de42bdad159eae8fac950cfbb4c Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 16 Nov 2021 16:47:03 +0100 Subject: [PATCH 15/91] 4.1-5 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 38df8eb..5a2d960 100644 --- a/chrony.spec 
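Review bot: The changed `ReadWritePaths=/run /var/lib/chrony -/var/log` line grants write access to all of /var/log inside the unit's mount namespace, while the package itself only owns `%{_localstatedir}/log/chrony` (see the %files entry in the earlier hunks of this series). If only the distribution default log directory needs to work, `-/var/log/chrony` is the tighter grant; if the broader path is deliberate so that a user-configured `logdir`/`-l` anywhere below /var/log keeps working, as the upstream message suggests, that reasoning belongs in a comment next to the line, e.g. `# /var/log rather than /var/log/chrony: logdir may point anywhere below it`. Either way DAC still applies if chronyd drops to the chrony user as the package setup implies, so this is a question of defense-in-depth scope rather than a new exposure.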
+++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.1 -Release: 4%{?dist} +Release: 5%{?dist} Summary: An NTP client/server License: GPLv2 @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Nov 16 2021 Miroslav Lichvar 4.1-5 +- fix hardened chronyd service to allow writing log files + * Wed Sep 29 2021 Miroslav Lichvar 4.1-4 - harden chronyd and chrony-wait services From 2eeb6969c51c44cdadf53989aadbd523c3727b2a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 2 Dec 2021 13:14:09 +0100 Subject: [PATCH 16/91] update to 4.2-pre1 --- .gitignore | 6 +- chrony-seccomp.patch | 30 --------- chrony-services.patch | 151 ------------------------------------------ chrony.spec | 13 ++-- sources | 6 +- 5 files changed, 10 insertions(+), 196 deletions(-) delete mode 100644 chrony-seccomp.patch delete mode 100644 chrony-services.patch diff --git a/.gitignore b/.gitignore index 76dba0d..f18ac28 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.1.tar.gz -/chrony-4.1-tar-gz-asc.txt -/clknetsim-f89702.tar.gz +/chrony-4.2-pre1.tar.gz +/chrony-4.2-pre1-tar-gz-asc.txt +/clknetsim-470b5e.tar.gz diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch deleted file mode 100644 index 1cc432d..0000000 --- a/chrony-seccomp.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a -Author: Miroslav Lichvar -Date: Mon Aug 9 11:48:21 2021 +0200 - - sys_linux: allow clone3 and pread64 in seccomp filter - - These seem to be needed with the latest glibc. - -diff --git a/sys_linux.c b/sys_linux.c -index 50c08431..2b53f722 100644 ---- a/sys_linux.c -+++ b/sys_linux.c -@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) - - /* Process */ - SCMP_SYS(clone), -+#ifdef __NR_clone3 -+ SCMP_SYS(clone3), -+#endif - SCMP_SYS(exit), - SCMP_SYS(exit_group), - SCMP_SYS(getpid), -@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) - #ifdef __NR_ppoll_time64 - SCMP_SYS(ppoll_time64), - #endif -+ SCMP_SYS(pread64), - SCMP_SYS(pselect6), - #ifdef __NR_pselect6_time64 - SCMP_SYS(pselect6_time64), diff --git a/chrony-services.patch b/chrony-services.patch deleted file mode 100644 index 34aa909..0000000 --- a/chrony-services.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -commit 83f96efdfd2d42a8de51ac3b05120acf5292bb00 -Author: Miroslav Lichvar -Date: Wed Sep 29 15:25:48 2021 +0200 - - examples: harden systemd services - - Add various settings to the example chronyd and chrony-wait services to - decrease the exposure reported by the "systemd-analyze security" - command. The original exposure was high as the analyzer does not check - the actual process (e.g. that it dropped the root privileges or that it - has its own seccomp filter). - - Limit read-write access to /run, /var/lib/chrony, and /var/spool. - Access to /run (instead of /run/chrony) is needed for the refclock - socket expected by gpsd. - - The mailonchange directive is most likely to break as it executes - /usr/sbin/sendmail, which can do unexpected operations depending on the - implementation. It should work with a setuid/setgid binary, but it is - not expected to write outside of /var/spool and the private /tmp. - -diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service -index b3aa7aa2..72b028f2 100644 ---- a/examples/chrony-wait.service -+++ b/examples/chrony-wait.service -@@ -16,5 +16,32 @@ TimeoutStartSec=180 - RemainAfterExit=yes - StandardOutput=null - -+CapabilityBoundingSet= -+DevicePolicy=closed -+DynamicUser=yes -+IPAddressAllow=localhost -+IPAddressDeny=any -+LockPersonality=yes -+MemoryDenyWriteExecute=yes -+PrivateDevices=yes -+PrivateUsers=yes -+ProcSubset=pid -+ProtectClock=yes -+ProtectControlGroups=yes -+ProtectHome=yes -+ProtectHostname=yes -+ProtectKernelLogs=yes -+ProtectKernelModules=yes -+ProtectKernelTunables=yes -+ProtectProc=invisible -+ProtectSystem=strict -+RestrictAddressFamilies=AF_INET AF_INET6 -+RestrictNamespaces=yes -+RestrictRealtime=yes -+SystemCallArchitectures=native -+SystemCallFilter=@system-service -+SystemCallFilter=~@privileged @resources -+UMask=0777 -+ - [Install] - WantedBy=multi-user.target -diff --git a/examples/chronyd.service b/examples/chronyd.service -index 289548cb..2cac6026 100644 
---- a/examples/chronyd.service -+++ b/examples/chronyd.service -@@ -10,9 +10,40 @@ Type=forking - PIDFile=/run/chrony/chronyd.pid - EnvironmentFile=-/etc/sysconfig/chronyd - ExecStart=/usr/sbin/chronyd $OPTIONS -+ -+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE -+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE -+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN -+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT -+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM -+DeviceAllow=char-pps rw -+DeviceAllow=char-ptp rw -+DeviceAllow=char-rtc rw -+DevicePolicy=closed -+LockPersonality=yes -+MemoryDenyWriteExecute=yes -+NoNewPrivileges=yes - PrivateTmp=yes -+ProcSubset=pid -+ProtectControlGroups=yes - ProtectHome=yes --ProtectSystem=full -+ProtectHostname=yes -+ProtectKernelLogs=yes -+ProtectKernelModules=yes -+ProtectKernelTunables=yes -+ProtectProc=invisible -+ProtectSystem=strict -+ReadWritePaths=/run /var/lib/chrony -+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -+RestrictNamespaces=yes -+RestrictSUIDSGID=yes -+SystemCallArchitectures=native -+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap -+ -+# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) -+NoNewPrivileges=no -+ReadWritePaths=/var/spool -+RestrictAddressFamilies=AF_NETLINK - - [Install] - WantedBy=multi-user.target - -Avoid a SELinux issue - -diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service -index 72b028f2..57646950 100644 ---- a/examples/chrony-wait.service -+++ b/examples/chrony-wait.service -@@ -18,7 +18,7 @@ StandardOutput=null - - CapabilityBoundingSet= - DevicePolicy=closed --DynamicUser=yes -+#DynamicUser=yes - IPAddressAllow=localhost - IPAddressDeny=any - LockPersonality=yes -commit 76a905d652cafccfac1023f74d12ffa7facc4832 -Author: Miroslav Lichvar -Date: Mon Oct 4 
10:54:40 2021 +0200 - - examples: improve chronyd service - - Allow writing logfiles (enabled by logdir or -l option) to /var/log and - don't require /var/spool to exist. - -diff --git a/examples/chronyd.service b/examples/chronyd.service -index 2cac6026..4fb930ef 100644 ---- a/examples/chronyd.service -+++ b/examples/chronyd.service -@@ -33,7 +33,7 @@ ProtectKernelModules=yes - ProtectKernelTunables=yes - ProtectProc=invisible - ProtectSystem=strict --ReadWritePaths=/run /var/lib/chrony -+ReadWritePaths=/run /var/lib/chrony -/var/log - RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX - RestrictNamespaces=yes - RestrictSUIDSGID=yes -@@ -42,7 +42,7 @@ SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot - - # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) - NoNewPrivileges=no --ReadWritePaths=/var/spool -+ReadWritePaths=-/var/spool - RestrictAddressFamilies=AF_NETLINK - - [Install] diff --git a/chrony.spec b/chrony.spec index 5a2d960..3955aa1 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver f89702 +%global prerelease -pre1 +%global clknetsim_ver 470b5e %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.1 +Version: 4.2 Release: 5%{?dist} Summary: An NTP client/server @@ -24,10 +25,6 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# update seccomp filter for new glibc -Patch2: chrony-seccomp.patch -# harden chronyd and chrony-wait services -Patch3: chrony-services.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 
@@ -59,14 +56,12 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp -%patch2 -p1 -b .seccomp -%patch3 -p1 -b .services %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') - 222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service + b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate diff --git a/sources b/sources index 14c91b8..03b8ca6 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.1.tar.gz) = 5e283d6a56e6852606c681a7c29c5786b102d584178cbd7033ebbc95a8e95533605631363b850a3087cca438a5878db7a317f120aab2fd856487d02fccfbcb1f -SHA512 (chrony-4.1-tar-gz-asc.txt) = 82faf9171d782c18224d2d44b340994b0ddab141e88cc803dea83d0ffbb6468bc51e8b11c8dd9bd327220cae04f7d789b58ab23141a2bdf038ce628f9adeb57a -SHA512 (clknetsim-f89702.tar.gz) = d88d37472b99e4cc044b6c864dfcf5ebb06ef9e2e009ebce06defa07cd46961220707a69c6ec93e35623403a5b4e0683b78b388bf95bfff470fa771d69579c65 +SHA512 (chrony-4.2-pre1.tar.gz) = 19ec6a8d66415e0c64450dcc7ea268c47db8e256d24894072a4f4c1d23803089e911c0c05ba33e4ffcb106835eac0e473e8de356ee228d480bacd6a1d217ffb2 +SHA512 (chrony-4.2-pre1-tar-gz-asc.txt) = 57a65666df1f090dba674ff47364d192f18bb2f7776ee9a26b6c60fc0aed045112f171b09c3b36e1f1b61b1f620c41ddcc687d1eaef64c10b8b4b923ba5cf9bf +SHA512 (clknetsim-470b5e.tar.gz) = 5245414a0e2371ef22725b0cf8cf4b1f033ba9e5493a4a48ffb26e2cac6bb1975583216beb9c0800664159c52e632018ea93d36477dd520f164a55db44e89413 From 38c951ced8dc6eab718c12005934c65bf202e22f Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Thu, 2 Dec 2021 13:14:58 +0100 Subject: [PATCH 17/91] 4.2-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 3955aa1..a409943 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.2 -Release: 5%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -200,6 +200,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Dec 02 2021 Miroslav Lichvar 4.2-1 +- update to 4.2-pre1 + * Tue Nov 16 2021 Miroslav Lichvar 4.1-5 - fix hardened chronyd service to allow writing log files From 14a82308719c88c6f0f5914dcd01bc3278858f89 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 7 Dec 2021 15:49:36 +0100 Subject: [PATCH 18/91] add gating.yaml --- gating.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 gating.yaml diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..4bf1436 --- /dev/null +++ b/gating.yaml @@ -0,0 +1,16 @@ +--- !Policy +product_versions: + - fedora-* +decision_context: bodhi_update_push_testing +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/ci.functional} + +# rawhide +--- !Policy +product_versions: + - fedora-* +decision_context: bodhi_update_push_stable +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/ci.functional} From 8f45aa322d5fa5974522e87946a43d833337e21d Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 9 Dec 2021 12:37:24 +0100 Subject: [PATCH 19/91] fix gating.yaml to not rely on ci.fmf --- gating.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/gating.yaml b/gating.yaml index 4bf1436..f458db9 100644 --- a/gating.yaml +++ b/gating.yaml 
@@ -1,16 +1,16 @@ --- !Policy product_versions: - fedora-* -decision_context: bodhi_update_push_testing +decision_contexts: [bodhi_update_push_testing] subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/ci.functional} + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} # rawhide --- !Policy product_versions: - fedora-* -decision_context: bodhi_update_push_stable +decision_contexts: [bodhi_update_push_stable] subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/ci.functional} + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} From b410207eb69566a0adcf73f16a418b7281b09633 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 16 Dec 2021 16:22:37 +0100 Subject: [PATCH 20/91] fix changelog nvr --- chrony.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index a409943..9322a17 100644 --- a/chrony.spec +++ b/chrony.spec @@ -200,7 +200,7 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog -* Thu Dec 02 2021 Miroslav Lichvar 4.2-1 +* Thu Dec 02 2021 Miroslav Lichvar 4.2-0.1.pre1 - update to 4.2-pre1 * Tue Nov 16 2021 Miroslav Lichvar 4.1-5 From 5558df92e7b47448b7f10dae423a9d99a80872f4 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 16 Dec 2021 16:21:06 +0100 Subject: [PATCH 21/91] update to 4.2 --- .gitignore | 4 ++-- chrony.spec | 1 - sources | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index f18ac28..c143a9a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.2-pre1.tar.gz -/chrony-4.2-pre1-tar-gz-asc.txt +/chrony-4.2.tar.gz +/chrony-4.2-tar-gz-asc.txt /clknetsim-470b5e.tar.gz diff --git a/chrony.spec b/chrony.spec index 9322a17..36cc179 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -1,5 +1,4 @@ %global _hardened_build 1 -%global prerelease -pre1 %global clknetsim_ver 470b5e %bcond_without debug %bcond_without nts diff --git a/sources b/sources index 03b8ca6..2cf5a81 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.2-pre1.tar.gz) = 19ec6a8d66415e0c64450dcc7ea268c47db8e256d24894072a4f4c1d23803089e911c0c05ba33e4ffcb106835eac0e473e8de356ee228d480bacd6a1d217ffb2 -SHA512 (chrony-4.2-pre1-tar-gz-asc.txt) = 57a65666df1f090dba674ff47364d192f18bb2f7776ee9a26b6c60fc0aed045112f171b09c3b36e1f1b61b1f620c41ddcc687d1eaef64c10b8b4b923ba5cf9bf +SHA512 (chrony-4.2.tar.gz) = 7f946b27de605b3ebea62cf23916dfad77c99e8b2338ba239ede6b8216ce436b3d4d87770f371c8d8e006507c51d5c831b51f067957abd2935adfdec3f5aa67d +SHA512 (chrony-4.2-tar-gz-asc.txt) = d8ae4b540ce3529a5a72e10c14765a33ca6fc41529b6fdc9928fb171f25bd6fb87f930b7783638892f42f4cbcfaab4cb1064c930bae1d5204a71babad72b6e10 SHA512 (clknetsim-470b5e.tar.gz) = 5245414a0e2371ef22725b0cf8cf4b1f033ba9e5493a4a48ffb26e2cac6bb1975583216beb9c0800664159c52e632018ea93d36477dd520f164a55db44e89413 From 6ed36d01fa50c55e4e4a66dd2172b79979d0bbb9 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 16 Dec 2021 16:21:49 +0100 Subject: [PATCH 22/91] 4.2-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 36cc179..09017d3 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Dec 16 2021 Miroslav Lichvar 4.2-1 +- update to 4.2 + * Thu Dec 02 2021 Miroslav Lichvar 4.2-0.1.pre1 - update to 4.2-pre1 From 585d0a7e34a147228df3b4a1adeb4bbd782d55ad Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 19 Jan 2022 23:12:23 +0000 Subject: [PATCH 23/91] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 09017d3..523d2f2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jan 19 2022 Fedora Release Engineering - 4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Thu Dec 16 2021 Miroslav Lichvar 4.2-1 - update to 4.2 From 33529ab184aca78e606f24d67cd567df95802c4d Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Feb 2022 11:11:27 +0100 Subject: [PATCH 24/91] use NTP servers passed by NetworkManager from DHCPv6 NTP server option --- chrony-nm-dispatcher-dhcp.patch | 144 +++++++++++++++++++++++++++----- chrony.spec | 4 +- 2 files changed, 127 insertions(+), 21 deletions(-) diff --git a/chrony-nm-dispatcher-dhcp.patch b/chrony-nm-dispatcher-dhcp.patch index 23087d6..d4d02c8 100644 --- a/chrony-nm-dispatcher-dhcp.patch +++ b/chrony-nm-dispatcher-dhcp.patch 
@@ -1,3 +1,113 @@ +commit 5bd13c8d593a74ad168057efe94dd2b3aeeffe14 +Author: Miroslav Lichvar +Date: Mon Feb 7 13:27:25 2022 +0100 + + examples: support DHCPv6 NTP servers in NM dispatcher script + + Latest NetworkManager code provides NTP servers from the DHCPv6 NTP + option (RFC 5908) in the DHCP6_DHCP6_NTP_SERVERS variable to dispatcher + scripts. + + Check for invalid characters (which can come from the FQDN suboption) + and include the servers in the interface-specific sources file. + +diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp +index 6ea4c370..4454f037 100644 +--- a/examples/chrony.nm-dispatcher.dhcp ++++ b/examples/chrony.nm-dispatcher.dhcp +@@ -1,8 +1,7 @@ + #!/bin/sh + # This is a NetworkManager dispatcher script for chronyd to update +-# its NTP sources passed from DHCP options. Note that this script is +-# specific to NetworkManager-dispatcher due to use of the +-# DHCP4_NTP_SERVERS environment variable. ++# its NTP sources with servers from DHCP options passed by NetworkManager ++# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables. + + export LC_ALL=C + +@@ -10,17 +9,19 @@ interface=$1 + action=$2 + + chronyc=/usr/bin/chronyc +-default_server_options=iburst ++server_options=iburst + server_dir=/var/run/chrony-dhcp + + dhcp_server_file=$server_dir/$interface.sources +-# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. 
+-nm_dhcp_servers=$DHCP4_NTP_SERVERS ++dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" + + add_servers_from_dhcp() { + rm -f "$dhcp_server_file" +- for server in $nm_dhcp_servers; do +- echo "server $server $default_server_options" >> "$dhcp_server_file" ++ for server in $dhcp_ntp_servers; do ++ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) ++ printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue ++ ++ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file" + done + $chronyc reload sources > /dev/null 2>&1 || : + } +@@ -34,10 +35,11 @@ clear_servers_from_dhcp() { + + mkdir -p $server_dir + +-if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then +- add_servers_from_dhcp +-elif [ "$action" = "down" ]; then +- clear_servers_from_dhcp +-fi ++case "$action" in ++ up|dhcp4-change|dhcp6-change) ++ add_servers_from_dhcp;; ++ down) ++ clear_servers_from_dhcp;; ++esac + + exit 0 + +commit e55f174bd3a7ae82fb24afd43443d0b55d5536cf +Author: Miroslav Lichvar +Date: Mon Feb 7 13:27:48 2022 +0100 + + examples: handle more actions in NM dispatcher script + + Run the chronyc onoffline command also when the connectivity-change + and dhcp6-change actions are reported by the NetworkManager dispatcher. + + The latter should not be necessary, but there currently doesn't seem to + be any action for IPv6 becoming routable after duplicate address + detection, so at least in networks using DHCPv6, IPv6 NTP servers should + not be stuck in the offline state from a previously reported action. 
+ +diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline +index 34cfa0db..01e6fdb1 100644 +--- a/examples/chrony.nm-dispatcher.onoffline ++++ b/examples/chrony.nm-dispatcher.onoffline +@@ -7,8 +7,18 @@ export LC_ALL=C + + chronyc=/usr/bin/chronyc + +-# For NetworkManager consider only up/down events +-[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0 ++# For NetworkManager consider only selected events ++if [ $# -ge 2 ]; then ++ case "$2" in ++ up|down|connectivity-change) ++ ;; ++ dhcp6-change) ++ # No other action is reported for routable IPv6 ++ ;; ++ *) ++ exit 0;; ++ esac ++fi + + # Note: for networkd-dispatcher routable.d ~= on and off.d ~= off + From: Robert Fairley Date: Wed, 17 Jun 2020 10:14:19 -0400 Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig @@ -11,33 +121,29 @@ diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher. index 6ea4c37..a6ad35a 100644 --- a/examples/chrony.nm-dispatcher.dhcp 
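Review bot: The added `grep -E -q '^[-A-Za-z0-9:.]{1,255}$'` check keeps the generated `server` lines well-formed, but the comment above it (`# Check for invalid characters ...`) does not say what the check is not: the servers are still taken from `DHCP4_NTP_SERVERS` and `DHCP6_DHCP6_NTP_SERVERS` as received, so whoever answers DHCP on the link chooses chronyd's sources, and with the FQDN suboption also chooses which names get resolved. I would widen the comment to `# Keep the sources file well-formed; this does not authenticate the servers, which are used as received from DHCP` so nobody reads the filter as a trust check. The class also accepts a leading `-`, which is valid in neither a hostname nor an address literal; if that should be excluded, `^[A-Za-z0-9][-A-Za-z0-9:.]{0,254}$` does it without changing anything else. The `case` dispatch added to both scripts looks fine.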
+++ b/examples/chrony.nm-dispatcher.dhcp -@@ -6,16 +6,24 @@ - - chronyc=/usr/bin/chronyc - default_server_options=iburst --server_dir=/var/run/chrony-dhcp -+server_dir=/run/chrony-dhcp - - dhcp_server_file=$server_dir/$interface.sources - # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. - nm_dhcp_servers=$DHCP4_NTP_SERVERS +@@ -8,15 +8,23 @@ export LC_ALL=C + interface=$1 + action=$2 +[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network +[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \ + . /etc/sysconfig/network-scripts/ifcfg-"${interface}" + + chronyc=/usr/bin/chronyc +-server_options=iburst +-server_dir=/var/run/chrony-dhcp ++server_options=${NTPSERVERARGS:-iburst} ++server_dir=/run/chrony-dhcp + + dhcp_server_file=$server_dir/$interface.sources + dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" + add_servers_from_dhcp() { rm -f "$dhcp_server_file" + + # Don't add NTP servers if PEERNTP=no specified; return early. + [ "$PEERNTP" = "no" ] && return + - for server in $nm_dhcp_servers; do -- echo "server $server $default_server_options" >> "$dhcp_server_file" -+ echo "server $server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_file" - done - $chronyc reload sources > /dev/null 2>&1 || : - } --- -2.29.2 - + for server in $dhcp_ntp_servers; do + # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) + printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue diff --git a/chrony.spec b/chrony.spec index 523d2f2..f84fbd9 100644 --- a/chrony.spec +++ b/chrony.spec 
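Review bot: In `add_servers_from_dhcp`, the `[ "$PEERNTP" = "no" ] && return` path runs after `rm -f "$dhcp_server_file"` but before the `$chronyc reload sources` call at the end of the function, so when PEERNTP=no the sources file is deleted while chronyd keeps any servers it loaded from it earlier, until something else triggers a reload. The early return appears to predate this commit (it is a context line here), but the hunk rebases it onto the new server loop without fixing that, and a one-line change covers it: `[ "$PEERNTP" = "no" ] && { $chronyc reload sources > /dev/null 2>&1 || :; return; }`. Sourcing `/etc/sysconfig/network` and the root-owned `ifcfg-"${interface}"` file as root is the intended legacy behaviour and is not the concern here. The rest of the function (the `done`, the reload call and the closing brace) lies outside the hunk.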
@@ -64,8 +64,8 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate - a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp - 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline + 5d0c4758207a89a9a19471177b1107b9 examples/chrony.nm-dispatcher.dhcp + 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service EOF From f7730a70df37be7a0015438e5005679f0fbd295c Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Feb 2022 11:17:56 +0100 Subject: [PATCH 25/91] 4.2-3 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index f84fbd9..e7e57bd 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Feb 08 2022 Miroslav Lichvar 4.2-3 +- use NTP servers passed by NetworkManager from DHCPv6 NTP server option + * Wed Jan 19 2022 Fedora Release Engineering - 4.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From d88eefe3d025f428f056b9ed07d8c06c18d4473a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Feb 2022 11:41:07 +0100 Subject: [PATCH 26/91] update seccomp filter for latest glibc --- chrony-seccomp.patch | 31 +++++++++++++++++++++++++++++++ chrony.spec | 3 +++ 2 files changed, 34 insertions(+) create mode 100644 chrony-seccomp.patch diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch new file mode 100644 index 0000000..523759c --- /dev/null +++ b/chrony-seccomp.patch 
@@ -0,0 +1,31 @@ +commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d +Author: Michael Hudson-Doyle +Date: Wed Feb 9 09:06:13 2022 +0100 + + sys_linux: allow rseq in seccomp filter + + Libc 2.35 will use rseq syscalls [1][2] by default and thereby + break chrony in seccomp isolation. + + [1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/ + [2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html + + Tested-by: Christian Ehrhardt + Reviewed-by: Christian Ehrhardt + Signed-off-by: Michael Hudson-Doyle + Signed-off-by: Christian Ehrhardt + +diff --git a/sys_linux.c b/sys_linux.c +index 9cab2efa..cc3c9311 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + SCMP_SYS(getrlimit), + SCMP_SYS(getuid), + SCMP_SYS(getuid32), ++#ifdef __NR_rseq ++ SCMP_SYS(rseq), ++#endif + SCMP_SYS(rt_sigaction), + SCMP_SYS(rt_sigreturn), + SCMP_SYS(rt_sigprocmask), diff --git a/chrony.spec b/chrony.spec index e7e57bd..79f3137 100644 --- a/chrony.spec +++ b/chrony.spec @@ -24,6 +24,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch +# update seccomp filter for latest glibc +Patch2: chrony-seccomp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -55,6 +57,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp +%patch2 -p1 -b .seccomp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} From 29c4de2d7709c14394b99777302108e1950b615e Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Feb 2022 11:48:14 +0100 Subject: [PATCH 27/91] 4.2-4 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
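Review bot: The new `SCMP_SYS(rseq)` entry carries no comment saying why it is allowed; the reason given in the commit message (glibc 2.35 registers rseq at startup and the filter otherwise breaks chrony) belongs next to the code, e.g. `/* glibc >= 2.35 registers rseq at startup */` above the `#ifdef`. Note also that `#ifdef __NR_rseq` is decided by the kernel headers present at build time, not by the kernel or glibc the binary later runs with, so a build against pre-rseq headers still produces a filter without this rule; the comment should state that limitation so nobody mistakes the guard for a runtime check. The enclosing SYS_Linux_EnableSystemCallFilter starts and ends outside the hunk.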
diff --git a/chrony.spec b/chrony.spec index 79f3137..61cc102 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An NTP client/server License: GPLv2 @@ -202,6 +202,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Feb 09 2022 Miroslav Lichvar 4.2-4 +- update seccomp filter for latest glibc + * Tue Feb 08 2022 Miroslav Lichvar 4.2-3 - use NTP servers passed by NetworkManager from DHCPv6 NTP server option From 043d045ae8f01842f6b543cee01b5ec2675309be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 16 Feb 2022 08:10:11 +0000 Subject: [PATCH 28/91] Drop obsolete workaround in scriptlet The bug with daemon-reload was fixed a long time ago. The direct invocation of 'systemctl daemon-reload' with no redirect of errors to /dev/null causes a user-visible message when installing into a chroot: Running scriptlet: chrony-4.2-4.fc37.x86_64 320/334 System has not been booted with systemd as init system (PID 1). Can't operate. Failed to connect to bus: Host is down ... --- chrony.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/chrony.spec b/chrony.spec index 61cc102..16676c6 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: An NTP client/server License: GPLv2 @@ -161,8 +161,6 @@ getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \ : %post -# workaround for late reload of unit file (#1614751) -%{_bindir}/systemctl daemon-reload # migrate from chrony-helper to sourcedir directive if test -a %{_libexecdir}/chrony-helper; then grep -qi 'sourcedir /run/chrony-dhcp$' %{_sysconfdir}/chrony.conf 2> /dev/null || \ 
@@ -202,6 +200,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Feb 16 2022 Zbigniew Jędrzejewski-Szmek - 4.2-5 +- Drop obsolete workaround in scriptlet + * Wed Feb 09 2022 Miroslav Lichvar 4.2-4 - update seccomp filter for latest glibc From e60c1652e564e5ed61ad65094b8d4fffbb8609c2 Mon Sep 17 00:00:00 2001 From: Luca BRUNO Date: Tue, 24 May 2022 14:55:50 +0000 Subject: [PATCH 29/91] Add a sysusers.d fragment for chrony user/group This installs a configuration fragment for systemd-sysusers which covers chrony user and group. For more details, see https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format --- chrony.spec | 17 +++++++++++------ chrony.sysusers | 2 ++ 2 files changed, 13 insertions(+), 6 deletions(-) create mode 100644 chrony.sysusers diff --git a/chrony.spec b/chrony.spec index 16676c6..fcbe5da 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: An NTP client/server License: GPLv2 @@ -18,6 +18,7 @@ Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerel Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt Source2: https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc Source3: chrony.dhclient +Source4: chrony.sysusers # simulator for test suite Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} @@ -32,8 +33,8 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?with_nts:BuildRequires: gnutls-devel gnutls-utils} %{?with_seccomp:BuildRequires: libseccomp-devel} -Requires(pre): shadow-utils %{?systemd_requires} +%{?sysusers_requires_compat} # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 
@@ -117,6 +118,7 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,logrotate.d} mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/{lib,log}/chrony mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d mkdir -p $RPM_BUILD_ROOT%{_libexecdir} +mkdir -p $RPM_BUILD_ROOT%{_sysusersdir} mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d} @@ -137,6 +139,8 @@ install -m 755 -p examples/chrony.nm-dispatcher.dhcp \ $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp install -m 644 -p examples/chrony-wait.service \ $RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service +install -m 644 -p %{SOURCE4} \ + $RPM_BUILD_ROOT%{_sysusersdir}/chrony.conf cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < /dev/null || /usr/sbin/groupadd -r chrony -getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \ - -d %{_localstatedir}/lib/chrony -s /sbin/nologin chrony -: +%sysusers_create_compat %{SOURCE4} %post # migrate from chrony-helper to sourcedir directive @@ -193,6 +194,7 @@ fi %{_prefix}/lib/NetworkManager %{_prefix}/lib/systemd/ntp-units.d/*.list %{_unitdir}/chrony*.service +%{_sysusersdir}/chrony.conf %{_mandir}/man[158]/%{name}*.[158]* %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift @@ -200,6 +202,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue May 24 2022 Luca BRUNO - 4.2-6 +- Add a sysusers.d fragment for chrony user/group + * Wed Feb 16 2022 Zbigniew Jędrzejewski-Szmek - 4.2-5 - Drop obsolete workaround in scriptlet diff --git a/chrony.sysusers b/chrony.sysusers new file mode 100644 index 0000000..b02f5fe --- /dev/null +++ b/chrony.sysusers @@ -0,0 +1,2 @@ +#Type Name ID GECOS Home directory Shell +u chrony - "chrony system user" /var/lib/chrony /sbin/nologin From 9d18b2f3abc3d6675152489bd294e9739c001655 Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Wed, 20 Jul 2022 22:54:57 +0000 Subject: [PATCH 30/91] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index fcbe5da..e95bbc8 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.2 -Release: 6%{?dist} +Release: 7%{?dist} Summary: An NTP client/server License: GPLv2 @@ -202,6 +202,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 20 2022 Fedora Release Engineering - 4.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Tue May 24 2022 Luca BRUNO - 4.2-6 - Add a sysusers.d fragment for chrony user/group From 7a0122bf71a0a365e8830d2400d270ec583d95ec Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 11 Aug 2022 11:20:45 +0200 Subject: [PATCH 31/91] update to 4.3-pre1 --- .gitignore | 6 +- chrony-nm-dispatcher-dhcp.patch | 112 +------------------------------- chrony-seccomp.patch | 31 --------- chrony.spec | 10 ++- sources | 6 +- 5 files changed, 11 insertions(+), 154 deletions(-) delete mode 100644 chrony-seccomp.patch diff --git a/.gitignore b/.gitignore index c143a9a..788b938 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.2.tar.gz -/chrony-4.2-tar-gz-asc.txt -/clknetsim-470b5e.tar.gz +/chrony-4.3-pre1.tar.gz +/chrony-4.3-pre1-tar-gz-asc.txt +/clknetsim-f00531.tar.gz diff --git a/chrony-nm-dispatcher-dhcp.patch b/chrony-nm-dispatcher-dhcp.patch index d4d02c8..dd9fc2a 100644 --- a/chrony-nm-dispatcher-dhcp.patch +++ b/chrony-nm-dispatcher-dhcp.patch 
@@ -1,113 +1,3 @@ -commit 5bd13c8d593a74ad168057efe94dd2b3aeeffe14 -Author: Miroslav Lichvar -Date: Mon Feb 7 13:27:25 2022 +0100 - - examples: support DHCPv6 NTP servers in NM dispatcher script - - Latest NetworkManager code provides NTP servers from the DHCPv6 NTP - option (RFC 5908) in the DHCP6_DHCP6_NTP_SERVERS variable to dispatcher - scripts. - - Check for invalid characters (which can come from the FQDN suboption) - and include the servers in the interface-specific sources file. - -diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp -index 6ea4c370..4454f037 100644 ---- a/examples/chrony.nm-dispatcher.dhcp -+++ b/examples/chrony.nm-dispatcher.dhcp -@@ -1,8 +1,7 @@ - #!/bin/sh - # This is a NetworkManager dispatcher script for chronyd to update --# its NTP sources passed from DHCP options. Note that this script is --# specific to NetworkManager-dispatcher due to use of the --# DHCP4_NTP_SERVERS environment variable. -+# its NTP sources with servers from DHCP options passed by NetworkManager -+# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables. - - export LC_ALL=C - -@@ -10,17 +9,19 @@ interface=$1 - action=$2 - - chronyc=/usr/bin/chronyc --default_server_options=iburst -+server_options=iburst - server_dir=/var/run/chrony-dhcp - - dhcp_server_file=$server_dir/$interface.sources --# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. 
--nm_dhcp_servers=$DHCP4_NTP_SERVERS -+dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" - - add_servers_from_dhcp() { - rm -f "$dhcp_server_file" -- for server in $nm_dhcp_servers; do -- echo "server $server $default_server_options" >> "$dhcp_server_file" -+ for server in $dhcp_ntp_servers; do -+ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) -+ printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue -+ -+ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file" - done - $chronyc reload sources > /dev/null 2>&1 || : - } -@@ -34,10 +35,11 @@ clear_servers_from_dhcp() { - - mkdir -p $server_dir - --if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then -- add_servers_from_dhcp --elif [ "$action" = "down" ]; then -- clear_servers_from_dhcp --fi -+case "$action" in -+ up|dhcp4-change|dhcp6-change) -+ add_servers_from_dhcp;; -+ down) -+ clear_servers_from_dhcp;; -+esac - - exit 0 - -commit e55f174bd3a7ae82fb24afd43443d0b55d5536cf -Author: Miroslav Lichvar -Date: Mon Feb 7 13:27:48 2022 +0100 - - examples: handle more actions in NM dispatcher script - - Run the chronyc onoffline command also when the connectivity-change - and dhcp6-change actions are reported by the NetworkManager dispatcher. - - The latter should not be necessary, but there currently doesn't seem to - be any action for IPv6 becoming routable after duplicate address - detection, so at least in networks using DHCPv6, IPv6 NTP servers should - not be stuck in the offline state from a previously reported action. 
- -diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline -index 34cfa0db..01e6fdb1 100644 ---- a/examples/chrony.nm-dispatcher.onoffline -+++ b/examples/chrony.nm-dispatcher.onoffline -@@ -7,8 +7,18 @@ export LC_ALL=C - - chronyc=/usr/bin/chronyc - --# For NetworkManager consider only up/down events --[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0 -+# For NetworkManager consider only selected events -+if [ $# -ge 2 ]; then -+ case "$2" in -+ up|down|connectivity-change) -+ ;; -+ dhcp6-change) -+ # No other action is reported for routable IPv6 -+ ;; -+ *) -+ exit 0;; -+ esac -+fi - - # Note: for networkd-dispatcher routable.d ~= on and off.d ~= off - From: Robert Fairley Date: Wed, 17 Jun 2020 10:14:19 -0400 Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig @@ -146,4 +36,4 @@ index 6ea4c37..a6ad35a 100644 + for server in $dhcp_ntp_servers; do # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) - printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue + len1=$(printf '%s' "$server" | wc -c) diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch deleted file mode 100644 index 523759c..0000000 --- a/chrony-seccomp.patch +++ /dev/null @@ -1,31 +0,0 @@ -commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d -Author: Michael Hudson-Doyle -Date: Wed Feb 9 09:06:13 2022 +0100 - - sys_linux: allow rseq in seccomp filter - - Libc 2.35 will use rseq syscalls [1][2] by default and thereby - break chrony in seccomp isolation. - - [1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/ - [2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html - - Tested-by: Christian Ehrhardt - Reviewed-by: Christian Ehrhardt - Signed-off-by: Michael Hudson-Doyle - 
Signed-off-by: Christian Ehrhardt - -diff --git a/sys_linux.c b/sys_linux.c -index 9cab2efa..cc3c9311 100644 ---- a/sys_linux.c -+++ b/sys_linux.c -@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) - SCMP_SYS(getrlimit), - SCMP_SYS(getuid), - SCMP_SYS(getuid32), -+#ifdef __NR_rseq -+ SCMP_SYS(rseq), -+#endif - SCMP_SYS(rt_sigaction), - SCMP_SYS(rt_sigreturn), - SCMP_SYS(rt_sigprocmask), diff --git a/chrony.spec b/chrony.spec index e95bbc8..8536a46 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 470b5e +%global prerelease -pre1 +%global clknetsim_ver f00531 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.2 +Version: 4.3 Release: 7%{?dist} Summary: An NTP client/server @@ -25,8 +26,6 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# update seccomp filter for latest glibc -Patch2: chrony-seccomp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -58,7 +57,6 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp -%patch2 -p1 -b .seccomp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -68,7 +66,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate - 5d0c4758207a89a9a19471177b1107b9 examples/chrony.nm-dispatcher.dhcp + c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service EOF 
diff --git a/sources b/sources index 2cf5a81..e5d4b3b 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.2.tar.gz) = 7f946b27de605b3ebea62cf23916dfad77c99e8b2338ba239ede6b8216ce436b3d4d87770f371c8d8e006507c51d5c831b51f067957abd2935adfdec3f5aa67d -SHA512 (chrony-4.2-tar-gz-asc.txt) = d8ae4b540ce3529a5a72e10c14765a33ca6fc41529b6fdc9928fb171f25bd6fb87f930b7783638892f42f4cbcfaab4cb1064c930bae1d5204a71babad72b6e10 -SHA512 (clknetsim-470b5e.tar.gz) = 5245414a0e2371ef22725b0cf8cf4b1f033ba9e5493a4a48ffb26e2cac6bb1975583216beb9c0800664159c52e632018ea93d36477dd520f164a55db44e89413 +SHA512 (chrony-4.3-pre1.tar.gz) = 6a97b11cd7604808aa57db8cd67ae854391ef2bca84bb0256c043464e33683e15682a8ebadec3d2fcca83203d2c731953dfd4972976fe193246ca4af7fb7e0e7 +SHA512 (chrony-4.3-pre1-tar-gz-asc.txt) = 3a9cd53fcd0f2842241817d5bdeb3c6151eec9e1d0864ae4a89a2d7b93924ac28be7d4f090a32b99ab4b229437d027c2663bb552433182a97eca347175138164 +SHA512 (clknetsim-f00531.tar.gz) = a44f543574519d1d5b5778f91b88fc73a976de511b97011c8ff3bc61a7ebff868fe9c6b46947ff4b58b29bd45520ffa68147934b1d289b1ffada4a329c048df5 From b580bc676c24396eba9b89a80bdcdcda0232e4f1 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 11 Aug 2022 11:23:32 +0200 Subject: [PATCH 32/91] 4.3-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 8536a46..f7b0f6a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.3 -Release: 7%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -200,6 +200,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Aug 11 2022 Miroslav Lichvar 4.3-0.1.pre1 +- update to 4.3-pre1 + * Wed Jul 20 2022 Fedora Release Engineering - 4.2-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From cd216d6ebb6c520cea8b5c8aef7bc35ee499c9ad Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 31 Aug 2022 14:54:34 +0200 Subject: [PATCH 33/91] update to 4.3 --- .gitignore | 4 ++-- chrony.spec | 1 - sources | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 788b938..57bb59a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.3-pre1.tar.gz -/chrony-4.3-pre1-tar-gz-asc.txt +/chrony-4.3.tar.gz +/chrony-4.3-tar-gz-asc.txt /clknetsim-f00531.tar.gz diff --git a/chrony.spec b/chrony.spec index f7b0f6a..c1c0b58 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,4 @@ %global _hardened_build 1 -%global prerelease -pre1 %global clknetsim_ver f00531 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index e5d4b3b..f352bac 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.3-pre1.tar.gz) = 6a97b11cd7604808aa57db8cd67ae854391ef2bca84bb0256c043464e33683e15682a8ebadec3d2fcca83203d2c731953dfd4972976fe193246ca4af7fb7e0e7 -SHA512 (chrony-4.3-pre1-tar-gz-asc.txt) = 3a9cd53fcd0f2842241817d5bdeb3c6151eec9e1d0864ae4a89a2d7b93924ac28be7d4f090a32b99ab4b229437d027c2663bb552433182a97eca347175138164 +SHA512 (chrony-4.3.tar.gz) = 1394bac3ed684352fe89b7fef7da50e61f9f522abee807627ae1fc4c2dde891017bc8e5b13759fced028f3a1e875d5e4e5a4f85de65c63b5f83d0ca03bb4c5df +SHA512 (chrony-4.3-tar-gz-asc.txt) = 300b06f253ac3727edb86a1b7c337f9529ee752bbb471b266217b6a8ac5183e827264177a3210d436425d746673bf11fbdc41da145673213e28165197c6c76b7 SHA512 (clknetsim-f00531.tar.gz) = a44f543574519d1d5b5778f91b88fc73a976de511b97011c8ff3bc61a7ebff868fe9c6b46947ff4b58b29bd45520ffa68147934b1d289b1ffada4a329c048df5 From ca4d1cf061ae6b7a55c01821646b9fc3a9cbe4de Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 31 Aug 2022 15:01:50 +0200 Subject: [PATCH 34/91] 4.3-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index c1c0b58..7fa5835 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -9,7 +9,7 @@ Name: chrony Version: 4.3 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Aug 31 2022 Miroslav Lichvar 4.3-1 +- update to 4.3 + * Thu Aug 11 2022 Miroslav Lichvar 4.3-0.1.pre1 - update to 4.3-pre1 From ad0b95f5215380aec9d453548d0eb4c9e38c81a7 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 18 Jan 2023 23:50:34 +0000 Subject: [PATCH 35/91] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 7fa5835..4115eb2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPLv2 @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jan 18 2023 Fedora Release Engineering - 4.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Wed Aug 31 2022 Miroslav Lichvar 4.3-1 - update to 4.3 From 95d7d27489b2d8bbe9a2bf7f26191a2ccf9be1a8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 24 Jan 2023 16:22:40 +0100 Subject: [PATCH 36/91] convert license tag to SPDX --- chrony.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 4115eb2..8506a31 100644 --- a/chrony.spec +++ b/chrony.spec @@ -12,7 +12,7 @@ Version: 4.3 Release: 2%{?dist} Summary: An NTP client/server -License: GPLv2 +License: GPL-2.0-only URL: https://chrony.tuxfamily.org Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt From 906e072deb3d572ce89d45a03812b7457a17decd Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 25 Jan 2023 15:16:13 +0100 Subject: [PATCH 37/91] add chronyd-restricted service for minimal NTP client configurations --- chrony-restricted.patch | 79 +++++++++++++++++++++++++++++++++++++++++ chrony.spec | 12 +++++-- 2 files changed, 88 insertions(+), 3 deletions(-) create mode 100644 chrony-restricted.patch diff --git a/chrony-restricted.patch b/chrony-restricted.patch new file mode 100644 index 0000000..930e814 --- /dev/null +++ b/chrony-restricted.patch 
@@ -0,0 +1,79 @@ +commit 6fba5a4a7fbe785849c0ec759e18bce0b7e234e4 +Author: Miroslav Lichvar +Date: Tue Jan 10 15:02:49 2023 +0100 + + examples: add chronyd-restricted.service + + This is a more restricted version of the chronyd service intended for + minimal NTP/NTS client configurations. The daemon is started without + root privileges and is allowed to write only to its own runtime, state, + and log directories. It cannot bind to privileged ports in order to + operate as an NTP server, or provide monitoring access over IPv4/IPv6. + It cannot use reference clocks, HW timestamping, RTC tracking, and other + features. + +diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service +new file mode 100644 +index 00000000..50998338 +--- /dev/null ++++ b/examples/chronyd-restricted.service +@@ -0,0 +1,59 @@ ++# This is a more restricted version of the chronyd service intended for ++# minimal NTP/NTS client configurations. The daemon is started without root ++# privileges and is allowed to write only to its own runtime, state, and log ++# directories. It cannot bind to privileged ports in order to operate as an ++# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use ++# reference clocks, HW timestamping, RTC tracking, and other features. 
++[Unit] ++Description=NTP client (restricted) ++Documentation=man:chronyd(8) man:chrony.conf(5) ++After=chronyd.service ntpdate.service sntp.service ntpd.service ++Conflicts=chronyd.service ntpd.service systemd-timesyncd.service ++ConditionCapability=CAP_SYS_TIME ++ ++[Service] ++Type=forking ++PIDFile=/run/chrony/chronyd.pid ++EnvironmentFile=-/etc/sysconfig/chronyd ++ExecStart=/usr/sbin/chronyd -U $OPTIONS ++ ++User=chrony ++LogsDirectory=chrony ++LogsDirectoryMode=0750 ++RuntimeDirectory=chrony ++RuntimeDirectoryMode=0750 ++RuntimeDirectoryPreserve=restart ++StateDirectory=chrony ++StateDirectoryMode=0750 ++ ++AmbientCapabilities=CAP_SYS_TIME ++CapabilityBoundingSet=CAP_SYS_TIME ++DevicePolicy=closed ++LockPersonality=yes ++MemoryDenyWriteExecute=yes ++NoNewPrivileges=yes ++PrivateDevices=yes ++PrivateTmp=yes ++# This breaks adjtimex() ++#PrivateUsers=yes ++ProcSubset=pid ++ProtectControlGroups=yes ++ProtectHome=yes ++ProtectHostname=yes ++ProtectKernelLogs=yes ++ProtectKernelModules=yes ++ProtectKernelTunables=yes ++ProtectProc=invisible ++ProtectSystem=strict ++RemoveIPC=yes ++RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX ++RestrictNamespaces=yes ++RestrictRealtime=yes ++RestrictSUIDSGID=yes ++SystemCallArchitectures=native ++SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io ++SystemCallFilter=~@reboot @resources @swap ++UMask=0077 ++ ++[Install] ++WantedBy=multi-user.target diff --git a/chrony.spec b/chrony.spec index 8506a31..01f924d 100644 --- a/chrony.spec +++ b/chrony.spec @@ -25,6 +25,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch +# add chronyd-restricted service +Patch2: chrony-restricted.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 
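Review bot: The two `SystemCallFilter=` lines in the new unit list only what is denied, and the reason a later hardening pass must not add `@clock` (adjtimex()/clock_settime() are the daemon's whole purpose) is hinted at only by the `# This breaks adjtimex()` comment on the disabled `PrivateUsers=`; a one-line comment above the filter, `# @clock stays allowed: adjusting the system clock is chronyd's job`, would make that explicit. The unit also reads `EnvironmentFile=-/etc/sysconfig/chronyd` and passes `$OPTIONS` to `chronyd -U`, presumably the same file the regular service uses, so an option added there for the root-privileged service is applied to this unprivileged one as well; the header comment could say so. The file is created by this hunk, so the whole unit is visible.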
@@ -56,6 +58,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp +%patch2 -p1 -b .restricted %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -68,6 +71,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service + f092f965dc61f691ca838958eeeb3377 examples/chronyd-restricted.service EOF # don't allow packaging without vendor zone @@ -130,6 +134,8 @@ install -m 644 -p examples/chrony.logrotate \ install -m 644 -p examples/chronyd.service \ $RPM_BUILD_ROOT%{_unitdir}/chronyd.service +install -m 644 -p examples/chronyd-restricted.service \ + $RPM_BUILD_ROOT%{_unitdir}/chronyd-restricted.service install -m 755 -p examples/chrony.nm-dispatcher.onoffline \ $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline install -m 755 -p examples/chrony.nm-dispatcher.dhcp \ @@ -169,13 +175,13 @@ if test -a %{_libexecdir}/chrony-helper; then sed 's|.*|server &|' < $f > /run/chrony-dhcp/"${f##*servers.}.sources" done 2> /dev/null fi -%systemd_post chronyd.service chrony-wait.service +%systemd_post chronyd.service chronyd-restricted.service chrony-wait.service %preun -%systemd_preun chronyd.service chrony-wait.service +%systemd_preun chronyd.service chronyd-restricted.service chrony-wait.service %postun -%systemd_postun_with_restart chronyd.service +%systemd_postun_with_restart chronyd.service chronyd-restricted.service %files %{!?_licensedir:%global license %%doc} From f078395411559297198a1ec8987715161a42c797 Mon Sep 17 00:00:00 2001 
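Review bot: The install hunk copies `examples/chronyd-restricted.service` into `%{_unitdir}`, but no `%files` entry is added anywhere in this commit, so packaging of the new unit presumably relies on an existing `%{_unitdir}` glob that is not visible here; if `%files` lists units individually the build would stop on an unpackaged file. In the `%post`/`%preun`/`%postun` hunk the new unit is passed to `%systemd_post` together with `chronyd.service` although the unit declares `Conflicts=chronyd.service`, so whether both could end up enabled depends entirely on the distribution presets; a comment such as `# chronyd-restricted conflicts with chronyd; presets must enable at most one` next to the `%systemd_post` line would record that assumption. The md5sum hunk pins the new example file through the existing `md5sum -c` check, so an unnoticed upstream change to the unit fails the build rather than shipping.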
From: Miroslav Lichvar Date: Wed, 25 Jan 2023 16:42:23 +0100 Subject: [PATCH 38/91] drop default chrony.keys config (#2104918) --- chrony-keyaccess.patch | 191 +++++++++++++++++++++++++++++++++++++++++ chrony.spec | 13 ++- 2 files changed, 197 insertions(+), 7 deletions(-) create mode 100644 chrony-keyaccess.patch diff --git a/chrony-keyaccess.patch b/chrony-keyaccess.patch new file mode 100644 index 0000000..4beedd8 --- /dev/null +++ b/chrony-keyaccess.patch 
@@ -0,0 +1,191 @@ +commit 9cba9c8585bc5ebf19bafece118fb2362090547c +Author: Miroslav Lichvar +Date: Thu Jan 19 16:09:40 2023 +0100 + + keys+nts: warn if loading world-readable/writable key + + Log a warning message if the file specified by the keyfile or + ntsserverkey directive is world-readable or writable, which is likely + an insecure misconfiguration. There is no check of directories + containing the file. + +diff --git a/keys.c b/keys.c +index 11f8b761..9225e6cd 100644 +--- a/keys.c ++++ b/keys.c +@@ -182,6 +182,9 @@ KEY_Reload(void) + if (!key_file) + return; + ++ if (!UTI_CheckFilePermissions(key_file, 0771)) ++ ; ++ + in = UTI_OpenFile(NULL, key_file, NULL, 'r', 0); + if (!in) { + LOG(LOGS_WARN, "Could not open keyfile %s", key_file); +diff --git a/nts_ke_session.c b/nts_ke_session.c +index dfcd18ab..2ae1e915 100644 +--- a/nts_ke_session.c ++++ b/nts_ke_session.c +@@ -667,6 +667,8 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys, + assert(0); + + for (i = 0; i < n_certs_keys; i++) { ++ if (!UTI_CheckFilePermissions(keys[i], 0771)) ++ ; + r = gnutls_certificate_set_x509_key_file(credentials, certs[i], keys[i], + GNUTLS_X509_FMT_PEM); + if (r < 0) +diff --git a/util.c b/util.c +index 064292ce..4b9d30ee 100644 +--- a/util.c ++++ b/util.c +@@ -1248,6 +1248,29 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid) + + /* ================================================== */ + ++int ++UTI_CheckFilePermissions(const char *path, mode_t perm) ++{ ++ mode_t extra_perm; ++ struct stat buf; ++ ++ if (stat(path, &buf) < 0 || !S_ISREG(buf.st_mode)) { ++ /* Not considered an error */ ++ return 1; ++ } ++ ++ extra_perm = (buf.st_mode & 0777) & ~perm; ++ if (extra_perm != 0) { ++ LOG(LOGS_WARN, "%s permissions on %s", extra_perm & 0006 ? ++ (extra_perm & 0004 ? 
"World-readable" : "World-writable") : "Wrong", path); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* ================================================== */ ++ + static int + join_path(const char *basedir, const char *name, const char *suffix, + char *buffer, size_t length, LOG_Severity severity) +diff --git a/util.h b/util.h +index 4655e537..6844798c 100644 +--- a/util.h ++++ b/util.h +@@ -196,6 +196,10 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid + permissions and its uid/gid must match the specified values. */ + extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); + ++/* Check and log a warning message if a file has more permissions than ++ specified. It does not return error if it is not an accessible file. */ ++extern int UTI_CheckFilePermissions(const char *path, mode_t perm); ++ + /* Open a file. The full path of the file is constructed from the basedir + (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). + Created files have specified permissions (umasked). Returns NULL on error. + +commit 883b0dde946105e0910456a0bebb24d57fecb0fc +Author: Miroslav Lichvar +Date: Wed Jan 25 14:29:06 2023 +0100 + + conf: warn if not having read-only access to keys + + After dropping root privileges, log a warning message if chronyd + doesn't have read access or has (unnecessary) write access to the + files containing symmetric and server NTS keys. 
+ +diff --git a/conf.c b/conf.c +index 9f42a426..0597836d 100644 +--- a/conf.c ++++ b/conf.c +@@ -1774,6 +1774,19 @@ CNF_CreateDirs(uid_t uid, gid_t gid) + + /* ================================================== */ + ++void ++CNF_CheckReadOnlyAccess(void) ++{ ++ unsigned int i; ++ ++ if (keys_file) ++ UTI_CheckReadOnlyAccess(keys_file); ++ for (i = 0; i < ARR_GetSize(nts_server_key_files); i++) ++ UTI_CheckReadOnlyAccess(*(char **)ARR_GetElement(nts_server_key_files, i)); ++} ++ ++/* ================================================== */ ++ + void + CNF_AddInitSources(void) + { +diff --git a/conf.h b/conf.h +index 11fd11df..d7acb4fd 100644 +--- a/conf.h ++++ b/conf.h +@@ -44,6 +44,8 @@ extern void CNF_ParseLine(const char *filename, int number, char *line); + + extern void CNF_CreateDirs(uid_t uid, gid_t gid); + ++extern void CNF_CheckReadOnlyAccess(void); ++ + extern void CNF_AddInitSources(void); + extern void CNF_AddSources(void); + extern void CNF_AddBroadcasts(void); +diff --git a/main.c b/main.c +index c40b5e4b..31e3c8f0 100644 +--- a/main.c ++++ b/main.c +@@ -637,9 +637,13 @@ int main + } + + /* Drop root privileges if the specified user has a non-zero UID */ +- if (!geteuid() && (pw->pw_uid || pw->pw_gid)) ++ if (!geteuid() && (pw->pw_uid || pw->pw_gid)) { + SYS_DropRoot(pw->pw_uid, pw->pw_gid, SYS_MAIN_PROCESS); + ++ /* Warn if missing read access or having write access to keys */ ++ CNF_CheckReadOnlyAccess(); ++ } ++ + if (!geteuid()) + LOG(LOGS_WARN, "Running with root privileges"); + +diff --git a/util.c b/util.c +index 4b9d30ee..0321720e 100644 +--- a/util.c ++++ b/util.c +@@ -1271,6 +1271,17 @@ UTI_CheckFilePermissions(const char *path, mode_t perm) + + /* ================================================== */ + ++void ++UTI_CheckReadOnlyAccess(const char *path) ++{ ++ if (access(path, R_OK) != 0 && errno != ENOENT) ++ LOG(LOGS_WARN, "Missing read access to %s : %s", path, strerror(errno)); ++ if (access(path, W_OK) == 0) ++ LOG(LOGS_WARN, "Having write 
access to %s", path); ++} ++ ++/* ================================================== */ ++ + static int + join_path(const char *basedir, const char *name, const char *suffix, + char *buffer, size_t length, LOG_Severity severity) +diff --git a/util.h b/util.h +index 6844798c..d8e25dee 100644 +--- a/util.h ++++ b/util.h +@@ -200,6 +200,10 @@ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid + specified. It does not return error if it is not an accessible file. */ + extern int UTI_CheckFilePermissions(const char *path, mode_t perm); + ++/* Log a warning message if not having read access or having write access ++ to a file/directory */ ++extern void UTI_CheckReadOnlyAccess(const char *path); ++ + /* Open a file. The full path of the file is constructed from the basedir + (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). + Created files have specified permissions (umasked). Returns NULL on error. diff --git a/chrony.spec b/chrony.spec index 01f924d..3744814 100644 --- a/chrony.spec +++ b/chrony.spec @@ -27,6 +27,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c Patch1: chrony-nm-dispatcher-dhcp.patch # add chronyd-restricted service Patch2: chrony-restricted.patch +# warn if keys are world-accessible or chronyd doesn't have read-only access +Patch3: chrony-keyaccess.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -59,6 +61,7 @@ service to other computers in the network. %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp %patch2 -p1 -b .restricted +%patch3 -p1 -b .keyaccess %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} 
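Review bot: In the main.c hunk `CNF_CheckReadOnlyAccess()` is called only inside the `if (!geteuid() && (pw->pw_uid || pw->pw_gid))` branch, i.e. only when chronyd itself drops root, so a daemon started already unprivileged (the `User=`/`-U` style of service added in the previous commit) never gets the missing-read-access or write-access warning, which is the case where it matters most. Moving the call out of the braces into an `else` of the following `if (!geteuid()) LOG(LOGS_WARN, "Running with root privileges");` check would cover both paths; main() starts and ends outside the hunk. In keys.c and nts_ke_session.c the result of `UTI_CheckFilePermissions()` is discarded through an empty `if (...) ;` statement, which reads like an unfinished branch; `(void)UTI_CheckFilePermissions(key_file, 0771); /* warns only */` says the same thing without the trap. `UTI_CheckReadOnlyAccess()` relies on `access()`, which tests the real uid/gid rather than the effective ones, so its result is meaningful only once `SYS_DropRoot()` has presumably changed both — worth a sentence on the helper, since the util.h comment does not mention it.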
@@ -66,7 +69,6 @@ service to other computers in the network. md5sum -c <<-EOF | (! grep -v 'OK$') b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 - 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline @@ -80,11 +82,9 @@ test -n "%{vendorzone}" # use example chrony.conf as the default config with some modifications: # - use our vendor zone (2.*pool.ntp.org names include IPv6 addresses) # - enable leapsectz to get TAI-UTC offset and leap seconds from tzdata -# - enable keyfile # - use NTP servers from DHCP sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \ -e 's|#\(leapsectz\)|\1|' \ - -e 's|#\(keyfile\)|\1|' \ -e 's|^pool.*pool.ntp.org.*|&\n\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp|' \ < examples/chrony.conf.example2 > chrony.conf @@ -125,8 +125,6 @@ mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d} install -m 644 -p chrony.conf $RPM_BUILD_ROOT%{_sysconfdir}/chrony.conf -install -m 640 -p examples/chrony.keys.example \ - $RPM_BUILD_ROOT%{_sysconfdir}/chrony.keys install -m 755 -p %{SOURCE3} \ $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d/chrony.sh install -m 644 -p examples/chrony.logrotate \ @@ -150,6 +148,7 @@ cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd < \ 
@@ -186,9 +185,9 @@ fi %files %{!?_licensedir:%global license %%doc} %license COPYING -%doc FAQ NEWS README +%doc FAQ NEWS README examples/chrony.keys.example %config(noreplace) %{_sysconfdir}/chrony.conf -%config(noreplace) %verify(not md5 size mtime) %attr(640,root,chrony) %{_sysconfdir}/chrony.keys +%ghost %config %attr(640,root,chrony) %{_sysconfdir}/chrony.keys %config(noreplace) %{_sysconfdir}/logrotate.d/chrony %config(noreplace) %{_sysconfdir}/sysconfig/chronyd %{_sysconfdir}/dhcp/dhclient.d/chrony.sh From e8775477fe6c92fa7220b09b29b253f2f3763bcf Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 25 Jan 2023 16:47:23 +0100 Subject: [PATCH 39/91] 4.3-3 --- chrony.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 3744814..532f6ef 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -204,6 +204,11 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jan 25 2023 Miroslav Lichvar 4.3-3 +- drop default chrony.keys config (#2104918) +- add chronyd-restricted service for minimal NTP client configurations +- convert license tag to SPDX + * Wed Jan 18 2023 Fedora Release Engineering - 4.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From 08a5b8042dc6d97cdefea10382e2c162abdf8a91 Mon Sep 17 00:00:00 2001 From: Ondrej Mejzlik Date: Mon, 17 Apr 2023 18:47:07 +0200 Subject: [PATCH 40/91] Adding fmf plans and gating --- ci.fmf | 1 + gating.yaml | 21 ++++++++++++++++----- plans/ci.fmf | 6 ------ plans/public.fmf | 6 ++++++ plans/tier1-internal.fmf | 12 ++++++++++++ 5 files changed, 35 insertions(+), 11 deletions(-) create mode 100644 ci.fmf delete mode 100644 plans/ci.fmf create mode 100644 plans/public.fmf create mode 100644 plans/tier1-internal.fmf diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..c5aa0e0 
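Review bot: The `%ghost %config %attr(640,root,chrony) %{_sysconfdir}/chrony.keys` entry now records a mode and owner that rpm will never apply, because the file is no longer installed; an administrator who creates it by hand gets whatever their umask yields, and the keyaccess patch added in the same commit then warns about a world-readable key. A comment above the line, `# not installed by default; create it as 640 root:chrony so the chrony user can read it and chronyd does not warn`, would keep that expectation next to the attributes. Dropping `(noreplace)` together with `%verify(...)` also changes what happens to an existing admin-created file on erase or upgrade — presumably it is preserved as a config file, but worth confirming against rpm's `%ghost` handling before the release.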
--- /dev/null +++ b/ci.fmf @@ -0,0 +1 @@ +resultsdb-testcase: separate diff --git a/gating.yaml b/gating.yaml index f458db9..de5c323 100644 --- a/gating.yaml +++ b/gating.yaml @@ -1,16 +1,27 @@ --- !Policy product_versions: - fedora-* -decision_contexts: [bodhi_update_push_testing] +decision_context: bodhi_update_push_testing subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} -# rawhide +#Rawhide --- !Policy product_versions: - fedora-* -decision_contexts: [bodhi_update_push_stable] +decision_context: bodhi_update_push_stable subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} + +#gating rhel +--- !Policy +product_versions: + - rhel-* +decision_context: osci_compose_gate +rules: + - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional} + - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/public.functional} diff --git a/plans/ci.fmf b/plans/ci.fmf deleted file mode 100644 index 7834d37..0000000 --- a/plans/ci.fmf +++ /dev/null @@ -1,6 +0,0 @@ -summary: Test plan that runs all tests from tests repo. -discover: - how: fmf - url: https://src.fedoraproject.org/tests/chrony.git -execute: - how: tmt diff --git a/plans/public.fmf b/plans/public.fmf new file mode 100644 index 0000000..cff1391 --- /dev/null +++ b/plans/public.fmf @@ -0,0 +1,6 @@ +summary: Test plan with all Fedora tests +discover: + how: fmf + url: https://src.fedoraproject.org/tests/chrony.git +execute: + how: tmt 
diff --git a/plans/tier1-internal.fmf b/plans/tier1-internal.fmf new file mode 100644 index 0000000..9714336 --- /dev/null +++ b/plans/tier1-internal.fmf @@ -0,0 +1,12 @@ +summary: CI plan, picks internal Tier1 tests, runs in beakerlib. +discover: + - name: rhel + how: fmf + filter: 'tier: 1' + url: git://pkgs.devel.redhat.com/tests/chrony +execute: + how: tmt +adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. From e3bd39f52e4418bee9f0d3c1abcebe592b09d458 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 10 May 2023 15:51:12 +0200 Subject: [PATCH 41/91] update to 4.4-pre1 --- .gitignore | 6 +- chrony-keyaccess.patch | 191 ---------------------------------------- chrony-restricted.patch | 79 ----------------- chrony.spec | 13 +-- sources | 6 +- 5 files changed, 10 insertions(+), 285 deletions(-) delete mode 100644 chrony-keyaccess.patch delete mode 100644 chrony-restricted.patch diff --git a/.gitignore b/.gitignore index 57bb59a..b393483 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.3.tar.gz -/chrony-4.3-tar-gz-asc.txt -/clknetsim-f00531.tar.gz +/chrony-4.4-pre1.tar.gz +/chrony-4.4-pre1-tar-gz-asc.txt +/clknetsim-13b0a5.tar.gz diff --git a/chrony-keyaccess.patch b/chrony-keyaccess.patch deleted file mode 100644 index 4beedd8..0000000 --- a/chrony-keyaccess.patch +++ /dev/null 
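Review bot: `url: git://pkgs.devel.redhat.com/tests/chrony` fetches the test code that tmt will execute over the unauthenticated, unencrypted git protocol, so nothing on the path verifies which repository content arrives; the other plan in this commit uses `https://` for the Fedora tests repository and this one should match, `url: https://pkgs.devel.redhat.com/tests/chrony` (or an ssh URL), assuming the internal server offers it. The `adjust:` block disabling the plan outside RHEL carries a `because:` line, which is good; `when: distro == centos-stream, fedora` appears to rely on the comma shorthand for alternatives, and spelling it as `when: distro == centos-stream or distro == fedora` would avoid a misreading.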
@@ -1,191 +0,0 @@ -commit 9cba9c8585bc5ebf19bafece118fb2362090547c -Author: Miroslav Lichvar -Date: Thu Jan 19 16:09:40 2023 +0100 - - keys+nts: warn if loading world-readable/writable key - - Log a warning message if the file specified by the keyfile or - ntsserverkey directive is world-readable or writable, which is likely - an insecure misconfiguration. There is no check of directories - containing the file. - -diff --git a/keys.c b/keys.c -index 11f8b761..9225e6cd 100644 ---- a/keys.c -+++ b/keys.c -@@ -182,6 +182,9 @@ KEY_Reload(void) - if (!key_file) - return; - -+ if (!UTI_CheckFilePermissions(key_file, 0771)) -+ ; -+ - in = UTI_OpenFile(NULL, key_file, NULL, 'r', 0); - if (!in) { - LOG(LOGS_WARN, "Could not open keyfile %s", key_file); -diff --git a/nts_ke_session.c b/nts_ke_session.c -index dfcd18ab..2ae1e915 100644 ---- a/nts_ke_session.c -+++ b/nts_ke_session.c -@@ -667,6 +667,8 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys, - assert(0); - - for (i = 0; i < n_certs_keys; i++) { -+ if (!UTI_CheckFilePermissions(keys[i], 0771)) -+ ; - r = gnutls_certificate_set_x509_key_file(credentials, certs[i], keys[i], - GNUTLS_X509_FMT_PEM); - if (r < 0) -diff --git a/util.c b/util.c -index 064292ce..4b9d30ee 100644 ---- a/util.c -+++ b/util.c -@@ -1248,6 +1248,29 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid) - - /* ================================================== */ - -+int -+UTI_CheckFilePermissions(const char *path, mode_t perm) -+{ -+ mode_t extra_perm; -+ struct stat buf; -+ -+ if (stat(path, &buf) < 0 || !S_ISREG(buf.st_mode)) { -+ /* Not considered an error */ -+ return 1; -+ } -+ -+ extra_perm = (buf.st_mode & 0777) & ~perm; -+ if (extra_perm != 0) { -+ LOG(LOGS_WARN, "%s permissions on %s", extra_perm & 0006 ? -+ (extra_perm & 0004 ? 
"World-readable" : "World-writable") : "Wrong", path); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+/* ================================================== */ -+ - static int - join_path(const char *basedir, const char *name, const char *suffix, - char *buffer, size_t length, LOG_Severity severity) -diff --git a/util.h b/util.h -index 4655e537..6844798c 100644 ---- a/util.h -+++ b/util.h -@@ -196,6 +196,10 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid - permissions and its uid/gid must match the specified values. */ - extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); - -+/* Check and log a warning message if a file has more permissions than -+ specified. It does not return error if it is not an accessible file. */ -+extern int UTI_CheckFilePermissions(const char *path, mode_t perm); -+ - /* Open a file. The full path of the file is constructed from the basedir - (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). - Created files have specified permissions (umasked). Returns NULL on error. - -commit 883b0dde946105e0910456a0bebb24d57fecb0fc -Author: Miroslav Lichvar -Date: Wed Jan 25 14:29:06 2023 +0100 - - conf: warn if not having read-only access to keys - - After dropping root privileges, log a warning message if chronyd - doesn't have read access or has (unnecessary) write access to the - files containing symmetric and server NTS keys. 
- -diff --git a/conf.c b/conf.c -index 9f42a426..0597836d 100644 ---- a/conf.c -+++ b/conf.c -@@ -1774,6 +1774,19 @@ CNF_CreateDirs(uid_t uid, gid_t gid) - - /* ================================================== */ - -+void -+CNF_CheckReadOnlyAccess(void) -+{ -+ unsigned int i; -+ -+ if (keys_file) -+ UTI_CheckReadOnlyAccess(keys_file); -+ for (i = 0; i < ARR_GetSize(nts_server_key_files); i++) -+ UTI_CheckReadOnlyAccess(*(char **)ARR_GetElement(nts_server_key_files, i)); -+} -+ -+/* ================================================== */ -+ - void - CNF_AddInitSources(void) - { -diff --git a/conf.h b/conf.h -index 11fd11df..d7acb4fd 100644 ---- a/conf.h -+++ b/conf.h -@@ -44,6 +44,8 @@ extern void CNF_ParseLine(const char *filename, int number, char *line); - - extern void CNF_CreateDirs(uid_t uid, gid_t gid); - -+extern void CNF_CheckReadOnlyAccess(void); -+ - extern void CNF_AddInitSources(void); - extern void CNF_AddSources(void); - extern void CNF_AddBroadcasts(void); -diff --git a/main.c b/main.c -index c40b5e4b..31e3c8f0 100644 ---- a/main.c -+++ b/main.c -@@ -637,9 +637,13 @@ int main - } - - /* Drop root privileges if the specified user has a non-zero UID */ -- if (!geteuid() && (pw->pw_uid || pw->pw_gid)) -+ if (!geteuid() && (pw->pw_uid || pw->pw_gid)) { - SYS_DropRoot(pw->pw_uid, pw->pw_gid, SYS_MAIN_PROCESS); - -+ /* Warn if missing read access or having write access to keys */ -+ CNF_CheckReadOnlyAccess(); -+ } -+ - if (!geteuid()) - LOG(LOGS_WARN, "Running with root privileges"); - -diff --git a/util.c b/util.c -index 4b9d30ee..0321720e 100644 ---- a/util.c -+++ b/util.c -@@ -1271,6 +1271,17 @@ UTI_CheckFilePermissions(const char *path, mode_t perm) - - /* ================================================== */ - -+void -+UTI_CheckReadOnlyAccess(const char *path) -+{ -+ if (access(path, R_OK) != 0 && errno != ENOENT) -+ LOG(LOGS_WARN, "Missing read access to %s : %s", path, strerror(errno)); -+ if (access(path, W_OK) == 0) -+ LOG(LOGS_WARN, "Having write 
access to %s", path); -+} -+ -+/* ================================================== */ -+ - static int - join_path(const char *basedir, const char *name, const char *suffix, - char *buffer, size_t length, LOG_Severity severity) -diff --git a/util.h b/util.h -index 6844798c..d8e25dee 100644 ---- a/util.h -+++ b/util.h -@@ -200,6 +200,10 @@ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid - specified. It does not return error if it is not an accessible file. */ - extern int UTI_CheckFilePermissions(const char *path, mode_t perm); - -+/* Log a warning message if not having read access or having write access -+ to a file/directory */ -+extern void UTI_CheckReadOnlyAccess(const char *path); -+ - /* Open a file. The full path of the file is constructed from the basedir - (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). - Created files have specified permissions (umasked). Returns NULL on error. diff --git a/chrony-restricted.patch b/chrony-restricted.patch deleted file mode 100644 index 930e814..0000000 --- a/chrony-restricted.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -commit 6fba5a4a7fbe785849c0ec759e18bce0b7e234e4 -Author: Miroslav Lichvar -Date: Tue Jan 10 15:02:49 2023 +0100 - - examples: add chronyd-restricted.service - - This is a more restricted version of the chronyd service intended for - minimal NTP/NTS client configurations. The daemon is started without - root privileges and is allowed to write only to its own runtime, state, - and log directories. It cannot bind to privileged ports in order to - operate as an NTP server, or provide monitoring access over IPv4/IPv6. - It cannot use reference clocks, HW timestamping, RTC tracking, and other - features. - -diff --git a/examples/chronyd-restricted.service b/examples/chronyd-restricted.service -new file mode 100644 -index 00000000..50998338 ---- /dev/null -+++ b/examples/chronyd-restricted.service -@@ -0,0 +1,59 @@ -+# This is a more restricted version of the chronyd service intended for -+# minimal NTP/NTS client configurations. The daemon is started without root -+# privileges and is allowed to write only to its own runtime, state, and log -+# directories. It cannot bind to privileged ports in order to operate as an -+# NTP server, or provide monitoring access over IPv4/IPv6. It cannot use -+# reference clocks, HW timestamping, RTC tracking, and other features. 
-+[Unit] -+Description=NTP client (restricted) -+Documentation=man:chronyd(8) man:chrony.conf(5) -+After=chronyd.service ntpdate.service sntp.service ntpd.service -+Conflicts=chronyd.service ntpd.service systemd-timesyncd.service -+ConditionCapability=CAP_SYS_TIME -+ -+[Service] -+Type=forking -+PIDFile=/run/chrony/chronyd.pid -+EnvironmentFile=-/etc/sysconfig/chronyd -+ExecStart=/usr/sbin/chronyd -U $OPTIONS -+ -+User=chrony -+LogsDirectory=chrony -+LogsDirectoryMode=0750 -+RuntimeDirectory=chrony -+RuntimeDirectoryMode=0750 -+RuntimeDirectoryPreserve=restart -+StateDirectory=chrony -+StateDirectoryMode=0750 -+ -+AmbientCapabilities=CAP_SYS_TIME -+CapabilityBoundingSet=CAP_SYS_TIME -+DevicePolicy=closed -+LockPersonality=yes -+MemoryDenyWriteExecute=yes -+NoNewPrivileges=yes -+PrivateDevices=yes -+PrivateTmp=yes -+# This breaks adjtimex() -+#PrivateUsers=yes -+ProcSubset=pid -+ProtectControlGroups=yes -+ProtectHome=yes -+ProtectHostname=yes -+ProtectKernelLogs=yes -+ProtectKernelModules=yes -+ProtectKernelTunables=yes -+ProtectProc=invisible -+ProtectSystem=strict -+RemoveIPC=yes -+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX -+RestrictNamespaces=yes -+RestrictRealtime=yes -+RestrictSUIDSGID=yes -+SystemCallArchitectures=native -+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io -+SystemCallFilter=~@reboot @resources @swap -+UMask=0077 -+ -+[Install] -+WantedBy=multi-user.target diff --git a/chrony.spec b/chrony.spec index 532f6ef..efe9f89 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver f00531 +%global clknetsim_ver 13b0a5 +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.3 +Version: 4.4 Release: 3%{?dist} Summary: An NTP client/server 
@@ -25,10 +26,6 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch -# add chronyd-restricted service -Patch2: chrony-restricted.patch -# warn if keys are world-accessible or chronyd doesn't have read-only access -Patch3: chrony-keyaccess.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -60,8 +57,6 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp -%patch2 -p1 -b .restricted -%patch3 -p1 -b .keyaccess %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -71,7 +66,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp - 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline + 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service f092f965dc61f691ca838958eeeb3377 examples/chronyd-restricted.service EOF diff --git a/sources b/sources index f352bac..73edab9 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.3.tar.gz) = 1394bac3ed684352fe89b7fef7da50e61f9f522abee807627ae1fc4c2dde891017bc8e5b13759fced028f3a1e875d5e4e5a4f85de65c63b5f83d0ca03bb4c5df -SHA512 (chrony-4.3-tar-gz-asc.txt) = 300b06f253ac3727edb86a1b7c337f9529ee752bbb471b266217b6a8ac5183e827264177a3210d436425d746673bf11fbdc41da145673213e28165197c6c76b7 -SHA512 (clknetsim-f00531.tar.gz) = a44f543574519d1d5b5778f91b88fc73a976de511b97011c8ff3bc61a7ebff868fe9c6b46947ff4b58b29bd45520ffa68147934b1d289b1ffada4a329c048df5 +SHA512 (chrony-4.4-pre1.tar.gz) = d251f822ff49be0ff691c41e08b2c68ca86c3c3b1896c11d8f72cb72c5d3fde38ec4609ffab2a737faf0824f603b6c36d56a827aacde3b296cadddca59ad7812 +SHA512 (chrony-4.4-pre1-tar-gz-asc.txt) = b03592f26603403eaff2140f640f88408a1bd5be3468cf91fdd221fc9579611bdd475017a5803d7a5b1db08b11e20f260a4af91ee0a4d3b33ae6232b81a109fe +SHA512 (clknetsim-13b0a5.tar.gz) = e23b90bd0650502856ce472489d9ea0274aab7c1bd8945cac460f3a12338a509cad76133c60ccc2c7c31375496ec55b42c62008250109453f237ceb750bee03a From 55b6de12265b76d0f989c382c0058dbffb783f49 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 10 May 2023 15:51:46 +0200 Subject: [PATCH 42/91] switch from patchX to patch -P X --- chrony.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chrony.spec b/chrony.spec index efe9f89..e6d0be8 100644 --- a/chrony.spec +++ b/chrony.spec @@ -55,8 +55,8 @@ service to other computers in the network. %prep %{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0} %setup -q -n %{name}-%{version}%{?prerelease} -a 10 -%{?gitpatch:%patch0 -p1} -%patch1 -p1 -b .nm-dispatcher-dhcp +%{?gitpatch:%patch -P 0 -p1} +%patch -P 1 -p1 -b .nm-dispatcher-dhcp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} From 014a45966ecf6abe66f489916f6d8f1e7ebbfbe5 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 10 May 2023 15:55:45 +0200 Subject: [PATCH 43/91] 4.4-0.1.pre1 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/chrony.spec b/chrony.spec index e6d0be8..19bbcb2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 3%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -199,6 +199,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed May 10 2023 Miroslav Lichvar 4.4-0.1.pre1 +- update to 4.4-pre1 +- switch from patchX to patch -P X + * Wed Jan 25 2023 Miroslav Lichvar 4.3-3 - drop default chrony.keys config (#2104918) - add chronyd-restricted service for minimal NTP client configurations From cf4057bdecb7a430406dbc26aa7ac4e017ea6996 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 6 Jun 2023 13:08:16 +0200 Subject: [PATCH 44/91] 4.4-0.2.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 19bbcb2..90bcec0 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 0.1.pre1%{?dist} +Release: 0.2.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -199,6 +199,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jun 06 2023 Miroslav Lichvar 4.4-0.2.pre1 +- rebuild for AES-GCM-SIV in new nettle + * Wed May 10 2023 Miroslav Lichvar 4.4-0.1.pre1 - update to 4.4-pre1 - switch from patchX to patch -P X From dd472d8c34c2eeb10b4e2bddd3304ae4af48f5d4 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 Jun 2023 11:03:16 +0200 Subject: [PATCH 45/91] set selinux context in chronyd-restricted service (#2169949) --- chrony.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/chrony.spec b/chrony.spec index 90bcec0..fe057df 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -85,6 +85,10 @@ sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \ touch -r examples/chrony.conf.example2 chrony.conf +# set selinux context in chronyd-restricted service +sed -i '/^ExecStart/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0' \ + examples/chronyd-restricted.service + # regenerate the file from getdate.y rm -f getdate.c From 9d4dc9b2d9f09ade23f84cbcfa5ad702b8fd9a81 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 Jun 2023 14:32:30 +0200 Subject: [PATCH 46/91] update to 4.4-pre2 --- .gitignore | 4 ++-- chrony.spec | 10 +++++----- sources | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index b393483..62aad8b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.4-pre1.tar.gz -/chrony-4.4-pre1-tar-gz-asc.txt +/chrony-4.4-pre2.tar.gz +/chrony-4.4-pre2-tar-gz-asc.txt /clknetsim-13b0a5.tar.gz diff --git a/chrony.spec b/chrony.spec index fe057df..c8ffc8f 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,6 @@ %global _hardened_build 1 %global clknetsim_ver 13b0a5 -%global prerelease -pre1 +%global prerelease -pre2 %bcond_without debug %bcond_without nts 
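Review bot: The `sed -i '/^ExecStart/a SELinuxContext=…'` edit silently does nothing if the upstream unit ever stops having a line that begins with `ExecStart`, and the package would then ship chronyd-restricted.service without the dedicated SELinux domain this change exists to enforce. A check right after the sed, `grep -q '^SELinuxContext=system_u:system_r:chronyd_restricted_t:s0$' examples/chronyd-restricted.service`, turns that into a build failure instead of a runtime downgrade. The pattern `/^ExecStart/` also matches `ExecStartPre=`/`ExecStartPost=` lines, so the directive would be appended once per match if upstream adds those; `/^ExecStart=/` is the intended anchor. Whether every selinux-policy version this package can be installed with defines `chronyd_restricted_t` is not visible here; if it does not, a versioned dependency on selinux-policy (version to be confirmed) would prevent the unit from failing to start.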
@@ -62,13 +62,13 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') - b40117b4aac846d31e4ad196dc44cda3 examples/chrony-wait.service + 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - 677ad16d6439daa369da44a1b75d1772 examples/chronyd.service - f092f965dc61f691ca838958eeeb3377 examples/chronyd-restricted.service + c11159b78b89684eca773db6236a9855 examples/chronyd.service + 46fa3e2d42c8eb9c42e71095686c90ed examples/chronyd-restricted.service EOF # don't allow packaging without vendor zone @@ -155,7 +155,7 @@ echo 'chronyd.service' > \ %check # set random seed to get deterministic results -export CLKNETSIM_RANDOM_SEED=24505 +export CLKNETSIM_RANDOM_SEED=24508 %make_build -C test/simulation/clknetsim make quickcheck diff --git a/sources b/sources index 73edab9..02f0816 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.4-pre1.tar.gz) = d251f822ff49be0ff691c41e08b2c68ca86c3c3b1896c11d8f72cb72c5d3fde38ec4609ffab2a737faf0824f603b6c36d56a827aacde3b296cadddca59ad7812 -SHA512 (chrony-4.4-pre1-tar-gz-asc.txt) = b03592f26603403eaff2140f640f88408a1bd5be3468cf91fdd221fc9579611bdd475017a5803d7a5b1db08b11e20f260a4af91ee0a4d3b33ae6232b81a109fe +SHA512 (chrony-4.4-pre2.tar.gz) = 4919cdbafa18f9cfc5d1ef0253373445c78f66480d3bfda2b58441d7abd2f330a2cd00ef7c498d733b74a0e3f02cb4c39b6ef2d054aed1648625e206f71888ad +SHA512 (chrony-4.4-pre2-tar-gz-asc.txt) = fe74013a75c143a651f9e3844ab231df8166bac24b919a0850d822430fbca81b17f2d9b0d2c17fe0edf3a7dc33a93718e5bbb892c3551d8d52bcc75c38cecc57 SHA512 (clknetsim-13b0a5.tar.gz) = e23b90bd0650502856ce472489d9ea0274aab7c1bd8945cac460f3a12338a509cad76133c60ccc2c7c31375496ec55b42c62008250109453f237ceb750bee03a From c2ad1d7c433d155d1950b5c6be2c8e51b11cd0ad Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 Jun 2023 14:39:06 +0200 Subject: [PATCH 47/91] 4.4-0.3.pre2 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index c8ffc8f..f431e5f 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 0.2.pre1%{?dist} +Release: 0.3.pre2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -203,6 +203,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jun 21 2023 Miroslav Lichvar 4.4-0.3.pre2 +- update to 4.4-pre2 +- set selinux context in chronyd-restricted service (#2169949) + * Tue Jun 06 2023 Miroslav Lichvar 4.4-0.2.pre1 - rebuild for AES-GCM-SIV in new nettle From 133e764afbd6c68e3b7d3e913deed91416ba21a5 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 19 Jul 2023 15:38:23 +0000 Subject: [PATCH 48/91] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index f431e5f..abc71e4 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.4 -Release: 0.3.pre2%{?dist} +Release: 0.4.pre2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -203,6 +203,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 19 2023 Fedora Release Engineering - 4.4-0.4.pre2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Wed Jun 21 2023 Miroslav Lichvar 4.4-0.3.pre2 - update to 4.4-pre2 - set selinux context in chronyd-restricted service (#2169949) From 0b020ff4e00e98543a1f4975ddbaf9bec9615472 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 29 Jun 2023 13:04:00 +0200 Subject: [PATCH 49/91] require tzdata (#2218368) --- chrony.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/chrony.spec b/chrony.spec index abc71e4..d35a2cb 100644 --- a/chrony.spec +++ b/chrony.spec @@ -35,6 +35,9 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?systemd_requires} %{?sysusers_requires_compat} +# Needed by the leapsectz directive in default chrony.conf +Requires: tzdata + # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 From 5782cfd640fc9f3bf45a0fdaf281c81ebd3d81f5 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Aug 2023 16:38:03 +0200 Subject: [PATCH 50/91] update to 4.4 --- .gitignore | 6 +++--- chrony.spec | 11 +++++------ sources | 6 +++--- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index 62aad8b..57ee54b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.4-pre2.tar.gz -/chrony-4.4-pre2-tar-gz-asc.txt -/clknetsim-13b0a5.tar.gz +/chrony-4.4.tar.gz +/chrony-4.4-tar-gz-asc.txt +/clknetsim-ef2a7a.tar.gz 
diff --git a/chrony.spec b/chrony.spec index d35a2cb..a214149 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver 13b0a5 -%global prerelease -pre2 +%global clknetsim_ver ef2a7a %bcond_without debug %bcond_without nts @@ -14,10 +13,10 @@ Release: 0.4.pre2%{?dist} Summary: An NTP client/server License: GPL-2.0-only -URL: https://chrony.tuxfamily.org -Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz -Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt -Source2: https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc +URL: https://chrony-project.org +Source0: https://chrony-project.org/releases/chrony-%{version}%{?prerelease}.tar.gz +Source1: https://chrony-project.org/releases/chrony-%{version}%{?prerelease}-tar-gz-asc.txt +Source2: https://chrony-project.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc Source3: chrony.dhclient Source4: chrony.sysusers # simulator for test suite diff --git a/sources b/sources index 02f0816..1c8d2e0 100644 --- a/sources +++ b/sources 
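Review bot: The fetch URL of the signing key used by `%{gpgverify}` changes host in the `@@ -14,10 +13,10 @@` hunk, but the checked-in key file does not (the diffstat lists only .gitignore, chrony.spec and sources), so verification still runs against the previously committed key with fingerprint 8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC, and nothing in the spec says that the fingerprint in the Source2 name is the pin. A comment above Source2 such as `# signing key pinned by its fingerprint; re-check the fingerprint whenever this file is refreshed from the URL` would make the trust anchor explicit for the next host move. Tarball integrity is independently pinned by the SHA512 entries in `sources`.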
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.4-pre2.tar.gz) = 4919cdbafa18f9cfc5d1ef0253373445c78f66480d3bfda2b58441d7abd2f330a2cd00ef7c498d733b74a0e3f02cb4c39b6ef2d054aed1648625e206f71888ad -SHA512 (chrony-4.4-pre2-tar-gz-asc.txt) = fe74013a75c143a651f9e3844ab231df8166bac24b919a0850d822430fbca81b17f2d9b0d2c17fe0edf3a7dc33a93718e5bbb892c3551d8d52bcc75c38cecc57 -SHA512 (clknetsim-13b0a5.tar.gz) = e23b90bd0650502856ce472489d9ea0274aab7c1bd8945cac460f3a12338a509cad76133c60ccc2c7c31375496ec55b42c62008250109453f237ceb750bee03a +SHA512 (chrony-4.4.tar.gz) = 45e060eb0c5892552f28dc436429e5823409cc93533127af27b64d08ff9c769fdc72694272232114f5ca1884c2bc8b5e842fae7956dc457358e937bcd3dda4d7 +SHA512 (chrony-4.4-tar-gz-asc.txt) = bb795b428567434937cbf3a12c559b549b89abe65010d04eed0fbdcfde35e7266771ea01c2c5581f3e5fae993f1782fff5a62c5ae09259d2b65dab9473d756a3 +SHA512 (clknetsim-ef2a7a.tar.gz) = 55196099d975d635fcba7dce9e1bc42efe0aee25777c9ff0bc996e300922e70542ea784a78814dc888c2f7f281e9d7db68c893e2d3138e92fbc3fb1e64e7e2b6 From 271a50e6c18ca9e7d6fb5795753ca0777a4e0a19 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 9 Aug 2023 16:38:34 +0200 Subject: [PATCH 51/91] 4.4-1 --- chrony.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index a214149..0a0bb92 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.4 -Release: 0.4.pre2%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,10 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Aug 09 2023 Miroslav Lichvar 4.4-1 +- update to 4.4 +- require tzdata (#2218368) + * Wed Jul 19 2023 Fedora Release Engineering - 4.4-0.4.pre2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild From a1d483c64b6fc9223f0098a9cd31463d02d8274d Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 22 Nov 2023 14:44:06 +0100 Subject: [PATCH 52/91] update to 4.5-pre1 --- .gitignore | 6 +++--- chrony.spec | 5 +++-- sources | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 57ee54b..9b297b0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.4.tar.gz -/chrony-4.4-tar-gz-asc.txt -/clknetsim-ef2a7a.tar.gz +/chrony-4.5-pre1-tar-gz-asc.txt +/chrony-4.5-pre1.tar.gz +/clknetsim-5d1dc0.tar.gz diff --git a/chrony.spec b/chrony.spec index 0a0bb92..c72af99 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver ef2a7a +%global clknetsim_ver 5d1dc0 +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.4 +Version: 4.5 Release: 1%{?dist} Summary: An NTP client/server diff --git a/sources b/sources index 1c8d2e0..7493175 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.4.tar.gz) = 45e060eb0c5892552f28dc436429e5823409cc93533127af27b64d08ff9c769fdc72694272232114f5ca1884c2bc8b5e842fae7956dc457358e937bcd3dda4d7 -SHA512 (chrony-4.4-tar-gz-asc.txt) = bb795b428567434937cbf3a12c559b549b89abe65010d04eed0fbdcfde35e7266771ea01c2c5581f3e5fae993f1782fff5a62c5ae09259d2b65dab9473d756a3 -SHA512 (clknetsim-ef2a7a.tar.gz) = 55196099d975d635fcba7dce9e1bc42efe0aee25777c9ff0bc996e300922e70542ea784a78814dc888c2f7f281e9d7db68c893e2d3138e92fbc3fb1e64e7e2b6 +SHA512 (chrony-4.5-pre1-tar-gz-asc.txt) = 60030c572957afe2289ca3f20efaf92267d3f6eca1e8c220f9b24bcfacbfc830304151d47c048bdcb1972a6ed9c84e7e435fafd4276080ecb253b991087ce20f +SHA512 (chrony-4.5-pre1.tar.gz) = 1be4beb1257baf08a6c35613a5c547837f63aeab0f06b87dff1acdd912a49f79b276f376af7737c6d44bf6ba974829dddddee5e9153828abf90f828e749d8f6e +SHA512 (clknetsim-5d1dc0.tar.gz) = 76889da425dc9d63ba78811661d78ffa922a63c4f83aeb809fef02c866f64a97b09dd4b0906ccfd1e20cee5091d8b886aadfce54cd338d3bf597b0e976a78927 
From 69e59ad695b88de1b38afb618e91cdff12e9989a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 22 Nov 2023 14:45:44 +0100 Subject: [PATCH 53/91] 4.5-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index c72af99..e13c68d 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.5 -Release: 1%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Nov 22 2023 Miroslav Lichvar 4.5-0.1.pre1 +- update to 4.5-pre1 + * Wed Aug 09 2023 Miroslav Lichvar 4.4-1 - update to 4.4 - require tzdata (#2218368) From 9bca6ebe57a0846ff27e7495ad4ea1fa4d5a0c2b Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 5 Dec 2023 15:20:20 +0100 Subject: [PATCH 54/91] update to 4.5 --- .gitignore | 4 ++-- chrony.spec | 1 - sources | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 9b297b0..ca5815e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.5-pre1-tar-gz-asc.txt -/chrony-4.5-pre1.tar.gz +/chrony-4.5.tar.gz +/chrony-4.5-tar-gz-asc.txt /clknetsim-5d1dc0.tar.gz diff --git a/chrony.spec b/chrony.spec index e13c68d..a151383 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 %global clknetsim_ver 5d1dc0 -%global prerelease -pre1 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index 7493175..0f64136 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.5-pre1-tar-gz-asc.txt) = 60030c572957afe2289ca3f20efaf92267d3f6eca1e8c220f9b24bcfacbfc830304151d47c048bdcb1972a6ed9c84e7e435fafd4276080ecb253b991087ce20f -SHA512 (chrony-4.5-pre1.tar.gz) = 1be4beb1257baf08a6c35613a5c547837f63aeab0f06b87dff1acdd912a49f79b276f376af7737c6d44bf6ba974829dddddee5e9153828abf90f828e749d8f6e +SHA512 (chrony-4.5.tar.gz) = 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5 +SHA512 (chrony-4.5-tar-gz-asc.txt) = 05470e6cc34524fdab494f70cee71d46172b38bdd4acd8173ac79fdec12178239248880db474437690094aae7909002113289ac7f9305130c5e0a1d9364122cb SHA512 (clknetsim-5d1dc0.tar.gz) = 76889da425dc9d63ba78811661d78ffa922a63c4f83aeb809fef02c866f64a97b09dd4b0906ccfd1e20cee5091d8b886aadfce54cd338d3bf597b0e976a78927 From 17bd1206e37eb9f6eefa18fe8102b2752eb3e15e Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 5 Dec 2023 15:23:50 +0100 Subject: [PATCH 55/91] 4.5-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index a151383..e4e6820 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Dec 05 2023 Miroslav Lichvar 4.5-1 +- update to 4.5 + * Wed Nov 22 2023 Miroslav Lichvar 4.5-0.1.pre1 - update to 4.5-pre1 From 396d15c284b65cc88840488e2b72ca4696159ed8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 9 Jan 2024 16:50:44 +0100 Subject: [PATCH 56/91] update clknetsim source --- chrony.spec | 4 ++-- sources | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/chrony.spec b/chrony.spec index e4e6820..b160209 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -20,7 +20,7 @@ Source2: https://chrony-project.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B Source3: chrony.dhclient Source4: chrony.sysusers # simulator for test suite -Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz +Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} # add distribution-specific bits to DHCP dispatcher @@ -94,7 +94,7 @@ sed -i '/^ExecStart/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0' # regenerate the file from getdate.y rm -f getdate.c -mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim +mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim %build %configure \ diff --git a/sources b/sources index 0f64136..970d87e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (chrony-4.5.tar.gz) = 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5 SHA512 (chrony-4.5-tar-gz-asc.txt) = 05470e6cc34524fdab494f70cee71d46172b38bdd4acd8173ac79fdec12178239248880db474437690094aae7909002113289ac7f9305130c5e0a1d9364122cb -SHA512 (clknetsim-5d1dc0.tar.gz) = 76889da425dc9d63ba78811661d78ffa922a63c4f83aeb809fef02c866f64a97b09dd4b0906ccfd1e20cee5091d8b886aadfce54cd338d3bf597b0e976a78927 +SHA512 (clknetsim-5d1dc0.tar.gz) = 7d542443d7d9334d900cee821207fab1ee87e57fda6580a9d894f65fb36d265fdc4a72022b4293134d54cdeffba7e84d2f68f732f4b228b84d846d8668b314b2 From 9cedf747bf723bba78cec22f32b236a1b3b4aa87 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jan 2024 15:25:29 +0000 Subject: [PATCH 57/91] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index b160209..c806558 100644 --- a/chrony.spec +++ b/chrony.spec 
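Review bot: The new Source10 URL `https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-%{clknetsim_ver}.tar.gz` fetches the moving `master` branch while the file name claims commit %{clknetsim_ver}, so the URL no longer identifies the content; the `sources` hunk in this same commit shows the effect, as clknetsim-5d1dc0.tar.gz keeps its name but gets a different SHA512. The build stays pinned only through the lookaside hash, and anyone re-fetching the URL to reproduce or audit the test-suite dependency gets whatever master is at that moment. Using the commit as the archive ref, `Source10: https://gitlab.com/chrony/clknetsim/-/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz`, keeps URL and content aligned; the `mv clknetsim-*-%{clknetsim_ver}*` glob in the `@@ -94,7 +94,7 @@` hunk should still match the extracted directory, but that is worth confirming against the actual archive layout.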
@@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Fri Jan 19 2024 Fedora Release Engineering - 4.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Tue Dec 05 2023 Miroslav Lichvar 4.5-1 - update to 4.5 From 2484d4001eaa7d8378f1a4f97171ac58a01b68c4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 23 Jan 2024 01:36:12 +0000 Subject: [PATCH 58/91] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index c806558..51a9c3a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jan 23 2024 Fedora Release Engineering - 4.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Fri Jan 19 2024 Fedora Release Engineering - 4.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 5d030eca6da200ac89e44d66728a7623b8b8ad15 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 19:17:25 +0000 Subject: [PATCH 59/91] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 51a9c3a..5401be6 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An NTP client/server License: GPL-2.0-only 
@@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 17 2024 Fedora Release Engineering - 4.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Tue Jan 23 2024 Fedora Release Engineering - 4.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 2aac4c014b2cb70255833115cbfb4bc759ea8eb2 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 30 Jul 2024 14:52:18 +0200 Subject: [PATCH 60/91] update to 4.6-pre1 --- .gitignore | 6 +++--- chrony.spec | 13 +++++++------ sources | 6 +++--- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index ca5815e..55c253a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.5.tar.gz -/chrony-4.5-tar-gz-asc.txt -/clknetsim-5d1dc0.tar.gz +/chrony-4.6-pre1.tar.gz +/chrony-4.6-pre1-tar-gz-asc.txt +/clknetsim-633a0b.tar.gz diff --git a/chrony.spec b/chrony.spec index 5401be6..d43f3be 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 5d1dc0 +%global clknetsim_ver 633a0b +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.5 +Version: 4.6 Release: 4%{?dist} Summary: An NTP client/server @@ -34,7 +35,7 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 %{?systemd_requires} %{?sysusers_requires_compat} -# Needed by the leapsectz directive in default chrony.conf +# Needed by the leapseclist directive in default chrony.conf Requires: tzdata # Old NetworkManager expects the dispatcher scripts in a different place 
@@ -65,7 +66,7 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service - 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 + 826354a2d467d6147e412d43bfe07484 examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline @@ -78,10 +79,10 @@ test -n "%{vendorzone}" # use example chrony.conf as the default config with some modifications: # - use our vendor zone (2.*pool.ntp.org names include IPv6 addresses) -# - enable leapsectz to get TAI-UTC offset and leap seconds from tzdata +# - enable leapseclist to get TAI-UTC offset and leap seconds # - use NTP servers from DHCP sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \ - -e 's|#\(leapsectz\)|\1|' \ + -e 's|#\(leapseclist\)|\1|' \ -e 's|^pool.*pool.ntp.org.*|&\n\n# Use NTP servers from DHCP.\nsourcedir /run/chrony-dhcp|' \ < examples/chrony.conf.example2 > chrony.conf diff --git a/sources b/sources index 970d87e..e895b1c 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.5.tar.gz) = 58a449e23186da799064b16ab16f799c1673296984b152b43e87c620d86e272c55365e83439d410fc89e4e0ba0befd7d5c625eac78a6665813b7ea75444f71b5 -SHA512 (chrony-4.5-tar-gz-asc.txt) = 05470e6cc34524fdab494f70cee71d46172b38bdd4acd8173ac79fdec12178239248880db474437690094aae7909002113289ac7f9305130c5e0a1d9364122cb -SHA512 (clknetsim-5d1dc0.tar.gz) = 7d542443d7d9334d900cee821207fab1ee87e57fda6580a9d894f65fb36d265fdc4a72022b4293134d54cdeffba7e84d2f68f732f4b228b84d846d8668b314b2 +SHA512 (chrony-4.6-pre1.tar.gz) = 9d978b359ac4a6d6859f0fb2d3b6d3ed455838c2dc31d3db1b15b360a62d4f2d8dce71d1e67648658407121020880cd545a4eeb69d0df88475db778851c15cb4 +SHA512 (chrony-4.6-pre1-tar-gz-asc.txt) = c6c7147e63fc19153e230fa81e6207a08b66da39a2156dd1d26d2435abb530210d4effcd8273ee6f3eede5ef0e29d33a601190ac41881f2d65a84a51e9070211 +SHA512 (clknetsim-633a0b.tar.gz) = 6fd8f5b0f3fc74e6dcaf64fc8058ef49806b1d010c8f76223715dd87286871e6bfc1c21be9b8379d9fddbd989490a98226f550805614c4b66c3ee0477acd6b59 From 02f36b402e2900050abfea5a93e23c49c3d31672 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 30 Jul 2024 14:52:53 +0200 Subject: [PATCH 61/91] 4.6-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index d43f3be..6e86955 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.6 -Release: 4%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Jul 30 2024 Miroslav Lichvar 4.6-0.1.pre1 +- update to 4.6-pre1 + * Wed Jul 17 2024 Fedora Release Engineering - 4.5-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 60a3986f3a58bac2d6cb7956d790103a52d858cd Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 2 Sep 2024 15:15:35 +0200 Subject: [PATCH 62/91] update to 4.6 --- .gitignore | 4 ++-- chrony.spec | 1 - sources | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 55c253a..bde5491 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.6-pre1.tar.gz -/chrony-4.6-pre1-tar-gz-asc.txt +/chrony-4.6.tar.gz +/chrony-4.6-tar-gz-asc.txt /clknetsim-633a0b.tar.gz diff --git a/chrony.spec b/chrony.spec index 6e86955..03a40e9 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 %global clknetsim_ver 633a0b -%global prerelease -pre1 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index e895b1c..5265d98 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.6-pre1.tar.gz) = 9d978b359ac4a6d6859f0fb2d3b6d3ed455838c2dc31d3db1b15b360a62d4f2d8dce71d1e67648658407121020880cd545a4eeb69d0df88475db778851c15cb4 -SHA512 (chrony-4.6-pre1-tar-gz-asc.txt) = c6c7147e63fc19153e230fa81e6207a08b66da39a2156dd1d26d2435abb530210d4effcd8273ee6f3eede5ef0e29d33a601190ac41881f2d65a84a51e9070211 +SHA512 (chrony-4.6.tar.gz) = 84926b6c9eb90824ab98333412b001b18de9342dacb898d195ee8de52868b1945700a8b161de6b603c231460d290e02df6712c1dcb7f034ba45754b38466c8bd +SHA512 (chrony-4.6-tar-gz-asc.txt) = f735c1d52f1474d2af656e55d3a9abfd33b4ed706b983a393c7e3852b766b5179fe4098425ee7f32bb5db4a2e4170e8c5930cf63d20884be6c0eac338a3d26db SHA512 (clknetsim-633a0b.tar.gz) = 6fd8f5b0f3fc74e6dcaf64fc8058ef49806b1d010c8f76223715dd87286871e6bfc1c21be9b8379d9fddbd989490a98226f550805614c4b66c3ee0477acd6b59 From 0ba6e157c2d66353426798a3ca7938a29d10dcb8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 2 Sep 2024 15:16:32 +0200 Subject: [PATCH 63/91] 4.6-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 03a40e9..62acd40 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -9,7 +9,7 @@ Name: chrony Version: 4.6 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Sep 02 2024 Miroslav Lichvar 4.6-1 +- update to 4.6 + * Tue Jul 30 2024 Miroslav Lichvar 4.6-0.1.pre1 - update to 4.6-pre1 From bf7e96a93b94fecec55462ce210d8c1458b11ea6 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 2 Sep 2024 16:28:18 +0200 Subject: [PATCH 64/91] update clknetsim to fix %check on i686 --- .gitignore | 2 +- chrony.spec | 2 +- sources | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index bde5491..c02a352 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ /chrony-4.6.tar.gz /chrony-4.6-tar-gz-asc.txt -/clknetsim-633a0b.tar.gz +/clknetsim-64df92.tar.gz diff --git a/chrony.spec b/chrony.spec index 62acd40..98445d3 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver 633a0b +%global clknetsim_ver 64df92 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index 5265d98..d1a6a50 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (chrony-4.6.tar.gz) = 84926b6c9eb90824ab98333412b001b18de9342dacb898d195ee8de52868b1945700a8b161de6b603c231460d290e02df6712c1dcb7f034ba45754b38466c8bd SHA512 (chrony-4.6-tar-gz-asc.txt) = f735c1d52f1474d2af656e55d3a9abfd33b4ed706b983a393c7e3852b766b5179fe4098425ee7f32bb5db4a2e4170e8c5930cf63d20884be6c0eac338a3d26db -SHA512 (clknetsim-633a0b.tar.gz) = 6fd8f5b0f3fc74e6dcaf64fc8058ef49806b1d010c8f76223715dd87286871e6bfc1c21be9b8379d9fddbd989490a98226f550805614c4b66c3ee0477acd6b59 +SHA512 (clknetsim-64df92.tar.gz) = 3253e6823b66f23f63203aad0ea22c25cf9d1f5af789722662f4d383111cb2c1816cb23d2fa06171a65b102ae82a5371376becb029d7c9b163b0aee710374c02 From 73179b1fbd3f2e049997a996781663b4ecb1ad87 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 2 Sep 2024 16:29:00 +0200 Subject: [PATCH 65/91] 4.6-1 From 9999104b0943393d25de12a148cbdb03d8b4d649 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Oct 2024 15:39:55 +0200 Subject: [PATCH 66/91] update to 4.6.1 --- .gitignore | 4 ++-- chrony.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index c02a352..04fffa0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.6.tar.gz -/chrony-4.6-tar-gz-asc.txt +/chrony-4.6.1.tar.gz +/chrony-4.6.1-tar-gz-asc.txt /clknetsim-64df92.tar.gz diff --git a/chrony.spec b/chrony.spec index 98445d3..125cc4a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -8,7 +8,7 @@ %endif Name: chrony -Version: 4.6 +Version: 4.6.1 Release: 1%{?dist} Summary: An NTP client/server diff --git a/sources b/sources index d1a6a50..a3dab97 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.6.tar.gz) = 84926b6c9eb90824ab98333412b001b18de9342dacb898d195ee8de52868b1945700a8b161de6b603c231460d290e02df6712c1dcb7f034ba45754b38466c8bd -SHA512 (chrony-4.6-tar-gz-asc.txt) = f735c1d52f1474d2af656e55d3a9abfd33b4ed706b983a393c7e3852b766b5179fe4098425ee7f32bb5db4a2e4170e8c5930cf63d20884be6c0eac338a3d26db +SHA512 (chrony-4.6.1.tar.gz) = 646ae08f2587366236796f2399d8ab3eb570979e0d82f5d13f5cec49939054c876cc93dc20c8d38e105fd3500e1720d05a223a15076783cd882d0de43afd9c7e +SHA512 (chrony-4.6.1-tar-gz-asc.txt) = 992b706636bf3a7eb6d502562a4990c9d8e20e5f3011d2cdb2ceb32220e9a1c2bfa6eca767212cee49b811823872602dc33f9e7201a7f9a93cc9c90e81b1db49 SHA512 (clknetsim-64df92.tar.gz) = 3253e6823b66f23f63203aad0ea22c25cf9d1f5af789722662f4d383111cb2c1816cb23d2fa06171a65b102ae82a5371376becb029d7c9b163b0aee710374c02 From efe2d99a073e9515ac7fe6145f33c9247539b432 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 8 Oct 2024 15:42:45 +0200 Subject: [PATCH 67/91] 4.6.1-1 --- chrony.spec | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/chrony.spec b/chrony.spec index 125cc4a..391bff2 100644 --- a/chrony.spec +++ b/chrony.spec @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Oct 08 2024 Miroslav Lichvar 4.6.1-1 +- update to 4.6.1 + * Mon Sep 02 2024 Miroslav Lichvar 4.6-1 - update to 4.6 From 0aae5f7bf1ce7d871adec9ab714299a69b03ad57 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 13:43:18 +0000 Subject: [PATCH 68/91] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 391bff2..3a4449a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.6.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Jan 16 2025 Fedora Release Engineering - 4.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + * Tue Oct 08 2024 Miroslav Lichvar 4.6.1-1 - update to 4.6.1 From 18b59b582787633bac1fe86ec032536c38485d0c Mon Sep 17 00:00:00 2001 From: Ondrej Mejzlik Date: Tue, 1 Oct 2024 12:13:30 +0200 Subject: [PATCH 69/91] Update plans and gating --- gating.yaml | 14 +++++------- plans.fmf | 47 ++++++++++++++++++++++++++++++++++++++++ plans/public.fmf | 6 ----- plans/tier1-internal.fmf | 12 ---------- 4 files changed, 53 insertions(+), 26 deletions(-) create mode 100644 plans.fmf delete mode 100644 plans/public.fmf delete mode 100644 plans/tier1-internal.fmf diff --git a/gating.yaml b/gating.yaml index de5c323..1b16508 100644 --- a/gating.yaml +++ b/gating.yaml 
@@ -4,8 +4,8 @@ product_versions: decision_context: bodhi_update_push_testing subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} - + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} + #Rawhide --- !Policy product_versions: @@ -13,15 +13,13 @@ product_versions: decision_context: bodhi_update_push_stable subject_type: koji_build rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional} - + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} + #gating rhel --- !Policy product_versions: - rhel-* decision_context: osci_compose_gate rules: - - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional} - - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation} - - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional} - - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/public.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional} + - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional} \ No newline at end of file diff --git a/plans.fmf b/plans.fmf new file mode 100644 index 0000000..661c046 --- /dev/null +++ b/plans.fmf 
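Review bot: The `rhel-*` policy drops the `baseos-ci.brew-build.tedude.validation` rule without any replacement, so besides renaming the tier1 plans this hunk silently removes a gate; if retiring that check is intended, the commit message should say so, otherwise keep the rule next to the two `osci.brew-build./plans/tier1-*` entries. The file also now ends without a terminating newline (`\ No newline at end of file`), which YAML linters and every later diff will keep flagging; end the last rule line with a newline.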
@@ -0,0 +1,47 @@ +/tier1-internal: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier1/internal + adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. + +/tier1-public: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier1/public + +/tier2-tier3-internal: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier2-tier3/internal + adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. + +/tier2-tier3-public: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/tier2-tier3/public + +/others-internal: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/others/internal + adjust: + enabled: false + when: distro == centos-stream, fedora + because: They don't have access to internal repos. + +/others-public: + plan: + import: + url: https://src.fedoraproject.org/tests/chrony.git + name: /plans/others/public diff --git a/plans/public.fmf b/plans/public.fmf deleted file mode 100644 index cff1391..0000000 --- a/plans/public.fmf +++ /dev/null @@ -1,6 +0,0 @@ -summary: Test plan with all Fedora tests -discover: - how: fmf - url: https://src.fedoraproject.org/tests/chrony.git -execute: - how: tmt diff --git a/plans/tier1-internal.fmf b/plans/tier1-internal.fmf deleted file mode 100644 index 9714336..0000000 --- a/plans/tier1-internal.fmf +++ /dev/null @@ -1,12 +0,0 @@ -summary: CI plan, picks internal Tier1 tests, runs in beakerlib. -discover: - - name: rhel - how: fmf - filter: 'tier: 1' - url: git://pkgs.devel.redhat.com/tests/chrony -execute: - how: tmt -adjust: - enabled: false - when: distro == centos-stream, fedora - because: They don't have access to internal repos. From 8f77afe47e9dd596174ba2ed6a4914efea889189 Mon Sep 17 00:00:00 2001 
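Review bot: Every `import:` in the new plans.fmf carries only `url:` and `name:`, with no `ref:`, so — if tmt's default applies — the gating tests are whatever the tests repository's default branch holds at run time rather than a reviewed revision. Since the preceding gating.yaml hunk makes `/plans/tier1-public.functional` a release gate, a push to that repository changes what blocks a build here without any change to this package. If tracking the default branch is deliberate, say so once at the top of the file (`# imports intentionally unpinned: the tests repo tracks this package`); otherwise pin each import with `ref: <branch-or-commit>`.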
From: Miroslav Lichvar Date: Wed, 21 May 2025 14:45:46 +0200 Subject: [PATCH 70/91] update to 4.7-pre1 --- .gitignore | 6 +++--- chrony.spec | 9 +++++---- sources | 6 +++--- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index 04fffa0..96c8228 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.6.1.tar.gz -/chrony-4.6.1-tar-gz-asc.txt -/clknetsim-64df92.tar.gz +/chrony-4.7-pre1-tar-gz-asc.txt +/chrony-4.7-pre1.tar.gz +/clknetsim-d60afc.tar.gz diff --git a/chrony.spec b/chrony.spec index 3a4449a..063693c 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 64df92 +%global clknetsim_ver d60afc +%global prerelease -pre1 %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.6.1 +Version: 4.7 Release: 2%{?dist} Summary: An NTP client/server @@ -69,8 +70,8 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - c11159b78b89684eca773db6236a9855 examples/chronyd.service - 46fa3e2d42c8eb9c42e71095686c90ed examples/chronyd-restricted.service + 274a44cd51981d6d4d3a44dfc92c94ab examples/chronyd.service + 5ddbb8a8055f587cb6b0b462ca73ea46 examples/chronyd-restricted.service EOF # don't allow packaging without vendor zone diff --git a/sources b/sources index a3dab97..4931309 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.6.1.tar.gz) = 646ae08f2587366236796f2399d8ab3eb570979e0d82f5d13f5cec49939054c876cc93dc20c8d38e105fd3500e1720d05a223a15076783cd882d0de43afd9c7e -SHA512 (chrony-4.6.1-tar-gz-asc.txt) = 992b706636bf3a7eb6d502562a4990c9d8e20e5f3011d2cdb2ceb32220e9a1c2bfa6eca767212cee49b811823872602dc33f9e7201a7f9a93cc9c90e81b1db49 -SHA512 (clknetsim-64df92.tar.gz) = 3253e6823b66f23f63203aad0ea22c25cf9d1f5af789722662f4d383111cb2c1816cb23d2fa06171a65b102ae82a5371376becb029d7c9b163b0aee710374c02 +SHA512 (chrony-4.7-pre1-tar-gz-asc.txt) = 6180dfede6bc2d11b4b8a9f2708b306faecdf2f6c92552c52c222b8fe09210aa770ec28c9272a1105ea6716e66553e606dbb00077bce061c6faaf65e1ce2bbf9 +SHA512 (chrony-4.7-pre1.tar.gz) = 9f83887d9771a409edd812046a4b1b7e11966d02a99806d48442a52441ee41a7043a75987e29414b04ddb8ff82dedd0b7646135961f6532cc173c52c01c600c1 +SHA512 (clknetsim-d60afc.tar.gz) = 9fff0dc7c089169158926741860c933fa4fc6eda68c100a54ead137b294ec94b0a6fccb0e3f86abfed274b38621e89b49f3e1ad96fd9bed48a79fabcc0d0ba5f From 3b9d8b1213423834a2e59e5831b2ee429216961a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 21 May 2025 14:47:16 +0200 Subject: [PATCH 71/91] 4.7-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 063693c..144ff7c 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.7 -Release: 2%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed May 21 2025 Miroslav Lichvar 4.7-0.1.pre1 +- update to 4.7-pre1 + * Thu Jan 16 2025 Fedora Release Engineering - 4.6.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 5d99ee337f23f4e09fa4f7f669fa007629176ad9 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Thu, 22 May 2025 14:40:19 +0200 Subject: [PATCH 72/91] add workaround for broken build on aarch64 --- chrony.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/chrony.spec b/chrony.spec index 144ff7c..1f023cb 100644 --- a/chrony.spec +++ b/chrony.spec @@ -98,6 +98,10 @@ rm -f getdate.c mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim %build +%ifarch aarch64 +# workaround for bug #2367978 +CFLAGS="$RPM_OPT_FLAGS -fno-inline" +%endif %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ From 969143e1d65cdfd02a88360aed91f0f6adc6c324 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 22 May 2025 14:40:43 +0200 Subject: [PATCH 73/91] 4.7-0.2.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 1f023cb..34ffc37 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.7 -Release: 0.1.pre1%{?dist} +Release: 0.2.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -210,6 +210,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu May 22 2025 Miroslav Lichvar 4.7-0.2.pre1 +- add workaround for broken build on aarch64 + * Wed May 21 2025 Miroslav Lichvar 4.7-0.1.pre1 - update to 4.7-pre1 From d17bcd6d55f045f7ea7924dcd6d4c9b060bbf9e2 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 11 Jun 2025 15:46:31 +0200 Subject: [PATCH 74/91] update to 4.7 --- .gitignore | 6 +++--- chrony.spec | 5 ++--- sources | 6 +++--- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index 96c8228..2414820 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.7-pre1-tar-gz-asc.txt -/chrony-4.7-pre1.tar.gz -/clknetsim-d60afc.tar.gz +/chrony-4.7.tar.gz +/chrony-4.7-tar-gz-asc.txt +/clknetsim-83cf9c.tar.gz diff --git a/chrony.spec b/chrony.spec index 34ffc37..440c600 100644 --- a/chrony.spec +++ b/chrony.spec 
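Review bot: The new `CFLAGS="$RPM_OPT_FLAGS -fno-inline"` takes over the flags %configure would otherwise derive from the distribution defaults, and the only justification recorded is a bug number, so the override has no stated exit condition. State what breaks in the comment, e.g. `# bug #2367978: build breaks on aarch64 with inlining enabled; drop once fixed`, so it can be removed with confidence later. $RPM_OPT_FLAGS is meant to carry the same hardening options as the default set, but a glance at the aarch64 build log to confirm `-D_FORTIFY_SOURCE` and `-fstack-protector-strong` are still passed would verify nothing was lost by replacing the variable.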
@@ -1,6 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver d60afc -%global prerelease -pre1 +%global clknetsim_ver 83cf9c %bcond_without debug %bcond_without nts @@ -66,7 +65,7 @@ service to other computers in the network. # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') 5530d6e60f84b76c27495485d2510bac examples/chrony-wait.service - 826354a2d467d6147e412d43bfe07484 examples/chrony.conf.example2 + 3f2ddca6065c3e8f4565d7422739795a examples/chrony.conf.example2 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline diff --git a/sources b/sources index 4931309..f03173e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.7-pre1-tar-gz-asc.txt) = 6180dfede6bc2d11b4b8a9f2708b306faecdf2f6c92552c52c222b8fe09210aa770ec28c9272a1105ea6716e66553e606dbb00077bce061c6faaf65e1ce2bbf9 -SHA512 (chrony-4.7-pre1.tar.gz) = 9f83887d9771a409edd812046a4b1b7e11966d02a99806d48442a52441ee41a7043a75987e29414b04ddb8ff82dedd0b7646135961f6532cc173c52c01c600c1 -SHA512 (clknetsim-d60afc.tar.gz) = 9fff0dc7c089169158926741860c933fa4fc6eda68c100a54ead137b294ec94b0a6fccb0e3f86abfed274b38621e89b49f3e1ad96fd9bed48a79fabcc0d0ba5f +SHA512 (chrony-4.7.tar.gz) = 419594ab8ff0fd42acaf6e4ca1a011d5cf87c8d90ab040e90bb004b43570888329531593f073fb7c5a1093b5754d61c1ae6034d0b86660e4dc37d42ee0f30623 +SHA512 (chrony-4.7-tar-gz-asc.txt) = c2351e6e624f60e82973bddd5cb1d84c90ee5e862d7d24dfc2b7a8f60a6a948f7446c9b7d68c5e72be4afccbd5d8f572141a4e0bde9cfeefc59aebb7e4fc74e1 +SHA512 (clknetsim-83cf9c.tar.gz) = 2ffef556fc1edc3e19d44773ca550e9ac87889951a0162828238eab7dbd0586b46d16708d6a95a56aae8485acade1db5d16f7463362da00cb1d40cff394364e9 From fcb1dcbf532fec8ef5dbd6d3492125d233863e3b Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Wed, 11 Jun 2025 15:51:50 +0200 Subject: [PATCH 75/91] 4.7-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 440c600..775150a 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 0.2.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -209,6 +209,9 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jun 11 2025 Miroslav Lichvar 4.7-1 +- update to 4.7 + * Thu May 22 2025 Miroslav Lichvar 4.7-0.2.pre1 - add workaround for broken build on aarch64 From 0de03083074a9787d1848551e5c44d0dd9db6814 Mon Sep 17 00:00:00 2001 From: Ondrej Mejzlik Date: Wed, 18 Jun 2025 20:38:17 +0200 Subject: [PATCH 76/91] Testing moves to RH gitlab centos-stream space --- plans.fmf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/plans.fmf b/plans.fmf index 661c046..c28aa6f 100644 --- a/plans.fmf +++ b/plans.fmf @@ -1,7 +1,7 @@ /tier1-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier1/internal adjust: enabled: false @@ -11,13 +11,13 @@ /tier1-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier1/public /tier2-tier3-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier2-tier3/internal adjust: enabled: false 
@@ -27,13 +27,13 @@ /tier2-tier3-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/tier2-tier3/public /others-internal: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/others/internal adjust: enabled: false @@ -43,5 +43,5 @@ /others-public: plan: import: - url: https://src.fedoraproject.org/tests/chrony.git + url: https://gitlab.com/redhat/centos-stream/tests/chrony.git name: /plans/others/public From 70a42e2391e14b3a9294e7f7c3cd162a6c244b1d Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 11:49:16 +0200 Subject: [PATCH 77/91] drop old conflict with NetworkManager --- chrony.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/chrony.spec b/chrony.spec index 775150a..e7467b5 100644 --- a/chrony.spec +++ b/chrony.spec @@ -37,9 +37,6 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2 # Needed by the leapseclist directive in default chrony.conf Requires: tzdata -# Old NetworkManager expects the dispatcher scripts in a different place -Conflicts: NetworkManager < 1.20 - # suggest drivers for hardware reference clocks Suggests: ntp-refclock From 53321f84b8e15e39e3483fcc5f396bc4e4244e42 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 13:22:54 +0200 Subject: [PATCH 78/91] let systemd create /var/lib/chrony and /var/log/chrony (#2372944) Specify the directories in the chronyd unit file, so they don't have to exist before starting the service and rpm doesn't need to create any non-root directories/files. --- chrony-servicedirs.patch | 18 ++++++++++++++++++ chrony.spec | 9 ++++++--- 2 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 chrony-servicedirs.patch diff --git a/chrony-servicedirs.patch b/chrony-servicedirs.patch new file mode 100644 index 0000000..e806dc9 --- /dev/null +++ b/chrony-servicedirs.patch 
@@ -0,0 +1,18 @@ +diff -up chrony-4.7/examples/chronyd.service.servicedirs chrony-4.7/examples/chronyd.service +--- chrony-4.7/examples/chronyd.service.servicedirs 2025-06-11 15:06:19.000000000 +0200 ++++ chrony-4.7/examples/chronyd.service 2025-07-10 12:06:57.354215498 +0200 +@@ -10,7 +10,13 @@ Type=notify + PIDFile=/run/chrony/chronyd.pid + Environment="OPTIONS=" + EnvironmentFile=-/etc/sysconfig/chronyd +-ExecStart=/usr/sbin/chronyd -n $OPTIONS ++ExecStart=!/usr/sbin/chronyd -n $OPTIONS ++ ++User=chrony ++LogsDirectory=chrony ++LogsDirectoryMode=0750 ++StateDirectory=chrony ++StateDirectoryMode=0750 + + CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE + CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE diff --git a/chrony.spec b/chrony.spec index e7467b5..c038549 100644 --- a/chrony.spec +++ b/chrony.spec @@ -25,6 +25,8 @@ Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-% # add distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch +# let systemd create /var/lib/chrony and /var/log/chrony +Patch2: chrony-servicedirs.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -56,6 +58,7 @@ service to other computers in the network. %setup -q -n %{name}-%{version}%{?prerelease} -a 10 %{?gitpatch:%patch -P 0 -p1} %patch -P 1 -p1 -b .nm-dispatcher-dhcp +%patch -P 2 -p1 -b .servicedirs %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -66,7 +69,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline - 274a44cd51981d6d4d3a44dfc92c94ab examples/chronyd.service + 607c82f56639486f52c31105632909eb examples/chronyd.service 5ddbb8a8055f587cb6b0b462ca73ea46 examples/chronyd-restricted.service EOF 
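Review bot: `ExecStart=!` makes systemd start chronyd with root credentials and leaves the switch to the chrony user to the daemon itself (the spec builds it with `--with-user=chrony`), so the added `User=chrony` does not confine chronyd — it only determines who owns the `StateDirectory=`/`LogsDirectory=` trees. A reader who sees `User=chrony` could take the daemon to be started unprivileged, so the unit should say what is going on: `# '!' keeps root for chronyd, which drops to the chrony user itself; User= only sets the owner of the directories below`. The same comment should record that `!` rather than `+` is the right prefix: `!` bypasses only the User=/Group= credential change, while the `CapabilityBoundingSet=` lines in context still apply, which `+` would discard. One side effect to keep in mind: if /var/lib/chrony already exists with a different owner from an earlier install, systemd reassigns ownership of the tree on start — presumably harmless here since the old package also created it as chrony:chrony.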
@@ -200,10 +203,10 @@ fi %{_unitdir}/chrony*.service %{_sysusersdir}/chrony.conf %{_mandir}/man[158]/%{name}*.[158]* -%dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony +%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/rtc -%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony +%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog * Wed Jun 11 2025 Miroslav Lichvar 4.7-1 From 98c501e504b72d90c688982295bfb850f955d74a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 14:02:11 +0200 Subject: [PATCH 79/91] drop workaround for broken build on aarch64 --- chrony.spec | 4 ---- 1 file changed, 4 deletions(-) diff --git a/chrony.spec b/chrony.spec index c038549..6d8a713 100644 --- a/chrony.spec +++ b/chrony.spec @@ -97,10 +97,6 @@ rm -f getdate.c mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim %build -%ifarch aarch64 -# workaround for bug #2367978 -CFLAGS="$RPM_OPT_FLAGS -fno-inline" -%endif %configure \ %{?with_debug: --enable-debug} \ --enable-ntp-signd \ From 58b9f12d345dde8b0eca270f97325b4e1f6df115 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 10 Jul 2025 14:02:56 +0200 Subject: [PATCH 80/91] 4.7-2 --- chrony.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 6d8a713..887c864 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only 
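Review bot: With both directories now `%ghost`, the package no longer creates /var/lib/chrony or /var/log/chrony at install time; they appear only when chronyd.service starts and systemd acts on its `StateDirectory=`/`LogsDirectory=`. Any other way of running chronyd — `chronyd -q` by hand, or the packaged chronyd-restricted.service if it does not carry the same directives (its example checksum is unchanged in the preceding hunk, so its content is not visible here) — would run on a fresh install without a drift or log directory; confirm that unit has them and that chronyd tolerates the missing directory in the manual case. A spec comment beside the `%ghost %dir` lines, `# created by systemd (StateDirectory=/LogsDirectory= in chronyd.service), not by rpm`, would record why the directories are ghosted.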
@@ -205,6 +205,11 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Jul 10 2025 Miroslav Lichvar 4.7-2 +- let systemd create /var/lib/chrony and /var/log/chrony (#2372944) +- drop workaround for broken build on aarch64 +- drop old conflict with NetworkManager + * Wed Jun 11 2025 Miroslav Lichvar 4.7-1 - update to 4.7 From 71344384222ce47b080842ea020f1124d066ef7c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 18:17:48 +0000 Subject: [PATCH 81/91] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 887c864..410ce4b 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 4.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Thu Jul 10 2025 Miroslav Lichvar 4.7-2 - let systemd create /var/lib/chrony and /var/log/chrony (#2372944) - drop workaround for broken build on aarch64 From 1db87bbe8dd549a2b29a496f63b5cb39a2000ac8 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 14 Aug 2025 16:32:02 +0200 Subject: [PATCH 82/91] update to 4.8-pre1 --- .gitignore | 6 +++--- chrony.spec | 5 +++-- sources | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 2414820..bdfdbf2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.7.tar.gz -/chrony-4.7-tar-gz-asc.txt -/clknetsim-83cf9c.tar.gz +/chrony-4.8-pre1-tar-gz-asc.txt +/chrony-4.8-pre1.tar.gz +/clknetsim-a2eb0b258f8b.tar.gz diff --git a/chrony.spec b/chrony.spec index 410ce4b..aa51417 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -1,5 +1,6 @@ %global _hardened_build 1 -%global clknetsim_ver 83cf9c +%global prerelease -pre1 +%global clknetsim_ver a2eb0b258f8b %bcond_without debug %bcond_without nts @@ -8,7 +9,7 @@ %endif Name: chrony -Version: 4.7 +Version: 4.8 Release: 3%{?dist} Summary: An NTP client/server diff --git a/sources b/sources index f03173e..bdf667b 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (chrony-4.7.tar.gz) = 419594ab8ff0fd42acaf6e4ca1a011d5cf87c8d90ab040e90bb004b43570888329531593f073fb7c5a1093b5754d61c1ae6034d0b86660e4dc37d42ee0f30623 -SHA512 (chrony-4.7-tar-gz-asc.txt) = c2351e6e624f60e82973bddd5cb1d84c90ee5e862d7d24dfc2b7a8f60a6a948f7446c9b7d68c5e72be4afccbd5d8f572141a4e0bde9cfeefc59aebb7e4fc74e1 -SHA512 (clknetsim-83cf9c.tar.gz) = 2ffef556fc1edc3e19d44773ca550e9ac87889951a0162828238eab7dbd0586b46d16708d6a95a56aae8485acade1db5d16f7463362da00cb1d40cff394364e9 +SHA512 (chrony-4.8-pre1-tar-gz-asc.txt) = 0daafd987e46d720c42bbe4de13f5a293feabb3e239c9caf90146197b8444504cf45efc2078f431e745fae52e222937f9d48da496b091372fe4301a3f8726983 +SHA512 (chrony-4.8-pre1.tar.gz) = 2e76fd523fbeaa31bcbecbe2a16105e4fa103751753f0d05e2d2fcfaed62dbd4e023b559e97a44b28756b3ae7bc5d0873a787f09eb760da6a00d8184eedc03ad +SHA512 (clknetsim-a2eb0b258f8b.tar.gz) = 88996d4652b73b603caf9387b030c8406e7bc015443bb4b348c4a626882a0b42398dbcefa971fc8ba02dcdc0a79171ea63cadc13c518961b66901fecbee7c8e3 From 283f2dad2f7e8f492a7582b83106c8bec90aa9e0 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 14 Aug 2025 16:33:01 +0200 Subject: [PATCH 83/91] 4.8-0.1.pre1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index aa51417..c5d2aaa 100644 --- a/chrony.spec +++ b/chrony.spec @@ -10,7 +10,7 @@ Name: chrony Version: 4.8 -Release: 3%{?dist} +Release: 0.1.pre1%{?dist} Summary: An NTP client/server License: GPL-2.0-only 
@@ -206,6 +206,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Thu Aug 14 2025 Miroslav Lichvar 4.8-0.1.pre1 +- update to 4.8-pre1 + * Wed Jul 23 2025 Fedora Release Engineering - 4.7-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From b9e07af77919a639d95c7ae1b533c3865f6c1b9e Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 27 Aug 2025 14:47:58 +0200 Subject: [PATCH 84/91] update to 4.8 --- .gitignore | 6 +++--- chrony.spec | 3 +-- sources | 6 +++--- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index bdfdbf2..4d608e1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/chrony-4.8-pre1-tar-gz-asc.txt -/chrony-4.8-pre1.tar.gz -/clknetsim-a2eb0b258f8b.tar.gz +/chrony-4.8-tar-gz-asc.txt +/chrony-4.8.tar.gz +/clknetsim-6ee99f50dec8.tar.gz diff --git a/chrony.spec b/chrony.spec index c5d2aaa..708d57b 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,6 +1,5 @@ %global _hardened_build 1 -%global prerelease -pre1 -%global clknetsim_ver a2eb0b258f8b +%global clknetsim_ver 6ee99f50dec8 %bcond_without debug %bcond_without nts diff --git a/sources b/sources index bdf667b..35a8415 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ -SHA512 (chrony-4.8-pre1-tar-gz-asc.txt) = 0daafd987e46d720c42bbe4de13f5a293feabb3e239c9caf90146197b8444504cf45efc2078f431e745fae52e222937f9d48da496b091372fe4301a3f8726983 -SHA512 (chrony-4.8-pre1.tar.gz) = 2e76fd523fbeaa31bcbecbe2a16105e4fa103751753f0d05e2d2fcfaed62dbd4e023b559e97a44b28756b3ae7bc5d0873a787f09eb760da6a00d8184eedc03ad -SHA512 (clknetsim-a2eb0b258f8b.tar.gz) = 88996d4652b73b603caf9387b030c8406e7bc015443bb4b348c4a626882a0b42398dbcefa971fc8ba02dcdc0a79171ea63cadc13c518961b66901fecbee7c8e3 +SHA512 (chrony-4.8-tar-gz-asc.txt) = df7f4e06f74a4b8c9a49e8fe57ea02e0324c5683d036412c32192a09f08e08f33537609cef8df0b4302bfcd63332b3092f33f40c8d02857c93ecea13822b5b47 +SHA512 (chrony-4.8.tar.gz) = 949b796bb34db32a5c1b9e6b53be6a22e51c59f24a316d585b8a52a52ab1f61bdf0378dc58b282bb0ba4fac1f05e1e99fbe37cb4259aa2b359e7bf679c176aab +SHA512 (clknetsim-6ee99f50dec8.tar.gz) = 2621d1c44b84b42fcdf644f236ff90dab9f8a8407a138c8719c53dd9c4f21480db3b4ba598116aa1b9d6bd1fa02fc410d85a43baf55ddf8ad47fc09aba4c4477 From fbf4abe9539130145f2c6266b609cc388ed8eb42 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 27 Aug 2025 14:48:58 +0200 Subject: [PATCH 85/91] 4.8-1 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 708d57b..afe2248 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 0.1.pre1%{?dist} +Release: 1%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -205,6 +205,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Aug 27 2025 Miroslav Lichvar 4.8-1 +- update to 4.8 + * Thu Aug 14 2025 Miroslav Lichvar 4.8-0.1.pre1 - update to 4.8-pre1 From 95665ab0604acc9eb35e821ae580d6af41236047 Mon Sep 17 00:00:00 2001 
From: Miroslav Lichvar Date: Mon, 8 Sep 2025 10:06:24 +0200 Subject: [PATCH 86/91] drop root privileges in chronyc by default Use the new configure option added in chrony-4.8 to change the default chronyc user to chrony. If chronyc is started under root, it will switch to the chrony user automatically to minimize impact of potential security issues. This shouldn't be visible to the user, but if for some reason the original behavior is required, "-u root" can be added to the chronyc command line. --- chrony.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/chrony.spec b/chrony.spec index afe2248..02fc8a8 100644 --- a/chrony.spec +++ b/chrony.spec @@ -105,6 +105,7 @@ mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim --chronyrundir=/run/chrony \ --docdir=%{_docdir} \ --with-ntp-era=$(date -d '1970-01-01 00:00:00+00:00' +'%s') \ + --with-chronyc-user=chrony \ --with-user=chrony \ --with-hwclockfile=%{_sysconfdir}/adjtime \ --with-pidfile=/run/chrony/chronyd.pid \ From 9c685eb118a6f049a5a253cd9b76daf008a2dd3a Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 8 Sep 2025 10:10:54 +0200 Subject: [PATCH 87/91] 4.8-2 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 02fc8a8..5da1033 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -206,6 +206,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Mon Sep 08 2025 Miroslav Lichvar 4.8-2 +- drop root privileges in chronyc by default + * Wed Aug 27 2025 Miroslav Lichvar 4.8-1 - update to 4.8 From 57f2f4a8c160f18d4a544be5ab0f216771368c1c Mon Sep 17 00:00:00 2001 
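Review bot: `--with-chronyc-user=chrony` is a build-time default with no explanation in the spec, yet it changes what root-run scripts get: chronyc now switches to the chrony user on startup, so anything it must read or write afterwards has to be accessible to that user. Put the reason and the escape hatch next to the option, `# chrony >= 4.8: chronyc started as root drops to this user; scripts that need root pass "-u root"`, so the behaviour is discoverable from the spec and not only from the commit message. The switch presumably requires the chrony account to exist on the host (this package ships a sysusers file for it), so minimal images that carry only chronyc should be checked.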
From: Miroslav Lichvar Date: Tue, 21 Oct 2025 14:26:44 +0200 Subject: [PATCH 88/91] update seccomp filter for new glibc (#2405310) --- chrony-seccomp.patch | 35 +++++++++++++++++++++++++++++++++++ chrony.spec | 3 +++ 2 files changed, 38 insertions(+) create mode 100644 chrony-seccomp.patch diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch new file mode 100644 index 0000000..af9f775 --- /dev/null +++ b/chrony-seccomp.patch @@ -0,0 +1,35 @@ +commit 03875f1ea5c4c0eeeb30a7d1fc5fdd53236f4ac2 +Author: Miroslav Lichvar +Date: Tue Oct 21 14:06:38 2025 +0200 + + sys_linux: allow ioctl(TCGETS2) in seccomp filter + + Add TCGETS2 to the list of allowed ioctls. It seems to be called by the + latest glibc version from isatty(), which is called from libpcsclite + used by gnutls in an NTS-KE session. + + Include the linux termios header instead of glibc header to get a usable + definition of TCGETS2. + +diff --git a/sys_linux.c b/sys_linux.c +index ca5540f2..e20e459d 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -48,7 +48,7 @@ + #ifdef FEAT_SCFILTER + #include + #include +-#include ++#include + #ifdef FEAT_PPS + #include + #endif +@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL }; + + const static unsigned long ioctls[] = { +- FIONREAD, TCGETS, TIOCGWINSZ, ++ FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ, + #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING) + PTP_EXTTS_REQUEST, PTP_SYS_OFFSET, + #ifdef PTP_PIN_SETFUNC diff --git a/chrony.spec b/chrony.spec index 5da1033..78da102 100644 --- a/chrony.spec +++ b/chrony.spec 
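Review bot: The new `TCGETS2` entry in `ioctls[]` is allowed purely by request number (`SCMP_A1(SCMP_CMP_EQ, ...)` in the existing rule loop), which matches the other terminal ioctls, and as a read-only query it widens the filter very little; what is missing is a why-comment, because the trigger is three libraries away (glibc isatty() via libpcsclite via gnutls during NTS-KE) and cannot be reconstructed from the code: `/* TCGETS2: new glibc isatty(), reached via gnutls/libpcsclite in NTS-KE */`. On hosts where the filter is enabled a missed ioctl terminates chronyd at the NTS-KE step rather than degrading it, so an NTS-enabled run with the filter active in the CI plans would catch the next libc change before release. The glibc-to-linux termios header swap in the same hunk is reworked by a later commit in this series and needs no separate comment here.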
@@ -27,6 +27,8 @@ Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-% Patch1: chrony-nm-dispatcher-dhcp.patch # let systemd create /var/lib/chrony and /var/log/chrony Patch2: chrony-servicedirs.patch +# update seccomp filter for new glibc +Patch3: chrony-seccomp.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 @@ -59,6 +61,7 @@ service to other computers in the network. %{?gitpatch:%patch -P 0 -p1} %patch -P 1 -p1 -b .nm-dispatcher-dhcp %patch -P 2 -p1 -b .servicedirs +%patch -P 3 -p1 -b .seccomp %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} From ed7a59c023170d91a880b2bd979b5ac8e494e8d0 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 21 Oct 2025 14:34:19 +0200 Subject: [PATCH 89/91] 4.8-3 --- chrony.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/chrony.spec b/chrony.spec index 78da102..66a86d5 100644 --- a/chrony.spec +++ b/chrony.spec @@ -9,7 +9,7 @@ Name: chrony Version: 4.8 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An NTP client/server License: GPL-2.0-only @@ -209,6 +209,9 @@ fi %ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Oct 21 2025 Miroslav Lichvar 4.8-3 +- update seccomp filter for new glibc (#2405310) + * Mon Sep 08 2025 Miroslav Lichvar 4.8-2 - drop root privileges in chronyc by default From d146c7faa536a1a15e65bcf4270e0f098cb5fdbf Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 22 Oct 2025 14:15:13 +0200 Subject: [PATCH 90/91] fix seccomp fix to build on ppc64 --- chrony-seccomp.patch | 159 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch index af9f775..c8f79ae 100644 --- a/chrony-seccomp.patch +++ b/chrony-seccomp.patch 
@@ -33,3 +33,162 @@ index ca5540f2..e20e459d 100644
  #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
  PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
  #ifdef PTP_PIN_SETFUNC
+commit 3c39afa13c769452d4c340bfc987e229b7c9caeb
+Author: Miroslav Lichvar
+Date: Wed Oct 22 10:53:11 2025 +0200
+
+ sys_linux: fix building with older compilers and some archs
+
+ The recent replacement of with to get
+ TCGETS2 seems to work only with compilers (or C standards) that allow
+ the same structure to be defined multiple times. There is a conflict
+ between and .
+
+ Another problem is that TCGETS2 is not used on some archs like ppc64.
+
+ Switch back to and move TCGETS2 to a list in a separate
+ file where it can be compiled without .
+
+ Fixes: 03875f1ea5c4 ("sys_linux: allow ioctl(TCGETS2) in seccomp filter")
+
+diff --git a/configure b/configure
+index 195b1ed7..ca64475d 100755
+--- a/configure
++++ b/configure
+@@ -808,6 +808,7 @@ then
+ # a time and the async resolver would block the main thread
+ priv_ops="NAME2IPADDRESS RELOADDNS"
+ EXTRA_LIBS="$EXTRA_LIBS -lseccomp"
++ EXTRA_OBJECTS="$EXTRA_OBJECTS sys_linux_scmp.o"
+ fi
+
+ if [ "x$priv_ops" != "x" ]; then
+diff --git a/sys_linux.c b/sys_linux.c
+index e20e459d..89eec950 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -48,7 +48,7 @@
+ #ifdef FEAT_SCFILTER
+ #include
+ #include
+-#include
++#include
+ #ifdef FEAT_PPS
+ #include
+ #endif
+@@ -63,6 +63,7 @@
+ #endif
+
+ #include "sys_linux.h"
++#include "sys_linux_scmp.h"
+ #include "sys_timex.h"
+ #include "conf.h"
+ #include "local.h"
+@@ -615,7 +616,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+ const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL };
+
+ const static unsigned long ioctls[] = {
+- FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ,
++ FIONREAD, TCGETS, TIOCGWINSZ,
+ #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
+ PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
+ #ifdef PTP_PIN_SETFUNC
+@@ -728,6 +729,14 @@
SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+ SCMP_A1(SCMP_CMP_EQ, ioctls[i])) < 0)
+ goto add_failed;
+ }
++
++ /* Allow selected ioctls that need to be specified in a separate
++ file to avoid conflicting headers (e.g. TCGETS2) */
++ for (i = 0; SYS_Linux_GetExtraScmpIoctl(i) != 0; i++) {
++ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
++ SCMP_A1(SCMP_CMP_EQ, SYS_Linux_GetExtraScmpIoctl(i))) < 0)
++ goto add_failed;
++ }
+ }
+
+ if (seccomp_load(ctx) < 0)
+diff --git a/sys_linux_scmp.c b/sys_linux_scmp.c
+new file mode 100644
+index 00000000..a907a97d
+--- /dev/null
++++ b/sys_linux_scmp.c
+@@ -0,0 +1,44 @@
++/*
++ chronyd/chronyc - Programs for keeping computer clocks accurate.
++
++ **********************************************************************
++ * Copyright (C) Miroslav Lichvar 2025
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of version 2 of the GNU General Public License as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++ *
++ **********************************************************************
++
++ =======================================================================
++
++ Lists of values that are needed in seccomp filters but need to
++ be compiled separately from sys_linux.c due to conflicting headers.
++ */
++
++#include
++
++#include "sys_linux_scmp.h"
++
++unsigned long
++SYS_Linux_GetExtraScmpIoctl(int index)
++{
++ const unsigned long ioctls[] = {
++#ifdef TCGETS2
++ /* Conflict between and */
++ TCGETS2,
++#endif
++ 0
++ };
++
++ return ioctls[index];
++}
+diff --git a/sys_linux_scmp.h b/sys_linux_scmp.h
+new file mode 100644
+index 00000000..62a9d548
+--- /dev/null
++++ b/sys_linux_scmp.h
+@@ -0,0 +1,28 @@
++/*
++ chronyd/chronyc - Programs for keeping computer clocks accurate.
++
++ **********************************************************************
++ * Copyright (C) Miroslav Lichvar 2025
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of version 2 of the GNU General Public License as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++ *
++ **********************************************************************
++
++ =======================================================================
++
++ Header file for lists that are needed in seccomp filters but need to
++ be compiled separately from sys_linux.c due to conflicting headers.
++ */
++
++extern unsigned long SYS_Linux_GetExtraScmpIoctl(int index);
From f14345b7112621a85497b2e5e45176f6fa807ec9 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 22 Oct 2025 14:16:17 +0200
Subject: [PATCH 91/91] 4.8-3
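Review bot: `SYS_Linux_GetExtraScmpIoctl` in the new sys_linux_scmp.c returns `ioctls[index]` with no bounds check, so a caller that passes an index past the terminating 0 reads beyond the array; the only caller in this hunk, the `for (i = 0; SYS_Linux_GetExtraScmpIoctl(i) != 0; i++)` loop in sys_linux.c, stops at the sentinel, but the function's contract should not rely on every caller doing so. A guard before the return, `if (index < 0 || (size_t)index >= sizeof ioctls / sizeof ioctls[0]) return 0;`, makes the sentinel the documented out-of-range result, and the table could be `static const` rather than rebuilt on each call. The header comment should also state that a 0 return means end of list and that the filter treats every listed value as an allow rule, since this is the one place the allow-list is extended without the rest of the table in view. The new sys_linux_scmp.h has no include guard; a duplicate extern declaration is harmless, but a guard is the conventional form for a header that will be included alongside others.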