4.8-3

Use the new configure option added in chrony-4.8 to change the default
chronyc user to chrony. If chronyc is started under root, it will switch
to the chrony user automatically to minimize impact of potential
security issues. This shouldn't be visible to the user, but if for some
reason the original behavior is required, "-u root" can be added to the
chronyc command line.

.gitignore

@@ -1,3 +1,3 @@
-/chrony-4.7.tar.gz
-/chrony-4.7-tar-gz-asc.txt
-/clknetsim-83cf9c.tar.gz
+/chrony-4.8-tar-gz-asc.txt
+/chrony-4.8.tar.gz
+/clknetsim-6ee99f50dec8.tar.gz

chrony-defconfig.patch

@@ -1,57 +0,0 @@
-commit 4a8da7e02dc1b882d33cfbb7301d29bdb5ea915f
-Author: Miroslav Lichvar <mlichvar@redhat.com>
-Date:   Wed Jun 11 14:53:47 2025 +0200
-
-    examples: improve chrony.conf examples
-    
-    Add a note that three servers is the generally recommended minimum for
-    an NTP client to be able to detect a falseticker. Mention that the pool
-    directive uses four servers. Update the links to the pool join page and
-    list of public servers.
-
-diff --git a/examples/chrony.conf.example1 b/examples/chrony.conf.example1
-index 5e93ea75..f822813b 100644
---- a/examples/chrony.conf.example1
-+++ b/examples/chrony.conf.example1
-@@ -1,4 +1,4 @@
--# Use public NTP servers from the pool.ntp.org project.
-+# Use four public NTP servers from the pool.ntp.org project.
- pool pool.ntp.org iburst
- 
- # Record the rate at which the system clock gains/losses time.
-diff --git a/examples/chrony.conf.example2 b/examples/chrony.conf.example2
-index 03e7d47b..a257f54c 100644
---- a/examples/chrony.conf.example2
-+++ b/examples/chrony.conf.example2
-@@ -1,5 +1,10 @@
--# Use public servers from the pool.ntp.org project.
--# Please consider joining the pool (https://www.pool.ntp.org/join.html).
-+# Note: The general recommendation for an NTP client is to have at least
-+# three NTP servers to be able to detect one server providing incorrect
-+# time (falseticker).
-+
-+# Use four public NTP servers from the pool.ntp.org project. If this
-+# host has a static public IP address, please consider joining the pool:
-+# https://www.ntppool.org/join.html
- pool pool.ntp.org iburst
- 
- # Record the rate at which the system clock gains/losses time.
-diff --git a/examples/chrony.conf.example3 b/examples/chrony.conf.example3
-index 8d895d04..01eaff1c 100644
---- a/examples/chrony.conf.example3
-+++ b/examples/chrony.conf.example3
-@@ -21,10 +21,12 @@
- #######################################################################
- ### SPECIFY YOUR NTP SERVERS
- # Most computers using chrony will send measurement requests to one or
--# more 'NTP servers'.  You will probably find that your Internet Service
-+# more NTP servers.  The general recommendation is to have at least
-+# three NTP servers to be able to detect one server providing incorrect
-+# time (falseticker).  You will probably find that your Internet Service
- # Provider or company have one or more NTP servers that you can specify.
- # Failing that, there are a lot of public NTP servers.  There is a list
--# you can access at http://support.ntp.org/bin/view/Servers/WebHome or
-+# you can access at https://support.ntp.org/bin/view/Servers/WebHome or
- # you can use servers from the pool.ntp.org project.
- 
- ! server ntp1.example.net iburst

chrony-seccomp.patch

@@ -0,0 +1,194 @@
+commit 03875f1ea5c4c0eeeb30a7d1fc5fdd53236f4ac2
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Date:   Tue Oct 21 14:06:38 2025 +0200
+
+    sys_linux: allow ioctl(TCGETS2) in seccomp filter
+    
+    Add TCGETS2 to the list of allowed ioctls. It seems to be called by the
+    latest glibc version from isatty(), which is called from libpcsclite
+    used by gnutls in an NTS-KE session.
+    
+    Include the linux termios header instead of glibc header to get a usable
+    definition of TCGETS2.
+
+diff --git a/sys_linux.c b/sys_linux.c
+index ca5540f2..e20e459d 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -48,7 +48,7 @@
+ #ifdef FEAT_SCFILTER
+ #include <sys/prctl.h>
+ #include <seccomp.h>
+-#include <termios.h>
++#include <linux/termios.h>
+ #ifdef FEAT_PPS
+ #include <linux/pps.h>
+ #endif
+@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+   const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL };
+ 
+   const static unsigned long ioctls[] = {
+-    FIONREAD, TCGETS, TIOCGWINSZ,
++    FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ,
+ #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
+     PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
+ #ifdef PTP_PIN_SETFUNC
+commit 3c39afa13c769452d4c340bfc987e229b7c9caeb
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Date:   Wed Oct 22 10:53:11 2025 +0200
+
+    sys_linux: fix building with older compilers and some archs
+    
+    The recent replacement of <termios.h> with <linux/termios.h> to get
+    TCGETS2 seems to work only with compilers (or C standards) that allow
+    the same structure to be defined multiple times. There is a conflict
+    between <sys/ioctl.h> and <linux/termios.h>.
+    
+    Another problem is that TCGETS2 is not used on some archs like ppc64.
+    
+    Switch back to <termios.h> and move TCGETS2 to a list in a separate
+    file where it can be compiled without <sys/ioctl.h>.
+    
+    Fixes: 03875f1ea5c4 ("sys_linux: allow ioctl(TCGETS2) in seccomp filter")
+
+diff --git a/configure b/configure
+index 195b1ed7..ca64475d 100755
+--- a/configure
++++ b/configure
+@@ -808,6 +808,7 @@ then
+   # a time and the async resolver would block the main thread
+   priv_ops="NAME2IPADDRESS RELOADDNS"
+   EXTRA_LIBS="$EXTRA_LIBS -lseccomp"
++  EXTRA_OBJECTS="$EXTRA_OBJECTS sys_linux_scmp.o"
+ fi
+ 
+ if [ "x$priv_ops" != "x" ]; then
+diff --git a/sys_linux.c b/sys_linux.c
+index e20e459d..89eec950 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -48,7 +48,7 @@
+ #ifdef FEAT_SCFILTER
+ #include <sys/prctl.h>
+ #include <seccomp.h>
+-#include <linux/termios.h>
++#include <termios.h>
+ #ifdef FEAT_PPS
+ #include <linux/pps.h>
+ #endif
+@@ -63,6 +63,7 @@
+ #endif
+ 
+ #include "sys_linux.h"
++#include "sys_linux_scmp.h"
+ #include "sys_timex.h"
+ #include "conf.h"
+ #include "local.h"
+@@ -615,7 +616,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+   const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL };
+ 
+   const static unsigned long ioctls[] = {
+-    FIONREAD, TCGETS, TCGETS2, TIOCGWINSZ,
++    FIONREAD, TCGETS, TIOCGWINSZ,
+ #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
+     PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
+ #ifdef PTP_PIN_SETFUNC
+@@ -728,6 +729,14 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+                            SCMP_A1(SCMP_CMP_EQ, ioctls[i])) < 0)
+         goto add_failed;
+     }
++
++    /* Allow selected ioctls that need to be specified in a separate
++       file to avoid conflicting headers (e.g. TCGETS2) */
++    for (i = 0; SYS_Linux_GetExtraScmpIoctl(i) != 0; i++) {
++      if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1,
++                           SCMP_A1(SCMP_CMP_EQ, SYS_Linux_GetExtraScmpIoctl(i))) < 0)
++        goto add_failed;
++    }
+   }
+ 
+   if (seccomp_load(ctx) < 0)
+diff --git a/sys_linux_scmp.c b/sys_linux_scmp.c
+new file mode 100644
+index 00000000..a907a97d
+--- /dev/null
++++ b/sys_linux_scmp.c
+@@ -0,0 +1,44 @@
++/*
++  chronyd/chronyc - Programs for keeping computer clocks accurate.
++
++ **********************************************************************
++ * Copyright (C) Miroslav Lichvar  2025
++ * 
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of version 2 of the GNU General Public License as
++ * published by the Free Software Foundation.
++ * 
++ * This program is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ * 
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
++ * 
++ **********************************************************************
++
++  =======================================================================
++
++  Lists of values that are needed in seccomp filters but need to
++  be compiled separately from sys_linux.c due to conflicting headers.
++  */
++
++#include <linux/termios.h>
++
++#include "sys_linux_scmp.h"
++
++unsigned long
++SYS_Linux_GetExtraScmpIoctl(int index)
++{
++  const unsigned long ioctls[] = {
++#ifdef TCGETS2
++    /* Conflict between <linux/termios.h> and <sys/ioctl.h> */
++    TCGETS2,
++#endif
++    0
++  };
++
++  return ioctls[index];
++}
+diff --git a/sys_linux_scmp.h b/sys_linux_scmp.h
+new file mode 100644
+index 00000000..62a9d548
+--- /dev/null
++++ b/sys_linux_scmp.h
+@@ -0,0 +1,28 @@
++/*
++  chronyd/chronyc - Programs for keeping computer clocks accurate.
++
++ **********************************************************************
++ * Copyright (C) Miroslav Lichvar  2025
++ * 
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of version 2 of the GNU General Public License as
++ * published by the Free Software Foundation.
++ * 
++ * This program is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ * 
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
++ * 
++ **********************************************************************
++
++  =======================================================================
++
++  Header file for lists that are needed in seccomp filters but need to
++  be compiled separately from sys_linux.c due to conflicting headers.
++  */
++
++extern unsigned long SYS_Linux_GetExtraScmpIoctl(int index);

chrony-servicedirs.patch

@@ -0,0 +1,18 @@
+diff -up chrony-4.7/examples/chronyd.service.servicedirs chrony-4.7/examples/chronyd.service
+--- chrony-4.7/examples/chronyd.service.servicedirs	2025-06-11 15:06:19.000000000 +0200
++++ chrony-4.7/examples/chronyd.service	2025-07-10 12:06:57.354215498 +0200
+@@ -10,7 +10,13 @@ Type=notify
+ PIDFile=/run/chrony/chronyd.pid
+ Environment="OPTIONS="
+ EnvironmentFile=-/etc/sysconfig/chronyd
+-ExecStart=/usr/sbin/chronyd -n $OPTIONS
++ExecStart=!/usr/sbin/chronyd -n $OPTIONS
++
++User=chrony
++LogsDirectory=chrony
++LogsDirectoryMode=0750
++StateDirectory=chrony
++StateDirectoryMode=0750
+ 
+ CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE

chrony.spec

@@ -1,5 +1,5 @@
 %global _hardened_build 1
-%global clknetsim_ver 83cf9c
+%global clknetsim_ver 6ee99f50dec8
 %bcond_without debug
 %bcond_without nts
 
@@ -8,8 +8,8 @@
 %endif
 
 Name:           chrony
-Version:        4.7
-Release:        1%{?dist}
+Version:        4.8
+Release:        3%{?dist}
 Summary:        An NTP client/server
 
 License:        GPL-2.0-only
@@ -25,8 +25,10 @@ Source10:       https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-%
 
 # add distribution-specific bits to DHCP dispatcher
 Patch1:         chrony-nm-dispatcher-dhcp.patch
-# revert upstream changes in default config
-Patch2:         chrony-defconfig.patch
+# let systemd create /var/lib/chrony and /var/log/chrony
+Patch2:         chrony-servicedirs.patch
+# update seccomp filter for new glibc
+Patch3:         chrony-seccomp.patch
 
 BuildRequires:  libcap-devel libedit-devel nettle-devel pps-tools-devel
 BuildRequires:  gcc gcc-c++ make bison systemd gnupg2
@@ -39,9 +41,6 @@ BuildRequires:  gcc gcc-c++ make bison systemd gnupg2
 # Needed by the leapseclist directive in default chrony.conf
 Requires:       tzdata
 
-# Old NetworkManager expects the dispatcher scripts in a different place
-Conflicts:      NetworkManager < 1.20
-
 # suggest drivers for hardware reference clocks
 Suggests:       ntp-refclock
 
@@ -61,18 +60,19 @@ service to other computers in the network.
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
 %{?gitpatch:%patch -P 0 -p1}
 %patch -P 1 -p1 -b .nm-dispatcher-dhcp
-%patch -P 2 -p1 -R -b .defconfig
+%patch -P 2 -p1 -b .servicedirs
+%patch -P 3 -p1 -b .seccomp
 
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
 
 # review changes in packaged configuration files and scripts
 md5sum -c <<-EOF | (! grep -v 'OK$')
         5530d6e60f84b76c27495485d2510bac  examples/chrony-wait.service
-        826354a2d467d6147e412d43bfe07484  examples/chrony.conf.example2
+        3f2ddca6065c3e8f4565d7422739795a  examples/chrony.conf.example2
         6a3178c4670de7de393d9365e2793740  examples/chrony.logrotate
         c3992e2f985550739cd1cd95f98c9548  examples/chrony.nm-dispatcher.dhcp
         4e85d36595727318535af3387411070c  examples/chrony.nm-dispatcher.onoffline
-        274a44cd51981d6d4d3a44dfc92c94ab  examples/chronyd.service
+        607c82f56639486f52c31105632909eb  examples/chronyd.service
         5ddbb8a8055f587cb6b0b462ca73ea46  examples/chronyd-restricted.service
 EOF
 
@@ -100,10 +100,6 @@ rm -f getdate.c
 mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim
 
 %build
-%ifarch aarch64
-# workaround for bug #2367978
-CFLAGS="$RPM_OPT_FLAGS -fno-inline"
-%endif
 %configure \
 %{?with_debug: --enable-debug} \
         --enable-ntp-signd \
@@ -112,6 +108,7 @@ CFLAGS="$RPM_OPT_FLAGS -fno-inline"
         --chronyrundir=/run/chrony \
         --docdir=%{_docdir} \
         --with-ntp-era=$(date -d '1970-01-01 00:00:00+00:00' +'%s') \
+        --with-chronyc-user=chrony \
         --with-user=chrony \
         --with-hwclockfile=%{_sysconfdir}/adjtime \
         --with-pidfile=/run/chrony/chronyd.pid \
@@ -206,13 +203,33 @@ fi
 %{_unitdir}/chrony*.service
 %{_sysusersdir}/chrony.conf
 %{_mandir}/man[158]/%{name}*.[158]*
-%dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony
+%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony
 %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift
 %ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/rtc
-%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
+%ghost %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
 
 %changelog
-* Wed Jun 11 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-1.fc41
+* Tue Oct 21 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-3
+- update seccomp filter for new glibc (#2405310)
+
+* Mon Sep 08 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-2
+- drop root privileges in chronyc by default
+
+* Wed Aug 27 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-1
+- update to 4.8
+
+* Thu Aug 14 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.8-0.1.pre1
+- update to 4.8-pre1
+
+* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 4.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Thu Jul 10 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-2
+- let systemd create /var/lib/chrony and /var/log/chrony (#2372944)
+- drop workaround for broken build on aarch64
+- drop old conflict with NetworkManager
+
+* Wed Jun 11 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-1
 - update to 4.7
 
 * Thu May 22 2025 Miroslav Lichvar <mlichvar@redhat.com> 4.7-0.2.pre1

plans.fmf

@@ -1,7 +1,7 @@
 /tier1-internal:
   plan:
     import:
-      url: https://src.fedoraproject.org/tests/chrony.git
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
       name: /plans/tier1/internal
   adjust:
     enabled: false
@@ -11,13 +11,13 @@
 /tier1-public:
   plan:
     import:
-      url: https://src.fedoraproject.org/tests/chrony.git
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
       name: /plans/tier1/public
 
 /tier2-tier3-internal:
   plan:
     import:
-      url: https://src.fedoraproject.org/tests/chrony.git
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
       name: /plans/tier2-tier3/internal
   adjust:
     enabled: false
@@ -27,13 +27,13 @@
 /tier2-tier3-public:
   plan:
     import:
-      url: https://src.fedoraproject.org/tests/chrony.git
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
       name: /plans/tier2-tier3/public
 
 /others-internal:
   plan:
     import:
-      url: https://src.fedoraproject.org/tests/chrony.git
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
       name: /plans/others/internal
   adjust:
     enabled: false
@@ -43,5 +43,5 @@
 /others-public:
   plan:
     import:
-      url: https://src.fedoraproject.org/tests/chrony.git
+      url: https://gitlab.com/redhat/centos-stream/tests/chrony.git
       name: /plans/others/public

sources

@@ -1,3 +1,3 @@
-SHA512 (chrony-4.7.tar.gz) = 419594ab8ff0fd42acaf6e4ca1a011d5cf87c8d90ab040e90bb004b43570888329531593f073fb7c5a1093b5754d61c1ae6034d0b86660e4dc37d42ee0f30623
-SHA512 (chrony-4.7-tar-gz-asc.txt) = c2351e6e624f60e82973bddd5cb1d84c90ee5e862d7d24dfc2b7a8f60a6a948f7446c9b7d68c5e72be4afccbd5d8f572141a4e0bde9cfeefc59aebb7e4fc74e1
-SHA512 (clknetsim-83cf9c.tar.gz) = 2ffef556fc1edc3e19d44773ca550e9ac87889951a0162828238eab7dbd0586b46d16708d6a95a56aae8485acade1db5d16f7463362da00cb1d40cff394364e9
+SHA512 (chrony-4.8-tar-gz-asc.txt) = df7f4e06f74a4b8c9a49e8fe57ea02e0324c5683d036412c32192a09f08e08f33537609cef8df0b4302bfcd63332b3092f33f40c8d02857c93ecea13822b5b47
+SHA512 (chrony-4.8.tar.gz) = 949b796bb34db32a5c1b9e6b53be6a22e51c59f24a316d585b8a52a52ab1f61bdf0378dc58b282bb0ba4fac1f05e1e99fbe37cb4259aa2b359e7bf679c176aab
+SHA512 (clknetsim-6ee99f50dec8.tar.gz) = 2621d1c44b84b42fcdf644f236ff90dab9f8a8407a138c8719c53dd9c4f21480db3b4ba598116aa1b9d6bd1fa02fc410d85a43baf55ddf8ad47fc09aba4c4477