From ce2389d97fbf0f2d4412aae9818ee763d6f02a98 Mon Sep 17 00:00:00 2001 From: Jamie Anderson Date: Wed, 26 Feb 2020 19:42:21 +0000 Subject: [PATCH] chrony: Update seccomp filter to work with glibc 2.31 This is a series of additive patches taken from upstream. Signed-off-by: Jamie Anderson --- ...ys_linux-add-support-for-TCP-sockets.patch | 40 +++++++++++++++++++ ...inux-allow-F_GETFL-in-seccomp-filter.patch | 23 +++++++++++ ...llow-clock_adjtime-in-seccomp-filter.patch | 26 ++++++++++++ ...ux-allow-renameat2-in-seccomp-filter.patch | 26 ++++++++++++ packages/chrony/chrony.spec | 13 ++++++ 5 files changed, 128 insertions(+) create mode 100644 packages/chrony/0001-sys_linux-add-support-for-TCP-sockets.patch create mode 100644 packages/chrony/0002-sys_linux-allow-F_GETFL-in-seccomp-filter.patch create mode 100644 packages/chrony/0003-sys_linux-allow-clock_adjtime-in-seccomp-filter.patch create mode 100644 packages/chrony/0004-sys_linux-allow-renameat2-in-seccomp-filter.patch diff --git a/packages/chrony/0001-sys_linux-add-support-for-TCP-sockets.patch b/packages/chrony/0001-sys_linux-add-support-for-TCP-sockets.patch new file mode 100644 index 00000000000..26ca8e9dfdd --- /dev/null +++ b/packages/chrony/0001-sys_linux-add-support-for-TCP-sockets.patch @@ -0,0 +1,40 @@ +From 1e3925f7a62765d271cfad4eb371c6e555911746 Mon Sep 17 00:00:00 2001 +From: Jamie Anderson +Date: Wed, 26 Feb 2020 20:29:00 +0000 +Subject: [PATCH] sys_linux: add support for TCP sockets + +This patch was reworked from an upstream patch to only apply changes to +the seccomp filter, to allow later patches to the seccomp filter to +apply cleanly. The upstream patch message is preserved below: + +From 02ada36838e48942dd1ecd0513c3449fcf9135df Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Tue, 6 Aug 2019 18:33:06 +0200 +Subject: socket: add support for TCP sockets + +TCP sockets will be needed for NTS key establishment. +--- + sys_linux.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sys_linux.c b/sys_linux.c +index 898dc7a..1f36696 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -496,9 +496,10 @@ SYS_Linux_EnableSystemCallFilter(int level) + SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), + SCMP_SYS(unlink), SCMP_SYS(unlinkat), + /* Socket */ +- SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt), +- SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg), +- SCMP_SYS(send), SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto), ++ SCMP_SYS(accept), SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), ++ SCMP_SYS(getsockopt), SCMP_SYS(recv), SCMP_SYS(recvfrom), ++ SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg), SCMP_SYS(send), SCMP_SYS(sendmmsg), ++ SCMP_SYS(sendmsg), SCMP_SYS(sendto), SCMP_SYS(shutdown), + /* TODO: check socketcall arguments */ + SCMP_SYS(socketcall), + /* General I/O */ +-- +2.25.0.191.gde93cc14ab + diff --git a/packages/chrony/0002-sys_linux-allow-F_GETFL-in-seccomp-filter.patch b/packages/chrony/0002-sys_linux-allow-F_GETFL-in-seccomp-filter.patch new file mode 100644 index 00000000000..3c8c425ec67 --- /dev/null +++ b/packages/chrony/0002-sys_linux-allow-F_GETFL-in-seccomp-filter.patch @@ -0,0 +1,23 @@ +From 429c4468b0058d9c2e2fffbf6660b0f1581af6af Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Thu, 24 Oct 2019 12:42:02 +0200 +Subject: sys_linux: allow F_GETFL in seccomp filter + +This is needed for fdopen(). + +diff --git a/sys_linux.c b/sys_linux.c +index 1f36696..63eb8f1 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -529,7 +529,7 @@ SYS_Linux_EnableSystemCallFilter(int level) + #endif + }; + +- const static int fcntls[] = { F_GETFD, F_SETFD, F_SETFL }; ++ const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL }; + + const static unsigned long ioctls[] = { + FIONREAD, TCGETS, +-- +cgit v0.10.2 + diff --git a/packages/chrony/0003-sys_linux-allow-clock_adjtime-in-seccomp-filter.patch b/packages/chrony/0003-sys_linux-allow-clock_adjtime-in-seccomp-filter.patch new file mode 100644 index 00000000000..2fa3baca722 --- /dev/null +++ b/packages/chrony/0003-sys_linux-allow-clock_adjtime-in-seccomp-filter.patch @@ -0,0 +1,26 @@ +From 0cf506c92967c84f9ed83ba9e1be946a7fda6425 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Mon, 2 Dec 2019 12:47:13 +0100 +Subject: sys_linux: allow clock_adjtime in seccomp filter + +The adjtimex() function in glibc was switched to the clock_adjtime +system call. + +diff --git a/sys_linux.c b/sys_linux.c +index 63eb8f1..fcf89c2 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -478,8 +478,8 @@ SYS_Linux_EnableSystemCallFilter(int level) + { + const int syscalls[] = { + /* Clock */ +- SCMP_SYS(adjtimex), SCMP_SYS(clock_gettime), SCMP_SYS(gettimeofday), +- SCMP_SYS(settimeofday), SCMP_SYS(time), ++ SCMP_SYS(adjtimex), SCMP_SYS(clock_adjtime), SCMP_SYS(clock_gettime), ++ SCMP_SYS(gettimeofday), SCMP_SYS(settimeofday), SCMP_SYS(time), + /* Process */ + SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid), + SCMP_SYS(getrlimit), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), +-- +cgit v0.10.2 + diff --git a/packages/chrony/0004-sys_linux-allow-renameat2-in-seccomp-filter.patch b/packages/chrony/0004-sys_linux-allow-renameat2-in-seccomp-filter.patch new file mode 100644 index 00000000000..1ab93ec3d52 --- /dev/null +++ b/packages/chrony/0004-sys_linux-allow-renameat2-in-seccomp-filter.patch @@ -0,0 +1,26 @@ +From 994409a03697b8df68115342dc8d1e7ceeeb40bd Mon Sep 17 00:00:00 2001 +From: Vincent Blut +Date: Thu, 16 Jan 2020 17:04:35 +0100 +Subject: sys_linux: allow renameat2 in seccomp filter + +This is needed for architectures that support neither rename() nor +renameat() (e.g. riscv64) + +diff --git a/sys_linux.c b/sys_linux.c +index fcf89c2..d2dc908 100644 +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -493,8 +493,8 @@ SYS_Linux_EnableSystemCallFilter(int level) + SCMP_SYS(chown32), SCMP_SYS(faccessat), SCMP_SYS(fchmodat), SCMP_SYS(fchownat), + SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64), + SCMP_SYS(lseek), SCMP_SYS(newfstatat), SCMP_SYS(rename), SCMP_SYS(renameat), +- SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), +- SCMP_SYS(unlink), SCMP_SYS(unlinkat), ++ SCMP_SYS(renameat2), SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), ++ SCMP_SYS(statfs64), SCMP_SYS(unlink), SCMP_SYS(unlinkat), + /* Socket */ + SCMP_SYS(accept), SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), + SCMP_SYS(getsockopt), SCMP_SYS(recv), SCMP_SYS(recvfrom), +-- +cgit v0.10.2 + diff --git a/packages/chrony/chrony.spec b/packages/chrony/chrony.spec index 921844cbc37..ee3cee135da 100644 --- a/packages/chrony/chrony.spec +++ b/packages/chrony/chrony.spec @@ -16,6 +16,19 @@ BuildRequires: %{_cross_os}readline-devel Requires: %{_cross_os}libcap Requires: %{_cross_os}libseccomp +# Patches taken from upstream + +# Update seccomp filter to work with glibc 2.31 +# Reworked version of +# https://git.tuxfamily.org/chrony/chrony.git/patch/sys_linux.c?id=02ada36838e48942dd1ecd0513c3449fcf9135df +Patch0: 0001-sys_linux-add-support-for-TCP-sockets.patch +# https://git.tuxfamily.org/chrony/chrony.git/patch/sys_linux.c?id=429c4468b0058d9c2e2fffbf6660b0f1581af6af +Patch1: 0002-sys_linux-allow-F_GETFL-in-seccomp-filter.patch +# https://git.tuxfamily.org/chrony/chrony.git/patch/sys_linux.c?id=0cf506c92967c84f9ed83ba9e1be946a7fda6425 +Patch2: 0003-sys_linux-allow-clock_adjtime-in-seccomp-filter.patch +# https://git.tuxfamily.org/chrony/chrony.git/patch/sys_linux.c?id=994409a03697b8df68115342dc8d1e7ceeeb40bd +Patch3: 0004-sys_linux-allow-renameat2-in-seccomp-filter.patch + %description %{summary}.