diff options
Diffstat (limited to '')
| -rw-r--r-- | debian/patches/allow-_llseek-in-seccomp-filter.patch | 31 | ||||
| -rw-r--r-- | debian/patches/allow-further-syscalls-in-seccomp-filter.patch | 41 | ||||
| -rw-r--r-- | debian/patches/allow-recv-send-in-seccomp-filter.patch | 24 | ||||
| -rw-r--r-- | debian/patches/allow-waitpid-in-seccomp-filter.patch | 22 | ||||
| -rw-r--r-- | debian/patches/create-new-file-when-writing-pidfile.patch | 187 | ||||
| -rw-r--r-- | debian/patches/series | 5 |
6 files changed, 310 insertions, 0 deletions
diff --git a/debian/patches/allow-_llseek-in-seccomp-filter.patch b/debian/patches/allow-_llseek-in-seccomp-filter.patch new file mode 100644 index 0000000..c0745ea --- /dev/null +++ b/debian/patches/allow-_llseek-in-seccomp-filter.patch @@ -0,0 +1,31 @@ +From: Vincent Blut <vincent.debian@free.fr> +Date: Thu, 28 Feb 2019 14:39:13 +0100 +Subject: sys_linux: allow _llseek in seccomp filter + +This is needed on various 32-bit platforms to reposition read/write file +offset on {raw}measurements and statistics log files. + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923137 +Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/02/msg00003.html +Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=e392d1fde94db26b88a0a017850415f1d34266d7 +--- + sys_linux.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -498,10 +498,10 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2), + SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt), + /* Filesystem */ +- SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), SCMP_SYS(chown32), +- SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64), +- SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat), SCMP_SYS(stat64), +- SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink), ++ SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), ++ SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), ++ SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat), ++ SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink), + /* Socket */ + SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt), + SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg), diff --git a/debian/patches/allow-further-syscalls-in-seccomp-filter.patch b/debian/patches/allow-further-syscalls-in-seccomp-filter.patch new file mode 100644 index 0000000..4cea484 --- /dev/null +++ b/debian/patches/allow-further-syscalls-in-seccomp-filter.patch @@ -0,0 +1,41 @@ +From: Vincent Blut <vincent.debian@free.fr> +Date: Fri, 15 Mar 2019 00:03:24 +0100 +Subject: sys_linux: allow further syscalls in seccomp filter + +Adding these syscalls in the seccomp filter whitelist is a prerequisite for +the arm64 architecture. + +Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/03/msg00001.html +Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=2ddd0ae23181f529bf0e8abaecfc9c726d672568 +--- + sys_linux.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -499,9 +499,11 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt), + /* Filesystem */ + SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), +- SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), +- SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat), +- SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink), ++ SCMP_SYS(chown32), SCMP_SYS(faccessat), SCMP_SYS(fchmodat), SCMP_SYS(fchownat), ++ SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64), ++ SCMP_SYS(lseek), SCMP_SYS(newfstatat), SCMP_SYS(rename), SCMP_SYS(renameat), ++ SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), ++ SCMP_SYS(unlink), SCMP_SYS(unlinkat), + /* Socket */ + SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt), + SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg), +@@ -510,8 +512,8 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(socketcall), + /* General I/O */ + SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(pipe), +- SCMP_SYS(poll), SCMP_SYS(read), SCMP_SYS(futex), SCMP_SYS(select), +- SCMP_SYS(set_robust_list), SCMP_SYS(write), ++ SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), SCMP_SYS(read), ++ SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write), + /* Miscellaneous */ + SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname), + }; diff --git a/debian/patches/allow-recv-send-in-seccomp-filter.patch b/debian/patches/allow-recv-send-in-seccomp-filter.patch new file mode 100644 index 0000000..67b8696 --- /dev/null +++ b/debian/patches/allow-recv-send-in-seccomp-filter.patch @@ -0,0 +1,24 @@ +From: Leigh Brown <leigh@solinno.co.uk> +Date: Wed, 13 Mar 2019 17:56:08 +0100 +Subject: [PATCH] sys_linux: allow recv and send in seccomp filter + +The lack of these two system calls has been problematic for the armv5tel +architecture. Other architectures might also be affected. + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924494 +Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/03/msg00000.html +Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=79db0b7eca3ffff1b6c6a86cf1a342a40cc76d2f +--- +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -504,8 +504,8 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink), + /* Socket */ + SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt), +- SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg), +- SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto), ++ SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg), ++ SCMP_SYS(send), SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto), + /* TODO: check socketcall arguments */ + SCMP_SYS(socketcall), + /* General I/O */ diff --git a/debian/patches/allow-waitpid-in-seccomp-filter.patch b/debian/patches/allow-waitpid-in-seccomp-filter.patch new file mode 100644 index 0000000..a4a01b6 --- /dev/null +++ b/debian/patches/allow-waitpid-in-seccomp-filter.patch @@ -0,0 +1,22 @@ +From 2ebba7fbaaf7c86d1840cacb7aa78b62d0166d5a Mon Sep 17 00:00:00 2001 +From: Vincent Blut <vincent.debian@free.fr> +Date: Thu, 28 Feb 2019 16:43:56 +0100 +Subject: sys_linux: allow waitpid in seccomp filter + +Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/02/msg00001.html +Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=2ebba7fbaaf7c86d1840cacb7aa78b62d0166d5a +--- + sys_linux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -493,7 +493,7 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid), + SCMP_SYS(getrlimit), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), + SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn), +- SCMP_SYS(wait4), ++ SCMP_SYS(wait4), SCMP_SYS(waitpid), + /* Memory */ + SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2), + SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt), diff --git a/debian/patches/create-new-file-when-writing-pidfile.patch b/debian/patches/create-new-file-when-writing-pidfile.patch new file mode 100644 index 0000000..96defbf --- /dev/null +++ b/debian/patches/create-new-file-when-writing-pidfile.patch @@ -0,0 +1,187 @@ +From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar <mlichvar@redhat.com> +Date: Thu, 6 Aug 2020 09:31:11 +0200 +Subject: main: create new file when writing pidfile + +When writing the pidfile, open the file with the O_CREAT|O_EXCL flags +to avoid following a symlink and writing the PID to an unexpected file, +when chronyd still has the root privileges. + +The Linux open(2) man page warns about O_EXCL not working as expected on +NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on +a distributed filesystem like NFS is not generally expected, but if +there is a reason to do that, these old kernel and NFS versions are not +considered to be supported for saving files by chronyd. + +This is a minimal backport specific to this issue of the following +commits: +- commit 2fc8edacb810 ("use PATH_MAX") +- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()") +- commit 7a4c396bba8f ("util: add functions for common file operations") +- commit e18903a6b563 ("switch to new util file functions") + +Reported-by: Matthias Gerstner <mgerstner@suse.de> + +--- a/logging.c ++++ b/logging.c +@@ -171,6 +171,7 @@ void LOG_Message(LOG_Severity severity, + system_log = 0; + log_message(1, severity, buf); + } ++ exit(1); + break; + default: + assert(0); +--- a/main.c ++++ b/main.c +@@ -281,13 +281,9 @@ write_pidfile(void) + if (!pidfile[0]) + return; + +- out = fopen(pidfile, "w"); +- if (!out) { +- LOG_FATAL("Could not open %s : %s", pidfile, strerror(errno)); +- } else { +- fprintf(out, "%d\n", (int)getpid()); +- fclose(out); +- } ++ out = UTI_OpenFile(NULL, pidfile, NULL, 'W', 0644); ++ fprintf(out, "%d\n", (int)getpid()); ++ fclose(out); + } + + /* ================================================== */ +--- a/sysincl.h ++++ b/sysincl.h +@@ -37,6 +37,7 @@ + #include <glob.h> + #include <grp.h> + #include <inttypes.h> ++#include <limits.h> + #include <math.h> + #include <netdb.h> + #include <netinet/in.h> +--- a/util.c ++++ b/util.c +@@ -1179,6 +1179,101 @@ UTI_CheckDirPermissions(const char *path + + /* ================================================== */ + ++static int ++join_path(const char *basedir, const char *name, const char *suffix, ++ char *buffer, size_t length, LOG_Severity severity) ++{ ++ const char *sep; ++ ++ if (!basedir) { ++ basedir = ""; ++ sep = ""; ++ } else { ++ sep = "/"; ++ } ++ ++ if (!suffix) ++ suffix = ""; ++ ++ if (snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix) >= length) { ++ LOG(severity, "File path %s%s%s%s too long", basedir, sep, name, suffix); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* ================================================== */ ++ ++FILE * ++UTI_OpenFile(const char *basedir, const char *name, const char *suffix, ++ char mode, mode_t perm) ++{ ++ const char *file_mode; ++ char path[PATH_MAX]; ++ LOG_Severity severity; ++ int fd, flags; ++ FILE *file; ++ ++ severity = mode >= 'A' && mode <= 'Z' ? LOGS_FATAL : LOGS_ERR; ++ ++ if (!join_path(basedir, name, suffix, path, sizeof (path), severity)) ++ return NULL; ++ ++ switch (mode) { ++ case 'r': ++ case 'R': ++ flags = O_RDONLY; ++ file_mode = "r"; ++ if (severity != LOGS_FATAL) ++ severity = LOGS_DEBUG; ++ break; ++ case 'w': ++ case 'W': ++ flags = O_WRONLY | O_CREAT | O_EXCL; ++ file_mode = "w"; ++ break; ++ case 'a': ++ case 'A': ++ flags = O_WRONLY | O_CREAT | O_APPEND; ++ file_mode = "a"; ++ break; ++ default: ++ assert(0); ++ return NULL; ++ } ++ ++try_again: ++ fd = open(path, flags, perm); ++ if (fd < 0) { ++ if (errno == EEXIST) { ++ if (unlink(path) < 0) { ++ LOG(severity, "Could not remove %s : %s", path, strerror(errno)); ++ return NULL; ++ } ++ DEBUG_LOG("Removed %s", path); ++ goto try_again; ++ } ++ LOG(severity, "Could not open %s : %s", path, strerror(errno)); ++ return NULL; ++ } ++ ++ UTI_FdSetCloexec(fd); ++ ++ file = fdopen(fd, file_mode); ++ if (!file) { ++ LOG(severity, "Could not open %s : %s", path, strerror(errno)); ++ close(fd); ++ return NULL; ++ } ++ ++ DEBUG_LOG("Opened %s fd=%d mode=%c", path, fd, mode); ++ ++ return file; ++} ++ ++/* ================================================== */ ++ + void + UTI_DropRoot(uid_t uid, gid_t gid) + { +--- a/util.h ++++ b/util.h +@@ -176,6 +176,17 @@ extern int UTI_CreateDirAndParents(const + permissions and its uid/gid must match the specified values. */ + extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); + ++/* Open a file. The full path of the file is constructed from the basedir ++ (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). ++ Created files have specified permissions (umasked). Returns NULL on error. ++ The following modes are supported (if the mode is an uppercase character, ++ errors are fatal): ++ r/R - open an existing file for reading ++ w/W - open a new file for writing (remove existing file) ++ a/A - open an existing file for appending (create if does not exist) */ ++extern FILE *UTI_OpenFile(const char *basedir, const char *name, const char *suffix, ++ char mode, mode_t perm); ++ + /* Set process user/group IDs and drop supplementary groups */ + extern void UTI_DropRoot(uid_t uid, gid_t gid); + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..ada08f7 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,5 @@ +allow-_llseek-in-seccomp-filter.patch +allow-waitpid-in-seccomp-filter.patch +allow-recv-send-in-seccomp-filter.patch +allow-further-syscalls-in-seccomp-filter.patch +create-new-file-when-writing-pidfile.patch |