Diffstat (limited to 'debian/patches')
6 files changed, 135 insertions, 0 deletions
diff --git a/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch b/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch
new file mode 100644
index 0000000..6841494
--- /dev/null
+++ b/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch
@@ -0,0 +1,23 @@
+From b9f5ce83b02e765ad5a65a264e88352528d6b2b3 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 29 Apr 2021 12:35:49 +0200
+Subject: sys_linux: allow BINDTODEVICE option in seccomp filter
+
+Fixes: 4ef944b73436 ("socket: add support for binding sockets to device")
+
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=b9f5ce83b02e765ad5a65a264e88352528d6b2b3
+Last-Update: 2021-05-13
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -619,6 +619,9 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ #ifdef FEAT_IPV6
+ { SOL_IPV6, IPV6_V6ONLY }, { SOL_IPV6, IPV6_RECVPKTINFO },
+ #endif
++#ifdef SO_BINDTODEVICE
++ { SOL_SOCKET, SO_BINDTODEVICE },
++#endif
+ { SOL_SOCKET, SO_BROADCAST }, { SOL_SOCKET, SO_REUSEADDR },
+ #ifdef SO_REUSEPORT
+ { SOL_SOCKET, SO_REUSEPORT },
diff --git a/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch b/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch
new file mode 100644
index 0000000..3793048
--- /dev/null
+++ b/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch
@@ -0,0 +1,33 @@
+From 966e6fd939df724235a93e7a89dd7cf67178f99d Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <forst@forstwoof.ru>
+Date: Sun, 4 Apr 2021 15:12:17 +0200
+Subject: sys_linux: allow setsockopt(SOL_IP, IP_TOS) in seccomp
+
+This system call is required by the DSCP marking feature introduced in commit
+6a5665ca5877 ("conf: add dscp directive").
+
+Before this change, enabling seccomp filtering (chronyd -F 1) and specifying a
+custom DSCP value in the configuration (for example "dscp 46") caused the
+process to be killed by seccomp due to IP_TOS not being allowed by the filter.
+
+Tested before and after the change on Ubuntu 21.04, kernel 5.11.0-13-generic.
+IP_TOS is available since Linux 1.0, so I didn't add any ifdefs for it.
+
+Signed-off-by: Foster Snowhill <forst@forstwoof.ru>
+
+Bug: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2021/04/msg00000.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=966e6fd939df724235a93e7a89dd7cf67178f99d
+Last-Update: 2021-04-08
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ };
+
+ const static int socket_options[][2] = {
+- { SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND },
++ { SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND }, { SOL_IP, IP_TOS },
+ #ifdef FEAT_IPV6
+ { SOL_IPV6, IPV6_V6ONLY }, { SOL_IPV6, IPV6_RECVPKTINFO },
+ #endif
diff --git a/debian/patches/allow-getuid32-in-seccomp-filter.patch b/debian/patches/allow-getuid32-in-seccomp-filter.patch
new file mode 100644
index 0000000..626713e
--- /dev/null
+++ b/debian/patches/allow-getuid32-in-seccomp-filter.patch
@@ -0,0 +1,24 @@
+From 9cdfc15e310887d86c74beb0d6b748572624201c Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 29 Apr 2021 16:53:40 +0200
+Subject: sys_linux: allow getuid32 in seccomp filter
+
+This was triggered on x86 in an NTS test.
+
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=9cdfc15e310887d86c74beb0d6b748572624201c
+Last-Update: 2021-05-13
+diff --git a/sys_linux.c b/sys_linux.c
+index be5d44d..57b4e0f 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -508,6 +508,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+ SCMP_SYS(getpid),
+ SCMP_SYS(getrlimit),
+ SCMP_SYS(getuid),
++ SCMP_SYS(getuid32),
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigreturn),
+ SCMP_SYS(rt_sigprocmask),
+--
+cgit v0.10.2
+
diff --git a/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch b/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
new file mode 100644
index 0000000..3bd9acd
--- /dev/null
+++ b/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
@@ -0,0 +1,33 @@
+From 29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Wed, 6 Oct 2021 10:02:34 +0200
+Subject: sys_linux: fix seccomp filter for BINDTODEVICE option
+
+The BINDTODEVICE socket option is the first option in the seccomp filter
+setting a string instead of int. Remove the length check from the
+setsockopt rules to allow a device name longer than 3 characters.
+
+This was reported in Debian bug #995207.
+
+Fixes: b9f5ce83b02e ("sys_linux: allow BINDTODEVICE option in seccomp filter")
+
+Origin: upstream, https://git.tuxfamily.org/chrony/chrony.git/commit/?id=29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995207
+
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -694,10 +694,9 @@ SYS_Linux_EnableSystemCallFilter(int lev
+
+ /* Allow selected socket options */
+ for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) {
+- if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3,
++ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
+ SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
+- SCMP_A2(SCMP_CMP_EQ, socket_options[i][1]),
+- SCMP_A4(SCMP_CMP_LE, sizeof (int))) < 0)
++ SCMP_A2(SCMP_CMP_EQ, socket_options[i][1])))
+ goto add_failed;
+ }
+
diff --git a/debian/patches/nm-dispatcher-dhcp_Move-server_dir-to-run.patch b/debian/patches/nm-dispatcher-dhcp_Move-server_dir-to-run.patch
new file mode 100644
index 0000000..29b37c5
--- /dev/null
+++ b/debian/patches/nm-dispatcher-dhcp_Move-server_dir-to-run.patch
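Review bot: The new `seccomp_rule_add(..., 2, ...)` rule drops the `SCMP_A4(SCMP_CMP_LE, sizeof (int))` optlen bound for every entry of `socket_options`, not only for `SO_BINDTODEVICE`, so the int-valued options in the list (IP_TOS, IP_PKTINFO, SO_REUSEADDR and the rest) lose a check the filter previously enforced. Taking the upstream fix verbatim is defensible for a Debian backport, but a tighter filter would keep the length bound and raise it only for the one string-valued option, using `IFNAMSIZ` (from `<net/if.h>`) as its limit — sketched below. Separately, as rendered here the replacement line ends `socket_options[i][1])))` with no `< 0` before `goto add_failed`; if that is the literal content of the patch file rather than an extraction artifact it still behaves the same, because `seccomp_rule_add` returns 0 or a negative value, but it is inconsistent with the other rule additions and worth confirming against the upstream commit named in the `Origin:` line. The enclosing `SYS_Linux_EnableSystemCallFilter` starts and ends outside the hunk.
```c
  /* Allow selected socket options */
  for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) {
    /* Every listed option takes an int except SO_BINDTODEVICE, which takes
       an interface name; bound optlen per option instead of dropping the check */
    size_t max_optlen = sizeof (int);
#ifdef SO_BINDTODEVICE
    if (socket_options[i][0] == SOL_SOCKET && socket_options[i][1] == SO_BINDTODEVICE)
      max_optlen = IFNAMSIZ;
#endif
    if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3,
                         SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
                         SCMP_A2(SCMP_CMP_EQ, socket_options[i][1]),
                         SCMP_A4(SCMP_CMP_LE, max_optlen)) < 0)
      goto add_failed;
  }
```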
@@ -0,0 +1,17 @@
+Description: Move server_dir path to /run
+Author: Vincent Blut <vincent.debian@free.fr>
+Forwarded: no
+Last-Update: 2020-09-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/examples/chrony.nm-dispatcher.dhcp
++++ b/examples/chrony.nm-dispatcher.dhcp
+@@ -11,7 +11,7 @@ action=$2
+
+ chronyc=/usr/bin/chronyc
+ default_server_options=iburst
+-server_dir=/var/run/chrony-dhcp
++server_dir=/run/chrony-dhcp
+
+ dhcp_server_file=$server_dir/$interface.sources
+ # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4037174
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,5 @@
+allow-IP_TOS-socket-option-in-seccomp-filter.patch
+nm-dispatcher-dhcp_Move-server_dir-to-run.patch
+allow-BINDTODEVICE-option-in-seccomp-filter.patch
+allow-getuid32-in-seccomp-filter.patch
+fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
|