author | Vincent Blut <vincent.debian@free.fr> | 2021-06-12 00:36:53 +0200 |
---|---|---|
committer | Vincent Blut <vincent.debian@free.fr> | 2021-06-12 00:36:53 +0200 |
commit | 27a04385be31fda101cadc951b94a99e1c84c1a0 (patch) | |
tree | 44504bc315762edf0c8a9bdd47cd27e4511baeb5 | |
parent | a24b00599673e2407cfe8f1532f897d0edfe8e92 (diff) | |
parent | 09877d212e538c799d8c55e9fbdbe3774be98136 (diff) |
Merge branch 'debian/unstable' into debian/buster-backports
-rw-r--r-- | debian/changelog | 12 | ||||
-rw-r--r-- | debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch | 23 | ||||
-rw-r--r-- | debian/patches/allow-getuid32-in-seccomp-filter.patch | 24 | ||||
-rw-r--r-- | debian/patches/series | 2 |
4 files changed, 61 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 000fdc9..0c26fe7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+chrony (4.0-8) unstable; urgency=medium
+
+ * debian/patches/:
+ - Add allow-BINDTODEVICE-option-in-seccomp-filter.patch to enable support
+ for binding sockets to a device without having to disable the seccomp
+ filter.
+ - Add allow-getuid32-in-seccomp-filter.patch. Upstream found out that
+ getuid32() needed to be allowed in the seccomp filter to enable some NTS
+ operations on i686. This may affect other 32-bits architectures.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 13 May 2021 16:51:41 +0200
+
 chrony (4.0-7~bpo10+1) buster-backports; urgency=medium
 
 * Rebuild for buster-backports.
diff --git a/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch b/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch
new file mode 100644
index 0000000..6841494
--- /dev/null
+++ b/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch
@@ -0,0 +1,23 @@
+From b9f5ce83b02e765ad5a65a264e88352528d6b2b3 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 29 Apr 2021 12:35:49 +0200
+Subject: sys_linux: allow BINDTODEVICE option in seccomp filter
+
+Fixes: 4ef944b73436 ("socket: add support for binding sockets to device")
+
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=b9f5ce83b02e765ad5a65a264e88352528d6b2b3
+Last-Update: 2021-05-13
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -619,6 +619,9 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ #ifdef FEAT_IPV6
+ { SOL_IPV6, IPV6_V6ONLY }, { SOL_IPV6, IPV6_RECVPKTINFO },
+ #endif
++#ifdef SO_BINDTODEVICE
++ { SOL_SOCKET, SO_BINDTODEVICE },
++#endif
+ { SOL_SOCKET, SO_BROADCAST }, { SOL_SOCKET, SO_REUSEADDR },
+ #ifdef SO_REUSEPORT
+ { SOL_SOCKET, SO_REUSEPORT },
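Review bot: The new `{ SOL_SOCKET, SO_BINDTODEVICE }` entry in allow-BINDTODEVICE-option-in-seccomp-filter.patch widens the setsockopt allowlist without a comment naming the feature that needs it, so a later audit of the filter cannot tell why the option is permitted. As far as the hunk shows, the only guard is the compile-time `#ifdef SO_BINDTODEVICE`, which suggests the option is allowed whether or not device binding is configured at run time; that should be confirmed against the rest of the function. I would add `/* Needed to bind sockets to a device (see 4ef944b73436) */` above the `#ifdef`. The option table and SYS_Linux_EnableSystemCallFilter both start and end outside the hunk, so whether the entry applies to every process context cannot be checked from the lines shown.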
diff --git a/debian/patches/allow-getuid32-in-seccomp-filter.patch b/debian/patches/allow-getuid32-in-seccomp-filter.patch
new file mode 100644
index 0000000..626713e
--- /dev/null
+++ b/debian/patches/allow-getuid32-in-seccomp-filter.patch
@@ -0,0 +1,24 @@
+From 9cdfc15e310887d86c74beb0d6b748572624201c Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 29 Apr 2021 16:53:40 +0200
+Subject: sys_linux: allow getuid32 in seccomp filter
+
+This was triggered on x86 in an NTS test.
+
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=9cdfc15e310887d86c74beb0d6b748572624201c
+Last-Update: 2021-05-13
+diff --git a/sys_linux.c b/sys_linux.c
+index be5d44d..57b4e0f 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -508,6 +508,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+ SCMP_SYS(getpid),
+ SCMP_SYS(getrlimit),
+ SCMP_SYS(getuid),
++ SCMP_SYS(getuid32),
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigreturn),
+ SCMP_SYS(rt_sigprocmask),
+--
+cgit v0.10.2
+
diff --git a/debian/patches/series b/debian/patches/series
index 29ab3ef..32d9a04 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 allow-IP_TOS-socket-option-in-seccomp-filter.patch
 nm-dispatcher-dhcp_Move-server_dir-to-run.patch
+allow-BINDTODEVICE-option-in-seccomp-filter.patch
+allow-getuid32-in-seccomp-filter.patch |
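Review bot: In allow-getuid32-in-seccomp-filter.patch only `getuid` gains its 32-bit counterpart, and the visible lines do not show whether other id-related syscalls in the same list have the same gap. The patch description says the failure was seen on x86 in an NTS test, and the changelog entry notes that other 32-bit architectures may be affected, so the entries outside the hunk should be checked for calls where a 32-bit ABI may issue the `*32` variant instead. A short comment on the new line would record the reason, for example `SCMP_SYS(getuid32), /* issued instead of getuid on 32-bit ABIs (seen on i686) */`. The syscall array continues before and after the hunk, so the rest of the list cannot be confirmed from here.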