authorVincent Blut <vincent.debian@free.fr>2021-06-12 00:36:53 +0200
committerVincent Blut <vincent.debian@free.fr>2021-06-12 00:36:53 +0200
commit27a04385be31fda101cadc951b94a99e1c84c1a0 (patch)
tree44504bc315762edf0c8a9bdd47cd27e4511baeb5
parenta24b00599673e2407cfe8f1532f897d0edfe8e92 (diff)
parent09877d212e538c799d8c55e9fbdbe3774be98136 (diff)
Merge branch 'debian/unstable' into debian/buster-backports
-rw-r--r--debian/changelog12
-rw-r--r--debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch23
-rw-r--r--debian/patches/allow-getuid32-in-seccomp-filter.patch24
-rw-r--r--debian/patches/series2
4 files changed, 61 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 000fdc9..0c26fe7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+chrony (4.0-8) unstable; urgency=medium
+
+ * debian/patches/:
+ - Add allow-BINDTODEVICE-option-in-seccomp-filter.patch to enable support
+ for binding sockets to a device without having to disable the seccomp
+ filter.
+ - Add allow-getuid32-in-seccomp-filter.patch. Upstream found out that
+ getuid32() needed to be allowed in the seccomp filter to enable some NTS
+ operations on i686. This may affect other 32-bits architectures.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 13 May 2021 16:51:41 +0200
+
chrony (4.0-7~bpo10+1) buster-backports; urgency=medium
* Rebuild for buster-backports.
diff --git a/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch b/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch
new file mode 100644
index 0000000..6841494
--- /dev/null
+++ b/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch
@@ -0,0 +1,23 @@
+From b9f5ce83b02e765ad5a65a264e88352528d6b2b3 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 29 Apr 2021 12:35:49 +0200
+Subject: sys_linux: allow BINDTODEVICE option in seccomp filter
+
+Fixes: 4ef944b73436 ("socket: add support for binding sockets to device")
+
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=b9f5ce83b02e765ad5a65a264e88352528d6b2b3
+Last-Update: 2021-05-13
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -619,6 +619,9 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ #ifdef FEAT_IPV6
+ { SOL_IPV6, IPV6_V6ONLY }, { SOL_IPV6, IPV6_RECVPKTINFO },
+ #endif
++#ifdef SO_BINDTODEVICE
++ { SOL_SOCKET, SO_BINDTODEVICE },
++#endif
+ { SOL_SOCKET, SO_BROADCAST }, { SOL_SOCKET, SO_REUSEADDR },
+ #ifdef SO_REUSEPORT
+ { SOL_SOCKET, SO_REUSEPORT },
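Review bot: The DEP-3 `Applied-Upstream:` header on this patch file records only the commit URL, not the upstream release that carries the fix, so nothing tells a future uploader when the patch can be dropped; the usual form is `Applied-Upstream: <version>, https://git.tuxfamily.org/chrony/chrony.git/commit/?id=b9f5ce83b02e765ad5a65a264e88352528d6b2b3` once that release is known. On the code itself the hunk only widens the `setsockopt` option allow-list inside `SYS_Linux_EnableSystemCallFilter` (the table and the function both start and end outside the hunk), so it is worth one run with the seccomp filter enabled and a device-binding directive configured to confirm that no other call on that path is still rejected; the `#ifdef SO_BINDTODEVICE` guard is harmless, since sys_linux.c is Linux-only and the macro is always defined there. Note also that this patch is in quilt-refreshed `Index:` form while the companion getuid32 patch keeps the git `diff --git` header and cgit trailer; both apply, but one format across the two new files would ease review.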
diff --git a/debian/patches/allow-getuid32-in-seccomp-filter.patch b/debian/patches/allow-getuid32-in-seccomp-filter.patch
new file mode 100644
index 0000000..626713e
--- /dev/null
+++ b/debian/patches/allow-getuid32-in-seccomp-filter.patch
@@ -0,0 +1,24 @@
+From 9cdfc15e310887d86c74beb0d6b748572624201c Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 29 Apr 2021 16:53:40 +0200
+Subject: sys_linux: allow getuid32 in seccomp filter
+
+This was triggered on x86 in an NTS test.
+
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=9cdfc15e310887d86c74beb0d6b748572624201c
+Last-Update: 2021-05-13
+diff --git a/sys_linux.c b/sys_linux.c
+index be5d44d..57b4e0f 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -508,6 +508,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+ SCMP_SYS(getpid),
+ SCMP_SYS(getrlimit),
+ SCMP_SYS(getuid),
++ SCMP_SYS(getuid32),
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigreturn),
+ SCMP_SYS(rt_sigprocmask),
+--
+cgit v0.10.2
+
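Review bot: `SCMP_SYS(getuid32)` is the only 32-bit-ABI variant added, while the visible part of the list already allows `getuid`; if the same array (it starts and ends outside this hunk, inside `SYS_Linux_EnableSystemCallFilter`) also allows `geteuid`, `getgid` or `getegid`, their `*32` counterparts will presumably be hit on i386 and armhf for the same reason, so checking those now avoids the next 32-bit NTS failure. On 64-bit builds `SCMP_SYS(getuid32)` resolves to libseccomp's negative pseudo-syscall number; libseccomp is expected to skip such a rule rather than reject it, but if a failed `seccomp_rule_add` aborts filter setup in this function, an amd64 run with the filter enabled is the cheap way to confirm. The patch header says only that the call was "triggered on x86 in an NTS test"; a line naming which library path issues `getuid32` would make it easier to decide later whether the entry is still needed.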
diff --git a/debian/patches/series b/debian/patches/series
index 29ab3ef..32d9a04 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
allow-IP_TOS-socket-option-in-seccomp-filter.patch
nm-dispatcher-dhcp_Move-server_dir-to-run.patch
+allow-BINDTODEVICE-option-in-seccomp-filter.patch
+allow-getuid32-in-seccomp-filter.patch