chrony: fix build break from libseccomp 2.4.2

03be1adb bumped libseccomp to 2.4.2, which has this note in the
changelog:

    "Stop defining __NR_x values for syscalls that don't exist,
     libseccomp now uses __SNR_x internally"

This change means that invalid syscalls for Linux that aren't defined in
glibc will no longer work. In this unlucky case, 'chrony' was trying to
reference the syscall number for 'ppoll', which doesn't exist. Fixing
this is easy with a simple patch.

This also includes another patch from upstream, which allows
clock_adjtime in the seccomp filter list. This is a robustness measure
for future glibc versions that use clock_adjtime inside adjtimex().

Signed-off-by: Austin Seipp <aseipp@pobox.com>
Austin Seipp 2019-12-05 18:34:17 -06:00
parent c3e22dd546
commit 5d8bd748f3
GPG Key ID: 25D2038DEB08021D
3 changed files with 44 additions and 0 deletions
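To show the pattern both patches are working around, here is an added example (my own code, not chrony's, libseccomp's or the nixpkgs change): a syscall allow-list whose optional entries are wrapped in `#ifdef` so that a syscall number the headers do not define (absent from the ABI, or, as with libseccomp 2.4.2, no longer supplied by the library) is skipped at build time instead of breaking compilation or having to be deleted from the list for every platform. It uses plain `__NR_*` numbers from `<sys/syscall.h>` in place of `SCMP_SYS()`, the helper names are hypothetical, and the list is a short subset of the one in sys_linux.c.

```c
/* Added example, not chrony or libseccomp code: a build-tolerant syscall
 * allow-list plus the membership check a filter performs.  __NR_* comes
 * from <sys/syscall.h> (Linux); it stands in for libseccomp's SCMP_SYS(). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>

struct sc_entry { const char *name; long nr; };

/* Each entry records its name (for auditing) and its number (for matching). */
#define ENTRY(n) { #n, __NR_##n }

/* Entries that some ABIs or header sets do not define are wrapped in #ifdef,
 * so the preprocessor drops them instead of the compiler failing on an
 * undefined __NR_ macro.  Unconditional entries exist on every Linux ABI. */
static const struct sc_entry allowlist[] = {
    /* Clock */
    ENTRY(adjtimex), ENTRY(clock_gettime), ENTRY(settimeofday),
#ifdef __NR_clock_adjtime
    ENTRY(clock_adjtime),          /* what newer glibc uses for adjtimex() */
#endif
#ifdef __NR_gettimeofday
    ENTRY(gettimeofday),
#endif
#ifdef __NR_time                   /* legacy entry point, absent on newer ABIs */
    ENTRY(time),
#endif
    /* General I/O */
    ENTRY(read), ENTRY(write), ENTRY(close), ENTRY(openat), ENTRY(pselect6),
#ifdef __NR_open                   /* newer ABIs only have openat */
    ENTRY(open),
#endif
#ifdef __NR_poll                   /* newer ABIs only have ppoll */
    ENTRY(poll),
#endif
#ifdef __NR_ppoll
    ENTRY(ppoll),
#endif
#ifdef __NR_select                 /* newer ABIs only have pselect6 */
    ENTRY(select),
#endif
    /* Process */
    ENTRY(exit), ENTRY(exit_group), ENTRY(getpid),
};

size_t allowlist_len(void) { return sizeof allowlist / sizeof allowlist[0]; }

/* The decision a seccomp filter makes: is this syscall number permitted? */
int allowlist_contains(long nr) {
    for (size_t i = 0; i < allowlist_len(); i++)
        if (allowlist[i].nr == nr) return 1;
    return 0;
}

/* Audit helper: did a named entry survive the preprocessor on this build? */
int allowlist_has(const char *name) {
    for (size_t i = 0; i < allowlist_len(); i++)
        if (strcmp(allowlist[i].name, name) == 0) return 1;
    return 0;
}

/* Print which optional entries this build actually carries, so a reviewer
 * can see whether e.g. ppoll made it into the filter on this platform. */
int main(void) {
    const char *optional[] = { "clock_adjtime", "gettimeofday", "time",
                               "open", "poll", "ppoll", "select" };
    for (size_t i = 0; i < sizeof optional / sizeof optional[0]; i++)
        printf("%-14s %s\n", optional[i],
               allowlist_has(optional[i]) ? "in filter"
                                          : "skipped (no __NR_ on this ABI)");
    return 0;
}
```

Build with `cc -Wall -o allowlist allowlist.c` and run it. On x86_64 every optional entry reports "in filter"; on an arm64 build, whose ABI has no poll, open, select or time entries, those are skipped while ppoll stays, which is why a filter that drops ppoll unconditionally loses coverage there even though it still compiles.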


@ -0,0 +1,26 @@
From 0cf506c92967c84f9ed83ba9e1be946a7fda6425 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Mon, 2 Dec 2019 12:47:13 +0100
Subject: sys_linux: allow clock_adjtime in seccomp filter
The adjtimex() function in glibc was switched to the clock_adjtime
system call.
diff --git a/sys_linux.c b/sys_linux.c
index 63eb8f1..fcf89c2 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -478,8 +478,8 @@ SYS_Linux_EnableSystemCallFilter(int level)
{
const int syscalls[] = {
/* Clock */
- SCMP_SYS(adjtimex), SCMP_SYS(clock_gettime), SCMP_SYS(gettimeofday),
- SCMP_SYS(settimeofday), SCMP_SYS(time),
+ SCMP_SYS(adjtimex), SCMP_SYS(clock_adjtime), SCMP_SYS(clock_gettime),
+ SCMP_SYS(gettimeofday), SCMP_SYS(settimeofday), SCMP_SYS(time),
/* Process */
SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid),
SCMP_SYS(getrlimit), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),
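Review bot: the new SCMP_SYS(clock_adjtime) entry is unconditional like the rest of the list, so once glibc routes adjtimex() through it the filter permits clock_adjtime for any clock id, which is a wider surface than the adjtimex() call it stands in for; if the filter uses argument matching elsewhere (not visible in this hunk), consider restricting the first argument to CLOCK_REALTIME, otherwise the widening is worth a sentence in the patch description. Keeping SCMP_SYS(adjtimex) beside it is correct, since older glibc still issues that syscall directly. The upstream subject says glibc "was switched" to clock_adjtime while the commit message above calls this a measure for future glibc versions; aligning the two avoids confusion about whether the change is already needed.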
--
cgit v0.10.2


@ -12,6 +12,11 @@ stdenv.mkDerivation rec {
sha256 = "1d9r2dhslll4kzdmxrj0qfgwq1b30d4l3s5cwr8yr93029dpj0jf";
};
patches = [
./allow-clock_adjtime.patch
./fix-seccomp-build.patch
];
postPatch = ''
patchShebangs test
'';
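Review bot: `./allow-clock_adjtime.patch` is a verbatim upstream commit (it carries the upstream hash 0cf506c92967c84f9ed83ba9e1be946a7fda6425 and a cgit footer), so fetching it with fetchpatch by that commit id, pinned with a sha256, would record its origin and make it obvious when a future chrony release already contains it; a vendored copy has to be remembered by hand. `./fix-seccomp-build.patch`, by contrast, has no upstream reference or description at all, so a comment next to it in `patches` naming the libseccomp 2.4.2 breakage it works around would help whoever next bumps chrony or libseccomp.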


@ -0,0 +1,13 @@
diff --git a/sys_linux.c b/sys_linux.c
index 898dc7a7f75..fcd334ecf03 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -503,7 +503,7 @@ SYS_Linux_EnableSystemCallFilter(int level)
SCMP_SYS(socketcall),
/* General I/O */
SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(pipe),
- SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), SCMP_SYS(read),
+ SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(pselect6), SCMP_SYS(read),
SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write),
/* Miscellaneous */
SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname),
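Review bot: dropping SCMP_SYS(ppoll) changes what the filter permits at runtime, not only what compiles: upstream lists ppoll beside poll and pselect6 as an expected I/O call, and any ppoll that chronyd or its libc does issue will now be rejected by the filter instead of allowed. Since the stated problem is that the macro behind SCMP_SYS(ppoll) is undefined with libseccomp 2.4.2, a conditional entry keeps the original coverage wherever that macro is defined, e.g. `#ifdef __SNR_ppoll` / `SCMP_SYS(ppoll),` / `#endif` (libseccomp 2.4.2 resolves SCMP_SYS(x) to __SNR_x per the changelog quoted above; a guard on __NR_ppoll would be the equivalent for releases that still resolve it to __NR_x). The patch also lacks a description header, unlike the upstream one; a line naming the libseccomp version it works around would tell the next maintainer when it can be dropped.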