commit: a2c99543bfd3245724e21089a617f28d828c5548 |
Author: Sam James (sam_c) <sam <AT> cmpct <DOT> info> |
AuthorDate: Sun Mar 15 20:53:29 2020 +0000 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
CommitDate: Mon Mar 30 18:36:44 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2c99543 |
|
net-misc/chrony: Enable seccomp filtering when USE=seccomp |
|
We already have USE=seccomp but chronyd won't do anything unless |
-F is set to 1. We could also set -F -1 which will log any syscalls |
which would've been blocked but won't deny them. |
|
Also fixes systemd for previous commit. |
|
Bug: https://bugs.gentoo.org/711058 |
Signed-off-by: Sam James (sam_c) <sam <AT> cmpct.info> |
Closes: https://github.com/gentoo/gentoo/pull/14973 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
|
net-misc/chrony/chrony-3.5-r3.ebuild | 30 ++++++++++--------- |
...ony-3.5-r3.ebuild => chrony-4.0_pre1-r1.ebuild} | 35 ++++++++++++---------- |
net-misc/chrony/chrony-9999.ebuild | 30 ++++++++++--------- |
.../files/chrony-3.5-r3-systemd-gentoo.patch | 12 ++++++++ |
net-misc/chrony/files/chronyd.conf | 2 +- |
5 files changed, 65 insertions(+), 44 deletions(-) |
|
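diff --git a/net-misc/chrony/chrony-3.5-r3.ebuild b/net-misc/chrony/chrony-3.5-r3.ebuild
index 3f11f8dd951..229f5b27506 100644
--- a/net-misc/chrony/chrony-3.5-r3.ebuild
+++ b/net-misc/chrony/chrony-3.5-r3.ebuild
@@ -12,8 +12,8 @@ SLOT="0"
 
 KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~ppc64 ~sparc ~x86"
 IUSE="
- +adns caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock +rtc
- seccomp selinux
+ +adns +caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock +rtc
+ +seccomp selinux
 "
 REQUIRED_USE="
 ?? ( libedit readline )
@@ -42,7 +42,7 @@ S="${WORKDIR}/${P/_/-}"
 
 PATCHES=(
 "${FILESDIR}"/${PN}-3.5-pool-vendor-gentoo.patch
- "${FILESDIR}"/${PN}-3.5-systemd-gentoo.patch
+ "${FILESDIR}"/${PN}-3.5-r3-systemd-gentoo.patch
 )
 
 src_prepare() {
@@ -52,13 +52,20 @@ src_prepare() {
 doc/* examples/* || die
 
 # Copy for potential user fixup
- cp "${FILESDIR}"/chronyd.conf "$T"/chronyd.conf
+ cp "${FILESDIR}"/chronyd.conf "${T}"/chronyd.conf
+ cp examples/chronyd.service "${T}"/chronyd.service
 
 # Set config for privdrop
 if ! use caps; then
 sed -i \
 -e 's/-u ntp//' \
- "${T}"/chronyd.conf || die
+ "${T}"/chronyd.conf "${T}"/chronyd.service || die
+ fi
+
+ if ! use seccomp; then
+ sed -i \
+ -e 's/-F 1//' \
+ "${T}"/chronyd.conf "${T}"/chronyd.service || die
 fi
 }
 
@@ -135,16 +142,11 @@ src_install() {
 insinto /etc/logrotate.d
 newins "${FILESDIR}"/chrony-2.4-r1.logrotate chrony
 
- systemd_dounit examples/{chronyd,chrony-wait}.service
+ systemd_dounit "${T}"/chronyd.service
+ systemd_dounit examples/chrony-wait.service
 systemd_enable_ntpunit 50-chrony chronyd.service
 }
 
-pkg_preinst() {
- if use caps && has_version net-misc/chrony[-caps]; then
- elog "/run/chronyd needs ntp:ntp permissions; please check."
- elog "The safest option is reboot, but you may chown manually."
- elif ! use caps && has_version net-misc/chrony[caps]; then
- elog "/run/chronyd needs root:root permissions; please check."
- elog "The safest option is reboot, but you may chown manually."
- fi
+pkg_postinst() {
+ tmpfiles_process chronyd.conf
 }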
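Review bot: Defaulting to `+seccomp` and starting chronyd with `-F 1` turns any syscall the filter does not expect into a daemon termination rather than a degraded service, and the new `pkg_postinst` tells the user nothing about that failure mode or the log-only level the commit message itself describes; after `tmpfiles_process chronyd.conf` I would add `elog "chronyd now starts with its seccomp filter enabled (-F 1)."` and `elog "If chronyd is killed by the filter, change the flag to -F -1 (log only) in the installed chronyd.conf or a unit drop-in."`. Separately, in `src_prepare` the `sed -i -e 's/-F 1//' ... || die` only fails when sed itself fails, not when the pattern no longer matches, so a later edit to files/chronyd.conf or to the unit patch would silently leave the flag in place on a USE=-seccomp build (presumably a build without libseccomp, given the `seccomp? ( sys-libs/libseccomp )` dependency); `grep -q -- '-F 1' "${T}"/chronyd.conf "${T}"/chronyd.service && die "seccomp flag not stripped"` after the sed would catch that, and the same check suits the existing `-u ntp` sed. The identical hunks in chrony-4.0_pre1-r1.ebuild and chrony-9999.ebuild share both points.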
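diff --git a/net-misc/chrony/chrony-3.5-r3.ebuild b/net-misc/chrony/chrony-4.0_pre1-r1.ebuild
similarity index 81%
copy from net-misc/chrony/chrony-3.5-r3.ebuild
copy to net-misc/chrony/chrony-4.0_pre1-r1.ebuild
index 3f11f8dd951..af44e004523 100644
--- a/net-misc/chrony/chrony-3.5-r3.ebuild
+++ b/net-misc/chrony/chrony-4.0_pre1-r1.ebuild
@@ -12,16 +12,18 @@ SLOT="0"
 
 KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~ppc64 ~sparc ~x86"
 IUSE="
- +adns caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock +rtc
- seccomp selinux
+ +adns +caps +cmdmon html ipv6 libedit +nettle +ntp +phc pps readline +refclock +rtc
+ +seccomp +sechash selinux
 "
 REQUIRED_USE="
 ?? ( libedit readline )
+ sechash? ( nettle )
 "
 
 CDEPEND="
 caps? ( sys-libs/libcap )
 libedit? ( dev-libs/libedit )
+ nettle? ( dev-libs/nettle )
 readline? ( >=sys-libs/readline-4.1-r4:= )
 seccomp? ( sys-libs/libseccomp )
 "
@@ -42,7 +44,7 @@ S="${WORKDIR}/${P/_/-}"
 
 PATCHES=(
 "${FILESDIR}"/${PN}-3.5-pool-vendor-gentoo.patch
- "${FILESDIR}"/${PN}-3.5-systemd-gentoo.patch
+ "${FILESDIR}"/${PN}-3.5-r3-systemd-gentoo.patch
 )
 
 src_prepare() {
@@ -52,13 +54,20 @@ src_prepare() {
 doc/* examples/* || die
 
 # Copy for potential user fixup
- cp "${FILESDIR}"/chronyd.conf "$T"/chronyd.conf
+ cp "${FILESDIR}"/chronyd.conf "${T}"/chronyd.conf
+ cp examples/chronyd.service "${T}"/chronyd.service
 
 # Set config for privdrop
 if ! use caps; then
 sed -i \
 -e 's/-u ntp//' \
- "${T}"/chronyd.conf || die
+ "${T}"/chronyd.conf "${T}"/chronyd.service || die
+ fi
+
+ if ! use seccomp; then
+ sed -i \
+ -e 's/-F 1//' \
+ "${T}"/chronyd.conf "${T}"/chronyd.service || die
 fi
 }
 
@@ -84,15 +93,16 @@ src_configure() {
 $(usex caps '' --disable-linuxcaps)
 $(usex cmdmon '' --disable-cmdmon)
 $(usex ipv6 '' --disable-ipv6)
+ $(usex nettle '' --without-nettle)
 $(usex ntp '' --disable-ntp)
 $(usex phc '' --disable-phc)
 $(usex pps '' --disable-pps)
 $(usex refclock '' --disable-refclock)
 $(usex rtc '' --disable-rtc)
+ $(usex sechash '' --disable-sechash)
 ${CHRONY_EDITLINE}
 ${EXTRA_ECONF}
 --chronysockdir="${EPREFIX}/run/chrony"
- --disable-sechash
 --docdir="${EPREFIX}/usr/share/doc/${PF}"
 --mandir="${EPREFIX}/usr/share/man"
 --prefix="${EPREFIX}/usr"
@@ -135,16 +145,11 @@ src_install() {
 insinto /etc/logrotate.d
 newins "${FILESDIR}"/chrony-2.4-r1.logrotate chrony
 
- systemd_dounit examples/{chronyd,chrony-wait}.service
+ systemd_dounit "${T}"/chronyd.service
+ systemd_dounit examples/chrony-wait.service
 systemd_enable_ntpunit 50-chrony chronyd.service
 }
 
-pkg_preinst() {
- if use caps && has_version net-misc/chrony[-caps]; then
- elog "/run/chronyd needs ntp:ntp permissions; please check."
- elog "The safest option is reboot, but you may chown manually."
- elif ! use caps && has_version net-misc/chrony[caps]; then
- elog "/run/chronyd needs root:root permissions; please check."
- elog "The safest option is reboot, but you may chown manually."
- fi
+pkg_postinst() {
+ tmpfiles_process chronyd.conf
 }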
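diff --git a/net-misc/chrony/chrony-9999.ebuild b/net-misc/chrony/chrony-9999.ebuild
index 5b03ec4fe42..543cabf61d5 100644
--- a/net-misc/chrony/chrony-9999.ebuild
+++ b/net-misc/chrony/chrony-9999.ebuild
@@ -12,8 +12,8 @@ SLOT="0"
 
 KEYWORDS=""
 IUSE="
- +adns caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock +rtc
- seccomp selinux
+ +adns +caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock +rtc
+ +seccomp selinux
 "
 REQUIRED_USE="
 ?? ( libedit readline )
@@ -40,7 +40,7 @@ S="${WORKDIR}/${P/_/-}"
 
 PATCHES=(
 "${FILESDIR}"/${PN}-3.5-pool-vendor-gentoo.patch
- "${FILESDIR}"/${PN}-3.5-systemd-gentoo.patch
+ "${FILESDIR}"/${PN}-3.5-r3-systemd-gentoo.patch
 )
 
 src_prepare() {
@@ -50,13 +50,20 @@ src_prepare() {
 doc/* examples/* || die
 
 # Copy for potential user fixup
- cp "${FILESDIR}"/chronyd.conf "$T"/chronyd.conf
+ cp "${FILESDIR}"/chronyd.conf "${T}"/chronyd.conf
+ cp examples/chronyd.service "${T}"/chronyd.service
 
 # Set config for privdrop
 if ! use caps; then
 sed -i \
 -e 's/-u ntp//' \
- "${T}"/chronyd.conf || die
+ "${T}"/chronyd.conf "${T}"/chronyd.service || die
+ fi
+
+ if ! use seccomp; then
+ sed -i \
+ -e 's/-F 1//' \
+ "${T}"/chronyd.conf "${T}"/chronyd.service || die
 fi
 }
 
@@ -131,16 +138,11 @@ src_install() {
 insinto /etc/logrotate.d
 newins "${FILESDIR}"/chrony-2.4-r1.logrotate chrony
 
- systemd_dounit examples/{chronyd,chrony-wait}.service
+ systemd_dounit "${T}"/chronyd.service
+ systemd_dounit examples/chrony-wait.service
 systemd_enable_ntpunit 50-chrony chronyd.service
 }
 
-pkg_preinst() {
- if use caps && has_version net-misc/chrony[-caps]; then
- elog "/run/chronyd needs ntp:ntp permissions; please check."
- elog "The safest option is reboot, but you may chown manually."
- elif ! use caps && has_version net-misc/chrony[caps]; then
- elog "/run/chronyd needs root:root permissions; please check."
- elog "The safest option is reboot, but you may chown manually."
- fi
+pkg_postinst() {
+ tmpfiles_process chronyd.conf
 }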
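diff --git a/net-misc/chrony/files/chrony-3.5-r3-systemd-gentoo.patch b/net-misc/chrony/files/chrony-3.5-r3-systemd-gentoo.patch
new file mode 100644
index 00000000000..0ea3c921980
--- /dev/null
+++ b/net-misc/chrony/files/chrony-3.5-r3-systemd-gentoo.patch
@@ -0,0 +1,12 @@
+--- a/examples/chronyd.service
++++ b/examples/chronyd.service
+@@ -8,8 +8,7 @@
+ [Service]
+ Type=forking
+ PIDFile=/run/chrony/chronyd.pid
+-EnvironmentFile=-/etc/sysconfig/chronyd
+-ExecStart=/usr/sbin/chronyd $OPTIONS
++ExecStart=/usr/sbin/chronyd -u ntp -F 1
+ PrivateTmp=yes
+ ProtectHome=yes
+ ProtectSystem=full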
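diff --git a/net-misc/chrony/files/chronyd.conf b/net-misc/chrony/files/chronyd.conf
index c641d985e56..c04f3525f0b 100644
--- a/net-misc/chrony/files/chronyd.conf
+++ b/net-misc/chrony/files/chronyd.conf
@@ -9,4 +9,4 @@ CFGFILE="/etc/chrony/chrony.conf"
 # The combination of "-s -r" allows chronyd to perform long term averaging of
 # the gain or loss rate across system reboots and shutdowns.
 
-ARGS="-u ntp"
+ARGS="-u ntp -F 1"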
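Review bot: `ARGS="-u ntp -F 1"` adds a seccomp flag to a file whose surrounding comments only explain `-s -r`, so an administrator has no hint what the new option does or what to change when chronyd is terminated by its own filter. I would add above the ARGS line: `# The seccomp system call filter (chronyd -F, level 1) is enabled by default; level -1 only logs calls that would have been blocked, and removing the option disables the filter.` Note that the ebuilds' `src_prepare` runs `sed -i -e 's/-F 1//'` (and `'s/-u ntp//'`) over this whole file, unanchored, so any comment added here must not contain the literal `-F 1` or `-u ntp` substring, or the sed expressions should be restricted to the assignment with `/^ARGS=/s/-F 1//`.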