Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package chrony

Removal of “cached PID/TID in clone” from glibc 2.24-10 exposed a
regression in chrony when running it with the system call filter
enabled. That’s due to getpid(2) not being allowed in the seccomp
filter.

Chrony 3.0-4 fixes this and thus closes #861258¹ (severity important.)

unblock chrony/3.0-4

Cheers,
Vincent

¹https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861258

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for chrony-3.0 chrony-3.0 changelog | 8 ++++++++ patches/allow_getpid_in_seccomp_filter.patch | 23 +++++++++++++++++++++++ patches/series | 1 + 3 files changed, 32 insertions(+) diff -Nru chrony-3.0/debian/changelog chrony-3.0/debian/changelog --- chrony-3.0/debian/changelog 2017-02-07 00:37:24.000000000 +0100 +++ chrony-3.0/debian/changelog 2017-04-26 17:39:44.000000000 +0200 @@ -1,3 +1,11 @@ +chrony (3.0-4) unstable; urgency=medium + + * debian/patches/*: + - Backport commit 768bce799bfe to make chrony operable with the syscall + filtering feature enabled in level 1. (Closes: #861258) + + -- Vincent Blut <vincent.deb...@free.fr> Wed, 26 Apr 2017 17:39:44 +0200 + chrony (3.0-3) unstable; urgency=medium * debian/patches/*: diff -Nru chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch --- chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch 1970-01-01 01:00:00.000000000 +0100 +++ chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch 2017-04-26 17:39:44.000000000 +0200 
@@ -0,0 +1,23 @@ +Description: Allow getpid in seccomp filter +Author: Miroslav Lichvar <mlich...@redhat.com> +Origin: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=768bce799bfe009e7dbaad5742738f7d05280d6d +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861258 +Applied-Upstream: 3.1-10-g768bce7 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -465,9 +465,10 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(adjtimex), SCMP_SYS(clock_gettime), SCMP_SYS(gettimeofday), + SCMP_SYS(settimeofday), SCMP_SYS(time), + /* Process */ +- SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getrlimit), +- SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask), +- SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn), SCMP_SYS(wait4), ++ SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid), ++ SCMP_SYS(getrlimit),SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), ++ SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn), ++ SCMP_SYS(wait4), + /* Memory */ + SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2), + SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt), diff -Nru chrony-3.0/debian/patches/series chrony-3.0/debian/patches/series --- chrony-3.0/debian/patches/series 2017-02-06 20:03:25.000000000 +0100 +++ chrony-3.0/debian/patches/series 2017-04-26 17:39:44.000000000 +0200 @@ -1 +1,2 @@ +allow_getpid_in_seccomp_filter.patch fix_time_smoothing_in_interleaved_mode.patch
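Review bot: The debian/changelog entry identifies the fix only by the abbreviated commit 768bce799bfe under a generic "debian/patches/*:" heading, so a reader cannot tell from the changelog which syscall was added or which patch file carries it. Consider naming allow_getpid_in_seccomp_filter.patch and getpid in the entry, so that the changelog can be searched for the filter change without opening the upstream repository.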
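Review bot: In the "/* Process */" list of the sys_linux.c hunk only getpid is added, while the report attributes the regression to glibc dropping the cached PID/TID, and gettid does not appear in the Process group shown here. It is worth confirming, by running chronyd with the filter at level 1 against glibc 2.24-10, that no TID-related call needs the same treatment. As a minor style point, "SCMP_SYS(getrlimit),SCMP_SYS(rt_sigaction)" is missing the space after the comma that the other entries have; since this is a verbatim backport, that is better fixed upstream than in the Debian patch.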
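Review bot: In debian/patches/series the new allow_getpid_in_seccomp_filter.patch is inserted above fix_time_smoothing_in_interleaved_mode.patch, so the existing patch is now applied on top of a modified tree. Unless the ordering is deliberate, appending the new entry at the end keeps the context of the already-shipped patch unchanged and makes the series read in chronological order.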
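The failure mode described in the report, as an added example that is not part of the original message or of chrony's code: a child process installs a seccomp allowlist whose default action is to kill, then issues a real getpid system call, which is what getpid(2) became once glibc stopped caching the PID. The function name run_filtered_child, the two-entry allowlist and the use of raw seccomp-BPF instead of libseccomp are assumptions made for this illustration.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: fork a child, confine it to an allowlist, call getpid.
 * Returns 0 if the child exited cleanly, the signal number if it was killed,
 * and -1 if the filter could not be set up. */
int run_filtered_child(int allow_getpid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Allowlist: exit_group always, getpid only when requested.
         * Simplification: no architecture check, unlike a production filter. */
        struct sock_filter prog[] = {
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 2, 0),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                     allow_getpid ? SYS_getpid : SYS_exit_group, 1, 0),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),  /* default: kill */
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        };
        struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog))
            _exit(2);
        syscall(SYS_getpid);  /* uncached getpid: always enters the kernel */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void)
{
    printf("getpid not allowed: result %d (SIGSYS is %d)\n", run_filtered_child(0), SIGSYS);
    printf("getpid allowed:     result %d\n", run_filtered_child(1));
    return 0;
}
```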