Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock


Hello,

Please unblock package chrony

Compared to chrony 3.4-3, this release just adds some necessary system
calls to the seccomp filter whitelist. This allows fixing #924494, and
probably many other bugs on some of our release architectures.

Debdiff attached!

unblock chrony/3.4-4

Thanks for your time,
Vincent

diffstat for chrony-3.4 chrony-3.4

 changelog                                              |   14 +++++
 patches/allow-further-syscalls-in-seccomp-filter.patch |   41 +++++++++++++++++
 patches/allow-recv-send-in-seccomp-filter.patch        |   24 +++++++++
 patches/series                                         |    2 
 4 files changed, 81 insertions(+)

diff -Nru chrony-3.4/debian/changelog chrony-3.4/debian/changelog
--- chrony-3.4/debian/changelog 2019-03-04 23:32:12.000000000 +0100
+++ chrony-3.4/debian/changelog 2019-03-18 19:35:34.000000000 +0100
@@ -1,3 +1,17 @@
+chrony (3.4-4) unstable; urgency=medium
+
+  * debian/patches/*:
+    - Add allow-further-syscalls-in-seccomp-filter.patch. Supplementing the
+    seccomp filter whitelist with those syscalls is a prerequisite, notably for
+    the arm64 architecture.
+
+  [ Leigh Brown ]
+  * debian/patches/*:
+    - Add allow-recv-send-in-seccomp-filter.patch. Necessary on armel and
+    ppc64el. Other architectures might also be affected. (Closes: #924494)
+
+ -- Vincent Blut <vincent.deb...@free.fr>  Mon, 18 Mar 2019 19:35:34 +0100
+
 chrony (3.4-3) unstable; urgency=medium
 
   * debian/.gitlab-ci.yml:
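Review bot: the first entry (allow-further-syscalls-in-seccomp-filter.patch) gives neither a bug reference nor a symptom for arm64, while the unblock request says this upload fixes "probably many other bugs"; if a bug is filed for the arm64 breakage, add a (Closes: #NNNNNN) as the second entry does, and say what failed on arm64 rather than only that the patch "is a prerequisite". Style: the continuation lines of both "- Add ..." items are indented to the dash instead of to the text after it; indent them two more spaces (e.g. "      seccomp filter whitelist with those syscalls ...") to match the usual changelog layout.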
diff -Nru 
chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch 
chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch
--- chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch    
1970-01-01 01:00:00.000000000 +0100
+++ chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch    
2019-03-18 19:32:24.000000000 +0100
@@ -0,0 +1,41 @@
+From: Vincent Blut <vincent.deb...@free.fr>
+Date: Fri, 15 Mar 2019 00:03:24 +0100
+Subject: sys_linux: allow further syscalls in seccomp filter
+
+Adding these syscalls in the seccomp filter whitelist is a prerequisite for
+the arm64 architecture.
+
+Forwarded: 
https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/03/msg00001.html
+Applied-Upstream: 
https://git.tuxfamily.org/chrony/chrony.git/commit/?id=2ddd0ae23181f529bf0e8abaecfc9c726d672568
+---
+ sys_linux.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -499,9 +499,11 @@ SYS_Linux_EnableSystemCallFilter(int lev
+     SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
+     /* Filesystem */
+     SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown),
+-    SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents),
+-    SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat),
+-    SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
++    SCMP_SYS(chown32), SCMP_SYS(faccessat), SCMP_SYS(fchmodat), 
SCMP_SYS(fchownat),
++    SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), 
SCMP_SYS(getdents64),
++    SCMP_SYS(lseek), SCMP_SYS(newfstatat), SCMP_SYS(rename), 
SCMP_SYS(renameat),
++    SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64),
++    SCMP_SYS(unlink), SCMP_SYS(unlinkat),
+     /* Socket */
+     SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), 
SCMP_SYS(getsockopt),
+     SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
+@@ -510,8 +512,8 @@ SYS_Linux_EnableSystemCallFilter(int lev
+     SCMP_SYS(socketcall),
+     /* General I/O */
+     SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), 
SCMP_SYS(pipe),
+-    SCMP_SYS(poll), SCMP_SYS(read), SCMP_SYS(futex), SCMP_SYS(select),
+-    SCMP_SYS(set_robust_list), SCMP_SYS(write),
++    SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), 
SCMP_SYS(read),
++    SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS(set_robust_list), 
SCMP_SYS(write),
+     /* Miscellaneous */
+     SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname),
+   };
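Review bot: the patch header says the extra syscalls are "a prerequisite for the arm64 architecture" but not why. Every call added in the two hunks (faccessat, fchmodat, fchownat, newfstatat, renameat, unlinkat, pipe2, ppoll, pselect6) is the directory-relative or newer form of a call already on the list (access, chmod, chown, stat, rename, unlink, pipe, poll, select), and arm64 provides only these newer forms; one sentence saying so in the header would stop a later maintainer from trimming the list back. Worth stating as the security rationale too: the new entries are allowed with no argument restrictions, exactly like their legacy counterparts, so the filter's reach is unchanged in kind even though the whitelist grows by nine calls.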
diff -Nru chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch 
chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch
--- chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch   
1970-01-01 01:00:00.000000000 +0100
+++ chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch   
2019-03-16 19:05:10.000000000 +0100
@@ -0,0 +1,24 @@
+From: Leigh Brown <le...@solinno.co.uk>
+Date: Wed, 13 Mar 2019 17:56:08 +0100
+Subject: [PATCH] sys_linux: allow recv and send in seccomp filter
+
+The lack of these two system calls has been problematic for the armv5tel
+architecture. Other architectures might also be affected.
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924494
+Forwarded: 
https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/03/msg00000.html
+Applied-Upstream: 
https://git.tuxfamily.org/chrony/chrony.git/commit/?id=79db0b7eca3ffff1b6c6a86cf1a342a40cc76d2f
+---
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -504,8 +504,8 @@ SYS_Linux_EnableSystemCallFilter(int lev
+     SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
+     /* Socket */
+     SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), 
SCMP_SYS(getsockopt),
+-    SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
+-    SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto),
++    SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
++    SCMP_SYS(send), SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto),
+     /* TODO: check socketcall arguments */
+     SCMP_SYS(socketcall),
+     /* General I/O */
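Review bot: the commit message names only armv5tel, while the changelog entry for this patch says armel and ppc64el; align the two (mention ppc64el in the patch header, or drop it from the changelog if it was not actually observed there). The hunk itself is consistent: @@ -504,8 +504,8 @@ replaces two lines with two, inserting recv before recvfrom and send before sendmmsg so the list stays sorted. Minor inconsistency with the other patch: there is no diffstat between `---` and `--- a/sys_linux.c`; quilt does not need it, but the two headers should follow one layout.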
diff -Nru chrony-3.4/debian/patches/series chrony-3.4/debian/patches/series
--- chrony-3.4/debian/patches/series    2019-03-04 18:02:36.000000000 +0100
+++ chrony-3.4/debian/patches/series    2019-03-18 16:47:59.000000000 +0100
@@ -1,2 +1,4 @@
 allow-_llseek-in-seccomp-filter.patch
 allow-waitpid-in-seccomp-filter.patch
+allow-recv-send-in-seccomp-filter.patch
+allow-further-syscalls-in-seccomp-filter.patch
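Review bot: the order of the two new lines is load-bearing and must stay as written: allow-further-syscalls-in-seccomp-filter.patch carries the context line `SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),`, which only exists after allow-recv-send-in-seccomp-filter.patch has been applied, so swapping them would make the second patch fail to apply. A note of that dependency in the second patch's header would make it explicit.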
