Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

[ Reason ]
chrony 4.0 allows binding the NTP, NTS-KE, client and UDP command sockets 
to a specific network device using the 'binddevice', 'bindacqdevice' and
'bindcmddevice' directives.
In Bullseye, using these directives with a network interface name longer
than 3 characters (e.g. binddevice eth0) will cause chronyd to crash because
of the way the system call filter handles the SO_BINDTODEVICE socket option.

[ Impact ]
To bind sockets to a network interface with a "long" name, users have to
disable chronyd's system call filter which is certainly not ideal.

[ Tests ]
I manually tested each of the aforementioned directives with a network
interface name longer than 3 characters. I also made sure that autopkgtests
still run fine.

[ Risks ]
The fix is trivial and well tested.

[ Checklist ]
  [ ] *all* changes are documented in the d/changelog
  [✓] I reviewed all changes and I approve them
  [✓] attach debdiff against the package in (old)stable
  [✓] the issue is verified as fixed in unstable

[ Changes ]
In addition to the patch fixing the issue with the system call filter, I also
made a few anecdotal but practical changes that I considered unnecessary to
mention for a revision targeting stable:
    - pointing Vcs-Git to the 'debian/bullseye' branch
    - running the Salsa CI pipeline on Bullseye

Cheers,
Vincent

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSRJQjHKbAUfuoc+DAQn1qAt/bgAQUCYXR7MQAKCRAQn1qAt/bg
AVlbAP9ZaHpjsgLA3HNcLPsWJXhMm/SUcU3DgEpdM9nMiJjDJgEAxYspGEhLBnGK
4n5lB38HAKdWm6aY1/VHGAcLZ0X9tQM=
=K28n
-----END PGP SIGNATURE-----
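The [ Reason ] section above describes the crash in terms of how the system call filter handles the SO_BINDTODEVICE socket option. The following is an added example, not part of this bug report and not chrony's or libseccomp's code: a plain-C model of the argument comparisons in the two versions of the setsockopt allow rule from the attached patch (level and optname, with or without the optlen <= sizeof(int) comparison), run over a few constructed interface names. It installs no filter. The socket_options table is a small constructed subset, the names setsockopt_allowed and binddevice_allowed are the example's own, and it assumes the device name is passed with optlen = strlen(name) + 1, which is the reading under which a 4-character name such as eth0 exceeds sizeof(int) while a 3-character one does not.

```c
/* Model of the libseccomp setsockopt rules from the chrony patch.
 * This is example code: it reproduces the argument comparisons of the
 * '-' (old) and '+' (new) rules in plain C and never touches seccomp. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#ifndef SO_BINDTODEVICE
#define SO_BINDTODEVICE 25   /* Linux value; only needed on non-Linux builds */
#endif

/* Allowed (level, optname) pairs: a constructed subset of chrony's table. */
static const int socket_options[][2] = {
    { SOL_SOCKET, SO_BINDTODEVICE },
    { SOL_SOCKET, SO_REUSEADDR },
    { SOL_SOCKET, SO_TIMESTAMP },
};

/* RULE_OLD keeps the SCMP_A4(SCMP_CMP_LE, sizeof (int)) comparison,
 * RULE_NEW drops it, as the patch hunk does. */
enum rule_style { RULE_OLD, RULE_NEW };

/* Would setsockopt(fd, level, optname, optval, optlen) match an allow rule?
 * level mirrors SCMP_A1, optname SCMP_A2 and optlen SCMP_A4. A rule matches
 * only if every one of its comparisons holds; otherwise the filter's default
 * action applies (in chrony that default kills the process). */
bool setsockopt_allowed(enum rule_style style, int level, int optname, size_t optlen)
{
    size_t n = sizeof(socket_options) / sizeof(*socket_options);
    for (size_t i = 0; i < n; i++) {
        if (socket_options[i][0] != level || socket_options[i][1] != optname)
            continue;                      /* A1/A2 comparison failed */
        if (style == RULE_OLD && !(optlen <= sizeof(int)))
            continue;                      /* A4 comparison failed */
        return true;                       /* every comparison matched */
    }
    return false;                          /* no rule matched: default action */
}

/* Binding to a device passes the NUL-terminated name; assumption of this
 * example: optlen counts the terminator, so "eth0" is passed with optlen 5. */
bool binddevice_allowed(enum rule_style style, const char *ifname)
{
    return setsockopt_allowed(style, SOL_SOCKET, SO_BINDTODEVICE, strlen(ifname) + 1);
}

int main(void)
{
    const char *names[] = { "lo", "ens", "eth0", "enp0s31f6" };   /* constructed */
    for (size_t i = 0; i < sizeof(names) / sizeof(*names); i++)
        printf("%-10s old rule: %-5s new rule: %s\n", names[i],
               binddevice_allowed(RULE_OLD, names[i]) ? "allow" : "kill",
               binddevice_allowed(RULE_NEW, names[i]) ? "allow" : "kill");

    /* An int-sized option value passes under both rule styles, and an option
     * outside the table is still rejected by the new rule. */
    printf("SO_REUSEADDR, optlen 4: %s\n",
           setsockopt_allowed(RULE_OLD, SOL_SOCKET, SO_REUSEADDR, sizeof(int)) ? "allow" : "kill");
    printf("SO_KEEPALIVE, optlen 4: %s\n",
           setsockopt_allowed(RULE_NEW, SOL_SOCKET, SO_KEEPALIVE, sizeof(int)) ? "allow" : "kill");
    return 0;
}
```

The model makes the threshold visible: with sizeof(int) == 4, the old rule only matches names of up to 3 characters, and the new rule stops looking at the value length while still restricting level and optname.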
diff -Nru chrony-4.0/debian/changelog chrony-4.0/debian/changelog
--- chrony-4.0/debian/changelog 2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/changelog 2021-10-19 22:02:40.000000000 +0200
@@ -1,3 +1,12 @@
+chrony (4.0-8+deb11u1) bullseye; urgency=medium
+
+  * debian/patches/:
+    - Add fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch to be able
+    to bind a socket to a network device with a name longer than 3 characters
+    when the system call filter is enabled. (Closes: #995207)
+
+ -- Vincent Blut <vincent.deb...@free.fr>  Tue, 19 Oct 2021 22:02:40 +0200
+
 chrony (4.0-8) unstable; urgency=medium
 
   * debian/patches/:
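Review bot: the new changelog entry documents only the seccomp patch, while the debdiff also changes Vcs-Git in debian/control and adds a RELEASE variable to debian/.gitlab-ci.yml, which is consistent with the checklist item "*all* changes are documented in the d/changelog" being left unchecked; either add short bullets for those two packaging changes or keep the stable update limited to the fix. Also, the continuation line `to bind a socket to a network device with a name longer than 3 characters` is indented at the level of the `-` bullet rather than under `Add`, so reindent it by two spaces to match the usual wrapping of sub-items.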
diff -Nru chrony-4.0/debian/control chrony-4.0/debian/control
--- chrony-4.0/debian/control   2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/control   2021-10-19 22:02:40.000000000 +0200
@@ -18,7 +18,7 @@
                pps-tools (>= 0.20120406+g0deb9c7e-2) [linux-any],
                procps <!nocheck>
 Homepage: https://chrony.tuxfamily.org
-Vcs-Git: https://salsa.debian.org/debian/chrony.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/debian/chrony.git -b debian/bullseye
 Vcs-Browser: https://salsa.debian.org/debian/chrony
 Rules-Requires-Root: no
 
diff -Nru chrony-4.0/debian/.gitlab-ci.yml chrony-4.0/debian/.gitlab-ci.yml
--- chrony-4.0/debian/.gitlab-ci.yml    2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/.gitlab-ci.yml    2021-10-19 22:02:40.000000000 +0200
@@ -9,3 +9,6 @@
     only:
         variables:
             - $SEE_YOU_SOON_REPROTEST
+
+variables:
+    RELEASE: 'bullseye'
diff -Nru 
chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
 
chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
--- 
chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
   2021-10-19 22:02:40.000000000 +0200
@@ -0,0 +1,33 @@
+From 29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlich...@redhat.com>
+Date: Wed, 6 Oct 2021 10:02:34 +0200
+Subject: sys_linux: fix seccomp filter for BINDTODEVICE option
+
+The BINDTODEVICE socket option is the first option in the seccomp filter
+setting a string instead of int. Remove the length check from the
+setsockopt rules to allow a device name longer than 3 characters.
+
+This was reported in Debian bug #995207.
+
+Fixes: b9f5ce83b02e ("sys_linux: allow BINDTODEVICE option in seccomp filter")
+
+Origin: upstream, 
https://git.tuxfamily.org/chrony/chrony.git/commit/?id=29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995207
+
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -694,10 +694,9 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ 
+     /* Allow selected socket options */
+     for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) {
+-      if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3,
++      if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
+                            SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
+-                           SCMP_A2(SCMP_CMP_EQ, socket_options[i][1]),
+-                           SCMP_A4(SCMP_CMP_LE, sizeof (int))) < 0)
++                           SCMP_A2(SCMP_CMP_EQ, socket_options[i][1])))
+         goto add_failed;
+     }
+ 
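Review bot: the removed `SCMP_A4(SCMP_CMP_LE, sizeof (int))` comparison is dropped from the rule for every entry of socket_options, not only for SO_BINDTODEVICE, so every allowed option now accepts any optlen; the patch description speaks only of the BINDTODEVICE option, so state in the description (or in a Debian comment in the DEP-3 header) that the length check goes away for all options. The change itself is consistent: the comparison count argument goes from 3 to 2 to match the single removed comparison, and the filter still constrains level (SCMP_A1) and optname (SCMP_A2), so the widening is limited to the value length. One formatting point: the `Origin: upstream,` header appears wrapped onto two lines; if that wrap is in the file rather than e-mail line wrapping, join it onto one line so the DEP-3 header stays parseable.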
diff -Nru chrony-4.0/debian/patches/series chrony-4.0/debian/patches/series
--- chrony-4.0/debian/patches/series    2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/patches/series    2021-10-19 22:02:40.000000000 +0200
@@ -2,3 +2,4 @@
 nm-dispatcher-dhcp_Move-server_dir-to-run.patch
 allow-BINDTODEVICE-option-in-seccomp-filter.patch
 allow-getuid32-in-seccomp-filter.patch
+fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
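Review bot: the ordering is correct and should be kept: the new patch modifies the seccomp_rule_add call that allow-BINDTODEVICE-option-in-seccomp-filter.patch introduces, so it must stay after that entry in series; the name also matches the one used in debian/changelog.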