Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello, Please unblock package chrony Compared to chrony 3.4-3, this release just add some necessary system calls to the seccomp filter whitelist. This allows to fix #924494, and probably many other bugs on some of our release architectures. Debdiff attached! unblock chrony/3.4-4 Thanks for your time, Vincent -----BEGIN PGP SIGNATURE----- iQJLBAEBCgA1FiEE/VQBlxWoTJPh4vI5ipzudlpxp4AFAlyQK6IXHHZpbmNlbnQu ZGViaWFuQGZyZWUuZnIACgkQipzudlpxp4CA6A/9G3j6lxibIjVPS7VuUT9N/SCD pTC8bnCh4Mtktg9xWHualzKZHdFC2AsobBJwXH9Fkm3u2sCPlhX42Jm0Y8RDgnr3 BG0dDPL816xWQF0LDV7EAUYdqlgRGCqEArbxkmSfdmKdG/V9N4detZEw8Iv8I31U 82WrFDh068XbxyT3F+JTn0e4icQKaXFR4q4NwF5y5bElfFYxwleX4VBRHbitSMGc Ikjm1w6/1FOkrjzRpCpFmKfjli430usyAGEIH8C9jDSdE5mQhM+ZiTIIzcJjxOje 7zqIJWLt2KTsfX7Oz3QEd9l5H2mxUZMO7HdAznNxaQNFVH47+QD3X7iA607HYh6s vLMO5VFYEMKLiuDvvhP4sqistIhcokDGiC0zjKwxYRHSpTjRzLWvNdjP01LlwAMc vJCJ15wDXOpLyDvoEAkcDZtDY4n2z3qe7QBn/5zoaF+AKm6jtZOpePIA4Z8k51B8 7gSR6WEi1cBC2+lxXry9i5EN8rjX1Js7vV6FTMLNn0NEV0TVMmvfslxJwh6nbciz xKf85Ejf8e/SbOdR0gSmNQIuzh0qaREsc2eHIkOfi+CKeIQ8viFnLjeeThIbcD3v OR6dod5jRtmUFboteKAVMMpNsgfnjHOr64nq+CXeNQt4QLEyfJi33wx+s0HT0BgV 8LdGuqGG+ZLHwU377OE= =K3hy -----END PGP SIGNATURE-----
diffstat for chrony-3.4 chrony-3.4 changelog | 14 +++++ patches/allow-further-syscalls-in-seccomp-filter.patch | 41 +++++++++++++++++ patches/allow-recv-send-in-seccomp-filter.patch | 24 +++++++++ patches/series | 2 4 files changed, 81 insertions(+)
diff -Nru chrony-3.4/debian/changelog chrony-3.4/debian/changelog
--- chrony-3.4/debian/changelog 2019-03-04 23:32:12.000000000 +0100
+++ chrony-3.4/debian/changelog 2019-03-18 19:35:34.000000000 +0100
@@ -1,3 +1,17 @@
+chrony (3.4-4) unstable; urgency=medium
+
+ * debian/patches/*:
+ - Add allow-further-syscalls-in-seccomp-filter.patch. Supplementing the
+ seccomp filter whitelist with those syscalls is a prerequisite, notably for
+ the arm64 architecture.
+
+ [ Leigh Brown ]
+ * debian/patches/*:
+ - Add allow-recv-send-in-seccomp-filter.patch. Necessary on armel and
+ ppc64el. Other architectures might also be affected. (Closes: #924494)
+
+ -- Vincent Blut <vincent.deb...@free.fr> Mon, 18 Mar 2019 19:35:34 +0100
+
 chrony (3.4-3) unstable; urgency=medium
 * debian/.gitlab-ci.yml:
diff -Nru chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch
--- chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch 1970-01-01 01:00:00.000000000 +0100
+++ chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch 2019-03-18 19:32:24.000000000 +0100
@@ -0,0 +1,41 @@
+From: Vincent Blut <vincent.deb...@free.fr>
+Date: Fri, 15 Mar 2019 00:03:24 +0100
+Subject: sys_linux: allow further syscalls in seccomp filter
+
+Adding these syscalls in the seccomp filter whitelist is a prerequisite for
+the arm64 architecture.
+
+Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/03/msg00001.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=2ddd0ae23181f529bf0e8abaecfc9c726d672568
+---
+ sys_linux.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -499,9 +499,11 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
+ /* Filesystem */
+ SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown),
+- SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents),
+- SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat),
+- SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
++ SCMP_SYS(chown32), SCMP_SYS(faccessat), SCMP_SYS(fchmodat), SCMP_SYS(fchownat),
++ SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64),
++ SCMP_SYS(lseek), SCMP_SYS(newfstatat), SCMP_SYS(rename), SCMP_SYS(renameat),
++ SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64),
++ SCMP_SYS(unlink), SCMP_SYS(unlinkat),
+ /* Socket */
+ SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt),
+ SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
+@@ -510,8 +512,8 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ SCMP_SYS(socketcall),
+ /* General I/O */
+ SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(pipe),
+- SCMP_SYS(poll), SCMP_SYS(read), SCMP_SYS(futex), SCMP_SYS(select),
+- SCMP_SYS(set_robust_list), SCMP_SYS(write),
++ SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), 
SCMP_SYS(read),
++ SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write),
+ /* Miscellaneous */
+ SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname),
+ };
diff -Nru chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch
--- chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch 1970-01-01 01:00:00.000000000 +0100
+++ chrony-3.4/debian/patches/allow-recv-send-in-seccomp-filter.patch 2019-03-16 19:05:10.000000000 +0100
@@ -0,0 +1,24 @@
+From: Leigh Brown <le...@solinno.co.uk>
+Date: Wed, 13 Mar 2019 17:56:08 +0100
+Subject: [PATCH] sys_linux: allow recv and send in seccomp filter
+
+The lack of these two system calls has been problematic for the armv5tel
+architecture. Other architectures might also be affected.
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924494
+Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/03/msg00000.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=79db0b7eca3ffff1b6c6a86cf1a342a40cc76d2f
+---
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -504,8 +504,8 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
+ /* Socket */
+ SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt),
+- SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
+- SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto),
++ SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
++ SCMP_SYS(send), SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto),
+ /* TODO: check socketcall arguments */
+ SCMP_SYS(socketcall),
+ /* General I/O */
diff -Nru chrony-3.4/debian/patches/series chrony-3.4/debian/patches/series
--- chrony-3.4/debian/patches/series 2019-03-04 18:02:36.000000000 +0100
+++ chrony-3.4/debian/patches/series 2019-03-18 16:47:59.000000000 +0100
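Review bot: The nine syscalls added to the `Filesystem` and `General I/O` groups in this hunk carry no comment on why they are needed, so a later maintainer trimming the whitelist has nothing to go on beyond the patch header. arm64 never had the legacy `stat`/`access`/`chmod`/`chown`/`rename`/`unlink`/`pipe`/`poll`/`select` syscall numbers, so glibc there reaches the `*at` variants, `pipe2`, `ppoll` and `pselect6` directly; newer glibc presumably routes to the same calls on other architectures as well, which would explain the "probably many other bugs" in the cover note. Suggest a short inline comment beside the new entries, e.g. `/* *at variants, pipe2, ppoll, pselect6: arm64 (and newer glibc elsewhere) has no legacy equivalents */`. The additions do not widen what a compromised chronyd could do — each new entry is the path-relative or signal-mask-aware twin of a syscall already allowed, and none of the list is argument-filtered, consistent with the surrounding entries. The syscall array and the enclosing `SYS_Linux_EnableSystemCallFilter` start and end outside the hunk.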
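Review bot: `recv` and `send` are added without a note that they are distinct syscall numbers only on some architectures (arm and powerpc among them), where glibc's `recv(2)`/`send(2)` invoke them directly instead of `recvfrom`/`sendto`; on amd64 they do not exist, so the entries are no-ops there, presumably skipped by libseccomp the same way the already-listed `chown32` and `stat64` must be — worth confirming that `seccomp_rule_add` does not fail on them rather than relying on it. A one-line comment would keep the next reader from "cleaning up" the apparent duplicates, e.g. `/* recv/send: separate syscalls on arm, ppc; glibc uses them for recv(2)/send(2) */`. The change grants no capability beyond what `recvfrom`/`sendto` already allow, and like its neighbours it is not argument-filtered; the pre-existing `socketcall` TODO in the context lines is untouched by this patch. The syscall array and `SYS_Linux_EnableSystemCallFilter` continue outside the hunk.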
@@ -1,2 +1,4 @@
 allow-_llseek-in-seccomp-filter.patch
 allow-waitpid-in-seccomp-filter.patch
+allow-recv-send-in-seccomp-filter.patch
+allow-further-syscalls-in-seccomp-filter.patch