Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I would like to update chrony in Stretch to fix #923137 (severity important). This issue is caused by the absence of the _llseek() system call in the seccomp filter provided by chrony, which prevents some information from being logged on various 32-bit architectures when the system call filter is active.

While working on the bug report mentioned above, I discovered that chronyd could also be incorrectly stopped when the system call filter is enabled. This is due to the waitpid() system call being absent from the seccomp filter. This is addressed by the allow-waitpid-in-seccomp-filter.patch patch.

I have been testing the proposed changes for a few days without any regression.

Debdiff attached!

Cheers,
Vincent

diffstat for chrony-3.0 chrony-3.0 changelog | 12 ++++++++++ patches/allow-_llseek-in-seccomp-filter.patch | 30 ++++++++++++++++++++++++++ patches/allow-waitpid-in-seccomp-filter.patch | 20 +++++++++++++++++ patches/series | 2 + 4 files changed, 64 insertions(+) diff -Nru chrony-3.0/debian/changelog chrony-3.0/debian/changelog --- chrony-3.0/debian/changelog 2017-07-22 17:24:44.000000000 +0200 +++ chrony-3.0/debian/changelog 2019-03-06 11:13:29.000000000 +0100 @@ -1,3 +1,15 @@ +chrony (3.0-4+deb9u2) stretch; urgency=medium + + * debian/patches/*: + - Add allow-_llseek-in-seccomp-filter.patch. Needed on various 32-bit + plateforms to log the {raw}measurements and statistics information when + the seccomp filter is enabled. Thanks a lot to Francesco Poli (wintermute) + <invernom...@paranoici.org> for the report. (Closes: #923137) + - Add allow-waitpid-in-seccomp-filter.patch. Needed to correctly stop + chronyd on some plateforms when the seccomp filter is enabled. + + -- Vincent Blut <vincent.deb...@free.fr> Wed, 06 Mar 2019 11:13:29 +0100 + chrony (3.0-4+deb9u1) stretch; urgency=medium * debian/chrony.if-up: diff -Nru chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch --- chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch 1970-01-01 01:00:00.000000000 +0100 +++ chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch 2019-03-05 23:36:44.000000000 +0100 
@@ -0,0 +1,30 @@ +From: Vincent Blut <vincent.deb...@free.fr> +Date: Thu, 28 Feb 2019 14:39:13 +0100 +Subject: sys_linux: allow _llseek in seccomp filter + +This is needed on various 32-bit platforms to reposition read/write file +offset on {raw}measurements and statistics log files. + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923137 +Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/02/msg00003.html +Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=e392d1fde94db26b88a0a017850415f1d34266d7 +--- + sys_linux.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -473,10 +473,10 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2), + SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt), + /* Filesystem */ +- SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), SCMP_SYS(chown32), +- SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64), +- SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat), SCMP_SYS(stat64), +- SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink), ++ SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), ++ SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), ++ SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat), ++ SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink), + /* Socket */ + SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), + SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg), diff -Nru chrony-3.0/debian/patches/allow-waitpid-in-seccomp-filter.patch chrony-3.0/debian/patches/allow-waitpid-in-seccomp-filter.patch --- chrony-3.0/debian/patches/allow-waitpid-in-seccomp-filter.patch 1970-01-01 01:00:00.000000000 +0100 +++ chrony-3.0/debian/patches/allow-waitpid-in-seccomp-filter.patch 2019-03-05 23:54:02.000000000 +0100 
@@ -0,0 +1,20 @@ +From: Vincent Blut <vincent.deb...@free.fr> +Date: Thu, 28 Feb 2019 16:43:56 +0100 +Subject: sys_linux: allow waitpid in seccomp filter + +Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/02/msg00001.html +Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=2ebba7fbaaf7c86d1840cacb7aa78b62d0166d5a +--- + sys_linux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) +--- a/sys_linux.c ++++ b/sys_linux.c +@@ -468,7 +468,7 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid), + SCMP_SYS(getrlimit),SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), + SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn), +- SCMP_SYS(wait4), ++ SCMP_SYS(wait4), SCMP_SYS(waitpid), + /* Memory */ + SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2), + SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt), diff -Nru chrony-3.0/debian/patches/series chrony-3.0/debian/patches/series --- chrony-3.0/debian/patches/series 2017-07-22 17:24:44.000000000 +0200 +++ chrony-3.0/debian/patches/series 2019-03-05 23:51:17.000000000 +0100 @@ -1,2 +1,4 @@ allow_getpid_in_seccomp_filter.patch +allow-_llseek-in-seccomp-filter.patch +allow-waitpid-in-seccomp-filter.patch fix_time_smoothing_in_interleaved_mode.patch
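
Review bot: in the debian/changelog hunk, "plateforms" is misspelled in both new entries (it should read "platforms"), and the waitpid entry says only "on some plateforms" with no bug reference, whereas the _llseek entry carries "Closes: #923137". Fix the spelling before upload, and if the waitpid failure has a bug number or a known set of affected architectures, record it in that entry.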
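
Review bot: in the sys_linux.c hunk of allow-_llseek-in-seccomp-filter.patch, all four lines of the Filesystem group are removed and re-added to insert one entry, so the reader has to compare the two lists by hand to confirm that SCMP_SYS(_llseek) is the only syscall newly allowed (it is: the other fifteen entries are unchanged, only re-wrapped). State that in the patch description, and name the 32-bit architectures on which the logging failure was reproduced instead of "various 32-bit platforms", so the widening of the allow-list can be checked against a concrete case.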
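
Review bot: the header of allow-waitpid-in-seccomp-filter.patch has no description and no Bug-Debian field, so nothing records why chronyd reaches waitpid when SCMP_SYS(wait4) is already listed on the same line, or on which architectures that happens. Add a short description in the style of the _llseek patch ("This is needed on ... to ..."), since the hunk adds SCMP_SYS(waitpid) to the list unconditionally.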
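
Review bot: in the debian/patches/series hunk, the two new file names use hyphens (allow-_llseek-in-seccomp-filter.patch, allow-waitpid-in-seccomp-filter.patch) while the neighbouring entries use underscores (allow_getpid_in_seccomp_filter.patch). Consider matching the existing naming; also, both new patches edit the same list in SYS_Linux_EnableSystemCallFilter (hunks at -473 and -468), so confirm they apply without fuzz in the order listed here.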
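
The failure mode the report describes (a syscall the process really issues is missing from the allow-list although a sibling is listed, as with waitpid beside wait4), as an added example that is not chrony's code and not part of the original message. It assumes a raw seccomp-BPF filter with "kill" as the default action instead of libseccomp; getpid/getppid are stand-ins for the page's pairs so it runs on any Linux architecture, and the function name is hypothetical.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child, confine it to allowed[0..n) with "kill" as the default action,
 * let it issue syscall `probe`, and return the signal that ended it
 * (0 = clean exit, -1 = fork or filter installation failed). */
int probe_under_allowlist(const int *allowed, int n, long probe)
{
    pid_t pid = (n <= 16) ? fork() : -1;   /* filter buffer holds 16 entries */
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct sock_filter f[2 * 16 + 2];
        int k = 0;
        /* Load the syscall number (a production filter checks .arch first). */
        f[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                     offsetof(struct seccomp_data, nr));
        for (int i = 0; i < n; i++) {      /* compare, then allow on match */
            f[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                         allowed[i], 0, 1);
            f[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
        }
        f[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
        struct sock_fprog prog = { .len = (unsigned short)k, .filter = f };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(2);
        syscall(probe);
        _exit(0);                          /* glibc's _exit() issues exit_group */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || (!WIFSIGNALED(status) && WEXITSTATUS(status)))
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    /* Stand-ins: getpid is listed, its sibling getppid is not. */
    const int list[] = { SYS_exit_group, SYS_getpid };
    return probe_under_allowlist(list, 2, SYS_getppid) == SIGSYS ? 0 : 1;
}
```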