commit:     a2c99543bfd3245724e21089a617f28d828c5548
Author:     Sam James (sam_c) <sam <AT> cmpct <DOT> info>
AuthorDate: Sun Mar 15 20:53:29 2020 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Mon Mar 30 18:36:44 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2c99543

net-misc/chrony: Enable seccomp filtering when USE=seccomp

We already have USE=seccomp, but chronyd won't apply the filter unless
-F is set to 1. We could also set -F -1, which will log any syscalls
that would have been blocked but won't deny them.

Also fixes systemd for previous commit.

Bug: https://bugs.gentoo.org/711058
Signed-off-by: Sam James (sam_c) <sam <AT> cmpct.info>
Closes: https://github.com/gentoo/gentoo/pull/14973
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 net-misc/chrony/chrony-3.5-r3.ebuild               | 30 ++++++++++---------
 ...ony-3.5-r3.ebuild => chrony-4.0_pre1-r1.ebuild} | 35 ++++++++++++----------
 net-misc/chrony/chrony-9999.ebuild                 | 30 ++++++++++---------
 .../files/chrony-3.5-r3-systemd-gentoo.patch       | 12 ++++++++
 net-misc/chrony/files/chronyd.conf                 |  2 +-
 5 files changed, 65 insertions(+), 44 deletions(-)

diff --git a/net-misc/chrony/chrony-3.5-r3.ebuild 
b/net-misc/chrony/chrony-3.5-r3.ebuild
index 3f11f8dd951..229f5b27506 100644
--- a/net-misc/chrony/chrony-3.5-r3.ebuild
+++ b/net-misc/chrony/chrony-3.5-r3.ebuild
@@ -12,8 +12,8 @@ SLOT="0"
 
 KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~ppc64 ~sparc ~x86"
 IUSE="
-       +adns caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock 
+rtc
-       seccomp selinux
+       +adns +caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock 
+rtc
+       +seccomp selinux
 "
 REQUIRED_USE="
        ?? ( libedit readline )
@@ -42,7 +42,7 @@ S="${WORKDIR}/${P/_/-}"
 
 PATCHES=(
        "${FILESDIR}"/${PN}-3.5-pool-vendor-gentoo.patch
-       "${FILESDIR}"/${PN}-3.5-systemd-gentoo.patch
+       "${FILESDIR}"/${PN}-3.5-r3-systemd-gentoo.patch
 )
 
 src_prepare() {
@@ -52,13 +52,20 @@ src_prepare() {
                doc/* examples/* || die
 
        # Copy for potential user fixup
-       cp "${FILESDIR}"/chronyd.conf "$T"/chronyd.conf
+       cp "${FILESDIR}"/chronyd.conf "${T}"/chronyd.conf
+       cp examples/chronyd.service "${T}"/chronyd.service
 
        # Set config for privdrop
        if ! use caps; then
                sed -i \
                        -e 's/-u ntp//' \
-                       "${T}"/chronyd.conf || die
+                       "${T}"/chronyd.conf "${T}"/chronyd.service || die
+       fi
+
+       if ! use seccomp; then
+               sed -i \
+                       -e 's/-F 1//' \
+                       "${T}"/chronyd.conf "${T}"/chronyd.service || die
        fi
 }
 
@@ -135,16 +142,11 @@ src_install() {
        insinto /etc/logrotate.d
        newins "${FILESDIR}"/chrony-2.4-r1.logrotate chrony
 
-       systemd_dounit examples/{chronyd,chrony-wait}.service
+       systemd_dounit "${T}"/chronyd.service
+       systemd_dounit examples/chrony-wait.service
        systemd_enable_ntpunit 50-chrony chronyd.service
 }
 
-pkg_preinst() {
-       if use caps && has_version net-misc/chrony[-caps]; then
-               elog "/run/chronyd needs ntp:ntp permissions; please check."
-               elog "The safest option is reboot, but you may chown manually."
-       elif ! use caps && has_version net-misc/chrony[caps]; then
-               elog "/run/chronyd needs root:root permissions; please check."
-               elog "The safest option is reboot, but you may chown manually."
-       fi
+pkg_postinst() {
+       tmpfiles_process chronyd.conf
 }
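Review bot: The pkg_preinst notice about fixing up the runtime directory's ownership after a caps flip is dropped here, but the commit message only mentions fixing systemd; if `tmpfiles_process chronyd.conf` is what now settles that ownership, the replacement should say so where the old notice lived, e.g. `# runtime dir ownership is applied by the chronyd.conf tmpfiles entry, so no caps-migration notice is needed`. `tmpfiles_process` also requires the tmpfiles eclass to be inherited; that is presumably in place from the previous commit, but the inherit line is outside this diff. The same replacement appears in chrony-4.0_pre1-r1.ebuild and chrony-9999.ebuild.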

diff --git a/net-misc/chrony/chrony-3.5-r3.ebuild 
b/net-misc/chrony/chrony-4.0_pre1-r1.ebuild
similarity index 81%
copy from net-misc/chrony/chrony-3.5-r3.ebuild
copy to net-misc/chrony/chrony-4.0_pre1-r1.ebuild
index 3f11f8dd951..af44e004523 100644
--- a/net-misc/chrony/chrony-3.5-r3.ebuild
+++ b/net-misc/chrony/chrony-4.0_pre1-r1.ebuild
@@ -12,16 +12,18 @@ SLOT="0"
 
 KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~ppc64 ~sparc ~x86"
 IUSE="
-       +adns caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock 
+rtc
-       seccomp selinux
+       +adns +caps +cmdmon html ipv6 libedit +nettle +ntp +phc pps readline 
+refclock +rtc
+       +seccomp +sechash selinux
 "
 REQUIRED_USE="
        ?? ( libedit readline )
+       sechash? ( nettle )
 "
 
 CDEPEND="
        caps? ( sys-libs/libcap )
        libedit? ( dev-libs/libedit )
+       nettle? ( dev-libs/nettle )
        readline? ( >=sys-libs/readline-4.1-r4:= )
        seccomp? ( sys-libs/libseccomp )
 "
@@ -42,7 +44,7 @@ S="${WORKDIR}/${P/_/-}"
 
 PATCHES=(
        "${FILESDIR}"/${PN}-3.5-pool-vendor-gentoo.patch
-       "${FILESDIR}"/${PN}-3.5-systemd-gentoo.patch
+       "${FILESDIR}"/${PN}-3.5-r3-systemd-gentoo.patch
 )
 
 src_prepare() {
@@ -52,13 +54,20 @@ src_prepare() {
                doc/* examples/* || die
 
        # Copy for potential user fixup
-       cp "${FILESDIR}"/chronyd.conf "$T"/chronyd.conf
+       cp "${FILESDIR}"/chronyd.conf "${T}"/chronyd.conf
+       cp examples/chronyd.service "${T}"/chronyd.service
 
        # Set config for privdrop
        if ! use caps; then
                sed -i \
                        -e 's/-u ntp//' \
-                       "${T}"/chronyd.conf || die
+                       "${T}"/chronyd.conf "${T}"/chronyd.service || die
+       fi
+
+       if ! use seccomp; then
+               sed -i \
+                       -e 's/-F 1//' \
+                       "${T}"/chronyd.conf "${T}"/chronyd.service || die
        fi
 }
 
@@ -84,15 +93,16 @@ src_configure() {
                $(usex caps '' --disable-linuxcaps)
                $(usex cmdmon '' --disable-cmdmon)
                $(usex ipv6 '' --disable-ipv6)
+               $(usex nettle '' --without-nettle)
                $(usex ntp '' --disable-ntp)
                $(usex phc '' --disable-phc)
                $(usex pps '' --disable-pps)
                $(usex refclock '' --disable-refclock)
                $(usex rtc '' --disable-rtc)
+               $(usex sechash '' --disable-sechash)
                ${CHRONY_EDITLINE}
                ${EXTRA_ECONF}
                --chronysockdir="${EPREFIX}/run/chrony"
-               --disable-sechash
                --docdir="${EPREFIX}/usr/share/doc/${PF}"
                --mandir="${EPREFIX}/usr/share/man"
                --prefix="${EPREFIX}/usr"
@@ -135,16 +145,11 @@ src_install() {
        insinto /etc/logrotate.d
        newins "${FILESDIR}"/chrony-2.4-r1.logrotate chrony
 
-       systemd_dounit examples/{chronyd,chrony-wait}.service
+       systemd_dounit "${T}"/chronyd.service
+       systemd_dounit examples/chrony-wait.service
        systemd_enable_ntpunit 50-chrony chronyd.service
 }
 
-pkg_preinst() {
-       if use caps && has_version net-misc/chrony[-caps]; then
-               elog "/run/chronyd needs ntp:ntp permissions; please check."
-               elog "The safest option is reboot, but you may chown manually."
-       elif ! use caps && has_version net-misc/chrony[caps]; then
-               elog "/run/chronyd needs root:root permissions; please check."
-               elog "The safest option is reboot, but you may chown manually."
-       fi
+pkg_postinst() {
+       tmpfiles_process chronyd.conf
 }

diff --git a/net-misc/chrony/chrony-9999.ebuild 
b/net-misc/chrony/chrony-9999.ebuild
index 5b03ec4fe42..543cabf61d5 100644
--- a/net-misc/chrony/chrony-9999.ebuild
+++ b/net-misc/chrony/chrony-9999.ebuild
@@ -12,8 +12,8 @@ SLOT="0"
 
 KEYWORDS=""
 IUSE="
-       +adns caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock 
+rtc
-       seccomp selinux
+       +adns +caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock 
+rtc
+       +seccomp selinux
 "
 REQUIRED_USE="
        ?? ( libedit readline )
@@ -40,7 +40,7 @@ S="${WORKDIR}/${P/_/-}"
 
 PATCHES=(
        "${FILESDIR}"/${PN}-3.5-pool-vendor-gentoo.patch
-       "${FILESDIR}"/${PN}-3.5-systemd-gentoo.patch
+       "${FILESDIR}"/${PN}-3.5-r3-systemd-gentoo.patch
 )
 
 src_prepare() {
@@ -50,13 +50,20 @@ src_prepare() {
                doc/* examples/* || die
 
        # Copy for potential user fixup
-       cp "${FILESDIR}"/chronyd.conf "$T"/chronyd.conf
+       cp "${FILESDIR}"/chronyd.conf "${T}"/chronyd.conf
+       cp examples/chronyd.service "${T}"/chronyd.service
 
        # Set config for privdrop
        if ! use caps; then
                sed -i \
                        -e 's/-u ntp//' \
-                       "${T}"/chronyd.conf || die
+                       "${T}"/chronyd.conf "${T}"/chronyd.service || die
+       fi
+
+       if ! use seccomp; then
+               sed -i \
+                       -e 's/-F 1//' \
+                       "${T}"/chronyd.conf "${T}"/chronyd.service || die
        fi
 }
 
@@ -131,16 +138,11 @@ src_install() {
        insinto /etc/logrotate.d
        newins "${FILESDIR}"/chrony-2.4-r1.logrotate chrony
 
-       systemd_dounit examples/{chronyd,chrony-wait}.service
+       systemd_dounit "${T}"/chronyd.service
+       systemd_dounit examples/chrony-wait.service
        systemd_enable_ntpunit 50-chrony chronyd.service
 }
 
-pkg_preinst() {
-       if use caps && has_version net-misc/chrony[-caps]; then
-               elog "/run/chronyd needs ntp:ntp permissions; please check."
-               elog "The safest option is reboot, but you may chown manually."
-       elif ! use caps && has_version net-misc/chrony[caps]; then
-               elog "/run/chronyd needs root:root permissions; please check."
-               elog "The safest option is reboot, but you may chown manually."
-       fi
+pkg_postinst() {
+       tmpfiles_process chronyd.conf
 }

diff --git a/net-misc/chrony/files/chrony-3.5-r3-systemd-gentoo.patch 
b/net-misc/chrony/files/chrony-3.5-r3-systemd-gentoo.patch
new file mode 100644
index 00000000000..0ea3c921980
--- /dev/null
+++ b/net-misc/chrony/files/chrony-3.5-r3-systemd-gentoo.patch
@@ -0,0 +1,12 @@
+--- a/examples/chronyd.service
++++ b/examples/chronyd.service
+@@ -8,8 +8,7 @@
+ [Service]
+ Type=forking
+ PIDFile=/run/chrony/chronyd.pid
+-EnvironmentFile=-/etc/sysconfig/chronyd
+-ExecStart=/usr/sbin/chronyd $OPTIONS
++ExecStart=/usr/sbin/chronyd -u ntp -F 1
+ PrivateTmp=yes
+ ProtectHome=yes
+ ProtectSystem=full
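Review bot: Replacing `EnvironmentFile=-/etc/sysconfig/chronyd` and `ExecStart=/usr/sbin/chronyd $OPTIONS` with a fixed `ExecStart=/usr/sbin/chronyd -u ntp -F 1` removes the only per-host hook for the daemon's arguments, so a systemd user who wants the log-only `-F -1` mode described in the commit message has to override `ExecStart=` in a drop-in. One option is to keep an environment hook that points at the Gentoo conf.d file, `EnvironmentFile=-/etc/conf.d/chronyd` followed by `ExecStart=/usr/sbin/chronyd $ARGS`, so the `ARGS` line in files/chronyd.conf governs both init systems (assuming the conf.d file is installed on systemd profiles as well); otherwise the ebuild should at least tell users in a postinst note that a drop-in is the supported way to change the flags.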

diff --git a/net-misc/chrony/files/chronyd.conf 
b/net-misc/chrony/files/chronyd.conf
index c641d985e56..c04f3525f0b 100644
--- a/net-misc/chrony/files/chronyd.conf
+++ b/net-misc/chrony/files/chronyd.conf
@@ -9,4 +9,4 @@ CFGFILE="/etc/chrony/chrony.conf"
 # The combination of "-s -r" allows chronyd to perform long term averaging of
 # the gain or loss rate across system reboots and shutdowns.
 
-ARGS="-u ntp"
+ARGS="-u ntp -F 1"
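Review bot: The added `-F 1` is the only flag in `ARGS` that the file's own comments do not explain, while the lines just above describe `-s -r`; a reader of /etc/conf.d will not know it turns on chronyd's seccomp system-call filter. A comment above the assignment would cover it: `# -F 1 enables the seccomp system call filter; use -F -1 to only log the calls the filter would block`. The comment block this hunk sits in starts before the hunk.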
