- rel 2; glibc related fixes

diff --git a/allow-clock_adjtime.patch b/allow-clock_adjtime.patch
new file mode 100644 (file)
index 0000000..2fa3bac
--- /dev/null
+++ b/allow-clock_adjtime.patch
@@ -0,0 +1,26 @@
+From 0cf506c92967c84f9ed83ba9e1be946a7fda6425 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Mon, 2 Dec 2019 12:47:13 +0100
+Subject: sys_linux: allow clock_adjtime in seccomp filter
+
+The adjtimex() function in glibc was switched to the clock_adjtime
+system call.
+
+diff --git a/sys_linux.c b/sys_linux.c
+index 63eb8f1..fcf89c2 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -478,8 +478,8 @@ SYS_Linux_EnableSystemCallFilter(int level)
+ {
+   const int syscalls[] = {
+     /* Clock */
+-    SCMP_SYS(adjtimex), SCMP_SYS(clock_gettime), SCMP_SYS(gettimeofday),
+-    SCMP_SYS(settimeofday), SCMP_SYS(time),
++    SCMP_SYS(adjtimex), SCMP_SYS(clock_adjtime), SCMP_SYS(clock_gettime),
++    SCMP_SYS(gettimeofday), SCMP_SYS(settimeofday), SCMP_SYS(time),
+     /* Process */
+     SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid),
+     SCMP_SYS(getrlimit), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),
+-- 
+cgit v0.10.2
+

diff --git a/chrony.spec b/chrony.spec
index cebf1bc6ba098d7a90c7fb4cf8ca8096f3a4b0ec..b0984ead0d41244930d352109698428df35c375c 100644 (file)
--- a/chrony.spec
+++ b/chrony.spec
@@ -3,7 +3,7 @@
 Summary:       An NTP client/server
 Name:          chrony
 Version:       3.5
-Release:       1
+Release:       2
 License:       GPL v2
 Group:         Daemons
 Source0:       http://download.tuxfamily.org/chrony/%{name}-%{version}.tar.gz
@@ -13,10 +13,13 @@ Source2:    %{name}.keys
 Source3:       %{name}d.sysconfig
 Source4:       %{name}d.init
 Source5:       %{name}.logrotate
+Patch0:                allow-clock_adjtime.patch
+Patch1:                fix-seccomp-build.patch
 URL:           http://chrony.tuxfamily.org/
 BuildRequires: asciidoc
 BuildRequires: bison
 BuildRequires: libcap-devel
+BuildRequires: libseccomp-devel
 BuildRequires: nettle-devel >= %{nettle_ver}
 BuildRequires: nss-devel
 BuildRequires: readline-devel
@@ -50,6 +53,8 @@ in permanently connected environments.
 
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 
 %build
 # NOTE: It is not autoconf generated configre
@@ -57,10 +62,15 @@ CC="%{__cc}" \
 CFLAGS="%{rpmcflags} -Wmissing-prototypes -Wall" \
 CPPFLAGS="%{rpmcppflags}" \
 ./configure \
+       --enable-ntp-signd \
+       --enable-scfilter \
        --prefix=%{_prefix} \
        --sysconfdir=%{_sysconfdir} \
        --docdir=%{_docdir} \
-       --without-editline \
+       --with-ntp-era=$(date -d '1970-01-01 00:00:00+00:00' +'%s') \
+       --with-hwclockfile=%{_sysconfdir}/adjtime \
+       --with-sendmail=%{_sbindir}/sendmail \
+       --without-editline
 
 %{__make} getdate all docs \
        ADOC=asciidoc

diff --git a/fix-seccomp-build.patch b/fix-seccomp-build.patch
new file mode 100644 (file)
index 0000000..6888e7e
--- /dev/null
+++ b/fix-seccomp-build.patch
@@ -0,0 +1,13 @@
+diff --git a/sys_linux.c b/sys_linux.c
+index 898dc7a7f75..fcd334ecf03 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -503,7 +503,7 @@ SYS_Linux_EnableSystemCallFilter(int level)
+     SCMP_SYS(socketcall),
+     /* General I/O */
+     SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(pipe),
+-    SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), SCMP_SYS(read),
++    SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(pselect6), SCMP_SYS(read),
+     SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write),
+     /* Miscellaneous */
+     SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname),