ntpsec: Add glibc-2.34/kernel-5.14 seccomp fixes

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> Signed-off-by: Alex Kiernan <alexk@zuma.ai> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Alex Kiernan <alex.kiernan@gmail.com> 2022-01-01 17:17:51 +0000
committer: Khem Raj <raj.khem@gmail.com> 2022-01-05 11:10:02 -0800
commit: ccab46e8bf06538fb672a183b8be3206b5d8b8f9 (patch)
tree: 3317fced74ce6eeff9a6f13f182f68872bf25982
parent: d195826983305a25c3f31ae5094be1e4740aa4b4 (diff)
download: meta-openembedded-ccab46e8bf06538fb672a183b8be3206b5d8b8f9.tar.gz
4 files changed, 110 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch
new file mode 100644
index 0000000000..112aaa2a07
--- /dev/null
+++ b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch
@@ -0,0 +1,31 @@
+From d474682bb30b93d04b7b01c2dd09832e483265ed Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Sun, 14 Nov 2021 08:54:58 +0000
+Subject: [PATCH] ntpd/ntp_sandbox.c: allow clone3 for glibc-2.34 in seccomp
+ filter
+Bug: https://bugs.gentoo.org/823692
+Fixes: https://gitlab.com/NTPsec/ntpsec/-/issues/713
+Signed-off-by: Sam James <sam@gentoo.org>
+Upstream-Status: Backport [https://gitlab.com/NTPsec/ntpsec/-/commit/d474682bb30b93d04b7b01c2dd09832e483265ed]
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+---
+ ntpd/ntp_sandbox.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
+index e66faaa8cbb0..3d6bccdfcf77 100644
+--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
+@@ -401,6 +401,7 @@ int scmp_sc[] = {
+  * rather than generate a trap.
+  */
+        SCMP_SYS(clone),        /* threads */
+       SCMP_SYS(clone3),
+        SCMP_SYS(kill),         /* generate signal */
+        SCMP_SYS(madvise),
+        SCMP_SYS(mprotect),
+-- 
+2.34.1
diff --git a/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch
new file mode 100644
index 0000000000..3bec2cea77
--- /dev/null
+++ b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch
@@ -0,0 +1,42 @@
+From a6c0847582305aaab122d54b635954829812922f Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Thu, 30 Dec 2021 09:32:26 +0000
+Subject: [PATCH 1/2] ntpd/ntp_sandbox.c: allow newfstatat on all archs for
+ glibc-2.34 in seccomp filter
+On Yocto Poky, newfstatat is used on (at least) arm64, x86_64 and
+riscv64:
+  2021-12-30T09:32:04 ntpd[341]: ERR: SIGSYS: got a trap.
+  2021-12-30T09:32:04 ntpd[341]: ERR: SIGSYS/seccomp bad syscall 262/0xc000003e
+Upstream-Status: Backport [https://gitlab.com/NTPsec/ntpsec/-/commit/a6c0847582305aaab122d54b635954829812922f]
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+---
+ ntpd/ntp_sandbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
+index 3d6bccdfcf77..1ae82a671344 100644
+--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
+@@ -349,6 +349,7 @@ int scmp_sc[] = {
+        SCMP_SYS(lseek),
+        SCMP_SYS(membarrier),   /* Needed on Alpine 3.11.3 */
+        SCMP_SYS(munmap),
+       SCMP_SYS(newfstatat),
+        SCMP_SYS(open),
+ #ifdef __NR_openat
+        SCMP_SYS(openat),       /* SUSE */
+@@ -452,7 +453,6 @@ int scmp_sc[] = {
+ #endif
+ #if defined(__aarch64__)
+        SCMP_SYS(faccessat),
+-       SCMP_SYS(newfstatat),
+        SCMP_SYS(renameat),
+        SCMP_SYS(linkat),
+        SCMP_SYS(unlinkat),
+-- 
+2.34.1
diff --git a/meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch b/meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch
new file mode 100644
index 0000000000..705a87bdfa
--- /dev/null
+++ b/meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch
@@ -0,0 +1,34 @@
+From 0f94870b84e68448f16b1304058bde4628dafde5 Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Thu, 30 Dec 2021 10:41:20 +0000
+Subject: [PATCH 2/2] ntpd/ntp_sandbox.c: match riscv to aarch in seccomp
+ filter
+On Yocto Poky, faccessat (et al) are also used on riscv64:
+  2018-03-09T12:35:32 ntpd[341]: ERR: SIGSYS: got a trap.
+  2018-03-09T12:35:32 ntpd[341]: ERR: SIGSYS/seccomp bad syscall 48/0xc00000f3
+Upstream-Status: Backport [https://gitlab.com/NTPsec/ntpsec/-/commit/0f94870b84e68448f16b1304058bde4628dafde5]
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+---
+ ntpd/ntp_sandbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
+index 1ae82a671344..4a14ae224dc6 100644
+--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
+@@ -451,7 +451,7 @@ int scmp_sc[] = {
+        /* gentoo 64-bit and 32-bit, Intel and Arm use mmap */
+        SCMP_SYS(mmap),
+ #endif
+-#if defined(__aarch64__)
+#if defined(__aarch64__) || defined(__riscv)
+        SCMP_SYS(faccessat),
+        SCMP_SYS(renameat),
+        SCMP_SYS(linkat),
+-- 
+2.34.1
diff --git a/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb b/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb
index 2551b6aab8..3efac7d983 100644
--- a/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb
+++ b/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb
@@ -13,6 +13,9 @@ DEPENDS += "bison-native \
 SRC_URI = "https://ftp.ntpsec.org/pub/releases/ntpsec-${PV}.tar.gz \
           file://0001-Update-to-OpenSSL-3.0.0-alpha15.patch \
+           file://0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch \
+           file://0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch \
+           file://0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch \
           file://volatiles.ntpsec"
 SRC_URI[sha256sum] = "f2684835116c80b8f21782a5959a805ba3c44e3a681dd6c17c7cb00cc242c27a"
author	Alex Kiernan <alex.kiernan@gmail.com>	2022-01-01 17:17:51 +0000
committer	Khem Raj <raj.khem@gmail.com>	2022-01-05 11:10:02 -0800
commit	ccab46e8bf06538fb672a183b8be3206b5d8b8f9 (patch)
tree	3317fced74ce6eeff9a6f13f182f68872bf25982
parent	d195826983305a25c3f31ae5094be1e4740aa4b4 (diff)
download	meta-openembedded-ccab46e8bf06538fb672a183b8be3206b5d8b8f9.tar.gz

diff --git a/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch new file mode 100644 index 0000000000..112aaa2a07 --- /dev/null +++ b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch
@@ -0,0 +1,31 @@
		1	From d474682bb30b93d04b7b01c2dd09832e483265ed Mon Sep 17 00:00:00 2001
		2	From: Sam James <sam@gentoo.org>
		3	Date: Sun, 14 Nov 2021 08:54:58 +0000
		4	Subject: [PATCH] ntpd/ntp_sandbox.c: allow clone3 for glibc-2.34 in seccomp
		5	filter
		6
		7	Bug: https://bugs.gentoo.org/823692
		8	Fixes: https://gitlab.com/NTPsec/ntpsec/-/issues/713
		9	Signed-off-by: Sam James <sam@gentoo.org>
		10	Upstream-Status: Backport [https://gitlab.com/NTPsec/ntpsec/-/commit/d474682bb30b93d04b7b01c2dd09832e483265ed]
		11	Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
		12	Signed-off-by: Alex Kiernan <alexk@zuma.ai>
		13	---
		14	ntpd/ntp_sandbox.c \| 1 +
		15	1 file changed, 1 insertion(+)
		16
		17	diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
		18	index e66faaa8cbb0..3d6bccdfcf77 100644
		19	--- a/ntpd/ntp_sandbox.c
		20	+++ b/ntpd/ntp_sandbox.c
		21	@@ -401,6 +401,7 @@ int scmp_sc[] = {
		22	* rather than generate a trap.
		23	*/
		24	SCMP_SYS(clone), /* threads */
		25	+ SCMP_SYS(clone3),
		26	SCMP_SYS(kill), /* generate signal */
		27	SCMP_SYS(madvise),
		28	SCMP_SYS(mprotect),
		29	--
		30	2.34.1
		31


diff --git a/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch new file mode 100644 index 0000000000..3bec2cea77 --- /dev/null +++ b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch
@@ -0,0 +1,42 @@
		1	From a6c0847582305aaab122d54b635954829812922f Mon Sep 17 00:00:00 2001
		2	From: Alex Kiernan <alexk@zuma.ai>
		3	Date: Thu, 30 Dec 2021 09:32:26 +0000
		4	Subject: [PATCH 1/2] ntpd/ntp_sandbox.c: allow newfstatat on all archs for
		5	glibc-2.34 in seccomp filter
		6
		7	On Yocto Poky, newfstatat is used on (at least) arm64, x86_64 and
		8	riscv64:
		9
		10	2021-12-30T09:32:04 ntpd[341]: ERR: SIGSYS: got a trap.
		11	2021-12-30T09:32:04 ntpd[341]: ERR: SIGSYS/seccomp bad syscall 262/0xc000003e
		12
		13	Upstream-Status: Backport [https://gitlab.com/NTPsec/ntpsec/-/commit/a6c0847582305aaab122d54b635954829812922f]
		14	Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
		15	Signed-off-by: Alex Kiernan <alexk@zuma.ai>
		16	---
		17	ntpd/ntp_sandbox.c \| 2 +-
		18	1 file changed, 1 insertion(+), 1 deletion(-)
		19
		20	diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
		21	index 3d6bccdfcf77..1ae82a671344 100644
		22	--- a/ntpd/ntp_sandbox.c
		23	+++ b/ntpd/ntp_sandbox.c
		24	@@ -349,6 +349,7 @@ int scmp_sc[] = {
		25	SCMP_SYS(lseek),
		26	SCMP_SYS(membarrier), /* Needed on Alpine 3.11.3 */
		27	SCMP_SYS(munmap),
		28	+ SCMP_SYS(newfstatat),
		29	SCMP_SYS(open),
		30	#ifdef __NR_openat
		31	SCMP_SYS(openat), /* SUSE */
		32	@@ -452,7 +453,6 @@ int scmp_sc[] = {
		33	#endif
		34	#if defined(__aarch64__)
		35	SCMP_SYS(faccessat),
		36	- SCMP_SYS(newfstatat),
		37	SCMP_SYS(renameat),
		38	SCMP_SYS(linkat),
		39	SCMP_SYS(unlinkat),
		40	--
		41	2.34.1
		42


diff --git a/meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch b/meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch new file mode 100644 index 0000000000..705a87bdfa --- /dev/null +++ b/meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch
@@ -0,0 +1,34 @@
		1	From 0f94870b84e68448f16b1304058bde4628dafde5 Mon Sep 17 00:00:00 2001
		2	From: Alex Kiernan <alexk@zuma.ai>
		3	Date: Thu, 30 Dec 2021 10:41:20 +0000
		4	Subject: [PATCH 2/2] ntpd/ntp_sandbox.c: match riscv to aarch in seccomp
		5	filter
		6
		7	On Yocto Poky, faccessat (et al) are also used on riscv64:
		8
		9	2018-03-09T12:35:32 ntpd[341]: ERR: SIGSYS: got a trap.
		10	2018-03-09T12:35:32 ntpd[341]: ERR: SIGSYS/seccomp bad syscall 48/0xc00000f3
		11
		12	Upstream-Status: Backport [https://gitlab.com/NTPsec/ntpsec/-/commit/0f94870b84e68448f16b1304058bde4628dafde5]
		13	Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
		14	Signed-off-by: Alex Kiernan <alexk@zuma.ai>
		15	---
		16	ntpd/ntp_sandbox.c \| 2 +-
		17	1 file changed, 1 insertion(+), 1 deletion(-)
		18
		19	diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
		20	index 1ae82a671344..4a14ae224dc6 100644
		21	--- a/ntpd/ntp_sandbox.c
		22	+++ b/ntpd/ntp_sandbox.c
		23	@@ -451,7 +451,7 @@ int scmp_sc[] = {
		24	/* gentoo 64-bit and 32-bit, Intel and Arm use mmap */
		25	SCMP_SYS(mmap),
		26	#endif
		27	-#if defined(__aarch64__)
		28	+#if defined(__aarch64__) \|\| defined(__riscv)
		29	SCMP_SYS(faccessat),
		30	SCMP_SYS(renameat),
		31	SCMP_SYS(linkat),
		32	--
		33	2.34.1
		34


diff --git a/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb b/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb index 2551b6aab8..3efac7d983 100644 --- a/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb +++ b/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb
@@ -13,6 +13,9 @@ DEPENDS += "bison-native \
13		13
14	SRC_URI = "https://ftp.ntpsec.org/pub/releases/ntpsec-${PV}.tar.gz \	14	SRC_URI = "https://ftp.ntpsec.org/pub/releases/ntpsec-${PV}.tar.gz \
15	file://0001-Update-to-OpenSSL-3.0.0-alpha15.patch \	15	file://0001-Update-to-OpenSSL-3.0.0-alpha15.patch \
		16	file://0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch \
		17	file://0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch \
		18	file://0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch \
16	file://volatiles.ntpsec"	19	file://volatiles.ntpsec"
17		20
18	SRC_URI[sha256sum] = "f2684835116c80b8f21782a5959a805ba3c44e3a681dd6c17c7cb00cc242c27a"	21	SRC_URI[sha256sum] = "f2684835116c80b8f21782a5959a805ba3c44e3a681dd6c17c7cb00cc242c27a"