chrony: Upgrade to 4.0

ChangeLog is here [1] Do not install /var/log as it conflicts with basefiles package Collected errors: * check_data_file_clashes: Package chrony wants to install file /var/log But that file is already provided by package * base-files Remove CVE patch since its upstream Forward port arm_eabi.patch patch Make builds reproducible [1] https://chrony.tuxfamily.org/news.html Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Khem Raj <raj.khem@gmail.com> 2020-11-23 22:47:43 -0800
committer: Khem Raj <raj.khem@gmail.com> 2020-11-23 22:51:38 -0800
commit: d9d871386087cdad9fd2197976bb00f21b1df081 (patch)
tree: aa2d3203ebc8c66d97df38abcc21a2adf8f34228
parent: 5cd29d53b349b566e2f05c46c5da56b382b95465 (diff)
download: meta-openembedded-d9d871386087cdad9fd2197976bb00f21b1df081.tar.gz
4 files changed, 51 insertions, 245 deletions
diff --git a/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch b/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch
deleted file mode 100644
index 79df1007e..000000000
--- a/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001
-From: Miroslav Lichvar <mlichvar@redhat.com>
-Date: Thu, 6 Aug 2020 09:31:11 +0200
-Subject: main: create new file when writing pidfile
-When writing the pidfile, open the file with the O_CREAT|O_EXCL flags
-to avoid following a symlink and writing the PID to an unexpected file,
-when chronyd still has the root privileges.
-The Linux open(2) man page warns about O_EXCL not working as expected on
-NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on
-a distributed filesystem like NFS is not generally expected, but if
-there is a reason to do that, these old kernel and NFS versions are not
-considered to be supported for saving files by chronyd.
-This is a minimal backport specific to this issue of the following
-commits:
- commit 2fc8edacb810 ("use PATH_MAX")
- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()")
- commit 7a4c396bba8f ("util: add functions for common file operations")
- commit e18903a6b563 ("switch to new util file functions")
-Reported-by: Matthias Gerstner <mgerstner@suse.de>
-Upstream-Status: Backport [https://git.tuxfamily.org/chrony/chrony.git/commit/?id=f00fed20092b6a42283f29c6ee1f58244d74b545]
-CVE: CVE-2020-14367
-Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
-diff --git a/logging.c b/logging.c
-index d2296e0..fd7f900 100644
--- a/logging.c
-+++ b/logging.c
-@@ -171,6 +171,7 @@ void LOG_Message(LOG_Severity severity,
-         system_log = 0;
-         log_message(1, severity, buf);
-       }
-+      exit(1);
-       break;
-     default:
-       assert(0);
-diff --git a/main.c b/main.c
-index 6ccf32e..8edb2e1 100644
--- a/main.c
-+++ b/main.c
-@@ -281,13 +281,9 @@ write_pidfile(void)
-   if (!pidfile[0])
-     return;
- 
-  out = fopen(pidfile, "w");
-  if (!out) {
-    LOG_FATAL("Could not open %s : %s", pidfile, strerror(errno));
-  } else {
-    fprintf(out, "%d\n", (int)getpid());
-    fclose(out);
-  }
-+  out = UTI_OpenFile(NULL, pidfile, NULL, 'W', 0644);
-+  fprintf(out, "%d\n", (int)getpid());
-+  fclose(out);
- }
- 
- /* ================================================== */
-diff --git a/sysincl.h b/sysincl.h
-index 296c5e6..873a3bd 100644
--- a/sysincl.h
-+++ b/sysincl.h
-@@ -37,6 +37,7 @@
- #include <glob.h>
- #include <grp.h>
- #include <inttypes.h>
-+#include <limits.h>
- #include <math.h>
- #include <netinet/in.h>
- #include <pwd.h>
-diff --git a/util.c b/util.c
-index e7e3442..83b3b20 100644
--- a/util.c
-+++ b/util.c
-@@ -1179,6 +1179,101 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid)
- 
- /* ================================================== */
- 
-+static int
-+join_path(const char *basedir, const char *name, const char *suffix,
-+          char *buffer, size_t length, LOG_Severity severity)
-+{
-+  const char *sep;
-+
-+  if (!basedir) {
-+    basedir = "";
-+    sep = "";
-+  } else {
-+    sep = "/";
-+  }
-+
-+  if (!suffix)
-+    suffix = "";
-+
-+  if (snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix) >= length) {
-+    LOG(severity, "File path %s%s%s%s too long", basedir, sep, name, suffix);
-+    return 0;
-+  }
-+
-+  return 1;
-+}
-+
-+/* ================================================== */
-+
-+FILE *
-+UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
-+             char mode, mode_t perm)
-+{
-+  const char *file_mode;
-+  char path[PATH_MAX];
-+  LOG_Severity severity;
-+  int fd, flags;
-+  FILE *file;
-+
-+  severity = mode >= 'A' && mode <= 'Z' ? LOGS_FATAL : LOGS_ERR;
-+
-+  if (!join_path(basedir, name, suffix, path, sizeof (path), severity))
-+    return NULL;
-+
-+  switch (mode) {
-+    case 'r':
-+    case 'R':
-+      flags = O_RDONLY;
-+      file_mode = "r";
-+      if (severity != LOGS_FATAL)
-+        severity = LOGS_DEBUG;
-+      break;
-+    case 'w':
-+    case 'W':
-+      flags = O_WRONLY | O_CREAT | O_EXCL;
-+      file_mode = "w";
-+      break;
-+    case 'a':
-+    case 'A':
-+      flags = O_WRONLY | O_CREAT | O_APPEND;
-+      file_mode = "a";
-+      break;
-+    default:
-+      assert(0);
-+      return NULL;
-+  }
-+
-+try_again:
-+  fd = open(path, flags, perm);
-+  if (fd < 0) {
-+    if (errno == EEXIST) {
-+      if (unlink(path) < 0) {
-+        LOG(severity, "Could not remove %s : %s", path, strerror(errno));
-+        return NULL;
-+      }
-+      DEBUG_LOG("Removed %s", path);
-+      goto try_again;
-+    }
-+    LOG(severity, "Could not open %s : %s", path, strerror(errno));
-+    return NULL;
-+  }
-+
-+  UTI_FdSetCloexec(fd);
-+
-+  file = fdopen(fd, file_mode);
-+  if (!file) {
-+    LOG(severity, "Could not open %s : %s", path, strerror(errno));
-+    close(fd);
-+    return NULL;
-+  }
-+
-+  DEBUG_LOG("Opened %s fd=%d mode=%c", path, fd, mode);
-+
-+  return file;
-+}
-+
-+/* ================================================== */
-+
- void
- UTI_DropRoot(uid_t uid, gid_t gid)
- {
-diff --git a/util.h b/util.h
-index e3d6767..a2481cc 100644
--- a/util.h
-+++ b/util.h
-@@ -176,6 +176,17 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid
-    permissions and its uid/gid must match the specified values. */
- extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid);
- 
-+/* Open a file.  The full path of the file is constructed from the basedir
-+   (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL).
-+   Created files have specified permissions (umasked).  Returns NULL on error.
-+   The following modes are supported (if the mode is an uppercase character,
-+   errors are fatal):
-+   r/R - open an existing file for reading
-+   w/W - open a new file for writing (remove existing file)
-+   a/A - open an existing file for appending (create if does not exist) */
-+extern FILE *UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
-+                          char mode, mode_t perm);
-+
- /* Set process user/group IDs and drop supplementary groups */
- extern void UTI_DropRoot(uid_t uid, gid_t gid);
- 
-- 
-cgit v0.10.2
diff --git a/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch b/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch
index 187898a6e..97b44dc7a 100644
--- a/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch
+++ b/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch
@@ -18,45 +18,60 @@ Subject: [PATCH] chrony: fix build failure for arma9
    Refresh patch for new upstream version.
    Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+    Refreshed for 4.0
+    Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
 sys_linux.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
-diff --git a/sys_linux.c b/sys_linux.c
-index 898dc7a..b268ad1 100644
 --- a/sys_linux.c
 +++ b/sys_linux.c
-@@ -479,14 +479,14 @@ SYS_Linux_EnableSystemCallFilter(int level)
+@@ -499,14 +499,12 @@ SYS_Linux_EnableSystemCallFilter(int lev
-   const int syscalls[] = {
+ #endif
-     /* Clock */
+     SCMP_SYS(gettimeofday),
-     SCMP_SYS(adjtimex), SCMP_SYS(clock_gettime), SCMP_SYS(gettimeofday),
+     SCMP_SYS(settimeofday),
-    SCMP_SYS(settimeofday), SCMP_SYS(time),
+-    SCMP_SYS(time),
-+    SCMP_SYS(settimeofday),
     /* Process */
-     SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid),
+     SCMP_SYS(clone),
-    SCMP_SYS(getrlimit), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),
+     SCMP_SYS(exit),
-+    SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),
+     SCMP_SYS(exit_group),
-     SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn),
+     SCMP_SYS(getpid),
-     SCMP_SYS(wait4), SCMP_SYS(waitpid),
+-    SCMP_SYS(getrlimit),
+     SCMP_SYS(getuid),
+     SCMP_SYS(rt_sigaction),
+     SCMP_SYS(rt_sigreturn),
+@@ -519,7 +517,6 @@ SYS_Linux_EnableSystemCallFilter(int lev
     /* Memory */
-    SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),
+     SCMP_SYS(brk),
-+    SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap2),
+     SCMP_SYS(madvise),
-     SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
+-    SCMP_SYS(mmap),
-     /* Filesystem */
+     SCMP_SYS(mmap2),
-     SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown),
+     SCMP_SYS(mprotect),
-@@ -499,14 +499,22 @@ SYS_Linux_EnableSystemCallFilter(int level)
+     SCMP_SYS(mremap),
-     SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt),
+@@ -573,8 +570,6 @@ SYS_Linux_EnableSystemCallFilter(int lev
-     SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
+     SCMP_SYS(sendmsg),
-     SCMP_SYS(send), SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto),
+     SCMP_SYS(sendto),
+     SCMP_SYS(shutdown),
 -    /* TODO: check socketcall arguments */
 -    SCMP_SYS(socketcall),
     /* General I/O */
-     SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(pipe),
+     SCMP_SYS(_newselect),
-     SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), SCMP_SYS(read),
+@@ -597,7 +592,6 @@ SYS_Linux_EnableSystemCallFilter(int lev
-    SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write),
+ #ifdef __NR_futex_time64
-+    SCMP_SYS(futex), SCMP_SYS(set_robust_list), SCMP_SYS(write),
+     SCMP_SYS(futex_time64),
-     /* Miscellaneous */
+ #endif
-     SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname),
+-    SCMP_SYS(select),
+     SCMP_SYS(set_robust_list),
+     SCMP_SYS(write),
+@@ -605,6 +599,15 @@ SYS_Linux_EnableSystemCallFilter(int lev
+     SCMP_SYS(getrandom),
+     SCMP_SYS(sysinfo),
+     SCMP_SYS(uname),
 +    /* not always available */
 +#if ! defined(__ARM_EABI__)
 +    SCMP_SYS(time),
@@ -66,10 +81,6 @@ index 898dc7a..b268ad1 100644
 +    /* TODO: check socketcall arguments */
 +    SCMP_SYS(socketcall),
 +#endif
-+
   };
- 
-   const int socket_domains[] = {
-- 
-2.17.1
+   const int socket_domains[] = {
diff --git a/meta-networking/recipes-support/chrony/chrony/chronyd b/meta-networking/recipes-support/chrony/chrony/chronyd
index 04f1b681c..8c7c167b3 100644
--- a/meta-networking/recipes-support/chrony/chrony/chronyd
+++ b/meta-networking/recipes-support/chrony/chrony/chronyd
@@ -15,7 +15,7 @@
 PATH=/sbin:/bin:/usr/bin:/usr/sbin
 DAEMON=/usr/sbin/chronyd
-PIDFILE=/var/run/chronyd.pid
+PIDFILE=/run/chrony/chronyd.pid
 test -x $DAEMON -a -r /etc/chrony.conf || exit 0
diff --git a/meta-networking/recipes-support/chrony/chrony_3.5.bb b/meta-networking/recipes-support/chrony/chrony_4.0.bb
index 182ce13cc..c8987013b 100644
--- a/meta-networking/recipes-support/chrony/chrony_3.5.bb
+++ b/meta-networking/recipes-support/chrony/chrony_4.0.bb
@@ -34,14 +34,12 @@ SRC_URI = "https://download.tuxfamily.org/chrony/chrony-${PV}.tar.gz \
    file://chrony.conf \
    file://chronyd \
    file://arm_eabi.patch \
-    file://CVE-2020-14367.patch \
 "
 SRC_URI_append_libc-musl = " \
    file://0001-Fix-compilation-with-musl.patch \
 "
-SRC_URI[md5sum] = "5f66338bc940a9b51eede8f391e7bed3"
+SRC_URI[sha256sum] = "be27ea14c55e7a4434b2fa51d53018c7051c42fa6a3198c9aa6a1658bae0c625"
-SRC_URI[sha256sum] = "4e02795b1260a4ec51e6ace84149036305cc9fc340e65edb9f8452aa611339b5"
 DEPENDS = "pps-tools"
@@ -82,6 +80,10 @@ DISABLE_STATIC = ""
 do_configure() {
    ./configure --sysconfdir=${sysconfdir} --bindir=${bindir} --sbindir=${sbindir} \
                --localstatedir=${localstatedir} --datarootdir=${datadir} \
+                --with-ntp-era=$(shell date -d '1970-01-01 00:00:00+00:00' +'%s') \
+                --with-pidfile=/run/chrony/chronyd.pid \
+                --chronyrundir=/run/chrony \
+                --host-system=Linux \
                ${PACKAGECONFIG_CONFARGS}
 }
@@ -107,9 +109,6 @@ do_install() {
    # Variable data (for drift and/or rtc file)
    install -d ${D}${localstatedir}/lib/chrony
-    # Log files
-    install -d ${D}${localstatedir}/log/chrony
    # Fix hard-coded paths in config files and init scripts
    sed -i -e 's!/var/!${localstatedir}/!g' -e 's!/etc/!${sysconfdir}/!g' \
           -e 's!/usr/sbin/!${sbindir}/!g' -e 's!/usr/bin/!${bindir}/!g' \
@@ -120,7 +119,7 @@ do_install() {
    sed -i 's!^EnvironmentFile=.*!EnvironmentFile=-${sysconfdir}/default/chronyd!' ${D}${systemd_unitdir}/system/chronyd.service
 }
-FILES_${PN} = "${sbindir}/chronyd ${sysconfdir} ${localstatedir}"
+FILES_${PN} = "${sbindir}/chronyd ${sysconfdir} ${localstatedir}/lib/chrony ${localstatedir}"
 CONFFILES_${PN} = "${sysconfdir}/chrony.conf"
 INITSCRIPT_NAME = "chronyd"
 INITSCRIPT_PARAMS = "defaults"
author	Khem Raj <raj.khem@gmail.com>	2020-11-23 22:47:43 -0800
committer	Khem Raj <raj.khem@gmail.com>	2020-11-23 22:51:38 -0800
commit	d9d871386087cdad9fd2197976bb00f21b1df081 (patch)
tree	aa2d3203ebc8c66d97df38abcc21a2adf8f34228
parent	5cd29d53b349b566e2f05c46c5da56b382b95465 (diff)
download	meta-openembedded-d9d871386087cdad9fd2197976bb00f21b1df081.tar.gz

diff --git a/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch b/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch deleted file mode 100644 index 79df1007e..000000000 --- a/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch +++ /dev/null
@@ -1,204 +0,0 @@
1	From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001
2	From: Miroslav Lichvar <mlichvar@redhat.com>
3	Date: Thu, 6 Aug 2020 09:31:11 +0200
4	Subject: main: create new file when writing pidfile
5
6	When writing the pidfile, open the file with the O_CREAT\|O_EXCL flags
7	to avoid following a symlink and writing the PID to an unexpected file,
8	when chronyd still has the root privileges.
9
10	The Linux open(2) man page warns about O_EXCL not working as expected on
11	NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on
12	a distributed filesystem like NFS is not generally expected, but if
13	there is a reason to do that, these old kernel and NFS versions are not
14	considered to be supported for saving files by chronyd.
15
16	This is a minimal backport specific to this issue of the following
17	commits:
18	- commit 2fc8edacb810 ("use PATH_MAX")
19	- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()")
20	- commit 7a4c396bba8f ("util: add functions for common file operations")
21	- commit e18903a6b563 ("switch to new util file functions")
22
23	Reported-by: Matthias Gerstner <mgerstner@suse.de>
24
25	Upstream-Status: Backport [https://git.tuxfamily.org/chrony/chrony.git/commit/?id=f00fed20092b6a42283f29c6ee1f58244d74b545]
26	CVE: CVE-2020-14367
27	Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
28
29	diff --git a/logging.c b/logging.c
30	index d2296e0..fd7f900 100644
31	--- a/logging.c
32	+++ b/logging.c
33	@@ -171,6 +171,7 @@ void LOG_Message(LOG_Severity severity,
34	system_log = 0;
35	log_message(1, severity, buf);
36	}
37	+ exit(1);
38	break;
39	default:
40	assert(0);
41	diff --git a/main.c b/main.c
42	index 6ccf32e..8edb2e1 100644
43	--- a/main.c
44	+++ b/main.c
45	@@ -281,13 +281,9 @@ write_pidfile(void)
46	if (!pidfile[0])
47	return;
48
49	- out = fopen(pidfile, "w");
50	- if (!out) {
51	- LOG_FATAL("Could not open %s : %s", pidfile, strerror(errno));
52	- } else {
53	- fprintf(out, "%d\n", (int)getpid());
54	- fclose(out);
55	- }
56	+ out = UTI_OpenFile(NULL, pidfile, NULL, 'W', 0644);
57	+ fprintf(out, "%d\n", (int)getpid());
58	+ fclose(out);
59	}
60
61	/* ================================================== */
62	diff --git a/sysincl.h b/sysincl.h
63	index 296c5e6..873a3bd 100644
64	--- a/sysincl.h
65	+++ b/sysincl.h
66	@@ -37,6 +37,7 @@
67	#include <glob.h>
68	#include <grp.h>
69	#include <inttypes.h>
70	+#include <limits.h>
71	#include <math.h>
72	#include <netinet/in.h>
73	#include <pwd.h>
74	diff --git a/util.c b/util.c
75	index e7e3442..83b3b20 100644
76	--- a/util.c
77	+++ b/util.c
78	@@ -1179,6 +1179,101 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid)
79
80	/* ================================================== */
81
82	+static int
83	+join_path(const char basedir, const char name, const char *suffix,
84	+ char *buffer, size_t length, LOG_Severity severity)
85	+{
86	+ const char *sep;
87	+
88	+ if (!basedir) {
89	+ basedir = "";
90	+ sep = "";
91	+ } else {
92	+ sep = "/";
93	+ }
94	+
95	+ if (!suffix)
96	+ suffix = "";
97	+
98	+ if (snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix) >= length) {
99	+ LOG(severity, "File path %s%s%s%s too long", basedir, sep, name, suffix);
100	+ return 0;
101	+ }
102	+
103	+ return 1;
104	+}
105	+
106	+/* ================================================== */
107	+
108	+FILE *
109	+UTI_OpenFile(const char basedir, const char name, const char *suffix,
110	+ char mode, mode_t perm)
111	+{
112	+ const char *file_mode;
113	+ char path[PATH_MAX];
114	+ LOG_Severity severity;
115	+ int fd, flags;
116	+ FILE *file;
117	+
118	+ severity = mode >= 'A' && mode <= 'Z' ? LOGS_FATAL : LOGS_ERR;
119	+
120	+ if (!join_path(basedir, name, suffix, path, sizeof (path), severity))
121	+ return NULL;
122	+
123	+ switch (mode) {
124	+ case 'r':
125	+ case 'R':
126	+ flags = O_RDONLY;
127	+ file_mode = "r";
128	+ if (severity != LOGS_FATAL)
129	+ severity = LOGS_DEBUG;
130	+ break;
131	+ case 'w':
132	+ case 'W':
133	+ flags = O_WRONLY \| O_CREAT \| O_EXCL;
134	+ file_mode = "w";
135	+ break;
136	+ case 'a':
137	+ case 'A':
138	+ flags = O_WRONLY \| O_CREAT \| O_APPEND;
139	+ file_mode = "a";
140	+ break;
141	+ default:
142	+ assert(0);
143	+ return NULL;
144	+ }
145	+
146	+try_again:
147	+ fd = open(path, flags, perm);
148	+ if (fd < 0) {
149	+ if (errno == EEXIST) {
150	+ if (unlink(path) < 0) {
151	+ LOG(severity, "Could not remove %s : %s", path, strerror(errno));
152	+ return NULL;
153	+ }
154	+ DEBUG_LOG("Removed %s", path);
155	+ goto try_again;
156	+ }
157	+ LOG(severity, "Could not open %s : %s", path, strerror(errno));
158	+ return NULL;
159	+ }
160	+
161	+ UTI_FdSetCloexec(fd);
162	+
163	+ file = fdopen(fd, file_mode);
164	+ if (!file) {
165	+ LOG(severity, "Could not open %s : %s", path, strerror(errno));
166	+ close(fd);
167	+ return NULL;
168	+ }
169	+
170	+ DEBUG_LOG("Opened %s fd=%d mode=%c", path, fd, mode);
171	+
172	+ return file;
173	+}
174	+
175	+/* ================================================== */
176	+
177	void
178	UTI_DropRoot(uid_t uid, gid_t gid)
179	{
180	diff --git a/util.h b/util.h
181	index e3d6767..a2481cc 100644
182	--- a/util.h
183	+++ b/util.h
184	@@ -176,6 +176,17 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid
185	permissions and its uid/gid must match the specified values. */
186	extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid);
187
188	+/* Open a file. The full path of the file is constructed from the basedir
189	+ (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL).
190	+ Created files have specified permissions (umasked). Returns NULL on error.
191	+ The following modes are supported (if the mode is an uppercase character,
192	+ errors are fatal):
193	+ r/R - open an existing file for reading
194	+ w/W - open a new file for writing (remove existing file)
195	+ a/A - open an existing file for appending (create if does not exist) */
196	+extern FILE UTI_OpenFile(const char basedir, const char name, const char suffix,
197	+ char mode, mode_t perm);
198	+
199	/* Set process user/group IDs and drop supplementary groups */
200	extern void UTI_DropRoot(uid_t uid, gid_t gid);
201
202	--
203	cgit v0.10.2
204


diff --git a/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch b/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch index 187898a6e..97b44dc7a 100644 --- a/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch +++ b/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch
@@ -18,45 +18,60 @@ Subject: [PATCH] chrony: fix build failure for arma9
18	Refresh patch for new upstream version.	18	Refresh patch for new upstream version.
19		19
20	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>	20	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
		21
		22	Refreshed for 4.0
		23
		24	Signed-off-by: Khem Raj <raj.khem@gmail.com>
21	---	25	---
22	sys_linux.c \| 20 ++++++++++++++------	26	sys_linux.c \| 20 ++++++++++++++------
23	1 file changed, 14 insertions(+), 6 deletions(-)	27	1 file changed, 14 insertions(+), 6 deletions(-)
24		28
25	diff --git a/sys_linux.c b/sys_linux.c
26	index 898dc7a..b268ad1 100644
27	--- a/sys_linux.c	29	--- a/sys_linux.c
28	+++ b/sys_linux.c	30	+++ b/sys_linux.c
29	@@ -479,14 +479,14 @@ SYS_Linux_EnableSystemCallFilter(int level)	31	@@ -499,14 +499,12 @@ SYS_Linux_EnableSystemCallFilter(int lev
30	const int syscalls[] = {	32	#endif
31	/* Clock */	33	SCMP_SYS(gettimeofday),
32	SCMP_SYS(adjtimex), SCMP_SYS(clock_gettime), SCMP_SYS(gettimeofday),	34	SCMP_SYS(settimeofday),
33	- SCMP_SYS(settimeofday), SCMP_SYS(time),	35	- SCMP_SYS(time),
34	+ SCMP_SYS(settimeofday),	36
35	/* Process */	37	/* Process */
36	SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid),	38	SCMP_SYS(clone),
37	- SCMP_SYS(getrlimit), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),	39	SCMP_SYS(exit),
38	+ SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),	40	SCMP_SYS(exit_group),
39	SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn),	41	SCMP_SYS(getpid),
40	SCMP_SYS(wait4), SCMP_SYS(waitpid),	42	- SCMP_SYS(getrlimit),
		43	SCMP_SYS(getuid),
		44	SCMP_SYS(rt_sigaction),
		45	SCMP_SYS(rt_sigreturn),
		46	@@ -519,7 +517,6 @@ SYS_Linux_EnableSystemCallFilter(int lev
41	/* Memory */	47	/* Memory */
42	- SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),	48	SCMP_SYS(brk),
43	+ SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap2),	49	SCMP_SYS(madvise),
44	SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),	50	- SCMP_SYS(mmap),
45	/* Filesystem */	51	SCMP_SYS(mmap2),
46	SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown),	52	SCMP_SYS(mprotect),
47	@@ -499,14 +499,22 @@ SYS_Linux_EnableSystemCallFilter(int level)	53	SCMP_SYS(mremap),
48	SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt),	54	@@ -573,8 +570,6 @@ SYS_Linux_EnableSystemCallFilter(int lev
49	SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),	55	SCMP_SYS(sendmsg),
50	SCMP_SYS(send), SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto),	56	SCMP_SYS(sendto),
		57	SCMP_SYS(shutdown),
51	- /* TODO: check socketcall arguments */	58	- /* TODO: check socketcall arguments */
52	- SCMP_SYS(socketcall),	59	- SCMP_SYS(socketcall),
		60
53	/* General I/O */	61	/* General I/O */
54	SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(pipe),	62	SCMP_SYS(_newselect),
55	SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), SCMP_SYS(read),	63	@@ -597,7 +592,6 @@ SYS_Linux_EnableSystemCallFilter(int lev
56	- SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write),	64	#ifdef __NR_futex_time64
57	+ SCMP_SYS(futex), SCMP_SYS(set_robust_list), SCMP_SYS(write),	65	SCMP_SYS(futex_time64),
58	/* Miscellaneous */	66	#endif
59	SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname),	67	- SCMP_SYS(select),
		68	SCMP_SYS(set_robust_list),
		69	SCMP_SYS(write),
		70
		71	@@ -605,6 +599,15 @@ SYS_Linux_EnableSystemCallFilter(int lev
		72	SCMP_SYS(getrandom),
		73	SCMP_SYS(sysinfo),
		74	SCMP_SYS(uname),
60	+ /* not always available */	75	+ /* not always available */
61	+#if ! defined(__ARM_EABI__)	76	+#if ! defined(__ARM_EABI__)
62	+ SCMP_SYS(time),	77	+ SCMP_SYS(time),
@@ -66,10 +81,6 @@ index 898dc7a..b268ad1 100644
66	+ /* TODO: check socketcall arguments */	81	+ /* TODO: check socketcall arguments */
67	+ SCMP_SYS(socketcall),	82	+ SCMP_SYS(socketcall),
68	+#endif	83	+#endif
69	+
70	};	84	};
71
72	const int socket_domains[] = {
73	--
74	2.17.1
75		85
		86	const int socket_domains[] = {


diff --git a/meta-networking/recipes-support/chrony/chrony/chronyd b/meta-networking/recipes-support/chrony/chrony/chronyd index 04f1b681c..8c7c167b3 100644 --- a/meta-networking/recipes-support/chrony/chrony/chronyd +++ b/meta-networking/recipes-support/chrony/chrony/chronyd
@@ -15,7 +15,7 @@
15	PATH=/sbin:/bin:/usr/bin:/usr/sbin	15	PATH=/sbin:/bin:/usr/bin:/usr/sbin
16		16
17	DAEMON=/usr/sbin/chronyd	17	DAEMON=/usr/sbin/chronyd
18	PIDFILE=/var/run/chronyd.pid	18	PIDFILE=/run/chrony/chronyd.pid
19		19
20	test -x $DAEMON -a -r /etc/chrony.conf \|\| exit 0	20	test -x $DAEMON -a -r /etc/chrony.conf \|\| exit 0
21		21


diff --git a/meta-networking/recipes-support/chrony/chrony_3.5.bb b/meta-networking/recipes-support/chrony/chrony_4.0.bb index 182ce13cc..c8987013b 100644 --- a/meta-networking/recipes-support/chrony/chrony_3.5.bb +++ b/meta-networking/recipes-support/chrony/chrony_4.0.bb
@@ -34,14 +34,12 @@ SRC_URI = "https://download.tuxfamily.org/chrony/chrony-${PV}.tar.gz \
34	file://chrony.conf \	34	file://chrony.conf \
35	file://chronyd \	35	file://chronyd \
36	file://arm_eabi.patch \	36	file://arm_eabi.patch \
37	file://CVE-2020-14367.patch \
38	"	37	"
39		38
40	SRC_URI_append_libc-musl = " \	39	SRC_URI_append_libc-musl = " \
41	file://0001-Fix-compilation-with-musl.patch \	40	file://0001-Fix-compilation-with-musl.patch \
42	"	41	"
43	SRC_URI[md5sum] = "5f66338bc940a9b51eede8f391e7bed3"	42	SRC_URI[sha256sum] = "be27ea14c55e7a4434b2fa51d53018c7051c42fa6a3198c9aa6a1658bae0c625"
44	SRC_URI[sha256sum] = "4e02795b1260a4ec51e6ace84149036305cc9fc340e65edb9f8452aa611339b5"
45		43
46	DEPENDS = "pps-tools"	44	DEPENDS = "pps-tools"
47		45
@@ -82,6 +80,10 @@ DISABLE_STATIC = ""
82	do_configure() {	80	do_configure() {
83	./configure --sysconfdir=${sysconfdir} --bindir=${bindir} --sbindir=${sbindir} \	81	./configure --sysconfdir=${sysconfdir} --bindir=${bindir} --sbindir=${sbindir} \
84	--localstatedir=${localstatedir} --datarootdir=${datadir} \	82	--localstatedir=${localstatedir} --datarootdir=${datadir} \
		83	--with-ntp-era=$(shell date -d '1970-01-01 00:00:00+00:00' +'%s') \
		84	--with-pidfile=/run/chrony/chronyd.pid \
		85	--chronyrundir=/run/chrony \
		86	--host-system=Linux \
85	${PACKAGECONFIG_CONFARGS}	87	${PACKAGECONFIG_CONFARGS}
86	}	88	}
87		89
@@ -107,9 +109,6 @@ do_install() {
107	# Variable data (for drift and/or rtc file)	109	# Variable data (for drift and/or rtc file)
108	install -d ${D}${localstatedir}/lib/chrony	110	install -d ${D}${localstatedir}/lib/chrony
109		111
110	# Log files
111	install -d ${D}${localstatedir}/log/chrony
112
113	# Fix hard-coded paths in config files and init scripts	112	# Fix hard-coded paths in config files and init scripts
114	sed -i -e 's!/var/!${localstatedir}/!g' -e 's!/etc/!${sysconfdir}/!g' \	113	sed -i -e 's!/var/!${localstatedir}/!g' -e 's!/etc/!${sysconfdir}/!g' \
115	-e 's!/usr/sbin/!${sbindir}/!g' -e 's!/usr/bin/!${bindir}/!g' \	114	-e 's!/usr/sbin/!${sbindir}/!g' -e 's!/usr/bin/!${bindir}/!g' \
@@ -120,7 +119,7 @@ do_install() {
120	sed -i 's!^EnvironmentFile=.*!EnvironmentFile=-${sysconfdir}/default/chronyd!' ${D}${systemd_unitdir}/system/chronyd.service	119	sed -i 's!^EnvironmentFile=.*!EnvironmentFile=-${sysconfdir}/default/chronyd!' ${D}${systemd_unitdir}/system/chronyd.service
121	}	120	}
122		121
123	FILES_${PN} = "${sbindir}/chronyd ${sysconfdir} ${localstatedir}"	122	FILES_${PN} = "${sbindir}/chronyd ${sysconfdir} ${localstatedir}/lib/chrony ${localstatedir}"
124	CONFFILES_${PN} = "${sysconfdir}/chrony.conf"	123	CONFFILES_${PN} = "${sysconfdir}/chrony.conf"
125	INITSCRIPT_NAME = "chronyd"	124	INITSCRIPT_NAME = "chronyd"
126	INITSCRIPT_PARAMS = "defaults"	125	INITSCRIPT_PARAMS = "defaults"