
Bug#861435: marked as done (unblock: chrony/3.0-4)



Your message dated Sat, 29 Apr 2017 07:31:00 +0000
with message-id <f538811d-c3db-8a8c-853b-c6f583316460@thykier.net>
and subject line Re: Bug#861435: unblock: chrony/3.0-4
has caused the Debian Bug report #861435,
regarding unblock: chrony/3.0-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
861435: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861435
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package chrony

Removal of “cached PID/TID in clone” from glibc 2.24-10 exposed a 
regression in chrony when running it with the system call filter 
enabled. That’s due to getpid(2) not being allowed in the seccomp 
filter. Chrony 3.0-4 fixes this and thus closes #861258¹ (severity 
important.)

unblock chrony/3.0-4

Cheers,
Vincent

¹https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861258

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diffstat for chrony-3.0 chrony-3.0

 changelog                                    |    8 ++++++++
 patches/allow_getpid_in_seccomp_filter.patch |   23 +++++++++++++++++++++++
 patches/series                               |    1 +
 3 files changed, 32 insertions(+)

diff -Nru chrony-3.0/debian/changelog chrony-3.0/debian/changelog
--- chrony-3.0/debian/changelog	2017-02-07 00:37:24.000000000 +0100
+++ chrony-3.0/debian/changelog	2017-04-26 17:39:44.000000000 +0200
@@ -1,3 +1,11 @@
+chrony (3.0-4) unstable; urgency=medium
+
+  * debian/patches/*:
+    - Backport commit 768bce799bfe to make chrony operable with the syscall
+    filtering feature enabled in level 1. (Closes: #861258)
+
+ -- Vincent Blut <vincent.debian@free.fr>  Wed, 26 Apr 2017 17:39:44 +0200
+
 chrony (3.0-3) unstable; urgency=medium
 
   * debian/patches/*:
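Review bot: The new 3.0-4 entry names the backported commit 768bce799bfe but not what it changes; state that getpid is added to the seccomp filter so the entry can be read without looking up the commit. The continuation line "filtering feature enabled in level 1." is aligned with the dash rather than indented under the item text.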
diff -Nru chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch
--- chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch	1970-01-01 01:00:00.000000000 +0100
+++ chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch	2017-04-26 17:39:44.000000000 +0200
@@ -0,0 +1,23 @@
+Description: Allow getpid in seccomp filter
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Origin: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=768bce799bfe009e7dbaad5742738f7d05280d6d
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861258
+Applied-Upstream: 3.1-10-g768bce7
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -465,9 +465,10 @@ SYS_Linux_EnableSystemCallFilter(int lev
+     SCMP_SYS(adjtimex), SCMP_SYS(clock_gettime), SCMP_SYS(gettimeofday),
+     SCMP_SYS(settimeofday), SCMP_SYS(time),
+     /* Process */
+-    SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getrlimit),
+-    SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
+-    SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn), SCMP_SYS(wait4),
++    SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid),
++    SCMP_SYS(getrlimit),SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),
++    SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn),
++    SCMP_SYS(wait4),
+     /* Memory */
+     SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),
+     SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
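Review bot: In the /* Process */ group only getpid is added, while the unblock request attributes the regression to glibc dropping its cached PID/TID; please confirm that gettid is not also reached with the filter enabled, since it would fail the same way. The added line "SCMP_SYS(getrlimit),SCMP_SYS(rt_sigaction)" also lacks the space after the comma used in the rest of the list, which is worth keeping only if the aim is a byte-identical backport of 768bce7.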
diff -Nru chrony-3.0/debian/patches/series chrony-3.0/debian/patches/series
--- chrony-3.0/debian/patches/series	2017-02-06 20:03:25.000000000 +0100
+++ chrony-3.0/debian/patches/series	2017-04-26 17:39:44.000000000 +0200
@@ -1 +1,2 @@
+allow_getpid_in_seccomp_filter.patch
 fix_time_smoothing_in_interleaved_mode.patch
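Review bot: allow_getpid_in_seccomp_filter.patch is inserted above fix_time_smoothing_in_interleaved_mode.patch in series, so it is applied first. Appending it after the existing entry would keep the patches in the order they were introduced and avoid a refresh of the older patch if both ever touch the same file.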

--- End Message ---
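The failure mode described in the request above, as an added example (not code from chrony or from this thread): a child process installs a seccomp allowlist with and without a getpid entry and then issues the system call. It uses raw seccomp-BPF through prctl(2) instead of the libseccomp calls chrony uses, returns EPERM for unlisted calls so the outcome can be read from an exit code, and the function name `getpid_under_filter` is hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Issue getpid in a forked child confined by a seccomp allowlist.
 * Returns 0 if the call succeeded, 1 if the filter refused it (EPERM),
 * 2 for any other error, 3 if the filter could not be set up. */
int getpid_under_filter(int allow_getpid)
{
    /* Second allowlist slot: getpid, or a repeat of exit_group (no effect). */
    int extra = allow_getpid ? SYS_getpid : SYS_exit_group;
    /* Anything not listed returns EPERM so the result shows up as an exit
     * code. A production filter also validates seccomp_data.arch first. */
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, extra, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { sizeof(prog) / sizeof(prog[0]), prog };
    int status;
    pid_t child = fork();

    if (child < 0)
        return 3;
    if (child == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog))
            _exit(3);
        /* Raw syscall: what getpid() becomes once glibc stops caching. */
        if (syscall(SYS_getpid) > 0)
            _exit(0);
        _exit(errno == EPERM ? 1 : 2);
    }
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status))
        return 3;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Exit 0 when getpid is refused without the entry and allowed with it. */
    return !(getpid_under_filter(0) == 1 && getpid_under_filter(1) == 0);
}
```

Running the same check against a daemon's real allowlist after a libc upgrade catches this class of regression before the filter is enabled in production.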
--- Begin Message ---
Vincent Blut:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package chrony
> 
> Removal of “cached PID/TID in clone” from glibc 2.24-10 exposed a 
> regression in chrony when running it with the system call filter 
> enabled. That’s due to getpid(2) not being allowed in the seccomp 
> filter. Chrony 3.0-4 fixes this and thus closes #861258¹ (severity 
> important.)
> 
> unblock chrony/3.0-4
> 
> Cheers,
> Vincent
> 
> ¹https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861258
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
