Bug#986705: marked as done (unblock: chrony/4.0-7)



Your message dated Sat, 10 Apr 2021 09:59:11 +0000
with message-id <E1lVAOV-0001Cz-20@respighi.debian.org>
and subject line unblock chrony
has caused the Debian Bug report #986705,
regarding unblock: chrony/4.0-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
986705: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986705
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

Please unblock package chrony

[ Reason ]
The IP_TOS socket option is currently missing in chronyd's seccomp filter
which prevents users from using the 'dscp' directive in the chronyd
configuration file while the seccomp filter is enabled. This directive allows
one to set the Differentiated Services Code Point to a specific value.

[ Impact ]
Since chronyd's seccomp filter is enabled by default in Debian, chronyd would be
killed right after being started when using the 'dscp' directive. Consequently,
to use this feature, users have to disable the seccomp filter.

[ Tests ]
Since the issue is easy to trigger, I manually tested the proposed fix while
ensuring that autopkgtest reports no regressions. Here are some steps to
reproduce the issue encountered by chrony 4.0-6:

# echo 'dscp 22' > /etc/chrony/conf.d/dscp.conf
# systemctl restart chrony.service
# systemctl is-active chrony.service
failed

With chrony 4.0-7, the last command reports chrony.service as active.

[ Risks ]
Harmless. We just allow the IP_TOS setsockopt() option in the seccomp filter.

[ Checklist ]
  [✓] all changes are documented in the d/changelog
  [✓] I reviewed all changes and I approve them
  [✓] attach debdiff against the package in testing

unblock chrony/4.0-7

Cheers,
Vincent


diff -Nru chrony-4.0/debian/changelog chrony-4.0/debian/changelog
--- chrony-4.0/debian/changelog	2021-02-21 21:59:22.000000000 +0100
+++ chrony-4.0/debian/changelog	2021-04-08 16:21:16.000000000 +0200
@@ -1,3 +1,11 @@
+chrony (4.0-7) unstable; urgency=medium
+
+  * debian/patches/:
+    - Add allow-IP_TOS-socket-option-in-seccomp-filter.patch to enable the use
+    of the 'dscp' directive.
+
+ -- Vincent Blut <vincent.debian@free.fr>  Thu, 08 Apr 2021 16:21:16 +0200
+
 chrony (4.0-6) unstable; urgency=medium
 
   * debian/tests/helper-functions:
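Review bot: the continuation line of the new bullet ("of the 'dscp' directive.") is indented four spaces, two short of the text after "- " on the line above, so it does not line up with the item it continues; indent it to six spaces. Since the entry cherry-picks a specific upstream commit (966e6fd939df724235a93e7a89dd7cf67178f99d in the added patch header), naming that commit in the changelog would let a reader see the provenance of the fix without opening the patch.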
diff -Nru chrony-4.0/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch chrony-4.0/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch
--- chrony-4.0/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch	1970-01-01 01:00:00.000000000 +0100
+++ chrony-4.0/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch	2021-04-08 16:21:16.000000000 +0200
@@ -0,0 +1,33 @@
+From 966e6fd939df724235a93e7a89dd7cf67178f99d Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <forst@forstwoof.ru>
+Date: Sun, 4 Apr 2021 15:12:17 +0200
+Subject: sys_linux: allow setsockopt(SOL_IP, IP_TOS) in seccomp
+
+This system call is required by the DSCP marking feature introduced in commit
+6a5665ca5877 ("conf: add dscp directive").
+
+Before this change, enabling seccomp filtering (chronyd -F 1) and specifying a
+custom DSCP value in the configuration (for example "dscp 46") caused the
+process to be killed by seccomp due to IP_TOS not being allowed by the filter.
+
+Tested before and after the change on Ubuntu 21.04, kernel 5.11.0-13-generic.
+IP_TOS is available since Linux 1.0, so I didn't add any ifdefs for it.
+
+Signed-off-by: Foster Snowhill <forst@forstwoof.ru>
+
+Bug: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2021/04/msg00000.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=966e6fd939df724235a93e7a89dd7cf67178f99d
+Last-Update: 2021-04-08
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int lev
+   };
+ 
+   const static int socket_options[][2] = {
+-    { SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND },
++    { SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND }, { SOL_IP, IP_TOS },
+ #ifdef FEAT_IPV6
+     { SOL_IPV6, IPV6_V6ONLY }, { SOL_IPV6, IPV6_RECVPKTINFO },
+ #endif
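Review bot: the added `{ SOL_IP, IP_TOS }` entry only widens the IPv4 part of the setsockopt allowlist; the `#ifdef FEAT_IPV6` block directly below still admits just `IPV6_V6ONLY` and `IPV6_RECVPKTINFO`, so if the dscp directive also marks IPv6 sockets (the patch description is silent on this), an IPv6 counterpart would need a matching entry or the same kill would recur on IPv6-only deployments; worth confirming against upstream before unblock. Otherwise the DEP-3 header is complete (Bug, Applied-Upstream, Last-Update) and the "harmless" risk assessment holds: the hunk adds one (level, optname) pair to the allowlist and does not touch the filter's kill action or any other option.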
diff -Nru chrony-4.0/debian/patches/series chrony-4.0/debian/patches/series
--- chrony-4.0/debian/patches/series	2021-02-21 21:59:22.000000000 +0100
+++ chrony-4.0/debian/patches/series	2021-04-08 16:21:16.000000000 +0200
@@ -1 +1,2 @@
+allow-IP_TOS-socket-option-in-seccomp-filter.patch
 nm-dispatcher-dhcp_Move-server_dir-to-run.patch

--- End Message ---
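The mechanism behind this bug, as an added example that is not part of the report or of chrony's code: a seccomp-bpf filter that allowlists setsockopt() by (level, optname) pair, run once with the 4.0-6 table (no IP_TOS) and once with the 4.0-7 table. Denied calls here return EPERM instead of killing the process so the outcome is observable; the entry table and the `dscp 22` value are taken from the report above, everything else is constructed.

```c
/* Added example, not chrony's code: a minimal seccomp-bpf allowlist for
 * setsockopt() keyed on {level, optname} pairs like chronyd's socket_options
 * table. Denied calls return EPERM here; chronyd's real filter kills the process. */
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <netinet/in.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#define LD(field)      ((struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field)))
#define JNE(val, skip) ((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (val), 0, (skip)))
#define RET(action)    ((struct sock_filter)BPF_STMT(BPF_RET | BPF_K, (action)))

/* Other syscalls -> ALLOW; setsockopt -> ALLOW only if (args[1], args[2]) matches an
 * entry, else ERRNO(EPERM). Low 32 bits of each arg (little-endian); production filters also check arch. */
static int install_setsockopt_filter(const int allow[][2], size_t n)
{
    struct sock_filter f[4 + 5 * n];
    size_t i = 0;
    f[i++] = LD(nr); f[i++] = JNE(__NR_setsockopt, 5 * n + 1);   /* -> final ALLOW */
    for (size_t k = 0; k < n; k++) {                               /* 5 insns/entry */
        f[i++] = LD(args[1]); f[i++] = JNE(allow[k][0], 3);
        f[i++] = LD(args[2]); f[i++] = JNE(allow[k][1], 1);
        f[i++] = RET(SECCOMP_RET_ALLOW);
    }
    f[i++] = RET(SECCOMP_RET_ERRNO | EPERM); f[i++] = RET(SECCOMP_RET_ALLOW);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &(struct sock_fprog){ .len = (unsigned short)i, .filter = f });
}

/* In a child (filters are irrevocable), install the 4.0-6 (2 entries) or 4.0-7 (3 entries)
 * list, then do what 'dscp 22' makes chronyd do: set IP_TOS = 22 << 2. Returns 0 or the errno. */
static int dscp_under_filter(int with_ip_tos)
{
    static const int allow[][2] = { { SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND }, { SOL_IP, IP_TOS } };
    int status, tos = 22 << 2; pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = socket(AF_INET, SOCK_DGRAM, 0);
        if (fd < 0 || install_setsockopt_filter(allow, with_ip_tos ? 3 : 2)) _exit(255);
        _exit(setsockopt(fd, SOL_IP, IP_TOS, &tos, sizeof tos) ? errno : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

With the two-entry table the call fails with EPERM (in chronyd, with SECCOMP_RET_KILL, this is the "failed" unit above); with IP_TOS added it succeeds.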
--- Begin Message ---
Unblocked.

--- End Message ---