Bug#997597: bullseye-pu: package chrony/4.0-8+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
[ Reason ]
chrony 4.0 allows binding the NTP, NTS-KE, client and UDP command sockets
to a specific network device using the 'binddevice', 'bindacqdevice' and
'bindcmddevice' directives.
In Bullseye, using these directives with a network interface name longer
than 3 characters (e.g. binddevice eth0) will cause chronyd to crash because
of the way the system call filter handles the SO_BINDTODEVICE socket option.
[ Impact ]
To bind sockets to a network interface with a "long" name, users have to
disable chronyd's system call filter which is certainly not ideal.
[ Tests ]
I manually tested each of the aforementioned directives with a network
interface name longer than 3 characters. I also made sure that autopkgtests
still run fine.
[ Risks ]
The fix is trivial and well tested.
[ Checklist ]
[ ] *all* changes are documented in the d/changelog
[✓] I reviewed all changes and I approve them
[✓] attach debdiff against the package in (old)stable
[✓] the issue is verified as fixed in unstable
[ Changes ]
In addition to the patch fixing the issue with the system call filter, I also
made a few anecdotal but practical changes that I considered unnecessary to
mention for a revision targeting stable:
- pointing Vcs-Git to the 'debian/bullseye' branch
- running the Salsa CI pipeline on Bullseye
Cheers,
Vincent
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSRJQjHKbAUfuoc+DAQn1qAt/bgAQUCYXR7MQAKCRAQn1qAt/bg
AVlbAP9ZaHpjsgLA3HNcLPsWJXhMm/SUcU3DgEpdM9nMiJjDJgEAxYspGEhLBnGK
4n5lB38HAKdWm6aY1/VHGAcLZ0X9tQM=
=K28n
-----END PGP SIGNATURE-----
diff -Nru chrony-4.0/debian/changelog chrony-4.0/debian/changelog
--- chrony-4.0/debian/changelog 2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/changelog 2021-10-19 22:02:40.000000000 +0200
@@ -1,3 +1,12 @@
+chrony (4.0-8+deb11u1) bullseye; urgency=medium
+
+ * debian/patches/:
+ - Add fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch to be able
+ to bind a socket to a network device with a name longer than 3 characters
+ when the system call filter is enabled. (Closes: #995207)
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 19 Oct 2021 22:02:40 +0200
+
chrony (4.0-8) unstable; urgency=medium
* debian/patches/:
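Review bot: the entry records only the new patch, while the same debdiff also switches Vcs-Git in debian/control to the debian/bullseye branch and adds a RELEASE variable to debian/.gitlab-ci.yml; that mismatch is presumably why the first checklist item ("*all* changes are documented in the d/changelog") is left unticked. Since the pu checklist asks for every change to be documented, add two short lines, e.g. `* debian/control: Point Vcs-Git to the debian/bullseye branch.` and `* debian/.gitlab-ci.yml: Run the Salsa CI pipeline on bullseye.`, so the release team does not have to reconstruct the intent from the diff.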
diff -Nru chrony-4.0/debian/control chrony-4.0/debian/control
--- chrony-4.0/debian/control 2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/control 2021-10-19 22:02:40.000000000 +0200
@@ -18,7 +18,7 @@
pps-tools (>= 0.20120406+g0deb9c7e-2) [linux-any],
procps <!nocheck>
Homepage: https://chrony.tuxfamily.org
-Vcs-Git: https://salsa.debian.org/debian/chrony.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/debian/chrony.git -b debian/bullseye
Vcs-Browser: https://salsa.debian.org/debian/chrony
Rules-Requires-Root: no
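Review bot: metadata-only change with no effect on the built packages, fine for a stable update. Vcs-Browser still points at the repository root, which is the common convention, but for consistency with the branch-specific Vcs-Git it could point at the branch view, `https://salsa.debian.org/debian/chrony/-/tree/debian/bullseye`, so reviewers land on the bullseye packaging directly.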
diff -Nru chrony-4.0/debian/.gitlab-ci.yml chrony-4.0/debian/.gitlab-ci.yml
--- chrony-4.0/debian/.gitlab-ci.yml 2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/.gitlab-ci.yml 2021-10-19 22:02:40.000000000 +0200
@@ -9,3 +9,6 @@
only:
variables:
- $SEE_YOU_SOON_REPROTEST
+
+variables:
+ RELEASE: 'bullseye'
diff -Nru chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
--- chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch 1970-01-01 01:00:00.000000000 +0100
+++ chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch 2021-10-19 22:02:40.000000000 +0200
@@ -0,0 +1,33 @@
+From 29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Wed, 6 Oct 2021 10:02:34 +0200
+Subject: sys_linux: fix seccomp filter for BINDTODEVICE option
+
+The BINDTODEVICE socket option is the first option in the seccomp filter
+setting a string instead of int. Remove the length check from the
+setsockopt rules to allow a device name longer than 3 characters.
+
+This was reported in Debian bug #995207.
+
+Fixes: b9f5ce83b02e ("sys_linux: allow BINDTODEVICE option in seccomp filter")
+
+Origin: upstream, https://git.tuxfamily.org/chrony/chrony.git/commit/?id=29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995207
+
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -694,10 +694,9 @@ SYS_Linux_EnableSystemCallFilter(int lev
+
+ /* Allow selected socket options */
+ for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) {
+- if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3,
++ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
+ SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
+- SCMP_A2(SCMP_CMP_EQ, socket_options[i][1]),
+- SCMP_A4(SCMP_CMP_LE, sizeof (int))) < 0)
++ SCMP_A2(SCMP_CMP_EQ, socket_options[i][1])))
+ goto add_failed;
+ }
+
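Review bot: dropping `SCMP_A4(SCMP_CMP_LE, sizeof (int))` widens the rule for every entry of `socket_options`, not only SO_BINDTODEVICE, so the filter no longer bounds `optlen` for the int-valued options either. That is exactly what upstream commit 29d7d3176d9d does (see the Origin header and the `Fixes:` trailer pointing at b9f5ce83b02e, the commit that first allowed BINDTODEVICE), so cherry-picking it unchanged is the right call for stable; if a tighter filter were wanted later, the string-valued option could get its own rule without the length comparison while the int options keep theirs, but that would be a deviation from upstream and does not belong in this update. DEP-3 headers (Origin, Bug-Debian) are present and the `Index:`/`chrony.orig/` paths show the patch was refreshed with quilt, so it should apply cleanly on 4.0.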
diff -Nru chrony-4.0/debian/patches/series chrony-4.0/debian/patches/series
--- chrony-4.0/debian/patches/series 2021-05-13 16:51:41.000000000 +0200
+++ chrony-4.0/debian/patches/series 2021-10-19 22:02:40.000000000 +0200
@@ -2,3 +2,4 @@
nm-dispatcher-dhcp_Move-server_dir-to-run.patch
allow-BINDTODEVICE-option-in-seccomp-filter.patch
allow-getuid32-in-seccomp-filter.patch
+fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
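Review bot: ordering is correct: the new patch is appended after allow-BINDTODEVICE-option-in-seccomp-filter.patch, whose rule it amends (per the `Fixes:` trailer in the patch header), so quilt applies the original rule before the correction and the series stays bisectable.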