ntpsec: Add glibc-2.34/kernel-5.14 seccomp fixes

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> Signed-off-by: Alex Kiernan <alexk@zuma.ai> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-16 07:15:43 +01:00 · 2022-01-01 17:17:51 +00:00 · 2022-01-01 17:17:51 +00:00 · ccab46e8bf
commit ccab46e8bf
parent d195826983
4 changed files with 110 additions and 0 deletions
--- a/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch
+++ b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch
@ -0,0 +1,31 @@
+From d474682bb30b93d04b7b01c2dd09832e483265ed Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Sun, 14 Nov 2021 08:54:58 +0000
+Subject: [PATCH] ntpd/ntp_sandbox.c: allow clone3 for glibc-2.34 in seccomp
+ filter
+
+Bug: https://bugs.gentoo.org/823692
+Fixes: https://gitlab.com/NTPsec/ntpsec/-/issues/713
+Signed-off-by: Sam James <sam@gentoo.org>
+Upstream-Status: Backport [https://gitlab.com/NTPsec/ntpsec/-/commit/d474682bb30b93d04b7b01c2dd09832e483265ed]
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+---
+ ntpd/ntp_sandbox.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
+index e66faaa8cbb0..3d6bccdfcf77 100644
+--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
+@@ -401,6 +401,7 @@ int scmp_sc[] = {
+  * rather than generate a trap.
+  */
+ 	SCMP_SYS(clone),	/* threads */
+	SCMP_SYS(clone3),
+ 	SCMP_SYS(kill),		/* generate signal */
+ 	SCMP_SYS(madvise),
+ 	SCMP_SYS(mprotect),
+-- 
+2.34.1
+
--- a/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch
+++ b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch
@ -0,0 +1,42 @@
+From a6c0847582305aaab122d54b635954829812922f Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Thu, 30 Dec 2021 09:32:26 +0000
+Subject: [PATCH 1/2] ntpd/ntp_sandbox.c: allow newfstatat on all archs for
+ glibc-2.34 in seccomp filter
+
+On Yocto Poky, newfstatat is used on (at least) arm64, x86_64 and
+riscv64:
+
+  2021-12-30T09:32:04 ntpd[341]: ERR: SIGSYS: got a trap.
+  2021-12-30T09:32:04 ntpd[341]: ERR: SIGSYS/seccomp bad syscall 262/0xc000003e
+
+Upstream-Status: Backport [https://gitlab.com/NTPsec/ntpsec/-/commit/a6c0847582305aaab122d54b635954829812922f]
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+---
+ ntpd/ntp_sandbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
+index 3d6bccdfcf77..1ae82a671344 100644
+--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
+@@ -349,6 +349,7 @@ int scmp_sc[] = {
+ 	SCMP_SYS(lseek),
+ 	SCMP_SYS(membarrier),	/* Needed on Alpine 3.11.3 */
+ 	SCMP_SYS(munmap),
+	SCMP_SYS(newfstatat),
+ 	SCMP_SYS(open),
+ #ifdef __NR_openat
+ 	SCMP_SYS(openat),	/* SUSE */
+@@ -452,7 +453,6 @@ int scmp_sc[] = {
+ #endif
+ #if defined(__aarch64__)
+ 	SCMP_SYS(faccessat),
+-	SCMP_SYS(newfstatat),
+ 	SCMP_SYS(renameat),
+ 	SCMP_SYS(linkat),
+ 	SCMP_SYS(unlinkat),
+-- 
+2.34.1
+
--- a/meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch
+++ b/meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch
@ -0,0 +1,34 @@
+From 0f94870b84e68448f16b1304058bde4628dafde5 Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Thu, 30 Dec 2021 10:41:20 +0000
+Subject: [PATCH 2/2] ntpd/ntp_sandbox.c: match riscv to aarch in seccomp
+ filter
+
+On Yocto Poky, faccessat (et al) are also used on riscv64:
+
+  2018-03-09T12:35:32 ntpd[341]: ERR: SIGSYS: got a trap.
+  2018-03-09T12:35:32 ntpd[341]: ERR: SIGSYS/seccomp bad syscall 48/0xc00000f3
+
+Upstream-Status: Backport [https://gitlab.com/NTPsec/ntpsec/-/commit/0f94870b84e68448f16b1304058bde4628dafde5]
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+---
+ ntpd/ntp_sandbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
+index 1ae82a671344..4a14ae224dc6 100644
+--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
+@@ -451,7 +451,7 @@ int scmp_sc[] = {
+ 	/* gentoo 64-bit and 32-bit, Intel and Arm use mmap */
+ 	SCMP_SYS(mmap),
+ #endif
+-#if defined(__aarch64__)
+#if defined(__aarch64__) || defined(__riscv)
+ 	SCMP_SYS(faccessat),
+ 	SCMP_SYS(renameat),
+ 	SCMP_SYS(linkat),
+-- 
+2.34.1
+
--- a/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb
+++ b/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb
@ -13,6 +13,9 @@ DEPENDS += "bison-native \

 SRC_URI = "https://ftp.ntpsec.org/pub/releases/ntpsec-${PV}.tar.gz \
           file://0001-Update-to-OpenSSL-3.0.0-alpha15.patch \
+           file://0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch \
+           file://0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch \
+           file://0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch \
           file://volatiles.ntpsec"

 SRC_URI[sha256sum] = "f2684835116c80b8f21782a5959a805ba3c44e3a681dd6c17c7cb00cc242c27a"