Your message dated Sat, 29 Apr 2017 07:31:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#861435: unblock: chrony/3.0-4
has caused the Debian Bug report #861435,
regarding unblock: chrony/3.0-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
861435: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861435
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package chrony

Removal of “cached PID/TID in clone” from glibc 2.24-10 exposed a
regression in chrony when running it with the system call filter
enabled. That’s due to getpid(2) not being allowed in the seccomp
filter. Chrony 3.0-4 fixes this and thus closes #861258¹ (severity
important.)

unblock chrony/3.0-4

Cheers,
Vincent

¹https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861258

-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diffstat for chrony-3.0 chrony-3.0
changelog | 8 ++++++++
patches/allow_getpid_in_seccomp_filter.patch | 23 +++++++++++++++++++++++
patches/series | 1 +
3 files changed, 32 insertions(+)
diff -Nru chrony-3.0/debian/changelog chrony-3.0/debian/changelog
--- chrony-3.0/debian/changelog 2017-02-07 00:37:24.000000000 +0100
+++ chrony-3.0/debian/changelog 2017-04-26 17:39:44.000000000 +0200
@@ -1,3 +1,11 @@
+chrony (3.0-4) unstable; urgency=medium
+
+ * debian/patches/*:
+ - Backport commit 768bce799bfe to make chrony operable with the syscall
+ filtering feature enabled in level 1. (Closes: #861258)
+
+ -- Vincent Blut <[email protected]> Wed, 26 Apr 2017 17:39:44 +0200
+
chrony (3.0-3) unstable; urgency=medium
* debian/patches/*:
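Review bot: The new changelog entry, under debian/patches/*, names only the upstream commit (768bce799bfe) and not the patch file it adds or the syscall it allows. Consider wording it along the lines of "Add allow_getpid_in_seccomp_filter.patch: backport commit 768bce799bfe to allow getpid in the seccomp filter", so that someone reading the changelog alone can tell that the filter's allow list was widened and by which call.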
diff -Nru chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch
chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch
--- chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch
1970-01-01 01:00:00.000000000 +0100
+++ chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch
2017-04-26 17:39:44.000000000 +0200
@@ -0,0 +1,23 @@
+Description: Allow getpid in seccomp filter
+Author: Miroslav Lichvar <[email protected]>
+Origin:
https://git.tuxfamily.org/chrony/chrony.git/commit/?id=768bce799bfe009e7dbaad5742738f7d05280d6d
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861258
+Applied-Upstream: 3.1-10-g768bce7
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -465,9 +465,10 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ SCMP_SYS(adjtimex), SCMP_SYS(clock_gettime), SCMP_SYS(gettimeofday),
+ SCMP_SYS(settimeofday), SCMP_SYS(time),
+ /* Process */
+- SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group),
SCMP_SYS(getrlimit),
+- SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
+- SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn), SCMP_SYS(wait4),
++ SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid),
++ SCMP_SYS(getrlimit),SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),
++ SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn),
++ SCMP_SYS(wait4),
+ /* Memory */
+ SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),
+ SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
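Review bot: In the rewritten Process group of the seccomp allow list, the only functional change is the added SCMP_SYS(getpid), but the hunk reflows three lines into four and leaves "SCMP_SYS(getrlimit),SCMP_SYS(rt_sigaction)" without the space after the comma that every other entry has. For an allow list, a one-token insertion is easier to audit; if the reflow is kept because it matches the upstream commit exactly, say so in the Description. The DEP-3 header could also carry the origin keyword, as in "Origin: backport, <url>", since the changelog calls this a backport.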
diff -Nru chrony-3.0/debian/patches/series chrony-3.0/debian/patches/series
--- chrony-3.0/debian/patches/series 2017-02-06 20:03:25.000000000 +0100
+++ chrony-3.0/debian/patches/series 2017-04-26 17:39:44.000000000 +0200
@@ -1 +1,2 @@
+allow_getpid_in_seccomp_filter.patch
fix_time_smoothing_in_interleaved_mode.patch
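Review bot: The new entry in debian/patches/series goes in above fix_time_smoothing_in_interleaved_mode.patch rather than at the end, which changes the order in which the patches are applied; append it after the existing entry unless the ordering is deliberate and both patches were checked to apply cleanly this way round.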
--- End Message ---
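The failure mode described in the unblock request, shown as an added example that is not part of the original thread or of chrony's code: a raw seccomp-BPF allow list (no libseccomp) in which an unlisted getpid is refused. The function names, the two-entry list and the choice of EPERM as the filter action (so the parent can observe the result) are assumptions made for this demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list filter: listed syscalls pass, all others fail with EPERM.
 * Demo only: a production filter must also check seccomp_data.arch. */
static int install_filter(const int *allowed, unsigned char n)
{
    struct sock_filter prog[16];
    struct sock_fprog fprog = { .len = (unsigned short)(n + 3), .filter = prog };
    if (n > 13) return -1;
    prog[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                           offsetof(struct seccomp_data, nr));
    for (unsigned char i = 0; i < n; i++) /* on a match, jump to the ALLOW return */
        prog[1 + i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                  (unsigned)allowed[i], (unsigned char)(n - i), 0);
    prog[n + 1] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    prog[n + 2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Child applies the filter, then issues getpid as a raw syscall. Returns 0 on
 * success, the errno the call failed with, or -1 if the filter could not load. */
int getpid_under_filter(int allow_getpid)
{
    int allowed[2] = { SYS_exit_group, SYS_getpid }, status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter(allowed, allow_getpid ? 2 : 1) != 0) _exit(200);
        _exit(syscall(SYS_getpid) > 0 ? 0 : errno);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 200 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    printf("without getpid: %d, with getpid: %d\n", getpid_under_filter(0), getpid_under_filter(1));
    return 0;
}
```

The raw syscall stands in for what getpid() does once libc no longer serves the PID from a cache, which is why a filter that never listed getpid can start failing after a libc update alone.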
--- Begin Message ---
Vincent Blut:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package chrony
>
> Removal of “cached PID/TID in clone” from glibc 2.24-10 exposed a
> regression in chrony when running it with the system call filter
> enabled. That’s due to getpid(2) not being allowed in the seccomp
> filter. Chrony 3.0-4 fixes this and thus closes #861258¹ (severity
> important.)
>
> unblock chrony/3.0-4
>
> Cheers,
> Vincent
>
> ¹https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861258
>
> [...]
Unblocked, thanks.
~Niels
--- End Message ---