- boo#1190926: PrivateDevices is too strict, we might need to
  access the rtc and ptp devices.
- Add back support to build chrony on SLE12.
- Drop dependency on asciidoctor. It is only needed for building
  the HTML documentation which we don't package anyway.

OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=105
Reinhard Max 2021-10-08 16:29:48 +00:00 committed by Git OBS Bridge
parent a94c383238
commit 902146d99c
3 changed files with 61 additions and 15 deletions


@ -1,3 +1,12 @@
-------------------------------------------------------------------
Fri Oct 8 14:52:41 UTC 2021 - Reinhard Max <max@suse.com>
- boo#1190926: PrivateDevices is too strict, we might need to
access the rtc and ptp devices.
- Add back support to build chrony on SLE12.
- Drop dependency on asciidoctor. It is only needed for building
the HTML documentation which we don't package anyway.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Aug 30 13:50:07 UTC 2021 - Johannes Segitz <jsegitz@suse.com> Mon Aug 30 13:50:07 UTC 2021 - Johannes Segitz <jsegitz@suse.com>


@ -16,10 +16,20 @@
# #
%if 0%{?suse_version} < 1500
# As of 2021 we still need to be able to build this on SLE12
%bcond_with pools
%bcond_with sysusers
%bcond_with pps
%else
%bcond_without pools
%bcond_without sysusers
%bcond_without pps
%endif
%bcond_without testsuite %bcond_without testsuite
%define _systemdutildir %(pkg-config --variable systemdutildir systemd) %define _systemdutildir %(pkg-config --variable systemdutildir systemd)
#global clknetsim_ver 79ffe44
%global clknetsim_ver f89702d %global clknetsim_ver f89702d
#Compat macro for new _fillupdir macro introduced in Nov 2017 #Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir} %if ! %{defined _fillupdir}
@ -59,23 +69,31 @@ Patch5: harden_chrony-wait.service.patch
Patch6: harden_chronyd.service.patch Patch6: harden_chronyd.service.patch
BuildRequires: NetworkManager-devel BuildRequires: NetworkManager-devel
BuildRequires: bison BuildRequires: bison
BuildRequires: findutils
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gnutls-devel BuildRequires: gnutls-devel
BuildRequires: libcap-devel BuildRequires: libcap-devel
BuildRequires: libedit-devel BuildRequires: libedit-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
%if %{with pps}
BuildRequires: pps-tools-devel BuildRequires: pps-tools-devel
%endif
# The timezone package is needed for the "make check" tests. It can be # The timezone package is needed for the "make check" tests. It can be
# removed if the call to make check is ever deleted. # removed if the call to make check is ever deleted.
BuildRequires: sysuser-tools BuildRequires: sysuser-tools
BuildRequires: timezone BuildRequires: timezone
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
BuildRequires: rubygem(asciidoctor)
Recommends: logrotate Recommends: logrotate
Requires(post): %fillup_prereq Requires(post): %fillup_prereq
%if %{with sysusers}
%sysusers_requires %sysusers_requires
%else
Requires(pre): %{_sbindir}/useradd
%endif
%if %{with pools}
Requires: %name-pool Requires: %name-pool
Recommends: %name-pool-nonempty Recommends: %name-pool-nonempty
%endif
Provides: ntp-daemon Provides: ntp-daemon
%ifarch s390 s390x ppc64le %ifarch s390 s390x ppc64le
BuildRequires: libseccomp-devel >= 2.2.0 BuildRequires: libseccomp-devel >= 2.2.0
@ -105,6 +123,7 @@ performance and configuring various settings. It can do so while
running on the same computer as the chronyd instance it is controlling running on the same computer as the chronyd instance it is controlling
or a different computer. or a different computer.
%if %{with pools}
%package pool-suse %package pool-suse
Summary: Chrony preconfiguration for SUSE Summary: Chrony preconfiguration for SUSE
Group: Productivity/Networking/Other Group: Productivity/Networking/Other
@ -149,16 +168,17 @@ This package provides an empty /etc/chrony.d/pool.conf file for
situations when having servers preconfigured in chrony is undesirable, situations when having servers preconfigured in chrony is undesirable,
e.g. because the servers will be set via DHCP. e.g. because the servers will be set via DHCP.
%endif
%prep %prep
%setup -q -a 10 %setup -q -a 10
sed -e 's-@CHRONY_HELPER@-%{chrony_helper}-g' -i %{PATCH1} %{SOURCE3} %{SOURCE5}
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 %patch3
%patch4 %patch4
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6
# Remove pool statements from the default /etc/chrony.conf. They will # Remove pool statements from the default /etc/chrony.conf. They will
# be provided by branding packages in /etc/chrony.d/pool.conf . # be provided by branding packages in /etc/chrony.d/pool.conf .
@ -190,8 +210,16 @@ export LDFLAGS="-pie -Wl,-z,relro,-z,now"
--with-hwclockfile=%{_sysconfdir}/adjtime \ --with-hwclockfile=%{_sysconfdir}/adjtime \
--with-sendmail=%{_sbindir}/sendmail \ --with-sendmail=%{_sbindir}/sendmail \
--enable-ntp-signd --enable-ntp-signd
make %{?_smp_mflags} all docs make %{?_smp_mflags} all
%if %{with sysusers}
%sysusers_generate_pre %{SOURCE14} chrony system-user-chrony.conf %sysusers_generate_pre %{SOURCE14} chrony system-user-chrony.conf
%else
cat > chrony.pre <<EOF
%{_sbindir}/groupadd -r chrony >/dev/null 2>&1 || :
%{_sbindir}/useradd -g chrony -s /bin/false -r -c "Chrony Daemon" \
-d "%{_localstatedir}/lib/chrony" chrony >/dev/null 2>&1 || :
EOF
%endif
%install %install
%make_install %make_install
@ -232,13 +260,17 @@ install -Dpm 755 %{SOURCE4} %{buildroot}%{chrony_helper}
install -d %{buildroot}%{_localstatedir}/log/chrony install -d %{buildroot}%{_localstatedir}/log/chrony
touch %{buildroot}%{_localstatedir}/lib/chrony/{drift,rtc} touch %{buildroot}%{_localstatedir}/lib/chrony/{drift,rtc}
%if %{with pools}
# Install the NTP pool files # Install the NTP pool files
install -Dpm 644 %{SOURCE12} %{SOURCE13} %{buildroot}/etc/chrony.d install -Dpm 644 %{SOURCE12} %{SOURCE13} %{buildroot}/etc/chrony.d
touch %{buildroot}/etc/chrony.d/pool.conf.empty echo '# Add ntp pools here' > %{buildroot}/etc/chrony.d/pool.conf.empty
%endif
mkdir -p %{buildroot}%{_sysusersdir} mkdir -p %{buildroot}%{_sysusersdir}
install -m 0644 %{SOURCE14} %{buildroot}%{_sysusersdir}/ install -m 0644 %{SOURCE14} %{buildroot}%{_sysusersdir}/
find %{buildroot} -type f | xargs sed -i 's-@CHRONY_HELPER@-%{chrony_helper}-g'
%if %{with testsuite} %if %{with testsuite}
%ifnarch %ix86 %ifnarch %ix86
%check %check
@ -265,7 +297,12 @@ make %{?_smp_mflags} check
%service_del_postun chronyd.service chrony-wait.service %service_del_postun chronyd.service chrony-wait.service
%files %files
%defattr(-,root,root)
%if 0%{?suse_version} >= 1500
%license COPYING %license COPYING
%else
%doc COPYING
%endif
%doc FAQ NEWS README %doc FAQ NEWS README
%doc examples %doc examples
%config(noreplace) %attr(0640,root,%{name}) %{_sysconfdir}/chrony.conf %config(noreplace) %attr(0640,root,%{name}) %{_sysconfdir}/chrony.conf
@ -295,13 +332,15 @@ make %{?_smp_mflags} check
%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
%ghost %attr(0750, %{name}, %{name}) %{_rundir}/%{name} %ghost %attr(0750, %{name}, %{name}) %{_rundir}/%{name}
%if %{with pools}
%files pool-empty %files pool-empty
%config (noreplace) /etc/chrony.d/pool.conf.empty %attr(-,root,root)%config (noreplace) /etc/chrony.d/pool.conf.empty
%files pool-suse %files pool-suse
%config (noreplace) /etc/chrony.d/pool.conf.suse %attr(-,root,root)%config (noreplace) /etc/chrony.d/pool.conf.suse
%files pool-openSUSE %files pool-openSUSE
%config (noreplace) /etc/chrony.d/pool.conf.opensuse %attr(-,root,root)%config (noreplace) /etc/chrony.d/pool.conf.opensuse
%endif
%changelog %changelog
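Review bot: The buildroot-wide substitution added in the %install hunk, `find %{buildroot} -type f | xargs sed -i 's-@CHRONY_HELPER@-%{chrony_helper}-g'`, rewrites every installed file including the ELF binaries, and the unquoted find | xargs pipeline splits on whitespace in paths. Restricting the step to the files that actually contain the placeholder keeps the binaries untouched and makes it NUL-safe: `grep -rlZ '@CHRONY_HELPER@' %{buildroot} | xargs -0 -r sed -i 's-@CHRONY_HELPER@-%{chrony_helper}-g'`. A one-line comment above it saying which installed files are expected to carry the placeholder would also explain why the %prep-time sed over %{PATCH1} %{SOURCE3} %{SOURCE5} was dropped, since nothing in the spec now records that the patched unit files are substituted after installation. The %install section continues outside the hunk.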


@ -1,19 +1,17 @@
Index: chrony-4.1/examples/chronyd.service --- examples/chronyd.service.orig
=================================================================== +++ examples/chronyd.service
--- chrony-4.1.orig/examples/chronyd.service @@ -18,6 +18,15 @@ ExecStartPost=@CHRONY_HELPER@ update-dae
+++ chrony-4.1/examples/chronyd.service
@@ -17,6 +17,15 @@ ExecStart=/usr/sbin/chronyd $OPTIONS
PrivateTmp=yes PrivateTmp=yes
ProtectHome=yes ProtectHome=yes
ProtectSystem=full ProtectSystem=full
+# added automatically, for details please see +# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectHostname=true +ProtectHostname=true
+ProtectKernelModules=true +ProtectKernelModules=true
+ProtectKernelLogs=true +ProtectKernelLogs=true
+ProtectControlGroups=true +ProtectControlGroups=true
+DeviceAllow=char-rtc +DeviceAllow=char-rtc
+DeviceAllow=char-ptp
+# end of automatic additions +# end of automatic additions
[Install] [Install]
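Review bot: With `PrivateDevices=true` removed from harden_chronyd.service.patch, the two `DeviceAllow=` lines are the only thing bounding device access, and because they carry no access-mode suffix systemd grants the full rwm set, so chronyd keeps the ability to create nodes for those device classes rather than just open them. `DeviceAllow=char-rtc rw` and `DeviceAllow=char-ptp rw` express the actual requirement, and adding `DevicePolicy=closed` next to them makes the allowlist explicit instead of relying on the default auto policy switching to an allowlist only because a DeviceAllow= line happens to be present. As far as I recall, the private /dev and the implicit drop of CAP_MKNOD and CAP_SYS_RAWIO that PrivateDevices= provided are lost as well, which is worth a sentence in the patch header or the changelog entry so a later hardening pass does not simply re-add PrivateDevices=. The rest of the unit lies outside the hunk.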