Diffstat (limited to 'meta-networking/recipes-support/chrony')
-rw-r--r-- | meta-networking/recipes-support/chrony/chrony/0001-Fix-compilation-with-musl.patch | 2 | ||||
-rw-r--r-- | meta-networking/recipes-support/chrony/chrony/arm_eabi.patch | 60 | ||||
-rw-r--r-- | meta-networking/recipes-support/chrony/chrony/chrony.conf | 7 | ||||
-rw-r--r-- | meta-networking/recipes-support/chrony/chrony_4.5.bb (renamed from meta-networking/recipes-support/chrony/chrony_4.0.bb) | 44 |
4 files changed, 64 insertions, 49 deletions
diff --git a/meta-networking/recipes-support/chrony/chrony/0001-Fix-compilation-with-musl.patch b/meta-networking/recipes-support/chrony/chrony/0001-Fix-compilation-with-musl.patch index 17b6353527..5e2bc64af3 100644 --- a/meta-networking/recipes-support/chrony/chrony/0001-Fix-compilation-with-musl.patch +++ b/meta-networking/recipes-support/chrony/chrony/0001-Fix-compilation-with-musl.patch @@ -8,6 +8,8 @@ Fixes: Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com> --- +Upstream-Status: Pending + hash_intmd5.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch b/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch index 97b44dc7aa..b9bb374e53 100644 --- a/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch +++ b/meta-networking/recipes-support/chrony/chrony/arm_eabi.patch @@ -1,49 +1,53 @@ -From f35e07aceb4a16121d83b47ee77990018bec98ea Mon Sep 17 00:00:00 2001 +From 71c44c214c0ab8dc8e9675e5e862f2e342fcb271 Mon Sep 17 00:00:00 2001 From: Joe Slater <jslater@windriver.com> Date: Thu, 9 Mar 2017 10:58:06 -0800 Subject: [PATCH] chrony: fix build failure for arma9 - Eliminate references to syscalls not available - for ARM_EABI. Also add a dependency on libseccomp - which is needed for scfilter to work. +Eliminate references to syscalls not available +for ARM_EABI. Also add a dependency on libseccomp +which is needed for scfilter to work. - Set PACKAGECONFIG to not enable scfilter, since - kernel CONFIG_SECCOMP is unlikely to be set. This - aligns the usage of libseccomp with that of other packages. +Set PACKAGECONFIG to not enable scfilter, since +kernel CONFIG_SECCOMP is unlikely to be set. This +aligns the usage of libseccomp with that of other packages. - Upstream-Status: Pending +Upstream-Status: Pending - 
Signed-off-by: Joe Slater <jslater@windriver.com> +Signed-off-by: Joe Slater <jslater@windriver.com> - Refresh patch for new upstream version. +Refresh patch for new upstream version. - Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> +Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> - Refreshed for 4.0 +Refreshed for 4.0 + +Signed-off-by: Khem Raj <raj.khem@gmail.com> - Signed-off-by: Khem Raj <raj.khem@gmail.com> --- - sys_linux.c | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) + sys_linux.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) +diff --git a/sys_linux.c b/sys_linux.c +index 6849637..10f9a57 100644 --- a/sys_linux.c +++ b/sys_linux.c -@@ -499,14 +499,12 @@ SYS_Linux_EnableSystemCallFilter(int lev +@@ -485,7 +485,6 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) #endif SCMP_SYS(gettimeofday), SCMP_SYS(settimeofday), - SCMP_SYS(time), - + /* Process */ SCMP_SYS(clone), +@@ -495,7 +494,6 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid), - SCMP_SYS(getrlimit), SCMP_SYS(getuid), - SCMP_SYS(rt_sigaction), - SCMP_SYS(rt_sigreturn), -@@ -519,7 +517,6 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(getuid32), + #ifdef __NR_membarrier +@@ -515,7 +513,6 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) /* Memory */ SCMP_SYS(brk), SCMP_SYS(madvise), 
@@ -51,28 +55,28 @@ Subject: [PATCH] chrony: fix build failure for arma9 SCMP_SYS(mmap2), SCMP_SYS(mprotect), SCMP_SYS(mremap), -@@ -573,8 +570,6 @@ SYS_Linux_EnableSystemCallFilter(int lev +@@ -575,8 +572,6 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) SCMP_SYS(sendmsg), SCMP_SYS(sendto), SCMP_SYS(shutdown), - /* TODO: check socketcall arguments */ - SCMP_SYS(socketcall), - + /* General I/O */ SCMP_SYS(_newselect), -@@ -597,7 +592,6 @@ SYS_Linux_EnableSystemCallFilter(int lev +@@ -600,7 +595,6 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) #ifdef __NR_futex_time64 SCMP_SYS(futex_time64), #endif - SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write), - -@@ -605,6 +599,15 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(writev), +@@ -609,6 +603,15 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname), -+ /* not always available */ ++ /* not always available */ +#if ! defined(__ARM_EABI__) + SCMP_SYS(time), + SCMP_SYS(getrlimit), @@ -82,5 +86,5 @@ Subject: [PATCH] chrony: fix build failure for arma9 + SCMP_SYS(socketcall), +#endif }; - - const int socket_domains[] = { + + const int denied_any[] = { diff --git a/meta-networking/recipes-support/chrony/chrony/chrony.conf b/meta-networking/recipes-support/chrony/chrony/chrony.conf index 8d226d31a5..d11e2d4069 100644 --- a/meta-networking/recipes-support/chrony/chrony/chrony.conf +++ b/meta-networking/recipes-support/chrony/chrony/chrony.conf @@ -1,3 +1,6 @@ +# Load config files matching the /etc/chrony/conf.d/*.conf pattern. +confdir /etc/chrony/conf.d + # Use public NTP servers from the pool.ntp.org project. # Please consider joining the pool project if possible by running your own # server(s). 
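Review bot: The block re-added at the end of the allow list is guarded by `#if ! defined(__ARM_EABI__)`, while neighbouring entries in the same array are guarded per syscall (`#ifdef __NR_membarrier`, `#ifdef __NR_futex_time64`). Keying part of a seccomp allow list on a single ABI macro makes the filter diverge from upstream in a way that is hard to audit, and it only helps the one ABI. If the build failure is a missing `__NR_*` definition, per-syscall guards such as `#ifdef __NR_socketcall` would follow the file's own pattern. The `/* not always available */` comment should also name the reason, for example `/* not defined for ARM EABI targets */`. The array and the enclosing function continue outside the quoted hunks, so the full set of moved entries is not visible here.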
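Review bot: `confdir /etc/chrony/conf.d` here and `sourcedir /etc/chrony/sources.d` in the next hunk make chronyd read every matching file in those directories, but none of the recipe hunks shown creates them or sets their owner and mode. Any `*.conf` or `*.sources` file placed there changes the daemon's settings and time sources, so the package should ship both directories root-owned and not group- or world-writable, e.g. `install -d -m 0755 ${D}${sysconfdir}/chrony/conf.d ${D}${sysconfdir}/chrony/sources.d` in do_install. do_install is only partly visible, so confirm this is not already done outside the hunks.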
@@ -17,6 +20,10 @@ pool 0.openembedded.pool.ntp.org iburst # gpios = <&ps7_gpio_0 56 0>; # }; +# Load source files matching the /etc/chrony/sources.d/*.sources pattern. +# These can be reloaded using 'chronyc reload sources'. +sourcedir /etc/chrony/sources.d + # In first three updates step the system clock instead of slew # if the adjustment is larger than 1 second. makestep 1.0 3 diff --git a/meta-networking/recipes-support/chrony/chrony_4.0.bb b/meta-networking/recipes-support/chrony/chrony_4.5.bb index c8987013bc..ed26e59879 100644 --- a/meta-networking/recipes-support/chrony/chrony_4.0.bb +++ b/meta-networking/recipes-support/chrony/chrony_4.5.bb @@ -27,7 +27,7 @@ the client program only." HOMEPAGE = "https://chrony.tuxfamily.org/" SECTION = "net" -LICENSE = "GPLv2" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" SRC_URI = "https://download.tuxfamily.org/chrony/chrony-${PV}.tar.gz \ 
@@ -36,26 +36,23 @@ SRC_URI = "https://download.tuxfamily.org/chrony/chrony-${PV}.tar.gz \ file://arm_eabi.patch \ " -SRC_URI_append_libc-musl = " \ +SRC_URI:append:libc-musl = " \ file://0001-Fix-compilation-with-musl.patch \ " -SRC_URI[sha256sum] = "be27ea14c55e7a4434b2fa51d53018c7051c42fa6a3198c9aa6a1658bae0c625" +SRC_URI[sha256sum] = "19fe1d9f4664d445a69a96c71e8fdb60bcd8df24c73d1386e02287f7366ad422" DEPENDS = "pps-tools" # Note: Despite being built via './configure; make; make install', # chrony does not use GNU Autotools. -inherit update-rc.d systemd +inherit update-rc.d systemd pkgconfig + +# Add chronyd user if privdrop packageconfig is selected +inherit ${@bb.utils.contains('PACKAGECONFIG', 'privdrop', 'useradd', '', d)} +USERADD_PACKAGES = "${@bb.utils.contains('PACKAGECONFIG', 'privdrop', '${PN}', '', d)}" +USERADD_PARAM:${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'privdrop', '--system -d / -M --shell /bin/nologin chronyd;', '', d)}" # Configuration options: -# - For command line editing support in chronyc, you may specify either -# 'editline' or 'readline' but not both. editline is smaller, but -# many systems already have readline for other purposes so you might want -# to choose that instead. However, beware license incompatibility -# since chrony is GPLv2 and readline versions after 6.0 are GPLv3+. -# You can of course choose neither, but if you're that tight on space -# consider dropping chronyc entirely (you can use it remotely with -# appropriate chrony.conf options). # - Security-related: # - 'sechash' is omitted by default because it pulls in nss which is huge. # - 'privdrop' allows chronyd to run as non-root; would need changes to 
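Review bot: The new `USERADD_PARAM:${PN}` line hard-codes `--shell /bin/nologin`, and nothing in the visible recipe guarantees that path exists in the image. System accounts in OE layers usually point at the sbin location, so `--shell ${base_sbindir}/nologin` (or `/bin/false`) would be the safer spelling; please confirm which binary the target rootfs actually provides. Plain `=` would also be clearer than `+=` here, since the recipe is the only place that sets this variable. The comment block that follows still ends with "would need changes to", which continues outside the hunk and looks outdated now that the recipe creates the account itself.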
@@ -65,14 +62,11 @@ inherit update-rc.d systemd PACKAGECONFIG ??= "editline \ ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ " -PACKAGECONFIG[readline] = "--without-editline,--without-readline,readline" PACKAGECONFIG[editline] = ",--without-editline,libedit" PACKAGECONFIG[sechash] = "--without-tomcrypt,--disable-sechash,nss" PACKAGECONFIG[privdrop] = ",--disable-privdrop,libcap" PACKAGECONFIG[scfilter] = "--enable-scfilter,--without-seccomp,libseccomp" PACKAGECONFIG[ipv6] = ",--disable-ipv6," -PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss" -PACKAGECONFIG[libcap] = "--with-libcap,--without-libcap,libcap" # --disable-static isn't supported by chrony's configure script. DISABLE_STATIC = "" @@ -97,6 +91,10 @@ do_install() { # Config file install -d ${D}${sysconfdir} install -m 644 ${WORKDIR}/chrony.conf ${D}${sysconfdir} + if ${@bb.utils.contains('PACKAGECONFIG', 'privdrop', 'true', 'false', d)}; then + echo "# Define user to drop to after dropping root privileges" >> ${D}${sysconfdir}/chrony.conf + echo "user chronyd" >> ${D}${sysconfdir}/chrony.conf + fi # System V init script install -d ${D}${sysconfdir}/init.d 
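Review bot: The default `PACKAGECONFIG ??=` at the top of this hunk still contains neither `privdrop` nor `scfilter`, so a default build keeps chronyd running as root without a seccomp filter. The `chronyd` account and the `user chronyd` line added elsewhere in this commit are therefore never used unless a distro opts in. Now that the recipe can create the account, consider making `privdrop` part of the default, `PACKAGECONFIG ??= "editline privdrop ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"`, or say in the "Security-related" comment block why it stays opt-in. `scfilter` depends on kernel seccomp support according to the arm_eabi.patch header, so leaving that one off by default is easier to justify.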
@@ -117,22 +115,26 @@ do_install() { ${D}${systemd_unitdir}/system/chronyd.service sed -i 's!^PATH=.*!PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}${sysconfdir}/init.d/chronyd sed -i 's!^EnvironmentFile=.*!EnvironmentFile=-${sysconfdir}/default/chronyd!' ${D}${systemd_unitdir}/system/chronyd.service + + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /var/lib/chrony 0755 root root -" > ${D}${sysconfdir}/tmpfiles.d/chronyd.conf + } -FILES_${PN} = "${sbindir}/chronyd ${sysconfdir} ${localstatedir}/lib/chrony ${localstatedir}" -CONFFILES_${PN} = "${sysconfdir}/chrony.conf" +FILES:${PN} = "${sbindir}/chronyd ${sysconfdir} ${localstatedir}/lib/chrony ${localstatedir}" +CONFFILES:${PN} = "${sysconfdir}/chrony.conf" INITSCRIPT_NAME = "chronyd" INITSCRIPT_PARAMS = "defaults" SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "chronyd.service" +SYSTEMD_SERVICE:${PN} = "chronyd.service" # It's probably a bad idea to run chrony and another time daemon on # the same system. systemd includes the SNTP client 'timesyncd', which # will be disabled by chronyd.service, however it will remain on the rootfs -# wasting 150 kB unless you put 'PACKAGECONFIG_remove_pn-systemd = "timesyncd"' +# wasting 150 kB unless you put 'PACKAGECONFIG:remove:pn-systemd = "timesyncd"' # in a conf file or bbappend somewhere. -RCONFLICTS_${PN} = "ntp ntimed" +RCONFLICTS:${PN} = "ntp ntimed" # Separate the client program into its own package PACKAGES =+ "chronyc" -FILES_chronyc = "${bindir}/chronyc" +FILES:chronyc = "${bindir}/chronyc" |
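Review bot: The tmpfiles.d entry added at the end of do_install creates `/var/lib/chrony` as `0755 root root` unconditionally, although with `privdrop` selected the earlier do_install hunk appends `user chronyd` to chrony.conf. If the drift file or other state lives under that directory (chrony.conf is only partly visible), the daemon may be unable to write it after dropping root, and the usual field workaround is to run it as root again. Choose the owner with the same PACKAGECONFIG test, for example `echo "d /var/lib/chrony 0750 chronyd chronyd -"` in the privdrop branch and the existing root line otherwise. The file is also installed on images without systemd, where tmpfiles.d is presumably not processed, so the install could be limited to the systemd case.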