Merge pull request #24573 from ambrop72/ntpd-fix

ntpd: Add patch to allow getpid syscall in seccomp filter.
2024-12-26 04:43:09 +03:00 · 2017-04-06 11:06:13 +01:00 · 2017-04-06 11:06:13 +01:00 · bb771e0405
commit bb771e0405
parent 0f9fd51b20 35e0eea053
2 changed files with 48 additions and 0 deletions
--- a/pkgs/tools/networking/ntp/default.nix
+++ b/pkgs/tools/networking/ntp/default.nix
@ -15,6 +15,10 @@ stdenv.mkDerivation rec {
    sha256 = "17xrk7gxrl3hgg0i73n8qm53knyh01lf0f3l1zx9x6r1cip3dlnx";
  };

+  # The hardcoded list of allowed system calls for seccomp is
+  # insufficient for NixOS, add more to make it work (issue #21136).
+  patches = [ ./seccomp.patch ];
+
  configureFlags = [
    "--sysconfdir=/etc"
    "--localstatedir=/var"
--- a/pkgs/tools/networking/ntp/seccomp.patch
+++ b/pkgs/tools/networking/ntp/seccomp.patch
@ -0,0 +1,44 @@
+diff -urN ntp-4.2.8p10.orig/ntpd/ntpd.c ntp-4.2.8p10/ntpd/ntpd.c
+--- ntp-4.2.8p10.orig/ntpd/ntpd.c	2017-04-02 20:21:17.371319663 +0200
+++ ntp-4.2.8p10/ntpd/ntpd.c	2017-04-02 21:26:02.766178723 +0200
+@@ -1157,10 +1157,12 @@
+ 	SCMP_SYS(close),
+ 	SCMP_SYS(connect),
+ 	SCMP_SYS(exit_group),
+	SCMP_SYS(fcntl),
+ 	SCMP_SYS(fstat),
+ 	SCMP_SYS(fsync),
+ 	SCMP_SYS(futex),
+ 	SCMP_SYS(getitimer),
+	SCMP_SYS(getpid),
+ 	SCMP_SYS(getsockname),
+ 	SCMP_SYS(ioctl),
+ 	SCMP_SYS(lseek),
+@@ -1179,6 +1181,7 @@
+ 	SCMP_SYS(sendto),
+ 	SCMP_SYS(setitimer),
+ 	SCMP_SYS(setsid),
+        SCMP_SYS(setsockopt),
+ 	SCMP_SYS(socket),
+ 	SCMP_SYS(stat),
+ 	SCMP_SYS(time),
+@@ -1195,9 +1198,11 @@
+ 	SCMP_SYS(clock_settime),
+ 	SCMP_SYS(close),
+ 	SCMP_SYS(exit_group),
+	SCMP_SYS(fcntl),
+ 	SCMP_SYS(fsync),
+ 	SCMP_SYS(futex),
+ 	SCMP_SYS(getitimer),
+	SCMP_SYS(getpid),
+ 	SCMP_SYS(madvise),
+ 	SCMP_SYS(mmap),
+ 	SCMP_SYS(mmap2),
+@@ -1211,6 +1216,7 @@
+ 	SCMP_SYS(select),
+ 	SCMP_SYS(setitimer),
+ 	SCMP_SYS(setsid),
+        SCMP_SYS(setsockopt),
+ 	SCMP_SYS(sigprocmask),
+ 	SCMP_SYS(sigreturn),
+ 	SCMP_SYS(socketcall),