Merge pull request #24573 from ambrop72/ntpd-fix

ntpd: Add patch to allow getpid syscall in seccomp filter.

authored by Joachim F and committed by GitHub bb771e04 0f9fd51b

+48
+4
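--- a/pkgs/tools/networking/ntp/default.nix
+++ b/pkgs/tools/networking/ntp/default.nix
@@ -15,6 +15,10 @@
     sha256 = "17xrk7gxrl3hgg0i73n8qm53knyh01lf0f3l1zx9x6r1cip3dlnx";
   };
 
+  # The hardcoded list of allowed system calls for seccomp is
+  # insufficient for NixOS, add more to make it work (issue #21136).
+  patches = [ ./seccomp.patch ];
+
   configureFlags = [
     "--sysconfdir=/etc"
     "--localstatedir=/var"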
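Review bot: The comment above `patches` only says the seccomp allowlist is "insufficient" and that "more" calls are added, so a reader of this file cannot see that the sandbox is being widened by three syscalls (fcntl, getpid and setsockopt, per seccomp.patch) or why each one is needed. Loosening a seccomp policy deserves its justification next to the line that applies it; suggest `# ntpd's built-in seccomp allowlist lacks fcntl, getpid and setsockopt, which ntpd needs on NixOS (issue #21136); the patch targets 4.2.8p10 and must be re-checked on every version bump.` Nothing here shows the patch has been sent upstream, so naming the syscalls in this comment is what makes the next `version` bump reviewable without re-deriving the whole list.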
+44
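--- /dev/null
+++ b/pkgs/tools/networking/ntp/seccomp.patch
@@ -0,0 +1,44 @@
+diff -urN ntp-4.2.8p10.orig/ntpd/ntpd.c ntp-4.2.8p10/ntpd/ntpd.c
+--- ntp-4.2.8p10.orig/ntpd/ntpd.c	2017-04-02 20:21:17.371319663 +0200
++++ ntp-4.2.8p10/ntpd/ntpd.c	2017-04-02 21:26:02.766178723 +0200
+@@ -1157,10 +1157,12 @@
+ 	SCMP_SYS(close),
+ 	SCMP_SYS(connect),
+ 	SCMP_SYS(exit_group),
++	SCMP_SYS(fcntl),
+ 	SCMP_SYS(fstat),
+ 	SCMP_SYS(fsync),
+ 	SCMP_SYS(futex),
+ 	SCMP_SYS(getitimer),
++	SCMP_SYS(getpid),
+ 	SCMP_SYS(getsockname),
+ 	SCMP_SYS(ioctl),
+ 	SCMP_SYS(lseek),
+@@ -1179,6 +1181,7 @@
+ 	SCMP_SYS(sendto),
+ 	SCMP_SYS(setitimer),
+ 	SCMP_SYS(setsid),
++	SCMP_SYS(setsockopt),
+ 	SCMP_SYS(socket),
+ 	SCMP_SYS(stat),
+ 	SCMP_SYS(time),
+@@ -1195,9 +1198,11 @@
+ 	SCMP_SYS(clock_settime),
+ 	SCMP_SYS(close),
+ 	SCMP_SYS(exit_group),
++	SCMP_SYS(fcntl),
+ 	SCMP_SYS(fsync),
+ 	SCMP_SYS(futex),
+ 	SCMP_SYS(getitimer),
++	SCMP_SYS(getpid),
+ 	SCMP_SYS(madvise),
+ 	SCMP_SYS(mmap),
+ 	SCMP_SYS(mmap2),
+@@ -1211,6 +1216,7 @@
+ 	SCMP_SYS(select),
+ 	SCMP_SYS(setitimer),
+ 	SCMP_SYS(setsid),
++	SCMP_SYS(setsockopt),
+ 	SCMP_SYS(sigprocmask),
+ 	SCMP_SYS(sigreturn),
+ 	SCMP_SYS(socketcall),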
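Review bot: The patch adds fcntl, getpid and setsockopt to both ntpd allowlists without a word recording which code path on NixOS needed each one, and the PR title names only getpid, so anyone auditing this sandbox widening later has to rediscover the reason; `patch` ignores free text before the first `diff` line, which is the natural place for a short preamble. It should state what triggers each of the three syscalls (presumably glibc behaviour on NixOS, but that is inferred, not shown here), that the patch was written against 4.2.8p10 as its headers say, and whether it has been proposed upstream. setsockopt is the broadest of the three and is allowed unconditionally here; if the code consuming these `SCMP_SYS` entries supports argument filtering (it is outside these hunks, so unverified), restricting it to the options ntpd actually sets would keep the widening minimal, and if not, the preamble should say so explicitly. The arrays these entries live in begin and end outside every hunk, so whether the second list (the one containing socketcall and mmap2, apparently a 32-bit variant) needs a direct setsockopt entry at all cannot be judged from the patch alone.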