ntp: remove seccomp support

It causes issues, and most distros don't enable it;
see https://github.com/NixOS/nixpkgs/issues/140996

Artturin fd86d63e 50f4571c

+5 -77
+4 -17
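--- a/pkgs/tools/networking/ntp/default.nix
+++ b/pkgs/tools/networking/ntp/default.nix
@@ -1,11 +1,4 @@
-{ stdenv, lib, fetchurl, openssl, perl, libcap ? null, libseccomp ? null, pps-tools }:
-
-assert stdenv.isLinux -> libcap != null;
-assert stdenv.isLinux -> libseccomp != null;
-
-let
-  withSeccomp = stdenv.isLinux && (stdenv.isi686 || stdenv.isx86_64);
-in
+{ stdenv, lib, fetchurl, openssl, perl, pps-tools, libcap }:
 
 stdenv.mkDerivation rec {
   pname = "ntp";
@@ -16,10 +9,6 @@
     sha256 = "06cwhimm71safmwvp6nhxp6hvxsg62whnbgbgiflsqb8mgg40n7n";
   };
 
-  # The hardcoded list of allowed system calls for seccomp is
-  # insufficient for NixOS, add more to make it work (issue #21136).
-  patches = [ ./seccomp.patch ];
-
   configureFlags = [
     "--sysconfdir=/etc"
     "--localstatedir=/var"
@@ -27,12 +16,10 @@
     "--with-openssl-incdir=${openssl.dev}/include"
     "--enable-ignore-dns-errors"
     "--with-yielding-select=yes"
-  ] ++ lib.optional stdenv.isLinux "--enable-linuxcaps"
-    ++ lib.optional withSeccomp "--enable-libseccomp";
+  ] ++ lib.optional stdenv.isLinux "--enable-linuxcaps";
 
-  buildInputs = [ libcap openssl perl ]
-    ++ lib.optional withSeccomp libseccomp
-    ++ lib.optional stdenv.isLinux pps-tools;
+  buildInputs = [ openssl perl ]
+    ++ lib.optionals stdenv.isLinux [ pps-tools libcap ];
 
   hardeningEnable = [ "pie" ];
 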
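Review bot: default.nix no longer records why seccomp is not enabled, because the hunk drops the comment pointing at issue #21136 together with `patches = [ ./seccomp.patch ];`, so a later maintainer who sees upstream's `--enable-libseccomp` option has no hint in the file that the bundled syscall allow-list was found incomplete. A short comment above `configureFlags`, e.g. `# seccomp filtering is deliberately left off: ntpd's hardcoded syscall allow-list needed local patching and still broke, see https://github.com/NixOS/nixpkgs/issues/140996`, would keep the context that currently lives only in the commit message. With the filter gone, the capability drop from `--enable-linuxcaps` and `hardeningEnable = [ "pie" ]` are the hardening that remains in this derivation, which the same comment could state so the trade-off is visible where the flags are set.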
-57
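--- a/pkgs/tools/networking/ntp/seccomp.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 881e427f3236046466bdb8235edf86e6dfa34391 Mon Sep 17 00:00:00 2001
-From: Michael Bishop <cleverca22@gmail.com>
-Date: Mon, 11 Jun 2018 08:30:48 -0300
-Subject: [PATCH] fix the seccomp filter to include a few previously missed
- syscalls
-
----
- ntpd/ntpd.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c
-index 2c7f02ec5..4c59dc2ba 100644
---- a/ntpd/ntpd.c
-+++ b/ntpd/ntpd.c
-@@ -1140,10 +1140,12 @@ int scmp_sc[] = {
- 	SCMP_SYS(close),
- 	SCMP_SYS(connect),
- 	SCMP_SYS(exit_group),
-+	SCMP_SYS(fcntl),
- 	SCMP_SYS(fstat),
- 	SCMP_SYS(fsync),
- 	SCMP_SYS(futex),
- 	SCMP_SYS(getitimer),
-+	SCMP_SYS(getpid),
- 	SCMP_SYS(getsockname),
- 	SCMP_SYS(ioctl),
- 	SCMP_SYS(lseek),
-@@ -1162,6 +1164,8 @@ int scmp_sc[] = {
- 	SCMP_SYS(sendto),
- 	SCMP_SYS(setitimer),
- 	SCMP_SYS(setsid),
-+	SCMP_SYS(setsockopt),
-+	SCMP_SYS(openat),
- 	SCMP_SYS(socket),
- 	SCMP_SYS(stat),
- 	SCMP_SYS(time),
-@@ -1178,9 +1182,11 @@ int scmp_sc[] = {
- 	SCMP_SYS(clock_settime),
- 	SCMP_SYS(close),
- 	SCMP_SYS(exit_group),
-+	SCMP_SYS(fcntl),
- 	SCMP_SYS(fsync),
- 	SCMP_SYS(futex),
- 	SCMP_SYS(getitimer),
-+	SCMP_SYS(getpid),
- 	SCMP_SYS(madvise),
- 	SCMP_SYS(mmap),
- 	SCMP_SYS(mmap2),
-@@ -1194,6 +1200,8 @@ int scmp_sc[] = {
- 	SCMP_SYS(select),
- 	SCMP_SYS(setitimer),
- 	SCMP_SYS(setsid),
-+	SCMP_SYS(setsockopt),
-+	SCMP_SYS(openat),
- 	SCMP_SYS(sigprocmask),
- 	SCMP_SYS(sigreturn),
- 	SCMP_SYS(socketcall),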
+1 -3
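--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -7976,9 +7976,7 @@
 
   ntopng = callPackage ../tools/networking/ntopng { };
 
-  ntp = callPackage ../tools/networking/ntp {
-    libcap = if stdenv.isLinux then libcap else null;
-  };
+  ntp = callPackage ../tools/networking/ntp { };
 
   numdiff = callPackage ../tools/text/numdiff { };
 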