After a series of amendments the seccomp.patch made ntpd work properly
but only on 32-bit systems.
This commit replaces that patch with the one submitted upstream by
cleverca22 and that fixes the issue also on 64-bit systems.
Close#38627, #45885
* treewide: http -> https sources
This updates the source urls of all top-level packages from http to
https where possible.
* buildtorrent: fix url and tab -> spaces
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/ntp/versions.
These checks were done:
- built on NixOS
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/calc_tickadj passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntp-wait passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntptrace passed the binary check.
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/update-leap had a zero exit code or showed the expected version
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/sntp passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpd passed the binary check.
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpdate had a zero exit code or showed the expected version
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpdc passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpq passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntp-keygen passed the binary check.
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntptime had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/tickadj had a zero exit code or showed the expected version
- 8 of 12 passed binary check by having a zero exit code.
- 0 of 12 passed binary check by having the new version present in output.
- found 4.2.8p11 with grep in /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11
- directory tree listing: https://gist.github.com/643849ae077bac0514537c8aa923dd6d
- du listing: https://gist.github.com/1b2abf7cee80b022945ff72be1eb7070
Fixes issue #21136.
The problem is that the seccomp system call filter configured by ntpd did not
include some system calls that were apparently needed. For example the
program hanged in getpid just after the filter was installed:
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid() = ?
I do not know exactly why this is a problem on NixOS only, perhaps we have getpid
caching disabled.
The fcntl and setsockopt system calls also had to be added.
The following parameters are now available:
* hardeningDisable
To disable specific hardening flags
* hardeningEnable
To enable specific hardening flags
Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.
cc-wrapper supports the following flags:
* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
The package would no longer build without libcrypto,
and it wouldn't find it without pkgconfig.
I checked that Debian and Arch do use openssl as a dependency,
so it's probably not so bad a thing to have.
CC maintainer @edolstra.