components/network/chrony/patches/01-illumos.patch

   1 diff -wpruN --no-dereference '--exclude=*.orig' a~/configure a/configure
   2 --- a~/configure        1970-01-01 00:00:00
   3 +++ a/configure 1970-01-01 00:00:00
   4 @@ -208,6 +208,11 @@ get_features () {
   5
   6
   7  OPERATINGSYSTEM=`uname -s`
   8 +if [ "$OPERATINGSYSTEM" = "SunOS" ]; then
   9 +  KERNEL=`uname -o`
  10 +  [ -n "$KERNEL" ] && OPERATINGSYSTEM="$KERNEL"
  11 +fi
  12 +
  13  VERSION=`uname -r`
  14  MACHINE=`uname -m`
  15
  16 @@ -472,7 +477,7 @@ case $OPERATINGSYSTEM in
  17          fi
  18          echo "Configuring for macOS (" $SYSTEM "macOS version" $VERSION ")"
  19      ;;
  20 -    SunOS)
  21 +    SunOS|Solaris)
  22          EXTRA_OBJECTS="sys_generic.o sys_solaris.o sys_timex.o sys_posix.o"
  23          LIBS="$LIBS -lsocket -lnsl -lkvm -lelf -lresolv"
  24          try_setsched=1
  25 @@ -488,6 +493,21 @@ case $OPERATINGSYSTEM in
  26          fi
  27          echo "Configuring for illumos (" $SYSTEM "SunOS version" $VERSION ")"
  28      ;;
  29 +    illumos)
  30 +        EXTRA_OBJECTS="sys_generic.o sys_solaris.o sys_timex.o sys_posix.o"
  31 +        LIBS="$LIBS -lsocket -lnsl -lresolv"
  32 +        try_setsched=1
  33 +        try_lockmem=1
  34 +        add_def SOLARIS
  35 +        # These are needed to have msg_control in struct msghdr
  36 +        add_def _XOPEN_SOURCE 600
  37 +        add_def __EXTENSIONS__ 1
  38 +        if [ $feat_droproot = "1" ]; then
  39 +          add_def FEAT_PRIVDROP
  40 +          priv_ops="ADJUSTTIMEX SETTIME BINDSOCKET"
  41 +        fi
  42 +        echo "Configuring for illumos (" $SYSTEM "version" $VERSION ")"
  43 +    ;;
  44      * )
  45          echo "error: $SYSTEM is not supported (yet?)"
  46          exit 1
  47 diff -wpruN --no-dereference '--exclude=*.orig' a~/privops.c a/privops.c
  48 --- a~/privops.c        1970-01-01 00:00:00
  49 +++ a/privops.c 1970-01-01 00:00:00
  50 @@ -34,6 +34,7 @@
  51  #include "logging.h"
  52  #include "privops.h"
  53  #include "socket.h"
  54 +#include "sys.h"
  55  #include "util.h"
  56
  57  #define OP_ADJUSTTIME     1024
  58 @@ -667,6 +668,8 @@ PRV_StartHelper(void)
  59      /* ignore signals, the process will exit on OP_QUIT request */
  60      UTI_SetQuitSignalsHandler(SIG_IGN, 1);
  61
  62 +    SYS_DropRoot(0, 0, SYS_PRIV_HELPER);
  63 +
  64      helper_main(sock_fd2);
  65
  66    } else {
  67 diff -wpruN --no-dereference '--exclude=*.orig' a~/sys.h a/sys.h
  68 --- a~/sys.h    1970-01-01 00:00:00
  69 +++ a/sys.h     1970-01-01 00:00:00
  70 @@ -38,6 +38,7 @@ extern void SYS_Finalise(void);
  71  typedef enum {
  72    SYS_MAIN_PROCESS,
  73    SYS_NTSKE_HELPER,
  74 +  SYS_PRIV_HELPER,
  75  } SYS_ProcessContext;
  76
  77  /* Switch to the specified user and group in given context */
  78 diff -wpruN --no-dereference '--exclude=*.orig' a~/sys_solaris.c a/sys_solaris.c
  79 --- a~/sys_solaris.c    1970-01-01 00:00:00
  80 +++ a/sys_solaris.c     1970-01-01 00:00:00
  81 @@ -34,41 +34,13 @@
  82  #include "sys_timex.h"
  83  #include "util.h"
  84
  85 -#include <kvm.h>
  86 -#include <nlist.h>
  87 -
  88 -/* ================================================== */
  89 -
  90 -static void
  91 -set_dosynctodr(int on_off)
  92 -{
  93 -  struct nlist nl[] = { {"dosynctodr"}, {NULL} };
  94 -  kvm_t *kt;
  95 -
  96 -  kt = kvm_open(NULL, NULL, NULL, O_RDWR, NULL);
  97 -  if (!kt)
  98 -    LOG_FATAL("Could not open kvm");
  99 -
 100 -  if (kvm_nlist(kt, nl) < 0 || !nl[0].n_value)
 101 -    LOG_FATAL("Could not get dosynctodr address");
 102 -
 103 -  if (kvm_kwrite(kt, nl[0].n_value, &on_off, sizeof (on_off)) < 0)
 104 -    LOG_FATAL("Could not write to dosynctodr");
 105 -
 106 -  kvm_close(kt);
 107 -}
 108 +#include "logging.h"
 109
 110  /* ================================================== */
 111
 112  void
 113  SYS_Solaris_Initialise(void)
 114  {
 115 -  /* The kernel keeps the system clock and hardware clock synchronised to each
 116 -     other.  The dosynctodr variable needs to be set to zero to prevent the
 117 -     the system clock from following the hardware clock when the system clock
 118 -     is not adjusted by adjtime() or ntp_adjtime(modes=MOD_OFFSET). */
 119 -  set_dosynctodr(0);
 120 -
 121    /* The kernel allows the frequency to be set in the full range off int32_t */
 122    SYS_Timex_InitialiseWithFunctions(32500, 1.0 / 100, NULL, NULL, NULL,
 123                                      0.0, 0.0, NULL, NULL);
 124 @@ -85,11 +57,75 @@ SYS_Solaris_Finalise(void)
 125  /* ================================================== */
 126
 127  #ifdef FEAT_PRIVDROP
 128 +
 129 +#include <priv.h>
 130 +
 131  void
 132  SYS_Solaris_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context)
 133  {
 134 +       priv_set_t *privs, *basicprivs;
 135 +
 136 +#if DEBUG > 0
 137 +       setpflags(PRIV_DEBUG, 1);
 138 +#endif
 139 +
 140 +       privs = priv_allocset();
 141 +       basicprivs = priv_allocset();
 142 +
 143 +       if (privs == NULL || basicprivs == NULL)
 144 +               LOG_FATAL("Failed to allocate privilege sets");
 145 +
 146 +       if (getppriv(PRIV_PERMITTED, privs) != 0)
 147 +               LOG_FATAL("Failed to retrieve current privileges");
 148 +
 149 +       priv_basicset(basicprivs);
 150 +       priv_intersect(basicprivs, privs);
 151 +
 152 +       if (context == SYS_PRIV_HELPER) {
 153 +               /* for OP_BINDSOCKET */
 154 +               priv_addset(privs, PRIV_NET_PRIVADDR);
 155 +               /* for OP_SETTIME and OP_ADJUSTTIMEX */
 156 +               priv_addset(privs, PRIV_SYS_TIME);
 157 +
 158 +               priv_delset(privs, PRIV_FILE_LINK_ANY);
 159 +               priv_delset(privs, PRIV_FILE_READ);
 160 +               priv_delset(privs, PRIV_FILE_WRITE);
 161 +               priv_delset(privs, PRIV_NET_ACCESS);
 162 +               priv_delset(privs, PRIV_PROC_FORK);
 163 +               priv_delset(privs, PRIV_PROC_EXEC);
 164 +               priv_delset(privs, PRIV_PROC_SECFLAGS);
 165 +               priv_delset(privs, PRIV_PROC_INFO);
 166 +               priv_delset(privs, PRIV_PROC_SESSION);
 167 +
 168 +       } else {
 169 +               int mail_enabled;
 170 +               double mail_threshold;
 171 +               char *mail_user;
 172 +
 173    if (context == SYS_MAIN_PROCESS)
 174      PRV_StartHelper();
 175 +
 176    UTI_DropRoot(uid, gid);
 177 +
 178 +               priv_delset(privs, PRIV_FILE_LINK_ANY);
 179 +               priv_delset(privs, PRIV_PROC_INFO);
 180 +               priv_delset(privs, PRIV_PROC_SESSION);
 181 +
 182 +               CNF_GetMailOnChange(&mail_enabled, &mail_threshold, &mail_user);
 183 +               if (!mail_enabled) {
 184 +                       priv_delset(privs, PRIV_PROC_FORK);
 185 +                       priv_delset(privs, PRIV_PROC_EXEC);
 186 +               }
 187 +       }
 188 +
 189 +       if (setppriv(PRIV_SET, PRIV_PERMITTED, privs) != 0)
 190 +               LOG_FATAL("Failed to reduce permitted privileges");
 191 +       if (setppriv(PRIV_SET, PRIV_INHERITABLE, privs) != 0)
 192 +               LOG_FATAL("Failed to reduce inheritable privileges");
 193 +       if (setppriv(PRIV_SET, PRIV_LIMIT, privs) != 0)
 194 +               LOG_FATAL("Failed to reduce limit privileges");
 195 +
 196 +       priv_freeset(privs);
 197 +       priv_freeset(basicprivs);
 198  }
 199  #endif