author | 2020-03-15 20:53:29 +0000 | |
---|---|---|
committer | 2020-03-30 20:36:44 +0200 | |
commit | a2c99543bfd3245724e21089a617f28d828c5548 (patch) | |
tree | 9dfdc2ed107c3b2f1a0f5599940420c91682343c /net-misc/chrony/chrony-9999.ebuild | |
parent | net-misc/chrony: Run as non-root when USE=caps, revbump (diff) | |
net-misc/chrony: Enable seccomp filtering when USE=seccomp
We already have USE=seccomp, but chronyd won't enable seccomp filtering unless
-F is set to 1. We could also set -F -1, which logs any syscalls
that would have been blocked but does not deny them.
Also fixes systemd for previous commit.
Bug: https://bugs.gentoo.org/711058
Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
Closes: https://github.com/gentoo/gentoo/pull/14973
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Diffstat (limited to 'net-misc/chrony/chrony-9999.ebuild')
-rw-r--r-- | net-misc/chrony/chrony-9999.ebuild | 30 |
1 files changed, 16 insertions, 14 deletions
diff --git a/net-misc/chrony/chrony-9999.ebuild b/net-misc/chrony/chrony-9999.ebuild
index 5b03ec4fe426..543cabf61d5c 100644
--- a/net-misc/chrony/chrony-9999.ebuild
+++ b/net-misc/chrony/chrony-9999.ebuild
@@ -12,8 +12,8 @@ SLOT="0"
 KEYWORDS=""
 IUSE="
-	+adns caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock +rtc
-	seccomp selinux
+	+adns +caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock +rtc
+	+seccomp selinux
 "
 REQUIRED_USE="
 	?? ( libedit readline )
@@ -40,7 +40,7 @@ S="${WORKDIR}/${P/_/-}"
 PATCHES=(
 	"${FILESDIR}"/${PN}-3.5-pool-vendor-gentoo.patch
-	"${FILESDIR}"/${PN}-3.5-systemd-gentoo.patch
+	"${FILESDIR}"/${PN}-3.5-r3-systemd-gentoo.patch
 )
 src_prepare() {
@@ -50,13 +50,20 @@ src_prepare() {
 		doc/* examples/* || die
 	# Copy for potential user fixup
-	cp "${FILESDIR}"/chronyd.conf "$T"/chronyd.conf
+	cp "${FILESDIR}"/chronyd.conf "${T}"/chronyd.conf
+	cp examples/chronyd.service "${T}"/chronyd.service
 	# Set config for privdrop
 	if ! use caps; then
 		sed -i \
 			-e 's/-u ntp//' \
-			"${T}"/chronyd.conf || die
+			"${T}"/chronyd.conf "${T}"/chronyd.service || die
+	fi
+
+	if ! use seccomp; then
+		sed -i \
+			-e 's/-F 1//' \
+			"${T}"/chronyd.conf "${T}"/chronyd.service || die
 	fi
 }
@@ -131,16 +138,11 @@ src_install() {
 	insinto /etc/logrotate.d
 	newins "${FILESDIR}"/chrony-2.4-r1.logrotate chrony
-	systemd_dounit examples/{chronyd,chrony-wait}.service
+	systemd_dounit "${T}"/chronyd.service
+	systemd_dounit examples/chrony-wait.service
 	systemd_enable_ntpunit 50-chrony chronyd.service
 }
-pkg_preinst() {
-	if use caps && has_version net-misc/chrony[-caps]; then
-		elog "/run/chronyd needs ntp:ntp permissions; please check."
-		elog "The safest option is reboot, but you may chown manually."
-	elif ! use caps && has_version net-misc/chrony[caps]; then
-		elog "/run/chronyd needs root:root permissions; please check."
-		elog "The safest option is reboot, but you may chown manually."
-	fi
+pkg_postinst() {
+	tmpfiles_process chronyd.conf
 }
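Review bot: Turning `seccomp` into a default-on flag in the IUSE hunk changes runtime behaviour for every existing installation, and nothing in the diff tells users about it: with `-F 1` chronyd is terminated by SIGSYS the moment it makes a syscall the filter does not list, so a daemon that started fine before the upgrade can silently fail afterwards even though no local configuration changed. The commit message already mentions `-F -1` as the log-only alternative; that hint belongs in the ebuild too, for example a `use seccomp && elog "seccomp filtering is enabled (-F 1); if chronyd dies with SIGSYS, switch to -F -1 in /etc/conf.d/chronyd or the unit to log instead of deny"` in pkg_postinst, and ideally a word on the `-u ntp`/`-F 1` interplay since both now live in the same ExecStart line. A `# -F 1 = enforce seccomp filter; -F -1 = log only` comment next to the flag in files/chronyd.conf would save the next maintainer from having to look it up. The REQUIRED_USE block continues outside the hunk.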
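Review bot: In the src_prepare hunk the two `sed -i` calls only report a failure if sed itself cannot run; when the pattern `-F 1` (or `-u ntp`) is not present, sed exits 0 and the `|| die` never fires, so a later edit to files/chronyd.conf or to the systemd patch that changes the flag spelling would leave `-F` in the installed unit of a build without seccomp support, and chronyd would refuse to start. A post-check makes the assumption explicit: `grep -qe '-F 1' "${T}"/chronyd.conf "${T}"/chronyd.service && die "-F 1 still present after stripping"`, and likewise for `-u ntp`. The `# Set config for privdrop` comment now sits above the caps block only; a parallel `# Drop the seccomp filter flag when the daemon is built without it` on the new block would keep the two blocks readable as a pair. src_prepare begins in the previous hunk, so the lines that produce the copied files' earlier state are not visible here.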
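Review bot: The new pkg_postinst calls `tmpfiles_process chronyd.conf`, which is only defined when the ebuild inherits tmpfiles.eclass and only useful if src_install installs a tmpfiles.d entry of that name; neither is visible in this diff, so confirm both exist, otherwise the merge fails at the postinst phase. The name also collides with the conf.d file copied as `"${T}"/chronyd.conf` in src_prepare, so a one-line comment such as `# process the tmpfiles.d entry (not the conf.d file of the same name)` would avoid confusion. The dropped pkg_preinst elogs covered the case where /run/chronyd already exists with the other ownership when USE=caps is flipped; whether `tmpfiles_process` repairs that depends on the entry type in the (unseen) tmpfiles file, so check that it adjusts ownership of an existing directory rather than only creating a missing one, or keep a shortened elog for that case.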