| components/network/chrony/Makefile | ●●●●● patch | view | raw | blame | history | |
| components/network/chrony/chrony.p5m | ●●●●● patch | view | raw | blame | history | |
| components/network/chrony/files/chrony.conf | ●●●●● patch | view | raw | blame | history | |
| components/network/chrony/files/chrony.keys | ●●●●● patch | view | raw | blame | history | |
| components/network/chrony/files/chrony.xml | ●●●●● patch | view | raw | blame | history | |
| components/network/chrony/manifests/sample-manifest.p5m | ●●●●● patch | view | raw | blame | history | |
| components/network/chrony/patches/01-illumos.patch | ●●●●● patch | view | raw | blame | history | |
| components/network/chrony/pkg5 | ●●●●● patch | view | raw | blame | history | |
| components/network/chrony/test/results-all.master | ●●●●● patch | view | raw | blame | history |
components/network/chrony/Makefile
New file @@ -0,0 +1,70 @@ # # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License (the "License"). # You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE. # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # # Copyright (c) 2023, Andreas Wacknitz # BUILD_BITS= 64 include ../../../make-rules/shared-macros.mk COMPONENT_NAME= chrony COMPONENT_VERSION= 4.5 COMPONENT_SUMMARY= network time services COMPONENT_DESCRIPTION= A versatile implementation of the Network Time Protocol (NTP) COMPONENT_PROJECT_URL= https://chrony-project.org COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_URL= $(COMPONENT_PROJECT_URL)/releases/$(COMPONENT_ARCHIVE) COMPONENT_ARCHIVE_HASH= sha256:19fe1d9f4664d445a69a96c71e8fdb60bcd8df24c73d1386e02287f7366ad422 COMPONENT_SIG_URL= $(COMPONENT_PROJECT_URL)/releases/$(COMPONENT_SRC)-tar-gz-asc.txt COMPONENT_FMRI= service/network/$(COMPONENT_NAME) COMPONENT_CLASSIFICATION= System/Services COMPONENT_LICENSE= GPLv2 COMPONENT_LICENSE_FILE= COPYING ASLR_MODE= $(ASLR_ENABLE) include $(WS_MAKE_RULES)/common.mk COMPONENT_PRE_CONFIGURE_ACTION= ( $(CLONEY) $(SOURCE_DIR) $(@D) ) CFLAGS += $(XPG6MODE) CONFIGURE_OPTIONS += --libexecdir=$(USRLIBDIR)/inet CONFIGURE_OPTIONS += --sysconfdir=$(ETCDIR)/inet CONFIGURE_OPTIONS += --disable-shared CONFIGURE_OPTIONS += --enable-ntp-signd CONFIGURE_OPTIONS += --with-user=chrony unexport SHELLOPTS COMPONENT_TEST_TRANSFORMS += \ ' -n ' \ ' -e "/Testing/p" ' # Auto-generated dependencies REQUIRED_PACKAGES += SUNWcs REQUIRED_PACKAGES += library/gnutls-3 REQUIRED_PACKAGES += library/libedit REQUIRED_PACKAGES += library/nettle REQUIRED_PACKAGES += system/library REQUIRED_PACKAGES += system/library/math components/network/chrony/chrony.p5m
New file @@ -0,0 +1,50 @@ # # This file and its contents are supplied under the terms of the # Common Development and Distribution License ("CDDL"), version 1.0. # You may only use this file in accordance with the terms of version # 1.0 of the CDDL. # # A full copy of the text of the CDDL should have accompanied this # source. A copy of the CDDL is also available via the Internet at # http://www.illumos.org/license/CDDL. # # # Copyright 2023 Andreas Wacknitz # set name=pkg.fmri value=pkg:/$(COMPONENT_FMRI)@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) set name=pkg.human-version value=$(HUMAN_VERSION) set name=pkg.summary value="$(COMPONENT_SUMMARY)" set name=pkg.description value="$(COMPONENT_DESCRIPTION)" set name=info.classification value="$(COMPONENT_CLASSIFICATION)" set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) set name=org.opensolaris.consolidation value=$(CONSOLIDATION) license $(COMPONENT_LICENSE_FILE) license='$(COMPONENT_LICENSE)' group groupname=chrony gid=23 user ftpuser=false username=chrony uid=23 group=chrony \ gcos-field="chrony user" \ home-dir=/var/lib/chrony password=NP <transform dir path=var/lib/chrony$ -> set owner chrony> <transform dir path=var/lib/chrony$ -> set group chrony> # Restart chrony on binary change <transform file path=usr/sbin/chronyd$ -> \ set restart_fmri svc:/network/chrony:default> # Install files file files/chrony.xml path=lib/svc/manifest/network/chrony.xml file files/chrony.conf path=etc/inet/chrony.conf owner=root group=chrony \ mode=0644 overlay=allow preserve=renamenew file files/chrony.keys path=etc/inet/chrony.keys owner=root group=chrony \ mode=0640 overlay=allow preserve=renamenew file path=usr/bin/chronyc file path=usr/sbin/chronyd file path=usr/share/man/man1/chronyc.1 file path=usr/share/man/man5/chrony.conf.5 file path=usr/share/man/man8/chronyd.8 components/network/chrony/files/chrony.conf
New file @@ -0,0 +1,269 @@ ### COMMENTS # Any of the following lines are comments (you have a choice of # comment start character): # a comment % a comment ! a comment ; a comment # # Below, the '!' form is used for lines that you might want to # uncomment and edit to make your own chrony.conf file. # ####################################################################### ####################################################################### ### SPECIFY YOUR NTP SERVERS # Most computers using chrony will send measurement requests to one or # more 'NTP servers'. You will probably find that your Internet Service # Provider or company have one or more NTP servers that you can specify. # Failing that, there are a lot of public NTP servers. There is a list # you can access at http://support.ntp.org/bin/view/Servers/WebHome or # you can use servers from the pool.ntp.org project. ! server foo.example.net iburst ! server bar.example.net iburst ! server baz.example.net iburst #server 0.openindiana.pool.ntp.org iburst #server 1.openindiana.pool.ntp.org iburst #server 2.openindiana.pool.ntp.org iburst #server 3.openindiana.pool.ntp.org iburst pool 0.openindiana.pool.ntp.org iburst ####################################################################### ### AVOIDING POTENTIALLY BOGUS CHANGES TO YOUR CLOCK # # To avoid changes being made to your computer's gain/loss compensation # when the measurement history is too erratic, you might want to enable # one of the following lines. The first seems good with servers on the # Internet, the second seems OK for a LAN environment. ! maxupdateskew 100 ! maxupdateskew 5 # If you want to increase the minimum number of selectable sources # required to update the system clock in order to make the # synchronisation more reliable, uncomment (and edit) the following # line. ! minsources 2 # If your computer has a good stable clock (e.g. it is not a virtual # machine), you might also want to reduce the maximum assumed drift # (frequency error) of the clock (the value is specified in ppm). ! maxdrift 100 # By default, chronyd allows synchronisation to an unauthenticated NTP # source (i.e. specified without the nts and key options) if it agrees with # a majority of authenticated NTP sources, or if no authenticated source is # specified. If you don't want chronyd to ever synchronise to an # unauthenticated NTP source, uncomment the first from the following lines. # If you don't want to synchronise to an unauthenticated NTP source only # when an authenticated source is specified, uncomment the second line. # If you want chronyd to ignore authentication in the source selection, # uncomment the third line. ! authselectmode require ! authselectmode prefer ! authselectmode ignore ####################################################################### ### FILENAMES ETC # Chrony likes to keep information about your computer's clock in files. # The 'driftfile' stores the computer's clock gain/loss rate in parts # per million. When chronyd starts, the system clock can be tuned # immediately so that it doesn't gain or lose any more time. You # generally want this, so it is uncommented. driftfile /var/lib/chrony/drift # If you want to enable NTP authentication with symmetric keys, you will need # to uncomment the following line and edit the file to set up the keys. ! keyfile /etc/inet/chrony.keys # If you specify an NTP server with the nts option to enable authentication # with the Network Time Security (NTS) mechanism, or enable server NTS with # the ntsservercert and ntsserverkey directives below, the following line will # allow the client/server to save the NTS keys and cookies in order to reduce # the number of key establishments (NTS-KE sessions). ntsdumpdir /var/lib/chrony # If chronyd is configured to act as an NTP server and you want to enable NTS # for its clients, you will need a TLS certificate and private key. Uncomment # and edit the following lines to specify the locations of the certificate and # key. ! ntsservercert /etc/.../foo.example.net.crt ! ntsserverkey /etc/.../foo.example.net.key # chronyd can save the measurement history for the servers to files when # it exits. This is useful: # # 1. If you stop chronyd and restart it with the '-r' option (e.g. after # an upgrade), the old measurements will still be relevant when chronyd # is restarted. This will reduce the time needed to get accurate # gain/loss measurements. # # Uncomment the following line to use this. ! dumpdir /var/lib/chrony # chronyd writes its process ID to a file. If you try to start a second # copy of chronyd, it will detect that the process named in the file is # still running and bail out. If you want to change the path to the PID # file, uncomment this line and edit it. The default path is shown. pidfile /var/run/chrony/chronyd.pid # If the system timezone database is kept up to date and includes the # right/UTC timezone, chronyd can use it to determine the current # TAI-UTC offset and when will the next leap second occur. ! leapsectz right/UTC # This directive specifies the location of the Samba ntp_signd socket # when it is running as a Domain Controller (DC). If chronyd is # compiled with this feature, responses to MS-SNTP clients will be # signed by the smbd daemon. ! ntpsigndsocket /var/lib/samba/ntp_signd ####################################################################### ### INITIAL CLOCK CORRECTION # This option is useful to quickly correct the clock on start if it's # off by a large amount. The value '1.0' means that if the error is less # than 1 second, it will be gradually removed by speeding up or slowing # down your computer's clock until it is correct. If the error is above # 1 second, an immediate time jump will be applied to correct it. The # value '3' means the step is allowed only in the first three updates of # the clock. Some software can get upset if the system clock jumps # (especially backwards), so be careful! ! makestep 1.0 3 ####################################################################### ### LEAP SECONDS # A leap second is an occasional one-second correction of the UTC # time scale. By default, chronyd tells the kernel to insert/delete # the leap second, which makes a backward/forward step to correct the # clock for it. As with the makestep directive, this jump can upset # some applications. If you prefer chronyd to make a gradual # correction, causing the clock to be off for a longer time, uncomment # the following line. ! leapsecmode slew ####################################################################### ### LOGGING # If you want to log information about the time measurements chronyd has # gathered, you might want to enable the following lines. You probably # only need this if you really enjoy looking at the logs, you want to # produce some graphs of your system's timekeeping performance, or you # need help in debugging a problem. ! logdir /var/log/chrony ! log measurements statistics tracking # If you have real time clock support enabled (see below), you might want # this line instead: ! log measurements statistics tracking rtc ####################################################################### ### ACTING AS AN NTP SERVER # You might want the computer to be an NTP server for other computers. # # By default, chronyd does not allow any clients to access it. You need # to explicitly enable access using 'allow' and 'deny' directives. # # e.g. to enable client access from the 192.168.*.* class B subnet, ! allow 192.168/16 # .. but disallow the 192.168.100.* subnet of that, ! deny 192.168.100/24 # You can have as many allow and deny directives as you need. The order # is unimportant. # If you want to present your computer's time for others to synchronise # with, even if you don't seem to be synchronised to any NTP servers # yourself, enable the following line. The value 10 may be varied # between 1 and 15. You should avoid small values because you will look # like a real NTP server. The value 10 means that you appear to be 10 # NTP 'hops' away from an authoritative source (atomic clock, GPS # receiver, radio clock etc). ! local stratum 10 # Normally, chronyd will keep track of how many times each client # machine accesses it. The information can be accessed by the 'clients' # command of chronyc. You can disable this facility by uncommenting the # following line. This will save a bit of memory if you have many # clients and it will also disable support for the interleaved mode. ! noclientlog # The clientlog size is limited to 512KB by default. If you have many # clients, you might want to increase the limit. ! clientloglimit 4194304 # By default, chronyd tries to respond to all valid NTP requests from # allowed addresses. If you want to limit the response rate for NTP # clients that are sending requests too frequently, uncomment and edit # the following line. ! ratelimit interval 3 burst 8 ####################################################################### ### REPORTING BIG CLOCK CHANGES # Perhaps you want to know if chronyd suddenly detects any large error # in your computer's clock. This might indicate a fault or a problem # with the server(s) you are using, for example. # # The next option causes a message to be written to syslog when chronyd # has to correct an error above 0.5 seconds (you can use any amount you # like). ! logchange 0.5 # The next option will send email to the named person when chronyd has # to correct an error above 0.5 seconds. (If you need to send mail to # several people, you need to set up a mailing list or sendmail alias # for them and use the address of that.) ! mailonchange wibble@foo.example.net 0.5 ####################################################################### ### COMMAND ACCESS # The program chronyc is used to show the current operation of chronyd # and to change parts of its configuration whilst it is running. # By default chronyd binds to the loopback interface. Uncomment the # following lines to allow receiving command packets from remote hosts. ! bindcmdaddress 0.0.0.0 ! bindcmdaddress :: # Normally, chronyd will only allow connections from chronyc on the same # machine as itself. This is for security. If you have a subnet # 192.168.*.* and you want to be able to use chronyc from any machine on # it, you could uncomment the following line. (Edit this to your own # situation.) ! cmdallow 192.168/16 # You can add as many 'cmdallow' and 'cmddeny' lines as you like. The # syntax and meaning is the same as for 'allow' and 'deny', except that # 'cmdallow' and 'cmddeny' control access to the chronyd's command port. # Rate limiting can be enabled also for command packets. (Note, # commands from localhost are never limited.) ! cmdratelimit interval -4 burst 16
New file @@ -0,0 +1,13 @@ # This is an example chrony keys file. It enables authentication of NTP # packets with symmetric keys when its location is specified by the keyfile # directive in chrony.conf(5). It should be readable only by root and the # user under which chronyd is running. # # Don't use the example keys! It's recommended to generate random keys using # the chronyc keygen command. # Examples of valid keys: #1 MD5 AVeryLongAndRandomPassword #2 MD5 HEX:12114855C7931009B4049EF3EFC48A139C3F989F #3 SHA1 HEX:B2159C05D6A219673A3B7E896B6DE07F6A440995 components/network/chrony/files/chrony.xml
New file @@ -0,0 +1,101 @@ <?xml version="1.0"?> <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> <!-- This file and its contents are supplied under the terms of the Common Development and Distribution License ("CDDL"), version 1.0. You may only use this file in accordance with the terms of version 1.0 of the CDDL. A full copy of the text of the CDDL should have accompanied this source. A copy of the CDDL is also available via the Internet at http://www.illumos.org/license/CDDL. Copyright 2021 OmniOS Community Edition (OmniOSce) Association. --> <service_bundle type='manifest' name='chrony:default'> <service name='network/chrony' type='service' version='1'> <create_default_instance enabled='false' /> <dependency name='network' grouping='require_any' restart_on='error' type='service'> <service_fmri value='svc:/network/service' /> </dependency> <dependency name='filesystem' grouping='require_all' restart_on='error' type='service'> <service_fmri value='svc:/system/filesystem/minimal' /> </dependency> <dependency name='name-services' grouping='optional_all' restart_on='none' type='service'> <service_fmri value='svc:/milestone/name-services' /> </dependency> <dependency name='routing-setup' grouping='optional_all' restart_on='none' type='service'> <service_fmri value='svc:/network/routing-setup' /> </dependency> <dependency name='config-file' grouping='require_all' restart_on='refresh' type='path'> <service_fmri value='file://localhost/etc/inet/chrony.conf' /> </dependency> <dependency name='open-vm-tools' grouping='exclude_all' restart_on='none' type='service'> <service_fmri value='svc:/system/virtualization/open-vm-tools:default' /> </dependency> <!-- ntpsec/vmtoolsd also adjust the system time. Prevent chrony running at the same time. --> <dependency name='ntpsec' grouping='exclude_all' restart_on='none' type='service'> <service_fmri value='svc:/network/ntp:default' /> </dependency> <exec_method type='method' name='start' exec='/usr/sbin/chronyd' timeout_seconds='600'> <method_context security_flags='aslr'> <method_credential user='root' group='root' privileges='basic,!file_link_any,!proc_info,!proc_session,file_chown_self,file_dac_search,file_dac_write,net_privaddr,proc_lock_memory,proc_priocntl,proc_setid,sys_time' /> </method_context> </exec_method> <exec_method type='method' name='stop' exec=':kill' timeout_seconds='60' /> <stability value='Unstable' /> <template> <common_name> <loctext xml:lang='C'>Network Time Protocol (NTP)</loctext> </common_name> <documentation> <manpage title='chronyc' section='1' /> <manpage title='chronyd' section='8' /> </documentation> </template> </service> </service_bundle> components/network/chrony/manifests/sample-manifest.p5m
New file @@ -0,0 +1,30 @@ # # This file and its contents are supplied under the terms of the # Common Development and Distribution License ("CDDL"), version 1.0. # You may only use this file in accordance with the terms of version # 1.0 of the CDDL. # # A full copy of the text of the CDDL should have accompanied this # source. A copy of the CDDL is also available via the Internet at # http://www.illumos.org/license/CDDL. # # # Copyright 2023 <contributor> # set name=pkg.fmri value=pkg:/$(COMPONENT_FMRI)@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) set name=pkg.human-version value=$(HUMAN_VERSION) set name=pkg.summary value="$(COMPONENT_SUMMARY)" set name=info.classification value="$(COMPONENT_CLASSIFICATION)" set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) set name=org.opensolaris.consolidation value=$(CONSOLIDATION) license $(COMPONENT_LICENSE_FILE) license='$(COMPONENT_LICENSE)' file path=usr/bin/chronyc file path=usr/sbin/chronyd file path=usr/share/man/man1/chronyc.1 file path=usr/share/man/man5/chrony.conf.5 file path=usr/share/man/man8/chronyd.8 components/network/chrony/patches/01-illumos.patch
New file @@ -0,0 +1,199 @@ diff -wpruN --no-dereference '--exclude=*.orig' a~/configure a/configure --- a~/configure 1970-01-01 00:00:00 +++ a/configure 1970-01-01 00:00:00 @@ -208,6 +208,11 @@ get_features () { OPERATINGSYSTEM=`uname -s` +if [ "$OPERATINGSYSTEM" = "SunOS" ]; then + KERNEL=`uname -o` + [ -n "$KERNEL" ] && OPERATINGSYSTEM="$KERNEL" +fi + VERSION=`uname -r` MACHINE=`uname -m` @@ -472,7 +477,7 @@ case $OPERATINGSYSTEM in fi echo "Configuring for macOS (" $SYSTEM "macOS version" $VERSION ")" ;; - SunOS) + SunOS|Solaris) EXTRA_OBJECTS="sys_generic.o sys_solaris.o sys_timex.o sys_posix.o" LIBS="$LIBS -lsocket -lnsl -lkvm -lelf -lresolv" try_setsched=1 @@ -488,6 +493,21 @@ case $OPERATINGSYSTEM in fi echo "Configuring for illumos (" $SYSTEM "SunOS version" $VERSION ")" ;; + illumos) + EXTRA_OBJECTS="sys_generic.o sys_solaris.o sys_timex.o sys_posix.o" + LIBS="$LIBS -lsocket -lnsl -lresolv" + try_setsched=1 + try_lockmem=1 + add_def SOLARIS + # These are needed to have msg_control in struct msghdr + add_def _XOPEN_SOURCE 600 + add_def __EXTENSIONS__ 1 + if [ $feat_droproot = "1" ]; then + add_def FEAT_PRIVDROP + priv_ops="ADJUSTTIMEX SETTIME BINDSOCKET" + fi + echo "Configuring for illumos (" $SYSTEM "version" $VERSION ")" + ;; * ) echo "error: $SYSTEM is not supported (yet?)" exit 1 diff -wpruN --no-dereference '--exclude=*.orig' a~/privops.c a/privops.c --- a~/privops.c 1970-01-01 00:00:00 +++ a/privops.c 1970-01-01 00:00:00 @@ -34,6 +34,7 @@ #include "logging.h" #include "privops.h" #include "socket.h" +#include "sys.h" #include "util.h" #define OP_ADJUSTTIME 1024 @@ -667,6 +668,8 @@ PRV_StartHelper(void) /* ignore signals, the process will exit on OP_QUIT request */ UTI_SetQuitSignalsHandler(SIG_IGN, 1); + SYS_DropRoot(0, 0, SYS_PRIV_HELPER); + helper_main(sock_fd2); } else { diff -wpruN --no-dereference '--exclude=*.orig' a~/sys.h a/sys.h --- a~/sys.h 1970-01-01 00:00:00 +++ a/sys.h 1970-01-01 00:00:00 @@ -38,6 +38,7 @@ extern void SYS_Finalise(void); typedef enum { SYS_MAIN_PROCESS, SYS_NTSKE_HELPER, + SYS_PRIV_HELPER, } SYS_ProcessContext; /* Switch to the specified user and group in given context */ diff -wpruN --no-dereference '--exclude=*.orig' a~/sys_solaris.c a/sys_solaris.c --- a~/sys_solaris.c 1970-01-01 00:00:00 +++ a/sys_solaris.c 1970-01-01 00:00:00 @@ -34,41 +34,13 @@ #include "sys_timex.h" #include "util.h" -#include <kvm.h> -#include <nlist.h> - -/* ================================================== */ - -static void -set_dosynctodr(int on_off) -{ - struct nlist nl[] = { {"dosynctodr"}, {NULL} }; - kvm_t *kt; - - kt = kvm_open(NULL, NULL, NULL, O_RDWR, NULL); - if (!kt) - LOG_FATAL("Could not open kvm"); - - if (kvm_nlist(kt, nl) < 0 || !nl[0].n_value) - LOG_FATAL("Could not get dosynctodr address"); - - if (kvm_kwrite(kt, nl[0].n_value, &on_off, sizeof (on_off)) < 0) - LOG_FATAL("Could not write to dosynctodr"); - - kvm_close(kt); -} +#include "logging.h" /* ================================================== */ void SYS_Solaris_Initialise(void) { - /* The kernel keeps the system clock and hardware clock synchronised to each - other. The dosynctodr variable needs to be set to zero to prevent the - the system clock from following the hardware clock when the system clock - is not adjusted by adjtime() or ntp_adjtime(modes=MOD_OFFSET). */ - set_dosynctodr(0); - /* The kernel allows the frequency to be set in the full range off int32_t */ SYS_Timex_InitialiseWithFunctions(32500, 1.0 / 100, NULL, NULL, NULL, 0.0, 0.0, NULL, NULL); @@ -85,11 +57,75 @@ SYS_Solaris_Finalise(void) /* ================================================== */ #ifdef FEAT_PRIVDROP + +#include <priv.h> + void SYS_Solaris_DropRoot(uid_t uid, gid_t gid, SYS_ProcessContext context) { + priv_set_t *privs, *basicprivs; + +#if DEBUG > 0 + setpflags(PRIV_DEBUG, 1); +#endif + + privs = priv_allocset(); + basicprivs = priv_allocset(); + + if (privs == NULL || basicprivs == NULL) + LOG_FATAL("Failed to allocate privilege sets"); + + if (getppriv(PRIV_PERMITTED, privs) != 0) + LOG_FATAL("Failed to retrieve current privileges"); + + priv_basicset(basicprivs); + priv_intersect(basicprivs, privs); + + if (context == SYS_PRIV_HELPER) { + /* for OP_BINDSOCKET */ + priv_addset(privs, PRIV_NET_PRIVADDR); + /* for OP_SETTIME and OP_ADJUSTTIMEX */ + priv_addset(privs, PRIV_SYS_TIME); + + priv_delset(privs, PRIV_FILE_LINK_ANY); + priv_delset(privs, PRIV_FILE_READ); + priv_delset(privs, PRIV_FILE_WRITE); + priv_delset(privs, PRIV_NET_ACCESS); + priv_delset(privs, PRIV_PROC_FORK); + priv_delset(privs, PRIV_PROC_EXEC); + priv_delset(privs, PRIV_PROC_SECFLAGS); + priv_delset(privs, PRIV_PROC_INFO); + priv_delset(privs, PRIV_PROC_SESSION); + + } else { + int mail_enabled; + double mail_threshold; + char *mail_user; + if (context == SYS_MAIN_PROCESS) PRV_StartHelper(); + UTI_DropRoot(uid, gid); + + priv_delset(privs, PRIV_FILE_LINK_ANY); + priv_delset(privs, PRIV_PROC_INFO); + priv_delset(privs, PRIV_PROC_SESSION); + + CNF_GetMailOnChange(&mail_enabled, &mail_threshold, &mail_user); + if (!mail_enabled) { + priv_delset(privs, PRIV_PROC_FORK); + priv_delset(privs, PRIV_PROC_EXEC); + } + } + + if (setppriv(PRIV_SET, PRIV_PERMITTED, privs) != 0) + LOG_FATAL("Failed to reduce permitted privileges"); + if (setppriv(PRIV_SET, PRIV_INHERITABLE, privs) != 0) + LOG_FATAL("Failed to reduce inheritable privileges"); + if (setppriv(PRIV_SET, PRIV_LIMIT, privs) != 0) + LOG_FATAL("Failed to reduce limit privileges"); + + priv_freeset(privs); + priv_freeset(basicprivs); } #endif components/network/chrony/pkg5
New file @@ -0,0 +1,14 @@ { "dependencies": [ "SUNWcs", "library/gnutls-3", "library/libedit", "library/nettle", "system/library", "system/library/math" ], "fmris": [ "service/network/chrony" ], "name": "chrony" } components/network/chrony/test/results-all.master
New file @@ -0,0 +1,25 @@ Testing addrfilt PASS Testing array PASS Testing clientlog PASS Testing cmac PASS Testing hash PASS Testing hwclock SKIP (on line 115) Testing keys PASS Testing ntp_auth PASS Testing ntp_core PASS Testing ntp_ext PASS Testing ntp_sources PASS Testing nts_ke_client PASS Testing nts_ke_server PASS Testing nts_ke_session PASS Testing nts_ntp_auth PASS Testing nts_ntp_client PASS Testing nts_ntp_server PASS Testing quantiles PASS Testing regress PASS Testing samplefilt PASS Testing siv PASS Testing smooth PASS Testing socket PASS Testing sources PASS Testing util PASS
