author | Jeroen Roovers <jer@gentoo.org> | 2020-08-31 10:35:47 +0200 |
---|---|---|
committer | Jeroen Roovers <jer@gentoo.org> | 2020-08-31 10:39:58 +0200 |
commit | 6fbce4846282a2d77a9a8094e3d2fcd7176afcd6 (patch) | |
tree | 7f5b3c7e50f443aa02646adcddbee49794fe3505 /net-misc/chrony | |
parent | sys-libs/glibc: Add rv32 backport (diff) | |
net-misc/chrony: Disable non-default seccomp filter option
With `-F 1' chronyd sets up a syscall filter and has itself killed when
a "forbidden" syscall is made. Since we cannot control that (as
explained in the chronyd(8) manual) we should disable the filter by
default.
Package-Manager: Portage-3.0.4, Repoman-3.0.1
Bug: https://bugs.gentoo.org/739714
Signed-off-by: Jeroen Roovers <jer@gentoo.org>
Diffstat (limited to 'net-misc/chrony')
-rw-r--r-- | net-misc/chrony/chrony-3.5.1-r1.ebuild | 11 | ||||
-rw-r--r-- | net-misc/chrony/chrony-4.0_pre3.ebuild | 11 | ||||
-rw-r--r-- | net-misc/chrony/chrony-9999.ebuild | 11 | ||||
-rw-r--r-- | net-misc/chrony/files/chronyd.conf-r1 | 2 |
4 files changed, 19 insertions, 16 deletions
diff --git a/net-misc/chrony/chrony-3.5.1-r1.ebuild b/net-misc/chrony/chrony-3.5.1-r1.ebuild
index f112b3307064..f0c66705c223 100644
--- a/net-misc/chrony/chrony-3.5.1-r1.ebuild
+++ b/net-misc/chrony/chrony-3.5.1-r1.ebuild
@@ -67,13 +67,14 @@ src_prepare() {
 -e 's|pkg-config|${PKG_CONFIG}|g' \
 configure || die
- # Copy for potential user fixup
- cp "${FILESDIR}"/chronyd.conf-r1 "${T}"/chronyd.conf
- cp examples/chronyd.service "${T}"/chronyd.service
+ sed \
+ -e 's/-F 1/-F 0/' \
+ examples/chronyd.service > "${T}"/chronyd.service || die
+
+ cp "${FILESDIR}"/chronyd.conf-r1 "${T}"/chronyd.conf || die
 }
 src_configure() {
- # Set config for privdrop
 if ! use caps; then
 sed -i \
 -e 's/-u ntp//' \
@@ -82,7 +83,7 @@ src_configure() {
 if ! use seccomp; then
 sed -i \
- -e 's/-F 1//' \
+ -e 's/-F 0//' \
 "${T}"/chronyd.conf "${T}"/chronyd.service || die
 fi
diff --git a/net-misc/chrony/chrony-4.0_pre3.ebuild b/net-misc/chrony/chrony-4.0_pre3.ebuild
index f08fcf89f2e4..e8f5a46d753f 100644
--- a/net-misc/chrony/chrony-4.0_pre3.ebuild
+++ b/net-misc/chrony/chrony-4.0_pre3.ebuild
@@ -67,13 +67,14 @@ src_prepare() {
 -e 's|pkg-config|${PKG_CONFIG}|g' \
 configure || die
- # Copy for potential user fixup
- cp "${FILESDIR}"/chronyd.conf-r1 "${T}"/chronyd.conf
- cp examples/chronyd.service "${T}"/chronyd.service
+ sed \
+ -e 's/-F 1/-F 0/' \
+ examples/chronyd.service > "${T}"/chronyd.service || die
+
+ cp "${FILESDIR}"/chronyd.conf-r1 "${T}"/chronyd.conf || die
 }
 src_configure() {
- # Set config for privdrop
 if ! use caps; then
 sed -i \
 -e 's/-u ntp//' \
@@ -82,7 +83,7 @@ src_configure() {
 if ! use seccomp; then
 sed -i \
- -e 's/-F 1//' \
+ -e 's/-F 0//' \
 "${T}"/chronyd.conf "${T}"/chronyd.service || die
 fi
diff --git a/net-misc/chrony/chrony-9999.ebuild b/net-misc/chrony/chrony-9999.ebuild
index f08fcf89f2e4..e8f5a46d753f 100644
--- a/net-misc/chrony/chrony-9999.ebuild
+++ b/net-misc/chrony/chrony-9999.ebuild
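Review bot: The new `sed -e 's/-F 1/-F 0/'` in src_prepare() is pinned to the literal `-F 1`, and sed exits 0 when nothing matches, so `|| die` only catches I/O errors: if upstream's examples/chronyd.service ever carries a different filter level or spacing, the unit is installed unchanged and the build still succeeds. Matching the option rather than one value, for example `-e 's/-F [-0-9]*/-F 0/'`, or checking first with `grep -q -e '-F 1' examples/chronyd.service`, would make that drift visible. The hunk also drops both comments (`# Copy for potential user fixup`, `# Set config for privdrop`) without replacing them; a line such as `# Stage in ${T} and force the seccomp filter off by default, bug #739714` would record why the unit is rewritten. The identical hunks in chrony-4.0_pre3.ebuild and chrony-9999.ebuild have the same issue, and src_prepare() begins above the hunk.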
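Review bot: After this change `USE=seccomp` no longer means the filter is active: the `! use seccomp` branch strips `-F 0`, while a seccomp-enabled build keeps `-F 0` in both chronyd.conf and chronyd.service, so users who previously ran with the filter lose it on upgrade without any message. An `elog` for `use seccomp` builds, placed wherever the ebuild prints its post-install notes (not visible in this hunk), could say `elog "The seccomp filter is compiled in but disabled; pass -F 1 in ARGS to enable it."`. The pattern `s/-F 0//` must also stay in step with the literal written by src_prepare() and files/chronyd.conf-r1, which deserves a short comment such as `# must match the -F value set in src_prepare and chronyd.conf-r1`. The same hunk appears in chrony-4.0_pre3.ebuild and chrony-9999.ebuild, and src_configure() continues past the end of the hunk.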
@@ -67,13 +67,14 @@ src_prepare() {
 -e 's|pkg-config|${PKG_CONFIG}|g' \
 configure || die
- # Copy for potential user fixup
- cp "${FILESDIR}"/chronyd.conf-r1 "${T}"/chronyd.conf
- cp examples/chronyd.service "${T}"/chronyd.service
+ sed \
+ -e 's/-F 1/-F 0/' \
+ examples/chronyd.service > "${T}"/chronyd.service || die
+
+ cp "${FILESDIR}"/chronyd.conf-r1 "${T}"/chronyd.conf || die
 }
 src_configure() {
- # Set config for privdrop
 if ! use caps; then
 sed -i \
 -e 's/-u ntp//' \
@@ -82,7 +83,7 @@ src_configure() {
 if ! use seccomp; then
 sed -i \
- -e 's/-F 1//' \
+ -e 's/-F 0//' \
 "${T}"/chronyd.conf "${T}"/chronyd.service || die
 fi
diff --git a/net-misc/chrony/files/chronyd.conf-r1 b/net-misc/chrony/files/chronyd.conf-r1
index c04f3525f0b7..2783f29e6844 100644
--- a/net-misc/chrony/files/chronyd.conf-r1
+++ b/net-misc/chrony/files/chronyd.conf-r1
@@ -9,4 +9,4 @@ CFGFILE="/etc/chrony/chrony.conf"
 # The combination of "-s -r" allows chronyd to perform long term averaging of
 # the gain or loss rate across system reboots and shutdowns.
-ARGS="-u ntp -F 0"
+ARGS="-u ntp -F 0"
|
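Review bot: `ARGS="-u ntp -F 0"` gives an administrator no hint that the syscall filter has been deliberately switched off or how to turn it back on; the comment block above ARGS only explains `-s -r`. A comment before ARGS such as `# -F 0 leaves the seccomp syscall filter off; use -F 1 to enable it (chronyd is then killed on a forbidden syscall, see chronyd(8))` would document the trade-off where the setting is edited. If `-F 0` is also chronyd's built-in default, as the commit title suggests, the comment is the only thing that makes the explicit flag worth keeping.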