diff --git a/.chrony.metadata b/.chrony.metadata
index 40fb2fc..b0c5d0d 100644
--- a/.chrony.metadata
+++ b/.chrony.metadata
@@ -1,3 +1,3 @@
-0f5de043b395311a58bcf4be9800f7118afd5f59 SOURCES/chrony-4.2.tar.gz
-2e1fac8161ea8d92d76532c0b272fb31799bc310 SOURCES/clknetsim-824c48.tar.gz
+bc7884eb4fde69478a00faee3d42092d426d57c1 SOURCES/chrony-4.3.tar.gz
+9c453ae65e5c1a6983cd1121410faf1ffd2d9092 SOURCES/clknetsim-f00531.tar.gz
1395afa521d2e3302a31083edcf568bbc036aafc SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
diff --git a/.gitignore b/.gitignore
index 65f6088..422eb36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/chrony-4.2.tar.gz
-SOURCES/clknetsim-824c48.tar.gz
+SOURCES/chrony-4.3.tar.gz
+SOURCES/clknetsim-f00531.tar.gz
SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/chrony-4.2-tar-gz-asc.txt b/SOURCES/chrony-4.2-tar-gz-asc.txt
deleted file mode 100644
index 23c7755..0000000
--- a/SOURCES/chrony-4.2-tar-gz-asc.txt
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmG7LoQACgkQU34rdvdo
-Daw47w//fpF3YlqSJWQObHv/hMC6EGQSX6hRVzckXgzq7PFN2HaTX1iZV2UsP1KN
-NtXfH3V7PxTdT4jT41bHUw++vN0HXkaAw3ccbm31MVTc353JFv5VUKT/OtK+I8dZ
-CKGDy7X4REET7rCYTEfhgvAwjisIlc81xFq9fMYiGasj2LXZD9GUFHqu0JzvvyMz
-R0PNGDSYaJX5Ex1GtbgULjDJNF0FRDE+T6SBjs8Xlej020DbNRb4MNZitzygMNum
-ChN2MltzEccw/UegrsaN1UYQG2C4/Xgdjeqfa4ioiewBL0/79oPkNyJT0GCtOIUM
-TCAdDRrwLuh7d3+Hl6szy8FxKRFN4s/TTjSTinwDCaexqqNgKeSRkJPFWPWhq4l1
-2W+hh5cYtToP4wYNpFdadz+LJYrRzYEtAKdFMegYt2Q/MMVtsNji4qeJ/VOnyrUI
-cJD6sWqDtrUQnegVky1QDwKIYLzO+h6kDaTEm7ZhaT3pR4gGC47umPR9HAcgch0/
-QdmHd1dP1rutDdpiGmXRicvSV48M1Ol6AAs7rUERuQGJ4Tl/zoMGWmN93UQEpisS
-9L1PBNdAjdutJaZKA3Bgq49BOPzcRGvhamH63fO5Q+h6uXCzxd9s8MDeY8wh3Idn
-2aHcGnx32z3DNbpG/nXtKE3GeiSDbw6FmN4KUmKKBR552lCcgpA=
-=F4BS
------END PGP SIGNATURE-----
diff --git a/SOURCES/chrony-4.3-tar-gz-asc.txt b/SOURCES/chrony-4.3-tar-gz-asc.txt
new file mode 100644
index 0000000..995ffc5
--- /dev/null
+++ b/SOURCES/chrony-4.3-tar-gz-asc.txt
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmMPLJAACgkQU34rdvdo
+DaxDKRAAh5wfl990Q6sTPxXI92GegZYIGUxJDlCkJtemoI98g+DQbuCJ46AXsAn/
+CIBTbPU3Brvq2KR1nDze/G/YOXkaqoFyaJD00H73qBI7MOMiSS4KbMQ26xLNrnHL
+MCHrgZs+MHhyo6IEpesvr7F/+qyGHZifFlHT+HtCM+SBU1qooYUyQAdnhyK0rb16
+j7/Jc5A28jROZB4lcRQyvB085whPj299FsB/0wJW5RjwA5tcpPH0sTozain3vvlo
+64BAJXcQsyRsilcaPFlkY5zPgFiAuaEJnfTe/uMdfDO/V/g6wADt64+HhaxNPO+z
+p3vzEGpio4Oi1HyYiXpDx9bMM1RLTpmKt9p1V5Y98Fn5Ymx6I7yAe1qwvA7T8eoC
+hK8C27jPytiOgaWSYqPYb0WaHY3JZZpFzdtr0bAPSkEzL4EwrxVmbgTnkuzk2hxk
+6MiIuDLUd9Zl1oroqv+rTd0XA8lXUcoyFhqtsMXHWdAC3yzteaPcJKzv7l9DT6xV
+YadKrSBkzob9jRWRngY3FMKjTvcwnxLE8dfsNlsDNGyLNtTEOJ/QYgh6muOHh80L
+MAayI8hSWPTR/3IXKlathjLIeilsrFthIZcrPq520FoS4A7E3A80vR3uKOqAIDwh
+Y+6ASvEkCHAUneJqlLihqglYTNJlFnVhGw9/LV85JsmRsCZ0+j8=
+=2xMP
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/chrony-nm-dispatcher-dhcp.patch b/SOURCES/chrony-nm-dispatcher-dhcp.patch
index d424737..dd9fc2a 100644
--- a/SOURCES/chrony-nm-dispatcher-dhcp.patch
+++ b/SOURCES/chrony-nm-dispatcher-dhcp.patch
@@ -1,146 +1,3 @@
-commit 5bd13c8d593a74ad168057efe94dd2b3aeeffe14
-Author: Miroslav Lichvar <mlichvar@redhat.com>
-Date: Mon Feb 7 13:27:25 2022 +0100
-
- examples: support DHCPv6 NTP servers in NM dispatcher script
-
- Latest NetworkManager code provides NTP servers from the DHCPv6 NTP
- option (RFC 5908) in the DHCP6_DHCP6_NTP_SERVERS variable to dispatcher
- scripts.
-
- Check for invalid characters (which can come from the FQDN suboption)
- and include the servers in the interface-specific sources file.
-
-diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
-index 6ea4c370..4454f037 100644
---- a/examples/chrony.nm-dispatcher.dhcp
-+++ b/examples/chrony.nm-dispatcher.dhcp
-@@ -1,8 +1,7 @@
- #!/bin/sh
- # This is a NetworkManager dispatcher script for chronyd to update
--# its NTP sources passed from DHCP options. Note that this script is
--# specific to NetworkManager-dispatcher due to use of the
--# DHCP4_NTP_SERVERS environment variable.
-+# its NTP sources with servers from DHCP options passed by NetworkManager
-+# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables.
-
- export LC_ALL=C
-
-@@ -10,17 +9,19 @@ interface=$1
- action=$2
-
- chronyc=/usr/bin/chronyc
--default_server_options=iburst
-+server_options=iburst
- server_dir=/var/run/chrony-dhcp
-
- dhcp_server_file=$server_dir/$interface.sources
--# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
--nm_dhcp_servers=$DHCP4_NTP_SERVERS
-+dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS"
-
- add_servers_from_dhcp() {
- rm -f "$dhcp_server_file"
-- for server in $nm_dhcp_servers; do
-- echo "server $server $default_server_options" >> "$dhcp_server_file"
-+ for server in $dhcp_ntp_servers; do
-+ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
-+ printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue
-+
-+ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file"
- done
- $chronyc reload sources > /dev/null 2>&1 || :
- }
-@@ -34,10 +35,11 @@ clear_servers_from_dhcp() {
-
- mkdir -p $server_dir
-
--if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then
-- add_servers_from_dhcp
--elif [ "$action" = "down" ]; then
-- clear_servers_from_dhcp
--fi
-+case "$action" in
-+ up|dhcp4-change|dhcp6-change)
-+ add_servers_from_dhcp;;
-+ down)
-+ clear_servers_from_dhcp;;
-+esac
-
- exit 0
-
-commit e55f174bd3a7ae82fb24afd43443d0b55d5536cf
-Author: Miroslav Lichvar <mlichvar@redhat.com>
-Date: Mon Feb 7 13:27:48 2022 +0100
-
- examples: handle more actions in NM dispatcher script
-
- Run the chronyc onoffline command also when the connectivity-change
- and dhcp6-change actions are reported by the NetworkManager dispatcher.
-
- The latter should not be necessary, but there currently doesn't seem to
- be any action for IPv6 becoming routable after duplicate address
- detection, so at least in networks using DHCPv6, IPv6 NTP servers should
- not be stuck in the offline state from a previously reported action.
-
-diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline
-index 34cfa0db..01e6fdb1 100644
---- a/examples/chrony.nm-dispatcher.onoffline
-+++ b/examples/chrony.nm-dispatcher.onoffline
-@@ -7,8 +7,18 @@ export LC_ALL=C
-
- chronyc=/usr/bin/chronyc
-
--# For NetworkManager consider only up/down events
--[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
-+# For NetworkManager consider only selected events
-+if [ $# -ge 2 ]; then
-+ case "$2" in
-+ up|down|connectivity-change)
-+ ;;
-+ dhcp6-change)
-+ # No other action is reported for routable IPv6
-+ ;;
-+ *)
-+ exit 0;;
-+ esac
-+fi
-
- # Note: for networkd-dispatcher routable.d ~= on and off.d ~= off
-
-commit fca8966adaaf8376536af86ba2afe02501463588
-Author: Miroslav Lichvar <mlichvar@redhat.com>
-Date: Wed Mar 23 15:17:03 2022 +0100
-
- examples: replace grep command in NM dispatcher script
-
- Some grep implementations detect binary data and return success without
- matching whole line. This might be an issue for the DHCPv6 NTP FQDN
- check. The GNU grep in the C locale seems to check only for the NUL
- character, which cannot be passed in an environment variable, but other
- implementations might behave differently and there doesn't seem to be a
- portable way to force matching the whole line.
-
- Instead of the grep command, check for invalid characters by comparing
- the length of the input passed through "tr -d -c".
-
-diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
-index 4454f037..547ce83f 100644
---- a/examples/chrony.nm-dispatcher.dhcp
-+++ b/examples/chrony.nm-dispatcher.dhcp
-@@ -19,7 +19,11 @@ add_servers_from_dhcp() {
- rm -f "$dhcp_server_file"
- for server in $dhcp_ntp_servers; do
- # Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
-- printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue
-+ len1=$(printf '%s' "$server" | wc -c)
-+ len2=$(printf '%s' "$server" | tr -d -c 'A-Za-z0-9:.-' | wc -c)
-+ if [ "$len1" -ne "$len2" ] || [ "$len2" -lt 1 ] || [ "$len2" -gt 255 ]; then
-+ continue
-+ fi
-
- printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file"
- done
From: Robert Fairley <rfairley@redhat.com>
Date: Wed, 17 Jun 2020 10:14:19 -0400
Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig
diff --git a/SOURCES/chrony-seccomp.patch b/SOURCES/chrony-seccomp.patch
deleted file mode 100644
index 523759c..0000000
--- a/SOURCES/chrony-seccomp.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d
-Author: Michael Hudson-Doyle <michael.hudson@canonical.com>
-Date: Wed Feb 9 09:06:13 2022 +0100
-
- sys_linux: allow rseq in seccomp filter
-
- Libc 2.35 will use rseq syscalls [1][2] by default and thereby
- break chrony in seccomp isolation.
-
- [1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
- [2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html
-
- Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
- Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
- Signed-off-by: Michael Hudson-Doyle <michael.hudson@canonical.com>
- Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
-diff --git a/sys_linux.c b/sys_linux.c
-index 9cab2efa..cc3c9311 100644
---- a/sys_linux.c
-+++ b/sys_linux.c
-@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
- SCMP_SYS(getrlimit),
- SCMP_SYS(getuid),
- SCMP_SYS(getuid32),
-+#ifdef __NR_rseq
-+ SCMP_SYS(rseq),
-+#endif
- SCMP_SYS(rt_sigaction),
- SCMP_SYS(rt_sigreturn),
- SCMP_SYS(rt_sigprocmask),
diff --git a/SOURCES/chrony.sysusers b/SOURCES/chrony.sysusers
new file mode 100644
index 0000000..b02f5fe
--- /dev/null
+++ b/SOURCES/chrony.sysusers
@@ -0,0 +1,2 @@
+#Type Name ID GECOS Home directory Shell
+u chrony - "chrony system user" /var/lib/chrony /sbin/nologin
diff --git a/SPECS/chrony.spec b/SPECS/chrony.spec
index 3525920..b2a8358 100644
--- a/SPECS/chrony.spec
+++ b/SPECS/chrony.spec
@@ -1,5 +1,5 @@
%global _hardened_build 1
-%global clknetsim_ver 824c48
+%global clknetsim_ver f00531
%bcond_without debug
%bcond_without nts
@@ -8,7 +8,7 @@
%endif
Name: chrony
-Version: 4.2
+Version: 4.3
Release: 1%{?dist}
Summary: An NTP client/server
@@ -18,14 +18,13 @@ Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerel
Source1: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt
Source2: https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
Source3: chrony.dhclient
+Source4: chrony.sysusers
# simulator for test suite
Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
%{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz}
-# add IPv6 support and distribution-specific bits to DHCP dispatcher
+# add distribution-specific bits to DHCP dispatcher
Patch1: chrony-nm-dispatcher-dhcp.patch
-# update seccomp filter for new glibc
-Patch2: chrony-seccomp.patch
# revert some hardening options in service files
Patch3: chrony-services.patch
@@ -34,8 +33,8 @@ BuildRequires: gcc gcc-c++ make bison systemd gnupg2
%{?with_nts:BuildRequires: gnutls-utils}
%{?with_seccomp:BuildRequires: libseccomp-devel}
-Requires(pre): shadow-utils
%{?systemd_requires}
+%{?sysusers_requires_compat}
# Old NetworkManager expects the dispatcher scripts in a different place
Conflicts: NetworkManager < 1.20
@@ -59,7 +58,6 @@ service to other computers in the network.
%setup -q -n %{name}-%{version}%{?prerelease} -a 10
%{?gitpatch:%patch0 -p1}
%patch1 -p1 -b .nm-dispatcher-dhcp
-%patch2 -p1 -b .seccomp
%patch3 -p1 -b .services
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
@@ -123,6 +121,7 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{sysconfig,logrotate.d}
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/{lib,log}/chrony
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dhcp/dhclient.d
mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
+mkdir -p $RPM_BUILD_ROOT%{_sysusersdir}
mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d
mkdir -p $RPM_BUILD_ROOT{%{_unitdir},%{_prefix}/lib/systemd/ntp-units.d}
@@ -143,6 +142,8 @@ install -m 755 -p examples/chrony.nm-dispatcher.dhcp \
$RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
install -m 644 -p examples/chrony-wait.service \
$RPM_BUILD_ROOT%{_unitdir}/chrony-wait.service
+install -m 644 -p %{SOURCE4} \
+ $RPM_BUILD_ROOT%{_sysusersdir}/chrony.conf
cat > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/chronyd <<EOF
# Command-line options for chronyd
@@ -161,9 +162,7 @@ export CLKNETSIM_RANDOM_SEED=24505
make quickcheck
%pre
-getent group chrony > /dev/null || /usr/sbin/groupadd -r chrony
-getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \
- -d %{_localstatedir}/lib/chrony -s /sbin/nologin chrony
+%sysusers_create_compat %{SOURCE4}
:
%post
@@ -199,6 +198,7 @@ fi
%{_prefix}/lib/NetworkManager
%{_prefix}/lib/systemd/ntp-units.d/*.list
%{_unitdir}/chrony*.service
+%{_sysusersdir}/chrony.conf
%{_mandir}/man[158]/%{name}*.[158]*
%dir %attr(750,chrony,chrony) %{_localstatedir}/lib/chrony
%ghost %attr(-,chrony,chrony) %{_localstatedir}/lib/chrony/drift
@@ -206,6 +206,10 @@ fi
%dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
%changelog
+* Wed Oct 12 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.3-1
+- update to 4.3 (#2133754)
+- add sysusers.d fragment for chrony user/group (#2095374)
+
* Wed Mar 23 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.2-1
- update to 4.2 (#2051441)
- fully switch from nettle to gnutls (#1953463 #1954483)