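# ntp (the reference NTP daemon, ntpd) -- nixpkgs package expression.
#
# libcap and libseccomp default to null so the expression still evaluates on
# non-Linux platforms; on Linux both are required (asserted below).
{ stdenv, lib, fetchurl, openssl, perl, libcap ? null, libseccomp ? null }:

# On Linux the daemon is configured with --enable-linuxcaps (see
# configureFlags), which needs libcap.
assert stdenv.isLinux -> libcap != null;
# NOTE(review): libseccomp is required on every Linux platform, but it is only
# linked in and enabled when withSeccomp (x86/x86_64 only) holds; the assert is
# stricter than the actual use.
assert stdenv.isLinux -> libseccomp != null;

let
  # The seccomp system-call filter is only built on Linux i686 / x86_64.
  withSeccomp = stdenv.isLinux && (stdenv.isi686 || stdenv.isx86_64);
in

stdenv.mkDerivation rec {
  name = "ntp-4.2.8p10";

  # The tarball is fetched over plain HTTP; fetchurl checks it against the
  # pinned sha256, so the integrity of the source rests on that hash.
  src = fetchurl {
    url = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/${name}.tar.gz";
    sha256 = "17xrk7gxrl3hgg0i73n8qm53knyh01lf0f3l1zx9x6r1cip3dlnx";
  };

  # The hardcoded list of allowed system calls for seccomp is
  # insufficient for NixOS, add more to make it work (issue #21136).
  # Without the patch ntpd hung in getpid() right after the filter was
  # installed, and fcntl and setsockopt also had to be allowed.
  patches = [ ./seccomp.patch ];

  configureFlags = [
    "--sysconfdir=/etc"
    "--localstatedir=/var"
    "--with-openssl-libdir=${openssl.out}/lib"
    "--with-openssl-incdir=${openssl.dev}/include"
    "--enable-ignore-dns-errors"
  ]
    # Linux capabilities support (ntp's option for running with reduced
    # privileges via libcap -- confirm against ntp's configure help).
    ++ lib.optional stdenv.isLinux "--enable-linuxcaps"
    # Only on the platforms where the seccomp filter is supported here.
    ++ lib.optional withSeccomp "--enable-libseccomp";

  # libseccomp is linked only when the filter is actually enabled.
  buildInputs = [ libcap openssl perl ] ++ lib.optional withSeccomp libseccomp;

  # Build a position-independent executable.
  hardeningEnable = [ "pie" ];

  postInstall = ''
    rm -rf $out/share/doc
  '';

  meta = with lib; {
    homepage = http://www.ntp.org/;
    description = "An implementation of the Network Time Protocol";
    maintainers = [ maintainers.eelco ];
    platforms = platforms.linux;
  };
}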