diff --git a/CVE-2021-3570.patch b/CVE-2021-3570.patch deleted file mode 100644 index e868972ce8d53263989dd47b104319c5b611b793..0000000000000000000000000000000000000000 --- a/CVE-2021-3570.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From ce15e4de5926724557e8642ec762a210632f15ca Mon Sep 17 00:00:00 2001 -From: Richard Cochran -Date: Sat, 17 Apr 2021 15:15:18 -0700 -Subject: [PATCH] Validate the messageLength field of incoming messages. - -The PTP messageLength field is redundant because the length of a PTP -message is precisely determined by the message type and the appended -TLVs. The current implementation validates the sizes of both the main -message (according to the fixed header length and fixed length by -type) and the TLVs (by using the 'L' of the TLV). - -However, when forwarding a message, the messageLength field is used. -If a message arrives with a messageLength field larger than the actual -message size, the code will read and possibly write data beyond the -allocated buffer. - -Fix the issue by validating the field on ingress. This prevents -reading and sending data past the message buffer when forwarding a -management message or other messages when operating as a transparent -clock, and it also prevents a memory corruption in msg_post_recv() -after forwarding a management message. 
- -Reported-by: Miroslav Lichvar -Signed-off-by: Richard Cochran ---- - msg.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/msg.c b/msg.c -index d1619d49..5ae8ebbf 100644 ---- a/msg.c -+++ b/msg.c -@@ -186,7 +186,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len) - { - uint8_t *ptr = msg_suffix(msg); - struct tlv_extra *extra; -- int err; -+ int err, suffix_len = 0; - - if (!ptr) - return 0; -@@ -204,12 +204,14 @@ static int suffix_post_recv(struct ptp_message *msg, int len) - tlv_extra_recycle(extra); - return -EBADMSG; - } -+ suffix_len += sizeof(struct TLV); - len -= sizeof(struct TLV); - ptr += sizeof(struct TLV); - if (extra->tlv->length > len) { - tlv_extra_recycle(extra); - return -EBADMSG; - } -+ suffix_len += extra->tlv->length; - len -= extra->tlv->length; - ptr += extra->tlv->length; - err = tlv_post_recv(extra); -@@ -219,7 +221,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len) - } - msg_tlv_attach(msg, extra); - } -- return 0; -+ return suffix_len; - } - - static void suffix_pre_send(struct ptp_message *msg) -@@ -337,7 +339,7 @@ void msg_get(struct ptp_message *m) - - int msg_post_recv(struct ptp_message *m, int cnt) - { -- int pdulen, type, err; -+ int err, pdulen, suffix_len, type; - - if (cnt < sizeof(struct ptp_header)) - return -EBADMSG; -@@ -422,9 +424,13 @@ int msg_post_recv(struct ptp_message *m, int cnt) - break; - } - -- err = suffix_post_recv(m, cnt - pdulen); -- if (err) -- return err; -+ suffix_len = suffix_post_recv(m, cnt - pdulen); -+ if (suffix_len < 0) { -+ return suffix_len; -+ } -+ if (pdulen + suffix_len != m->header.messageLength) { -+ return -EBADMSG; -+ } - - return 0; - } diff --git a/CVE-2021-3571.patch b/CVE-2021-3571.patch deleted file mode 100644 index 57525147c5e0d05c229d1f9c90391e2a8e11ccb2..0000000000000000000000000000000000000000 --- a/CVE-2021-3571.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From d61d77e163dbee247819f3d88593ba111577af15 Mon Sep 17 00:00:00 2001 -From: Miroslav Lichvar -Date: Fri, 26 Mar 2021 09:57:43 +0100 -Subject: [PATCH] tc: Fix length of follow-up message of one-step sync. - -Convert the length of the generated follow-up message to network order. -This fixes reading and sending of data past the message buffer. - -Signed-off-by: Miroslav Lichvar ---- - tc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tc.c b/tc.c -index d9e4853..2e3830c 100644 ---- a/tc.c -+++ b/tc.c -@@ -452,7 +452,7 @@ int tc_fwd_sync(struct port *q, struct ptp_message *msg) - } - fup->header.tsmt = FOLLOW_UP | (msg->header.tsmt & 0xf0); - fup->header.ver = msg->header.ver; -- fup->header.messageLength = sizeof(struct follow_up_msg); -+ fup->header.messageLength = htons(sizeof(struct follow_up_msg)); - fup->header.domainNumber = msg->header.domainNumber; - fup->header.sourcePortIdentity = msg->header.sourcePortIdentity; - fup->header.sequenceId = msg->header.sequenceId; diff --git a/clknetsim-9ed48d.tar.gz b/clknetsim-9ed48d.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..e3b191181428c1652ac28d752e122b9c50c54f33 Binary files /dev/null and b/clknetsim-9ed48d.tar.gz differ diff --git a/clknetsim-phc2sys.patch b/clknetsim-phc2sys.patch new file mode 100644 index 0000000000000000000000000000000000000000..1d2b6491052c1bf0846d316586d6eb36a6958529 --- /dev/null +++ b/clknetsim-phc2sys.patch 
@@ -0,0 +1,22 @@ +commit 2c62b9a3d8aa61bbb45a522c47be1ff2261e9b0e +Author: Miroslav Lichvar +Date: Mon Mar 14 11:40:50 2022 +0100 + + bash: remove default options for phc2sys + + Don't set any options by default for phc2sys to avoid conflict between + -O and -a. + +diff --git a/clknetsim.bash b/clknetsim.bash +index becc94d..eed622c 100644 +--- a/clknetsim.bash ++++ b/clknetsim.bash +@@ -82,7 +82,7 @@ start_client() { + args+=($opts) + ;; + phc2sys) +- args=(-s /dev/ptp0 -O 0 $opts $config) ++ args=($opts $config) + ;; + nsm) + args=($opts) diff --git a/linuxptp-2.0.tgz b/linuxptp-2.0.tgz deleted file mode 100644 index a42e8c1fc42203710f5cdd8da2493d19d02ad626..0000000000000000000000000000000000000000 Binary files a/linuxptp-2.0.tgz and /dev/null differ diff --git a/linuxptp-3.1.1.tgz b/linuxptp-3.1.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c60ac19df2392923354d01eb050ea69dbccd5992 Binary files /dev/null and b/linuxptp-3.1.1.tgz differ diff --git a/linuxptp-testsuite-ff37e2.tar.gz b/linuxptp-testsuite-ff37e2.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..917ebbc99ebdf63e71b5eec00446c3f047283952 Binary files /dev/null and b/linuxptp-testsuite-ff37e2.tar.gz differ diff --git a/linuxptp-zerolength.patch b/linuxptp-zerolength.patch new file mode 100644 index 0000000000000000000000000000000000000000..0ab5ed460201a41520b2a060aeca819f9494851b --- /dev/null +++ b/linuxptp-zerolength.patch @@ -0,0 +1,37 @@ +commit 9633ab52460f58c92c6daa35e9d24e4ce9c5ab1c +Author: Miroslav Lichvar +Date: Tue Feb 23 11:01:43 2021 +0100 + + sk: Don't return error for zero-length messages. + + The recvmsg() call can return zero for a zero-length UDP message, which + should be handled as a bad message and not a fault of the port. This was + addressed in commit 6b61ba29c78e ("Avoid fault when receiving zero + length packets"), but later regressed in commit a6e0b83bd503 + ("sk: Convey transmit path errors to the caller."). + + 
Signed-off-by: Miroslav Lichvar + Fixes: a6e0b83bd503 ("sk: Convey transmit path errors to the caller.") + +diff --git a/sk.c b/sk.c +index c9ef4d2..8be0708 100644 +--- a/sk.c ++++ b/sk.c +@@ -391,7 +391,7 @@ int sk_receive(int fd, void *buf, int buflen, + + if (!ts) { + memset(&hwts->ts, 0, sizeof(hwts->ts)); +- return cnt < 1 ? -errno : cnt; ++ return cnt < 0 ? -errno : cnt; + } + + switch (hwts->type) { +@@ -407,7 +407,7 @@ int sk_receive(int fd, void *buf, int buflen, + hwts->ts = timespec_to_tmv(ts[1]); + break; + } +- return cnt < 1 ? -errno : cnt; ++ return cnt < 0 ? -errno : cnt; + } + + int sk_set_priority(int fd, int family, uint8_t dscp) diff --git a/linuxptp.fc b/linuxptp.fc new file mode 100644 index 0000000000000000000000000000000000000000..d2061a9e4c732e742bd8d8d65af5e987e69b3046 --- /dev/null +++ b/linuxptp.fc @@ -0,0 +1,11 @@ +/usr/lib/systemd/system/phc2sys.* -- gen_context(system_u:object_r:phc2sys_unit_file_t,s0) + +/usr/lib/systemd/system/ptp4l.* -- gen_context(system_u:object_r:ptp4l_unit_file_t,s0) + +/usr/lib/systemd/system/timemaster.* -- gen_context(system_u:object_r:timemaster_unit_file_t,s0) + +/usr/sbin/ptp4l -- gen_context(system_u:object_r:ptp4l_exec_t,s0) +/usr/sbin/phc2sys -- gen_context(system_u:object_r:phc2sys_exec_t,s0) +/usr/sbin/timemaster -- gen_context(system_u:object_r:timemaster_exec_t,s0) + +/var/run/timemaster(/.*)? gen_context(system_u:object_r:timemaster_var_run_t,s0) diff --git a/linuxptp.if b/linuxptp.if new file mode 100644 index 0000000000000000000000000000000000000000..e2c96f4a80027e9e5ad6ec4c6e19a37d8d292c34 --- /dev/null +++ b/linuxptp.if 
@@ -0,0 +1,142 @@ +## implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. + +######################################## +## +## Execute domain in the phc2sys domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`linuxptp_domtrans_phc2sys',` + gen_require(` + type phc2sys_t, phc2sys_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, phc2sys_exec_t, phc2sys_t) +') + +######################################## +## +## Execute domain in the phc2sys domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`linuxptp_domtrans_ptp4l',` + gen_require(` + type ptp4l_t, ptp4l_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ptp4l_exec_t, ptp4l_t) +') +###################################### +## +## Connect to timemaster using a unix +## domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`timemaster_stream_connect',` + gen_require(` + type timemaster_t, timemaster_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t) +') + +######################################## +## +## Read timemaster conf files. +## +## +## +## Domain allowed access. +## +## +# +interface(`timemaster_read_pid_files',` + gen_require(` + type timemaster_var_run_t; + ') + + read_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t) +') + +######################################## +## +## Read and write timemaster shared memory. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`timemaster_rw_shm',` + gen_require(` + type timemaster_t, timemaster_tmpfs_t; + ') + + allow $1 timemaster_t:shm rw_shm_perms; + list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) + rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) + read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## +## Read and write ptp4l_t shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`ptp4l_rw_shm',` + gen_require(` + type ptp4l_t, timemaster_tmpfs_t; + ') + + allow $1 ptp4l_t:shm rw_shm_perms; + list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) + rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) + read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## +## Read and write phc2sys_t shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`phc2sys_rw_shm',` + gen_require(` + type phc2sys_t, timemaster_tmpfs_t; + ') + + allow $1 phc2sys_t:shm rw_shm_perms; + list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) + rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) + read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) + fs_search_tmpfs($1) +') diff --git a/linuxptp.spec b/linuxptp.spec index ceee79aa991e8bae0e42d614b80f5c6dd0224ad8..d5267f5d118d74d59cee469757adb6a373cc5ef7 100644 --- a/linuxptp.spec +++ b/linuxptp.spec 
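Review bot: The summary above `interface(`linuxptp_domtrans_ptp4l',` still reads `Execute domain in the phc2sys domain.`, copied from the phc2sys interface before it, while the body transitions to `ptp4l_t`; it should read `## Execute domain in the ptp4l domain.`. The same mismatch occurs on `timemaster_read_pid_files`, documented as `Read timemaster conf files.` although its body only grants `read_files_pattern` on `timemaster_var_run_t`; `## Read timemaster pid files.` matches the code. These summaries are what other policy authors read when choosing which interface to call, so a wrong one leads to the wrong domain or type being granted. The shared-memory interfaces at the end of the hunk are documented consistently with their bodies and need no change.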
@@ -1,73 +1,155 @@ +%global _hardened_build 1 +%global testsuite_ver ff37e2 +%global clknetsim_ver 9ed48d +%global selinuxtype targeted +%bcond_without selinux + Name: linuxptp -Version: 2.0 -Release: 5 -Summary: Linuxptp is an implementation of the Precision Time Protocol (PTP) -Group: System Environment/Base +Version: 3.1.1 +Release: 1 +Summary: PTP implementation for Linux License: GPLv2+ -URL: http://linuxptp.sourceforge.net/ +URL: https://linuxptp.sourceforge.net/ + Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tgz Source1: phc2sys.service Source2: ptp4l.service - -patch0000: CVE-2021-3571.patch -Patch0001: CVE-2021-3570.patch - -BuildRequires: gcc gcc-c++ systemd git net-tools - +Source3: timemaster.service +Source4: timemaster.conf +Source5: ptp4l.conf +# external test suite +Source10: https://github.com/mlichvar/linuxptp-testsuite/archive/%{testsuite_ver}/linuxptp-testsuite-%{testsuite_ver}.tar.gz +# simulator for test suite +Source11: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz +# selinux policy +Source20: linuxptp.fc +Source21: linuxptp.if +Source22: linuxptp.te + +# fix handling of zero-length messages +Patch1: linuxptp-zerolength.patch +# revert phc2sys options needed by the older version of test suite +Patch2: clknetsim-phc2sys.patch + +BuildRequires: gcc gcc-c++ make systemd + +%{?systemd_requires} + +%if 0%{?with_selinux} +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif %description -Linuxptp is an implementation of the Precision Time Protocol (PTP) according to -IEEE standard 1588 for Linux. The dual design goals are to provide a robust -implementation of the standard and to use the most relevant and modern Application -Programming Interfaces (API) offered by the Linux kernel. Supporting legacy APIs -and other platforms is not a goal. 
- - -%package help -Summary: Help files for %{name} -BuildArch: noarch +This software is an implementation of the Precision Time Protocol (PTP) +according to IEEE standard 1588 for Linux. The dual design goals are to provide +a robust implementation of the standard and to use the most relevant and modern +Application Programming Interfaces (API) offered by the Linux kernel. +Supporting legacy APIs and other platforms is not a goal. + +%if 0%{?with_selinux} +%package selinux +Summary: linuxptp SELinux policy +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +linuxptp SELinux policy module + +%endif +%prep +%setup -q -a 10 -a 11 -n %{name}-%{!?gitfullver:%{version}}%{?gitfullver} +%patch1 -p1 -b .zerolength +mv linuxptp-testsuite-%{testsuite_ver}* testsuite +mv clknetsim-%{clknetsim_ver}* testsuite/clknetsim -%description help -Help files for %{name} +pushd testsuite/clknetsim +%patch2 -p1 -R -b .phc2sys +popd - -%prep -%autosetup -n %{name}-%{version} +mkdir selinux +cp -p %{SOURCE20} %{SOURCE21} %{SOURCE22} selinux %build -%make_build EXTRA_CFLAGS="$RPM_OPT_FLAGS" \ - EXTRA_LDFLAGS="$RPM_LD_FLAGS" +%{make_build} \ + EXTRA_CFLAGS="$RPM_OPT_FLAGS" \ + EXTRA_LDFLAGS="$RPM_LD_FLAGS" +%if 0%{?with_selinux} +make -C selinux -f %{_datadir}/selinux/devel/Makefile linuxptp.pp +bzip2 -9 selinux/linuxptp.pp +%endif %install %makeinstall -mkdir -p %{buildroot}{%{_sysconfdir}/sysconfig,%{_unitdir}} -install -m 644 -p configs/default.cfg %{buildroot}%{_sysconfdir}/ptp4l.conf -install -m 644 -p %{SOURCE1} %{SOURCE2} %{buildroot}%{_unitdir} +mkdir -p $RPM_BUILD_ROOT{%{_sysconfdir}/sysconfig,%{_unitdir},%{_mandir}/man5} +install -m 644 -p %{SOURCE1} %{SOURCE2} %{SOURCE3} $RPM_BUILD_ROOT%{_unitdir} +install -m 644 -p %{SOURCE4} %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir} + +echo 'OPTIONS="-f /etc/ptp4l.conf"' > \ + 
$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/ptp4l +echo 'OPTIONS="-a -r"' > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/phc2sys + +echo '.so man8/ptp4l.8' > $RPM_BUILD_ROOT%{_mandir}/man5/ptp4l.conf.5 +echo '.so man8/timemaster.8' > $RPM_BUILD_ROOT%{_mandir}/man5/timemaster.conf.5 + +%if 0%{?with_selinux} +install -D -m 0644 selinux/linuxptp.pp.bz2 \ + $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.bz2 +install -D -p -m 0644 selinux/linuxptp.if \ + $RPM_BUILD_ROOT%{_datadir}/selinux/devel/include/distributed/linuxptp.if +%endif + +%check +cd testsuite +# set random seed to get deterministic results +export CLKNETSIM_RANDOM_SEED=26743 +%{make_build} -C clknetsim +PATH=..:$PATH ./run -echo 'OPTIONS="-f /etc/ptp4l.conf -i eth0"' > \ - %{buildroot}%{_sysconfdir}/sysconfig/ptp4l -echo 'OPTIONS="-a -r"' > %{buildroot}%{_sysconfdir}/sysconfig/phc2sys %post -%systemd_post phc2sys.service ptp4l.service +%systemd_post phc2sys.service ptp4l.service timemaster.service %preun -%systemd_preun phc2sys.service ptp4l.service +%systemd_preun phc2sys.service ptp4l.service timemaster.service %postun -%systemd_postun_with_restart phc2sys.service ptp4l.service +%systemd_postun_with_restart phc2sys.service ptp4l.service timemaster.service + +%if 0%{?with_selinux} +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} linuxptp + %selinux_relabel_post -s %{selinuxtype} +fi + +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/linuxptp.pp.* +%{_datadir}/selinux/devel/include/distributed/linuxptp.if +%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/linuxptp + +%endif %files -%doc README.org configs -%license COPYING +%doc COPYING README.org configs %config(noreplace) 
%{_sysconfdir}/ptp4l.conf %config(noreplace) %{_sysconfdir}/sysconfig/phc2sys %config(noreplace) %{_sysconfdir}/sysconfig/ptp4l +%config(noreplace) %{_sysconfdir}/timemaster.conf %{_unitdir}/phc2sys.service %{_unitdir}/ptp4l.service +%{_unitdir}/timemaster.service %{_sbindir}/hwstamp_ctl %{_sbindir}/nsm %{_sbindir}/phc2sys @@ -75,12 +157,14 @@ echo 'OPTIONS="-a -r"' > %{buildroot}%{_sysconfdir}/sysconfig/phc2sys %{_sbindir}/pmc %{_sbindir}/ptp4l %{_sbindir}/timemaster - - -%files help +%{_sbindir}/ts2phc +%{_mandir}/man5/*.5* %{_mandir}/man8/*.8* %changelog +* Mon Nov 14 2022 hkgy - 3.1.1-1 +- Upgrade to v3.1.1 + * Wed Sep 22 2021 yaoxin - 2.0-5 - Fix CVE-2021-3570 diff --git a/linuxptp.te b/linuxptp.te new file mode 100644 index 0000000000000000000000000000000000000000..a8dc3d19803482c4b39158664de701883b606cbc --- /dev/null +++ b/linuxptp.te 
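Review bot: The `%changelog` entry `- Upgrade to v3.1.1` does not record that `CVE-2021-3571.patch` and `CVE-2021-3570.patch` were dropped from the spec in the first hunk, nor why; if they are superseded by the upstream 3.1.1 release (which this review cannot confirm from the diff alone), add a line such as `- Drop CVE-2021-3570 and CVE-2021-3571 patches (fixed upstream in 3.1.1)` so the security history of the package stays traceable. Separately, `%global testsuite_ver ff37e2` and `%global clknetsim_ver 9ed48d` pin the two GitHub archive sources by six-character abbreviated commit ids; abbreviated ids are not guaranteed unique as a repository grows, so pinning the full 40-character ids there keeps `Source10`/`Source11` unambiguous. The new `%global _hardened_build 1` and the https `URL:` are welcome.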
@@ -0,0 +1,191 @@ +policy_module(linuxptp, 1.0.0) + + +######################################## +# +# Declarations +# + +type timemaster_t; +type timemaster_exec_t; +init_daemon_domain(timemaster_t, timemaster_exec_t) + +type timemaster_var_run_t; +files_pid_file(timemaster_var_run_t) + +type timemaster_tmpfs_t; +files_tmpfs_file(timemaster_tmpfs_t) + +type timemaster_unit_file_t; +systemd_unit_file(timemaster_unit_file_t) + +type phc2sys_t; +type phc2sys_exec_t; +init_daemon_domain(phc2sys_t, phc2sys_exec_t) + +type phc2sys_unit_file_t; +systemd_unit_file(phc2sys_unit_file_t) + +type ptp4l_t; +type ptp4l_exec_t; +init_daemon_domain(ptp4l_t, ptp4l_exec_t) + +type ptp4l_unit_file_t; +systemd_unit_file(ptp4l_unit_file_t) + +######################################## +# +# timemaster local policy +# + +allow timemaster_t self:process { signal_perms setcap}; +allow timemaster_t self:fifo_file rw_fifo_file_perms; +allow timemaster_t self:capability { setuid sys_time kill setgid }; +allow timemaster_t self:unix_stream_socket create_stream_socket_perms; +allow timemaster_t self:shm create_shm_perms; +allow timemaster_t self:udp_socket create_socket_perms; + +allow timemaster_t ptp4l_t:process signal; +allow timemaster_t phc2sys_t:process signal; + +allow timemaster_t ptp4l_t:shm rw_shm_perms; + +manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t) +manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t) +manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t) +files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file }) + +manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t) +manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t) +fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file }) + +kernel_read_network_state(timemaster_t) + +auth_use_nsswitch(timemaster_t) + +corenet_udp_bind_generic_node(timemaster_t) 
+corenet_udp_bind_ntp_port(timemaster_t) + +dev_read_urand(timemaster_t) + +logging_send_syslog_msg(timemaster_t) + +sysnet_read_config(timemaster_t) + +optional_policy(` + ntp_domtrans(timemaster_t) + ntp_signal(timemaster_t) +') + +optional_policy(` + chronyd_domtrans(timemaster_t) + chronyd_rw_shm(timemaster_t) +') + +optional_policy(` + gpsd_rw_shm(timemaster_t) +') + + +optional_policy(` + chronyd_signal(timemaster_t) +') + + +optional_policy(` + linuxptp_domtrans_ptp4l(timemaster_t) +') + +optional_policy(` + linuxptp_domtrans_phc2sys(timemaster_t) +') + +######################################## +# +# phc2sys local policy +# + +allow phc2sys_t self:capability sys_time; +allow phc2sys_t self:fifo_file rw_fifo_file_perms; +allow phc2sys_t self:unix_stream_socket create_stream_socket_perms; +allow phc2sys_t self:shm create_shm_perms; +allow phc2sys_t self:udp_socket create_socket_perms; + +allow phc2sys_t ptp4l_t:unix_dgram_socket sendto; + +allow phc2sys_t timemaster_t:shm rw_shm_perms; + +manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t) +manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t) +manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t) +files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file }) + +manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t) +manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t) +fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file }) + +dev_rw_realtime_clock(phc2sys_t) + +logging_send_syslog_msg(phc2sys_t) + +optional_policy(` + chronyd_rw_shm(phc2sys_t) +') + +optional_policy(` + gpsd_rw_shm(phc2sys_t) +') + +optional_policy(` + ntp_rw_shm(phc2sys_t) +') + +optional_policy(` + ptp4l_rw_shm(phc2sys_t) +') + +######################################## +# +# ptp4l local policy +# + +allow ptp4l_t self:fifo_file rw_fifo_file_perms; +allow ptp4l_t self:packet_socket create_socket_perms; +allow 
ptp4l_t self:unix_stream_socket create_stream_socket_perms; +allow ptp4l_t self:shm create_shm_perms; +allow ptp4l_t self:udp_socket create_socket_perms; +allow ptp4l_t self:capability { net_admin net_raw sys_time }; +allow ptp4l_t self:capability2 { bpf wake_alarm }; +allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms; + +allow ptp4l_t phc2sys_t:unix_dgram_socket sendto; + +manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t) +manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t) +manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t) +files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file }) + +manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t) +manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t) +fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file }) + +corenet_udp_bind_generic_node(ptp4l_t) +corenet_udp_bind_reserved_port(ptp4l_t) + +kernel_read_network_state(ptp4l_t) + +dev_rw_realtime_clock(ptp4l_t) + +files_write_generic_pid_sockets(ptp4l_t) + +logging_send_syslog_msg(ptp4l_t) + +userdom_dgram_send(ptp4l_t) + +optional_policy(` + chronyd_rw_shm(ptp4l_t) +') + +optional_policy(` + gpsd_rw_shm(ptp4l_t) +') diff --git a/phc2sys.service b/phc2sys.service index ddc7dbec4d78013a0bd82595f753d07d334bbb82..ff2f77edc6f2108bc1bfc8a2dafcf60384876543 100644 --- a/phc2sys.service +++ b/phc2sys.service @@ -1,6 +1,6 @@ [Unit] -Description=PTP: Synchronize two clocks -After=ntpdate.service +Description=Synchronize system clock or PTP hardware clock (PHC) +After=ntpdate.service ptp4l.service [Service] Type=simple diff --git a/ptp4l.conf b/ptp4l.conf new file mode 100644 index 0000000000000000000000000000000000000000..4b4b1db475b4f819f49f78f4304243070324ecb5 --- /dev/null +++ b/ptp4l.conf 
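Review bot: `allow ptp4l_t self:capability2 { bpf wake_alarm };` and `allow ptp4l_t self:capability { net_admin net_raw sys_time };` carry no explanation of which ptp4l operation needs each capability, which makes it hard for the next maintainer to tell whether one can be dropped; a short comment such as `# raw/packet sockets and socket filters; PHC adjustment` (confirm each entry against the audit denials that motivated it) would do. In the same way, `phc2sys_t` and `ptp4l_t` are each given `manage_dirs_pattern`, `manage_files_pattern` and `manage_sock_files_pattern` on `timemaster_var_run_t` plus `files_pid_filetrans`, i.e. the same rights as `timemaster_t` over its own runtime directory; presumably this is for the UDS sockets they create when spawned by timemaster, and a comment stating that would document the intent and make it possible to check later whether directory management is really required for those two domains. The enclosing `ptp4l local policy` section starts before this chunk, on the previous line.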
@@ -0,0 +1,14 @@ +# For more information about this file, see the ptp4l(8) man page. +# Examples are available in /usr/share/doc/linuxptp/configs. + +[global] +domainNumber 0 +slaveOnly 1 +time_stamping hardware +tx_timestamp_timeout 1 +logging_level 6 +summary_interval 0 + +[eth0] +network_transport UDPv4 +hybrid_e2e 0 diff --git a/ptp4l.service b/ptp4l.service index 597005bd30008d28b20cf9bfe47923ef8a6e0505..fbb26d1631732c5c67b2860075930d76bd1fac26 100644 --- a/ptp4l.service +++ b/ptp4l.service @@ -1,5 +1,7 @@ [Unit] -Description=PTP: Boundary/Ordinary Clock +Description=Precision Time Protocol (PTP) service +After=network-online.target +Wants=network-online.target [Service] Type=simple diff --git a/timemaster.conf b/timemaster.conf new file mode 100644 index 0000000000000000000000000000000000000000..14762099e07e93d7252dcde51fd73cbf10067e48 --- /dev/null +++ b/timemaster.conf @@ -0,0 +1,26 @@ +# Configuration file for timemaster + +#[ntp_server ntp-server.local] +#minpoll 4 +#maxpoll 4 + +#[ptp_domain 0] +#interfaces eth0 +#delay 10e-6 + +[timemaster] +ntp_program chronyd + +[chrony.conf] +include /etc/chrony.conf + +[ptp4l.conf] + +[chronyd] +path /usr/sbin/chronyd + +[phc2sys] +path /usr/sbin/phc2sys + +[ptp4l] +path /usr/sbin/ptp4l diff --git a/timemaster.service b/timemaster.service new file mode 100644 index 0000000000000000000000000000000000000000..a6bda33623fa42ec7f5973b0d4c7e544170edf53 --- /dev/null +++ b/timemaster.service @@ -0,0 +1,12 @@ +[Unit] +Description=Synchronize system clock to NTP and PTP time sources +After=chronyd.service ntpd.service ntpdate.service sntp.service network-online.target +Conflicts=chronyd.service ntpd.service phc2sys.service ptp4l.service +Wants=network-online.target + +[Service] +Type=simple +ExecStart=/usr/sbin/timemaster -f /etc/timemaster.conf + +[Install] +WantedBy=multi-user.target
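Review bot: The new `ptp4l.conf` hard-codes the interface in `[eth0]`, while the spec's sysconfig `OPTIONS` for ptp4l dropped the old `-i eth0`, so on a host with predictable interface names the service will not start until the section is renamed and nothing in the file says so; add `# Replace eth0 with the interface that carries PTP traffic.` to the header comment. `slaveOnly 1` is a sensible default for a packaged service since it prevents the host from being elected grandmaster, and a one-line comment saying that is the intent would stop it being removed casually.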