From 35e0eea053d81f7aa933cd2747f43d3b4524c326 Mon Sep 17 00:00:00 2001
From: Ambroz Bizjak
Date: Sun, 2 Apr 2017 20:29:30 +0200
Subject: [PATCH] ntpd: Allow additional syscalls in seccomp filter.

Fixes issue #21136.

The problem is that the seccomp system call filter configured by ntpd did not include some system calls that were apparently needed. For example the program hanged in getpid just after the filter was installed:

prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid() = ?

I do not know exactly why this is a problem on NixOS only, perhaps we have getpid caching disabled. The fcntl and setsockopt system calls also had to be added.
---
 pkgs/tools/networking/ntp/default.nix | 4 +++
 pkgs/tools/networking/ntp/seccomp.patch | 44 +++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 pkgs/tools/networking/ntp/seccomp.patch

diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix
index 64f4b9008b1..37078d39fe6 100644
--- a/pkgs/tools/networking/ntp/default.nix
+++ b/pkgs/tools/networking/ntp/default.nix
@@ -15,6 +15,10 @@ stdenv.mkDerivation rec {
     sha256 = "0whbyf82lrczbri4adbsa4hg1ppfa6c7qcj7nhjwdfp1g1vjh95p";
   };
 
+  # The hardcoded list of allowed system calls for seccomp is
+  # insufficient for NixOS, add more to make it work (issue #21136).
+  patches = [ ./seccomp.patch ];
+
   configureFlags = [
     "--sysconfdir=/etc"
     "--localstatedir=/var"
diff --git a/pkgs/tools/networking/ntp/seccomp.patch b/pkgs/tools/networking/ntp/seccomp.patch
new file mode 100644
index 00000000000..28de2f01d07
--- /dev/null
+++ b/pkgs/tools/networking/ntp/seccomp.patch
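Review bot: The comment above `patches` states the allowlist is "insufficient for NixOS" as fact, while the commit message itself is unsure of the cause, and the patch pins line offsets in ntp 4.2.8p10, so the comment should record the symptom and the drop condition rather than a guessed cause. Suggest `# ntpd's hardcoded seccomp allowlist lacks fcntl/getpid/setsockopt and ntpd hangs at startup without them (issue #21136); drop once upstream allows them.` Whether the failure is NixOS-specific cannot be confirmed from this hunk.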
@@ -0,0 +1,44 @@
+diff -urN ntp-4.2.8p10.orig/ntpd/ntpd.c ntp-4.2.8p10/ntpd/ntpd.c
+--- ntp-4.2.8p10.orig/ntpd/ntpd.c 2017-04-02 20:21:17.371319663 +0200
++++ ntp-4.2.8p10/ntpd/ntpd.c 2017-04-02 21:26:02.766178723 +0200
+@@ -1157,10 +1157,12 @@
+ SCMP_SYS(close),
+ SCMP_SYS(connect),
+ SCMP_SYS(exit_group),
++ SCMP_SYS(fcntl),
+ SCMP_SYS(fstat),
+ SCMP_SYS(fsync),
+ SCMP_SYS(futex),
+ SCMP_SYS(getitimer),
++ SCMP_SYS(getpid),
+ SCMP_SYS(getsockname),
+ SCMP_SYS(ioctl),
+ SCMP_SYS(lseek),
+@@ -1179,6 +1181,7 @@
+ SCMP_SYS(sendto),
+ SCMP_SYS(setitimer),
+ SCMP_SYS(setsid),
++ SCMP_SYS(setsockopt),
+ SCMP_SYS(socket),
+ SCMP_SYS(stat),
+ SCMP_SYS(time),
+@@ -1195,9 +1198,11 @@
+ SCMP_SYS(clock_settime),
+ SCMP_SYS(close),
+ SCMP_SYS(exit_group),
++ SCMP_SYS(fcntl),
+ SCMP_SYS(fsync),
+ SCMP_SYS(futex),
+ SCMP_SYS(getitimer),
++ SCMP_SYS(getpid),
+ SCMP_SYS(madvise),
+ SCMP_SYS(mmap),
+ SCMP_SYS(mmap2),
+@@ -1211,6 +1216,7 @@
+ SCMP_SYS(select),
+ SCMP_SYS(setitimer),
+ SCMP_SYS(setsid),
++ SCMP_SYS(setsockopt),
+ SCMP_SYS(sigprocmask),
+ SCMP_SYS(sigreturn),
+ SCMP_SYS(socketcall),
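Review bot: The three syscalls are admitted with the same unrestricted entry as the rest of the list in all four inner hunks (`@@ -1157`, `@@ -1179`, `@@ -1195`, `@@ -1211`), and nothing records why each one is needed, so the allowlist cannot be re-tightened later. Assuming the arrays are fed to an unconditional `seccomp_rule_add(ctx, SCMP_ACT_ALLOW, ...)` loop (outside these hunks), `setsockopt` and `fcntl` could instead be added with `SCMP_A1`/`SCMP_A2` argument comparisons limited to the option and command values ntpd actually issues, keeping the sandbox as narrow as the observed failures require. The need for `getpid` is consistent with glibc 2.25 removing its PID cache, which would make this a libc-version rather than a NixOS issue, so a comment such as `/* getpid: glibc >= 2.25 no longer caches the PID (NixOS issue #21136) */` next to the first addition would be more useful than the commit's guess. The enclosing array initializers start and end outside the inner hunks.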