third_party/chrony: support dropping privileges
Enables the configuration flags to build with privdrop and
capabilities support and adds the libcap dependency.
This makes chrony capable of running without root privileges.
Change-Id: Ia80dcde80cc7a72c47a1fd30ab4dfb21c902f737
Reviewed-on: https://review.monogon.dev/c/monogon/+/318
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
diff --git a/third_party/chrony/chrony.bzl b/third_party/chrony/chrony.bzl
index 7c15ff3..fd5c7e9 100644
--- a/third_party/chrony/chrony.bzl
+++ b/third_party/chrony/chrony.bzl
@@ -7,7 +7,7 @@
substitutions = {
# ONCHANGE(//third_party/chrony:external.bzl): version needs to be kept in sync
"%CHRONY_VERSION%": "4.1-monogon",
- }
+ },
)
# Headers which couldn't be decoupled into sub-libraries.
@@ -88,7 +88,6 @@
],
)
-
# MD5 library used by keys.c, which does #include "md5.c".
cc_library(
name = "md5",
@@ -120,7 +119,6 @@
"nts_ntp_auth.h",
"nts_ntp_server.h",
"nts_ntp.h",
-
"ntp_auth.h",
"ntp_auth.c",
"ntp_core.c",
@@ -155,6 +153,7 @@
deps = [
":common",
"@seccomp//:seccomp",
+ "@cap//:cap",
],
)
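Review bot: The new `"@cap//:cap"` entry is appended after `"@seccomp//:seccomp"`, which leaves this `deps` list out of label order; the commit tidies formatting elsewhere in the file, so placing it before the seccomp entry would keep the list sorted. The dependency is needed because `config.h.in` now defines `FEAT_PRIVDROP`, and a comment in the file's existing ONCHANGE style would keep the two in step, e.g. `# ONCHANGE(//third_party/chrony:config.h.in): @cap is required while FEAT_PRIVDROP is defined`. The rule this list belongs to starts outside the hunk, so which target gains libcap cannot be confirmed from here.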
@@ -190,7 +189,6 @@
"main.h",
"main.c",
"stubs.c",
-
],
deps = [
":common",
diff --git a/third_party/chrony/config.h.in b/third_party/chrony/config.h.in
index 5be1b28..09694b3 100644
--- a/third_party/chrony/config.h.in
+++ b/third_party/chrony/config.h.in
@@ -8,6 +8,8 @@
#define FEAT_RTC
#define FEAT_SCFILTER
#define FEAT_ASYNCDNS
+#define FEAT_PRIVDROP
+#define CAP_IS_SUPPORTED
#define DEFAULT_COMMAND_SOCKET "/todo/chronyd.sock"
#define DEFAULT_CONF_FILE "/todo/chrony.conf"
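Review bot: `FEAT_PRIVDROP` only compiles the privilege-drop code in; chronyd still keeps root unless it is started with a non-root target user, and neither a `DEFAULT_USER` define nor the `-u` argument used by the launcher is visible in this hunk. In upstream chrony the compiled-in default user is root when none is configured, so it is worth confirming that the caller passes an unprivileged user and recording that next to the define, e.g. `/* Privilege drop needs a non-root user via -u or the user directive; linking requires libcap. */`. `CAP_IS_SUPPORTED` also deserves a one-line comment naming what reads it: libcap's `sys/capability.h` defines a function-like macro of the same name, so an empty define here may only produce a redefinition diagnostic if chrony itself does not test it.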