[meta-networking] ntpsec: Add glib-2.34/kernel-5.14 seccomp fixes

Message ID 20211230232154.10021-1-alexk@zuma.ai
State New
Series [meta-networking] ntpsec: Add glib-2.34/kernel-5.14 seccomp fixes

Commit Message

Alex Kiernan Dec. 30, 2021, 11:21 p.m. UTC
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
---
 ....c-allow-clone3-for-glibc-2.34-in-se.patch | 31 +++++++++++++
 ....c-allow-newfstatat-on-all-archs-for.patch | 43 +++++++++++++++++++
 ....c-match-riscv-to-aarch-in-seccomp-f.patch | 35 +++++++++++++++
 .../recipes-support/ntpsec/ntpsec_1.2.1.bb    |  3 ++
 4 files changed, 112 insertions(+)
 create mode 100644 meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch
 create mode 100644 meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch
 create mode 100644 meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch

Patch

diff --git a/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch
new file mode 100644
index 000000000000..112aaa2a07d6
--- /dev/null
+++ b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch
@@ -0,0 +1,31 @@ 
+From d474682bb30b93d04b7b01c2dd09832e483265ed Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Sun, 14 Nov 2021 08:54:58 +0000
+Subject: [PATCH] ntpd/ntp_sandbox.c: allow clone3 for glibc-2.34 in seccomp
+ filter
+
+Bug: https://bugs.gentoo.org/823692
+Fixes: https://gitlab.com/NTPsec/ntpsec/-/issues/713
+Signed-off-by: Sam James <sam@gentoo.org>
+Upstream-Status: Backport [https://gitlab.com/NTPsec/ntpsec/-/commit/d474682bb30b93d04b7b01c2dd09832e483265ed]
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+---
+ ntpd/ntp_sandbox.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
+index e66faaa8cbb0..3d6bccdfcf77 100644
+--- a/ntpd/ntp_sandbox.c
++++ b/ntpd/ntp_sandbox.c
+@@ -401,6 +401,7 @@ int scmp_sc[] = {
+  * rather than generate a trap.
+  */
+ 	SCMP_SYS(clone),	/* threads */
++	SCMP_SYS(clone3),
+ 	SCMP_SYS(kill),		/* generate signal */
+ 	SCMP_SYS(madvise),
+ 	SCMP_SYS(mprotect),
+-- 
+2.34.1
+
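Review bot: the added `SCMP_SYS(clone3),` entry in `scmp_sc[]` has no comment, unlike `SCMP_SYS(clone),	/* threads */` directly above it; a short note such as `/* threads, glibc 2.34 */` would record why it is on the allowlist. The entry is also unguarded and allows clone3 with any arguments, since a seccomp filter cannot inspect the struct it takes by pointer, so it is worth confirming that the libseccomp headers used in the build define clone3 and that an unconditional allow is intended here, as it is for clone.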
diff --git a/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch
new file mode 100644
index 000000000000..b4e6a2d0d5f7
--- /dev/null
+++ b/meta-networking/recipes-support/ntpsec/ntpsec/0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch
@@ -0,0 +1,43 @@ 
+From 1e58cdd2ee488e1b20fbfcf80faa438d22820d0c Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Thu, 30 Dec 2021 09:32:26 +0000
+Subject: [PATCH 1/2] ntpd/ntp_sandbox.c: allow newfstatat on all archs for
+ glibc-2.34 in seccomp filter
+
+On Yocto Poky, newfstatat is used on (at least) arm64, x86_64 and
+riscv64:
+
+  2021-12-30T09:32:04 ntpd[341]: ERR: SIGSYS: got a trap.
+  2021-12-30T09:32:04 ntpd[341]: ERR: SIGSYS/seccomp bad syscall 262/0xc000003e
+
+Upstream-Status: Submitted
+  https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1248
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+---
+ ntpd/ntp_sandbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
+index 3d6bccdfcf77..1ae82a671344 100644
+--- a/ntpd/ntp_sandbox.c
++++ b/ntpd/ntp_sandbox.c
+@@ -349,6 +349,7 @@ int scmp_sc[] = {
+ 	SCMP_SYS(lseek),
+ 	SCMP_SYS(membarrier),	/* Needed on Alpine 3.11.3 */
+ 	SCMP_SYS(munmap),
++	SCMP_SYS(newfstatat),
+ 	SCMP_SYS(open),
+ #ifdef __NR_openat
+ 	SCMP_SYS(openat),	/* SUSE */
+@@ -452,7 +453,6 @@ int scmp_sc[] = {
+ #endif
+ #if defined(__aarch64__)
+ 	SCMP_SYS(faccessat),
+-	SCMP_SYS(newfstatat),
+ 	SCMP_SYS(renameat),
+ 	SCMP_SYS(linkat),
+ 	SCMP_SYS(unlinkat),
+-- 
+2.34.1
+
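Review bot: the `SCMP_SYS(newfstatat),` line added after `SCMP_SYS(munmap),` is unconditional, while the `openat` entry two lines below it sits inside `#ifdef __NR_openat`. The commit message reports the trap on arm64, x86_64 and riscv64 only, and 32-bit targets do not define newfstatat, so either wrap the entry in a matching `#ifdef __NR_newfstatat` or state that a 32-bit build and filter load were checked. The logged `262/0xc000003e` is consistent with newfstatat on x86_64; naming the syscall next to the log line would save the reader a lookup. The `Upstream-Status: Submitted` URL is on a continuation line without brackets, whereas the clone3 patch uses `Backport [url]` on one line; using the same form in both would keep the tags consistent.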
diff --git a/meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch b/meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch
new file mode 100644
index 000000000000..cca6649e5f57
--- /dev/null
+++ b/meta-networking/recipes-support/ntpsec/ntpsec/0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch
@@ -0,0 +1,35 @@ 
+From 7536e2e4bc25fc8db4d5a2f00a91e91ba82d7d7b Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Thu, 30 Dec 2021 10:41:20 +0000
+Subject: [PATCH 2/2] ntpd/ntp_sandbox.c: match riscv to aarch in seccomp
+ filter
+
+On Yocto Poky, faccessat (et al) are also used on riscv64:
+
+  2018-03-09T12:35:32 ntpd[341]: ERR: SIGSYS: got a trap.
+  2018-03-09T12:35:32 ntpd[341]: ERR: SIGSYS/seccomp bad syscall 48/0xc00000f3
+
+Upstream-Status: Submitted
+  https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1248
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+---
+ ntpd/ntp_sandbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
+index 1ae82a671344..4a14ae224dc6 100644
+--- a/ntpd/ntp_sandbox.c
++++ b/ntpd/ntp_sandbox.c
+@@ -451,7 +451,7 @@ int scmp_sc[] = {
+ 	/* gentoo 64-bit and 32-bit, Intel and Arm use mmap */
+ 	SCMP_SYS(mmap),
+ #endif
+-#if defined(__aarch64__)
++#if defined(__aarch64__) || defined(__riscv)
+ 	SCMP_SYS(faccessat),
+ 	SCMP_SYS(renameat),
+ 	SCMP_SYS(linkat),
+-- 
+2.34.1
+
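Review bot: the new guard `#if defined(__aarch64__) || defined(__riscv)` matches 32-bit as well as 64-bit RISC-V, but the commit message and the logged arch value `0xc00000f3` only cover riscv64; if rv32 is untested, narrow the guard (for example with an additional `__riscv_xlen == 64` check) or say in the message that both widths are intended. The guard also enables the whole block (`faccessat`, `renameat`, `linkat` and whatever follows) for RISC-V, while the log shows only syscall 48 trapping; for an allowlist it would help to note which of the others were actually observed rather than relying on "et al".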
diff --git a/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb b/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb
index 2551b6aab828..3efac7d98383 100644
--- a/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb
+++ b/meta-networking/recipes-support/ntpsec/ntpsec_1.2.1.bb
@@ -13,6 +13,9 @@  DEPENDS += "bison-native \
 
 SRC_URI = "https://ftp.ntpsec.org/pub/releases/ntpsec-${PV}.tar.gz \
            file://0001-Update-to-OpenSSL-3.0.0-alpha15.patch \
+           file://0001-ntpd-ntp_sandbox.c-allow-clone3-for-glibc-2.34-in-se.patch \
+           file://0001-ntpd-ntp_sandbox.c-allow-newfstatat-on-all-archs-for.patch \
+           file://0002-ntpd-ntp_sandbox.c-match-riscv-to-aarch-in-seccomp-f.patch \
            file://volatiles.ntpsec"
 
 SRC_URI[sha256sum] = "f2684835116c80b8f21782a5959a805ba3c44e3a681dd6c17c7cb00cc242c27a"
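Review bot: the three `file://` entries added to `SRC_URI` are the only description this commit gives of the change, because the commit message has no body and its subject says "glib-2.34" where all three patch subjects say glibc-2.34; the "kernel-5.14" part of the subject is not explained by any of the patches either. Please correct the subject and add a sentence on what fails without the patches (the SIGSYS traps quoted in the patch headers). The list order matches the dependency implied by the `index` lines (clone3, then newfstatat, then riscv), which is right, but two of the new files share the `0001-` prefix with each other and with the existing OpenSSL patch, so renumbering them would make the required order obvious from the file names.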