Merge branch 'maint-0.4.7' into release-0.4.7

3 files changed, 24 insertions, 10 deletions

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d033b7ca30..3bb2a9a40f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -49,6 +49,7 @@ variables:
       echo Etc/UTC > /etc/timezone
       mkdir -p apt-cache
       export APT_CACHE_DIR="$(pwd)/apt-cache"
+      rm -f /etc/apt/apt.conf.d/docker-clean
       echo 'quiet "1";' \
            'APT::Install-Recommends "0";' \
            'APT::Install-Suggests "0";' \
@@ -79,9 +80,11 @@ variables:
     - *apt-template
     # Install patches unconditionally.
     - apt-get install
+        apt-utils
         automake
         build-essential
         ca-certificates
+        file
         git
         libevent-dev
         liblzma-dev
@@ -106,7 +109,7 @@ variables:
 # Minimal check on debian: just make, make check.
 #
 debian-minimal:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   script:
     - ./scripts/ci/ci-driver.sh
@@ -114,7 +117,7 @@ debian-minimal:
 # Minmal check on debian/i386: just make, make check.
 #
 debian-i386-minimal:
-  image: i386/debian:buster
+  image: i386/debian:bullseye
   <<: *debian-template
   script:
     - ./scripts/ci/ci-driver.sh
@@ -137,7 +140,7 @@ debian-hardened:
 #####
 # Distcheck on debian stable
 debian-distcheck:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     DISTCHECK: "yes"
@@ -148,7 +151,7 @@ debian-distcheck:
 #####
 # Documentation tests on debian stable: doxygen and asciidoc.
 debian-docs:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     DOXYGEN: "yes"
@@ -166,7 +169,7 @@ debian-docs:
 #       with the 'artifacts' mechanism, in theory, but it would be good to
 #       avoid having to have a system with hundreds of artifacts.
 debian-integration:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     CHECK: "no"
@@ -180,7 +183,7 @@ debian-integration:
 #####
 # Tracing build on Debian stable.
 debian-tracing:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     TRACING: "yes"
@@ -192,7 +195,7 @@ debian-tracing:
 #####
 # No-authority mode
 debian-disable-dirauth:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     DISABLE_DIRAUTH: "yes"
@@ -202,7 +205,7 @@ debian-disable-dirauth:
 #####
 # No-relay mode
 debian-disable-relay:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     DISABLE_RELAY: "yes"
@@ -212,7 +215,7 @@ debian-disable-relay:
 #####
 # NSS check on debian
 debian-nss:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     NSS: "yes"
diff --git a/changes/ticket40799 b/changes/ticket40799
new file mode 100644
index 0000000000..4e2afe6e4b
--- /dev/null
+++ b/changes/ticket40799
@@ -0,0 +1,6 @@
+  o Minor bugfixes (sandbox):
+    - Allow membarrier for the sandbox. And allow rt_sigprocmask when compiled
+      with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
+
+  o Minor feature (CI):
+    - Update CI to use Debian Bullseye for runners.
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index 6800fa062b..5dace3a8a2 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -220,6 +220,10 @@ static int filter_nopar_gen[] = {
 #endif
     // glob uses this..
     SCMP_SYS(lstat),
+#ifdef __NR_membarrier
+    /* Inter-processor synchronization, needed for tracing support */
+    SCMP_SYS(membarrier),
+#endif
     SCMP_SYS(mkdir),
     SCMP_SYS(mlockall),
 #ifdef __NR_mmap
@@ -1165,7 +1169,8 @@ sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   int rc = 0;
   (void) filter;
 
-#ifdef ENABLE_FRAGILE_HARDENING
+#if defined(ENABLE_FRAGILE_HARDENING) || \
+    defined(USE_TRACING_INSTRUMENTATION_LTTNG)
   rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
       SCMP_CMP(0, SCMP_CMP_EQ, SIG_BLOCK));
   if (rc)