author | David Goulet <dgoulet@torproject.org> | 2023-05-31 14:32:07 -0400 |
---|---|---|
committer | David Goulet <dgoulet@torproject.org> | 2023-05-31 14:32:07 -0400 |
commit | eeb1f8b0fd2555bba847b6ddaf2b2d89e65581b4 (patch) | |
tree | 9c5f9cb1043a80844ca8c12bb7a40b073ead05b0 | |
parent | aef76beccc6b7422613d1fddc0369eb7c9f558e4 (diff) | |
parent | 066da91521946fa45c637e6006f4e397fc65ee90 (diff) | |
download | tor-eeb1f8b0fd2555bba847b6ddaf2b2d89e65581b4.tar.gz tor-eeb1f8b0fd2555bba847b6ddaf2b2d89e65581b4.zip |
Merge branch 'maint-0.4.7' into release-0.4.7
-rw-r--r-- | .gitlab-ci.yml | 21 | ||||
-rw-r--r-- | changes/ticket40799 | 6 | ||||
-rw-r--r-- | src/lib/sandbox/sandbox.c | 7 |
3 files changed, 24 insertions, 10 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d033b7ca30..3bb2a9a40f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -49,6 +49,7 @@ variables:
 echo Etc/UTC > /etc/timezone
 mkdir -p apt-cache
 export APT_CACHE_DIR="$(pwd)/apt-cache"
+ rm -f /etc/apt/apt.conf.d/docker-clean
 echo 'quiet "1";' \
 'APT::Install-Recommends "0";' \
 'APT::Install-Suggests "0";' \
@@ -79,9 +80,11 @@ variables:
 - *apt-template
 # Install patches unconditionally.
 - apt-get install
+ apt-utils
 automake
 build-essential
 ca-certificates
+ file
 git
 libevent-dev
 liblzma-dev
@@ -106,7 +109,7 @@ variables:
 # Minimal check on debian: just make, make check.
 #
 debian-minimal:
- image: debian:buster
+ image: debian:bullseye
 <<: *debian-template
 script:
 - ./scripts/ci/ci-driver.sh
@@ -114,7 +117,7 @@ debian-minimal:
 # Minmal check on debian/i386: just make, make check.
 #
 debian-i386-minimal:
- image: i386/debian:buster
+ image: i386/debian:bullseye
 <<: *debian-template
 script:
 - ./scripts/ci/ci-driver.sh
@@ -137,7 +140,7 @@ debian-hardened:
 #####
 # Distcheck on debian stable
 debian-distcheck:
- image: debian:buster
+ image: debian:bullseye
 <<: *debian-template
 variables:
 DISTCHECK: "yes"
@@ -148,7 +151,7 @@ debian-distcheck:
 #####
 # Documentation tests on debian stable: doxygen and asciidoc.
 debian-docs:
- image: debian:buster
+ image: debian:bullseye
 <<: *debian-template
 variables:
 DOXYGEN: "yes"
@@ -166,7 +169,7 @@ debian-docs:
 # with the 'artifacts' mechanism, in theory, but it would be good to
 # avoid having to have a system with hundreds of artifacts.
 debian-integration:
- image: debian:buster
+ image: debian:bullseye
 <<: *debian-template
 variables:
 CHECK: "no"
@@ -180,7 +183,7 @@ debian-integration:
 #####
 # Tracing build on Debian stable.
 debian-tracing:
- image: debian:buster
+ image: debian:bullseye
 <<: *debian-template
 variables:
 TRACING: "yes"
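Review bot: The added `rm -f /etc/apt/apt.conf.d/docker-clean` in the first hunk carries no explanation of why a CI job deletes an apt configuration file. Debian's official Docker images ship that snippet to purge downloaded packages after every apt-get run, which is presumably what empties the APT_CACHE_DIR set up on the preceding line; a short comment would save the next reader the search, e.g. `# the base image's docker-clean hook discards downloaded .debs; drop it so the apt cache is actually kept`. The remaining hunks in this file are image bumps and need nothing.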
@@ -192,7 +195,7 @@ debian-tracing:
 #####
 # No-authority mode
 debian-disable-dirauth:
- image: debian:buster
+ image: debian:bullseye
 <<: *debian-template
 variables:
 DISABLE_DIRAUTH: "yes"
@@ -202,7 +205,7 @@ debian-disable-dirauth:
 #####
 # No-relay mode
 debian-disable-relay:
- image: debian:buster
+ image: debian:bullseye
 <<: *debian-template
 variables:
 DISABLE_RELAY: "yes"
@@ -212,7 +215,7 @@ debian-disable-relay:
 #####
 # NSS check on debian
 debian-nss:
- image: debian:buster
+ image: debian:bullseye
 <<: *debian-template
 variables:
 NSS: "yes"
diff --git a/changes/ticket40799 b/changes/ticket40799
new file mode 100644
index 0000000000..4e2afe6e4b
--- /dev/null
+++ b/changes/ticket40799
@@ -0,0 +1,6 @@
+ o Minor bugfixes (sandbox):
+ - Allow membarrier for the sandbox. And allow rt_sigprocmask when compiled
+ with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
+
+ o Minor feature (CI):
+ - Update CI to use Debian Bullseye for runners.
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index 6800fa062b..5dace3a8a2 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -220,6 +220,10 @@ static int filter_nopar_gen[] = {
 #endif
 // glob uses this..
 SCMP_SYS(lstat),
+#ifdef __NR_membarrier
+ /* Inter-processor synchronization, needed for tracing support */
+ SCMP_SYS(membarrier),
+#endif
 SCMP_SYS(mkdir),
 SCMP_SYS(mlockall),
 #ifdef __NR_mmap
@@ -1165,7 +1169,8 @@ sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 int rc = 0;
 (void) filter;

-#ifdef ENABLE_FRAGILE_HARDENING
+#if defined(ENABLE_FRAGILE_HARDENING) || \
+ defined(USE_TRACING_INSTRUMENTATION_LTTNG)
 rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
 SCMP_CMP(0, SCMP_CMP_EQ, SIG_BLOCK));
 if (rc)
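Review bot: The new membarrier entry in filter_nopar_gen is allowed in every build, while its own comment says it is "needed for tracing support" and the rt_sigprocmask change in the next hunk gates the LTTng case on USE_TRACING_INSTRUMENTATION_LTTNG. If the syscall is only reached through the tracing code path, wrapping the entry in `#if defined(__NR_membarrier) && defined(USE_TRACING_INSTRUMENTATION_LTTNG)` keeps the default allowlist minimal; if an always-present consumer such as the C library also issues it (the changes entry allows it without qualification, which may hint at that), the comment should say so instead, so that nobody later narrows it and breaks the sandbox. Either way, because this is the no-parameter list the command argument is not inspected, and if a specific command set turns out to be sufficient, an `sb_membarrier` rule with SCMP_CMP on argument 0 would be the consistent way to express that. filter_nopar_gen's definition extends beyond the hunk in both directions.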
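Review bot: The widened `#if` in sb_rt_sigprocmask says nothing about which LTTng component issues rt_sigprocmask or why only the SIG_BLOCK form is granted, so a later reader cannot tell whether a SIG_UNBLOCK or SIG_SETMASK call from the same library would be a bug or an expected denial. A comment above the condition naming the consumer, e.g. `/* Allowed for the fragile-hardening runtime and for lttng-ust, whose helper threads block signals with pthread_sigmask(SIG_BLOCK, ...); other forms remain denied. */`, would record the intent; the lttng-ust detail is inferred here and should be confirmed against the tracer before it is written down. sb_rt_sigprocmask's body ends outside the hunk.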