summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Goulet <dgoulet@torproject.org>2023-05-31 14:32:07 -0400
committerDavid Goulet <dgoulet@torproject.org>2023-05-31 14:32:07 -0400
commit97008526db53ce77cc65fbf93a4f5760c242082b (patch)
tree84e3ab5266f70251a0697108db1ce39dfabc0478
parent925201c946accdc322279f09b311326479d5461c (diff)
parent066da91521946fa45c637e6006f4e397fc65ee90 (diff)
downloadtor-97008526db53ce77cc65fbf93a4f5760c242082b.tar.gz
tor-97008526db53ce77cc65fbf93a4f5760c242082b.zip
Merge branch 'maint-0.4.7'
-rw-r--r--.gitlab-ci.yml21
-rw-r--r--changes/ticket407996
-rw-r--r--src/lib/sandbox/sandbox.c7
3 files changed, 24 insertions, 10 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6839f76a6b..17ce0af43b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -49,6 +49,7 @@ variables:
echo Etc/UTC > /etc/timezone
mkdir -p apt-cache
export APT_CACHE_DIR="$(pwd)/apt-cache"
+ rm -f /etc/apt/apt.conf.d/docker-clean
echo 'quiet "1";' \
'APT::Install-Recommends "0";' \
'APT::Install-Suggests "0";' \
@@ -79,9 +80,11 @@ variables:
- *apt-template
# Install patches unconditionally.
- apt-get install
+ apt-utils
automake
build-essential
ca-certificates
+ file
git
libevent-dev
liblzma-dev
@@ -108,7 +111,7 @@ variables:
# Minimal check on debian: just make, make check.
#
debian-minimal:
- image: debian:buster
+ image: debian:bullseye
<<: *debian-template
script:
- ./scripts/ci/ci-driver.sh
@@ -116,7 +119,7 @@ debian-minimal:
# Minimal check on debian/i386: just make, make check.
#
debian-i386-minimal:
- image: i386/debian:buster
+ image: i386/debian:bullseye
<<: *debian-template
script:
- ./scripts/ci/ci-driver.sh
@@ -139,7 +142,7 @@ debian-hardened:
#####
# Distcheck on debian stable
debian-distcheck:
- image: debian:buster
+ image: debian:bullseye
<<: *debian-template
variables:
DISTCHECK: "yes"
@@ -150,7 +153,7 @@ debian-distcheck:
#####
# Documentation tests on debian stable: doxygen and asciidoc.
debian-docs:
- image: debian:buster
+ image: debian:bullseye
<<: *debian-template
variables:
DOXYGEN: "yes"
@@ -168,7 +171,7 @@ debian-docs:
# with the 'artifacts' mechanism, in theory, but it would be good to
# avoid having to have a system with hundreds of artifacts.
debian-integration:
- image: debian:buster
+ image: debian:bullseye
<<: *debian-template
variables:
CHECK: "no"
@@ -182,7 +185,7 @@ debian-integration:
#####
# Tracing build on Debian stable.
debian-tracing:
- image: debian:buster
+ image: debian:bullseye
<<: *debian-template
variables:
TRACING: "yes"
@@ -194,7 +197,7 @@ debian-tracing:
#####
# No-authority mode
debian-disable-dirauth:
- image: debian:buster
+ image: debian:bullseye
<<: *debian-template
variables:
DISABLE_DIRAUTH: "yes"
@@ -204,7 +207,7 @@ debian-disable-dirauth:
#####
# No-relay mode
debian-disable-relay:
- image: debian:buster
+ image: debian:bullseye
<<: *debian-template
variables:
DISABLE_RELAY: "yes"
@@ -224,7 +227,7 @@ debian-gpl:
#####
# NSS check on debian
debian-nss:
- image: debian:buster
+ image: debian:bullseye
<<: *debian-template
variables:
NSS: "yes"
diff --git a/changes/ticket40799 b/changes/ticket40799
new file mode 100644
index 0000000000..4e2afe6e4b
--- /dev/null
+++ b/changes/ticket40799
@@ -0,0 +1,6 @@
+ o Minor bugfixes (sandbox):
+ - Allow membarrier for the sandbox. And allow rt_sigprocmask when compiled
+ with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
+
+ o Minor feature (CI):
+ - Update CI to use Debian Bullseye for runners.
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index 3340eda892..8ac07abfc9 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -222,6 +222,10 @@ static int filter_nopar_gen[] = {
#endif
// glob uses this..
SCMP_SYS(lstat),
+#ifdef __NR_membarrier
+ /* Inter-processor synchronization, needed for tracing support */
+ SCMP_SYS(membarrier),
+#endif
SCMP_SYS(mkdir),
SCMP_SYS(mlockall),
#ifdef __NR_mmap
@@ -1251,7 +1255,8 @@ sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
int rc = 0;
(void) filter;
-#ifdef ENABLE_FRAGILE_HARDENING
+#if defined(ENABLE_FRAGILE_HARDENING) || \
+ defined(USE_TRACING_INSTRUMENTATION_LTTNG)
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
SCMP_CMP(0, SCMP_CMP_EQ, SIG_BLOCK));
if (rc)