From 84d6f977e72aa71c19c65c9a8fa3ff922854510b Mon Sep 17 00:00:00 2001
From: Alexander Færøy <ahf@torproject.org>
Date: Mon, 13 Sep 2021 18:05:58 +0200
Subject: Force amd64 for CI builds.

---
 .gitlab-ci.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1e9d03caf5..915f242f26 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -37,6 +37,12 @@ variables:
     paths:
       - artifacts/
 
+
+# This template is used for x86-64 builds.
+.x86-64-template: &x86-64-template
+  tags:
+    - amd64
+
 # This template should be usable on any system that's based on apt.
 .apt-template: &apt-template |
       export LC_ALL=C.UTF-8
@@ -57,6 +63,7 @@ variables:
 # This template sets us up for Debian system in particular.
 .debian-template: &debian-template
   <<: *artifacts-template
+  <<: *x86-64-template
   variables:
     DEBIAN_FRONTEND: "noninteractive"
   # TODO: Using "cache" in this way speeds up our downloads.  It would be
-- 
cgit v1.2.3-54-g00ecf


From 12b64845aebf08e45db94e5610d0ced95b5c1667 Mon Sep 17 00:00:00 2001
From: Alexander Færøy <ahf@torproject.org>
Date: Mon, 16 Aug 2021 13:52:58 +0000
Subject: Use Debian bullseye for our hardened build.

---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 915f242f26..b83079aa4a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -117,7 +117,7 @@ debian-minimal:
 #
 # TODO: This will be faster once we merge #40098 and #40099.
 debian-hardened:
-  image: debian:testing
+  image: debian:bullseye
   <<: *debian-template
   variables:
     ALL_BUGS_ARE_FATAL: "yes"
-- 
cgit v1.2.3-54-g00ecf


From fcef8e3f75cf39ae7eb6195713d4855b4fc4d08c Mon Sep 17 00:00:00 2001
From: Alexander Færøy <ahf@torproject.org>
Date: Thu, 4 Feb 2021 23:11:11 +0000
Subject: Only check for bindable ports if we are unsure if it will fail.

We currently assume that the only way for Tor to listen on ports in the
privileged port range (1 to 1023), on Linux, is if we are granted the
NET_BIND_SERVICE capability. Today on Linux, it's possible to specify
the beginning of the unprivileged port range using a sysctl
configuration option. Docker (and thus the CI service Tor uses) recently
changed this sysctl value to 0, which causes our tests to fail as they
assume that we should NOT be able to bind to a privileged port *without*
the NET_BIND_SERVICE capability.

In this patch, we read the value of the sysctl value via the /proc/sys/
filesystem iff it's present, otherwise we assume the default
unprivileged port range begins at port 1024.

See: tor#40275
---
 src/test/test_switch_id.c | 60 ++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 57 insertions(+), 3 deletions(-)

diff --git a/src/test/test_switch_id.c b/src/test/test_switch_id.c
index baddf8d66e..91277e374f 100644
--- a/src/test/test_switch_id.c
+++ b/src/test/test_switch_id.c
@@ -31,7 +31,47 @@ static const struct {
   { NULL, 0 }
 };
 
+/* Returns the first port that we think we can bind to without special
+ * permissions. Usually this function returns 1024. */
+static uint16_t
+unprivileged_port_range_start(void)
+{
+  uint16_t result = 1024;
+
+#if defined(__linux__)
+  char *content = NULL;
+
+  content = read_file_to_str(
+              "/proc/sys/net/ipv4/ip_unprivileged_port_start",
+              0,
+              NULL);
+
+  if (content != NULL) {
+    int ok = 1;
+    uint16_t tmp_result;
+
+    tmp_result = (uint16_t)tor_parse_long(content, 10, 0, 65535, &ok, NULL);
+
+    if (ok) {
+      result = tmp_result;
+    } else {
+      fprintf(stderr,
+              "Unable to convert ip_unprivileged_port_start to integer: %s\n",
+              content);
+    }
+  }
+
+  tor_free(content);
+#endif /* defined(__linux__) */
+
+  return result;
+}
+
 #if !defined(_WIN32)
+
+#define PORT_TEST_RANGE_START 600
+#define PORT_TEST_RANGE_END   1024
+
 /* 0 on no, 1 on yes, -1 on failure. */
 static int
 check_can_bind_low_ports(void)
@@ -41,7 +81,7 @@ check_can_bind_low_ports(void)
   memset(&sin, 0, sizeof(sin));
   sin.sin_family = AF_INET;
 
-  for (port = 600; port < 1024; ++port) {
+  for (port = PORT_TEST_RANGE_START; port < PORT_TEST_RANGE_END; ++port) {
     sin.sin_port = htons(port);
     tor_socket_t fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
     if (! SOCKET_OK(fd)) {
@@ -149,10 +189,24 @@ main(int argc, char **argv)
       /* Succeed if we can do a setuid with capability retention, and doing so
        * does not make us lose the ability to bind low ports */
     {
-      int keepcaps = (test_id == TEST_SETUID_KEEPCAPS);
+      const int keepcaps = (test_id == TEST_SETUID_KEEPCAPS);
       okay = switch_id(username, keepcaps ? SWITCH_ID_KEEP_BINDLOW : 0) == 0;
+
       if (okay) {
-        okay = check_can_bind_low_ports() == keepcaps;
+        /* Only run this check if there are ports we may not be able to bind
+         * to. */
+        const uint16_t min_port = unprivileged_port_range_start();
+
+        if (min_port >= PORT_TEST_RANGE_START &&
+            min_port < PORT_TEST_RANGE_END) {
+          okay = check_can_bind_low_ports() == keepcaps;
+        } else {
+          fprintf(stderr,
+                  "Skipping check for whether we can bind to any "
+                  "privileged ports as the user system seems to "
+                  "allow us to bind to ports even without any "
+                  "capabilities set.\n");
+        }
       }
       break;
     }
-- 
cgit v1.2.3-54-g00ecf