Update CI builds to Debian Bullseye, fix associated compatibility bugs

This is a change intended for 0.4.7 maintenance as well as main.

The CI builds use Debian Buster which is now end of life, and I was
experiencing inconsistent CI failures with accessing its security update
server. I wanted to update CI to a distro that isn't EOL, and Bullseye
is the current stable release of Debian.

This opened up a small can of worms that this commit also deals with.
In particular there's a docker engine bug that we work around by
removing the docker-specific apt cleanup script if it exists, and
there's a new incompatibility between tracing and sandbox support.

The tracing/sandbox incompatibility itself had two parts:

  - The membarrier() syscall is used to deliver inter-processor
    synchronization events, and the external "userspace-rcu"
    data structure library would make assumptions that if membarrier
    is available at initialization it always will be. This caused
    segfaults in some cases when running trace + sandbox. Resolved this
    by allowing membarrier entirely, in the sandbox.

  - userspace-rcu also assumes it can block signals, and fails
    hard if this can't be done. We already include a similar carveout
    to allow this in the sandbox for fragile-hardening, so I extended
    that to cover tracing as well.

Addresses issue #40799

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
This commit is contained in:
Micah Elizabeth Scott 2023-05-30 09:53:09 -07:00
parent e390a7cdee
commit 3036bedf30
2 changed files with 18 additions and 10 deletions

@ -49,6 +49,7 @@ variables:
echo Etc/UTC > /etc/timezone echo Etc/UTC > /etc/timezone
mkdir -p apt-cache mkdir -p apt-cache
export APT_CACHE_DIR="$(pwd)/apt-cache" export APT_CACHE_DIR="$(pwd)/apt-cache"
rm -f /etc/apt/apt.conf.d/docker-clean
echo 'quiet "1";' \ echo 'quiet "1";' \
'APT::Install-Recommends "0";' \ 'APT::Install-Recommends "0";' \
'APT::Install-Suggests "0";' \ 'APT::Install-Suggests "0";' \
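
Review bot: the added 'rm -f /etc/apt/apt.conf.d/docker-clean' line carries no inline comment, so the rationale (a docker engine bug, per the commit message) lives only in the commit history. Suggest a one-line '#' comment above it naming the bug, and noting that '-f' makes it a deliberate no-op on images where the file is absent, so nobody later "cleans up" the line as stray.
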
@ -79,9 +80,11 @@ variables:
- *apt-template - *apt-template
# Install patches unconditionally. # Install patches unconditionally.
- apt-get install - apt-get install
apt-utils
automake automake
build-essential build-essential
ca-certificates ca-certificates
file
git git
libevent-dev libevent-dev
liblzma-dev liblzma-dev
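
Review bot: 'apt-utils' and 'file' are added to the unconditional install list, but neither the hunk nor the commit message says why they became necessary on Bullseye. A short trailing comment on each ('# needed by ...') or a sentence in the commit message would keep them from being dropped as unused in a future cleanup.
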
@ -106,7 +109,7 @@ variables:
# Minimal check on debian: just make, make check. # Minimal check on debian: just make, make check.
# #
debian-minimal: debian-minimal:
image: debian:buster image: debian:bullseye
<<: *debian-template <<: *debian-template
script: script:
- ./scripts/ci/ci-driver.sh - ./scripts/ci/ci-driver.sh
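
Review bot: the 'image: debian:bullseye' bump is repeated verbatim in nine job stanzas in this file, every one of which already pulls '<<: *debian-template'. Consider moving the image into the template anchor (or a single variable the stanzas reference) so the next EOL migration is one edit; the i386 job would still override with 'i386/debian:bullseye'.
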
@ -114,7 +117,7 @@ debian-minimal:
# Minmal check on debian/i386: just make, make check. # Minmal check on debian/i386: just make, make check.
# #
debian-i386-minimal: debian-i386-minimal:
image: i386/debian:buster image: i386/debian:bullseye
<<: *debian-template <<: *debian-template
script: script:
- ./scripts/ci/ci-driver.sh - ./scripts/ci/ci-driver.sh
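
Review bot: the context comment on this stanza still reads "Minmal check", a pre-existing typo; since the stanza is being touched anyway, correcting it to "Minimal" here is cheap.
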
@ -137,7 +140,7 @@ debian-hardened:
##### #####
# Distcheck on debian stable # Distcheck on debian stable
debian-distcheck: debian-distcheck:
image: debian:buster image: debian:bullseye
<<: *debian-template <<: *debian-template
variables: variables:
DISTCHECK: "yes" DISTCHECK: "yes"
@ -148,7 +151,7 @@ debian-distcheck:
##### #####
# Documentation tests on debian stable: doxygen and asciidoc. # Documentation tests on debian stable: doxygen and asciidoc.
debian-docs: debian-docs:
image: debian:buster image: debian:bullseye
<<: *debian-template <<: *debian-template
variables: variables:
DOXYGEN: "yes" DOXYGEN: "yes"
@ -166,7 +169,7 @@ debian-docs:
# with the 'artifacts' mechanism, in theory, but it would be good to # with the 'artifacts' mechanism, in theory, but it would be good to
# avoid having to have a system with hundreds of artifacts. # avoid having to have a system with hundreds of artifacts.
debian-integration: debian-integration:
image: debian:buster image: debian:bullseye
<<: *debian-template <<: *debian-template
variables: variables:
CHECK: "no" CHECK: "no"
@ -180,7 +183,7 @@ debian-integration:
##### #####
# Tracing build on Debian stable. # Tracing build on Debian stable.
debian-tracing: debian-tracing:
image: debian:buster image: debian:bullseye
<<: *debian-template <<: *debian-template
variables: variables:
TRACING: "yes" TRACING: "yes"
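
Review bot: this is the only job with 'TRACING: "yes"', and it is the configuration where the membarrier and rt_sigprocmask sandbox failures described in the commit message appeared. It is not visible from this hunk whether ci-driver.sh runs the test suite with the seccomp sandbox enabled for this job; if it does not, the sandbox.c changes in this same commit are not exercised by CI. Suggest confirming that, or enabling the sandbox explicitly for this job.
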
@ -192,7 +195,7 @@ debian-tracing:
##### #####
# No-authority mode # No-authority mode
debian-disable-dirauth: debian-disable-dirauth:
image: debian:buster image: debian:bullseye
<<: *debian-template <<: *debian-template
variables: variables:
DISABLE_DIRAUTH: "yes" DISABLE_DIRAUTH: "yes"
@ -202,7 +205,7 @@ debian-disable-dirauth:
##### #####
# No-relay mode # No-relay mode
debian-disable-relay: debian-disable-relay:
image: debian:buster image: debian:bullseye
<<: *debian-template <<: *debian-template
variables: variables:
DISABLE_RELAY: "yes" DISABLE_RELAY: "yes"
@ -212,7 +215,7 @@ debian-disable-relay:
##### #####
# NSS check on debian # NSS check on debian
debian-nss: debian-nss:
image: debian:buster image: debian:bullseye
<<: *debian-template <<: *debian-template
variables: variables:
NSS: "yes" NSS: "yes"

@ -220,6 +220,10 @@ static int filter_nopar_gen[] = {
#endif #endif
// glob uses this.. // glob uses this..
SCMP_SYS(lstat), SCMP_SYS(lstat),
#ifdef __NR_membarrier
/* Inter-processor synchronization, needed for tracing support */
SCMP_SYS(membarrier),
#endif
SCMP_SYS(mkdir), SCMP_SYS(mkdir),
SCMP_SYS(mlockall), SCMP_SYS(mlockall),
#ifdef __NR_mmap #ifdef __NR_mmap
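
Review bot: the new 'SCMP_SYS(membarrier)' entry is placed in 'filter_nopar_gen', so it is allowed unconditionally in every sandboxed build, while its comment says it is "needed for tracing support" and the companion 'sb_rt_sigprocmask' change in this commit is gated on 'USE_TRACING_INSTRUMENTATION_LTTNG'. Either nest a '#if defined(USE_TRACING_INSTRUMENTATION_LTTNG)' inside the '__NR_membarrier' guard for consistency, or reword the comment to say it is allowed generally. The added exposure is small either way (membarrier takes a command and flags and touches no memory or files), but the allowlist should state which of the two was intended.
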
@ -1165,7 +1169,8 @@ sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
int rc = 0; int rc = 0;
(void) filter; (void) filter;
#ifdef ENABLE_FRAGILE_HARDENING #if defined(ENABLE_FRAGILE_HARDENING) || \
defined(USE_TRACING_INSTRUMENTATION_LTTNG)
rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
SCMP_CMP(0, SCMP_CMP_EQ, SIG_BLOCK)); SCMP_CMP(0, SCMP_CMP_EQ, SIG_BLOCK));
if (rc) if (rc)
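
Review bot: the widened '#if' now allows 'rt_sigprocmask' for tracing builds, but the rule still matches only arg0 == SIG_BLOCK. If the library that needs it (userspace-rcu, per the commit message) later restores the previous mask with SIG_SETMASK, that call would still be rejected by the filter; worth verifying against the tracing build with the sandbox enabled. Also suggest a comment above the '#if' explaining that the LTTng/userspace-rcu requirement is why the condition was extended, so both reasons (fragile hardening and tracing) are documented next to the rule rather than only in the commit message.
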