Merge branch 'maint-0.4.7'

.gitlab-ci.yml

@@ -49,6 +49,7 @@ variables:
       echo Etc/UTC > /etc/timezone
       mkdir -p apt-cache
       export APT_CACHE_DIR="$(pwd)/apt-cache"
+      rm -f /etc/apt/apt.conf.d/docker-clean
       echo 'quiet "1";' \
            'APT::Install-Recommends "0";' \
            'APT::Install-Suggests "0";' \
@@ -79,9 +80,11 @@ variables:
     - *apt-template
     # Install patches unconditionally.
     - apt-get install
+        apt-utils
         automake
         build-essential
         ca-certificates
+        file
         git
         libevent-dev
         liblzma-dev
@@ -108,7 +111,7 @@ variables:
 # Minimal check on debian: just make, make check.
 #
 debian-minimal:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   script:
     - ./scripts/ci/ci-driver.sh
@@ -116,7 +119,7 @@ debian-minimal:
 # Minimal check on debian/i386: just make, make check.
 #
 debian-i386-minimal:
-  image: i386/debian:buster
+  image: i386/debian:bullseye
   <<: *debian-template
   script:
     - ./scripts/ci/ci-driver.sh
@@ -139,7 +142,7 @@ debian-hardened:
 #####
 # Distcheck on debian stable
 debian-distcheck:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     DISTCHECK: "yes"
@@ -150,7 +153,7 @@ debian-distcheck:
 #####
 # Documentation tests on debian stable: doxygen and asciidoc.
 debian-docs:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     DOXYGEN: "yes"
@@ -168,7 +171,7 @@ debian-docs:
 #       with the 'artifacts' mechanism, in theory, but it would be good to
 #       avoid having to have a system with hundreds of artifacts.
 debian-integration:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     CHECK: "no"
@@ -182,7 +185,7 @@ debian-integration:
 #####
 # Tracing build on Debian stable.
 debian-tracing:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     TRACING: "yes"
@@ -194,7 +197,7 @@ debian-tracing:
 #####
 # No-authority mode
 debian-disable-dirauth:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     DISABLE_DIRAUTH: "yes"
@@ -204,7 +207,7 @@ debian-disable-dirauth:
 #####
 # No-relay mode
 debian-disable-relay:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     DISABLE_RELAY: "yes"
@@ -224,7 +227,7 @@ debian-gpl:
 #####
 # NSS check on debian
 debian-nss:
-  image: debian:buster
+  image: debian:bullseye
   <<: *debian-template
   variables:
     NSS: "yes"

changes/ticket40799

@@ -0,0 +1,6 @@
+  o Minor bugfixes (sandbox):
+    - Allow membarrier for the sandbox. And allow rt_sigprocmask when compiled
+      with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
+
+  o Minor feature (CI):
+    - Update CI to use Debian Bullseye for runners.

src/lib/sandbox/sandbox.c

@@ -222,6 +222,10 @@ static int filter_nopar_gen[] = {
 #endif
     // glob uses this..
     SCMP_SYS(lstat),
+#ifdef __NR_membarrier
+    /* Inter-processor synchronization, needed for tracing support */
+    SCMP_SYS(membarrier),
+#endif
     SCMP_SYS(mkdir),
     SCMP_SYS(mlockall),
 #ifdef __NR_mmap
@@ -1251,7 +1255,8 @@ sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   int rc = 0;
   (void) filter;
 
-#ifdef ENABLE_FRAGILE_HARDENING
+#if defined(ENABLE_FRAGILE_HARDENING) || \
+    defined(USE_TRACING_INSTRUMENTATION_LTTNG)
   rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
       SCMP_CMP(0, SCMP_CMP_EQ, SIG_BLOCK));
   if (rc)