Draft: Only check for bindable ports if we are unsure if it will fail.
We currently assume that the only way for Tor to listen on ports in the privileged port range (1 to 1023), on Linux, is if we are granted the NET_BIND_SERVICE capability. Today on Linux, it's possible to specify the beginning of the unprivileged port range using a sysctl configuration option. Docker (and thus the CI service Tor uses) recently changed this sysctl value to 0, which causes our tests to fail as they assume that we should NOT be able to bind to a privileged port without the NET_BIND_SERVICE capability.
In this patch, we read the value of the sysctl value via the /proc/sys/ filesystem iff it's present, otherwise we assume the default unprivileged port range begins at port 1024.
See: #40275 (closed)
Merge request reports
Activity
added CI label
Assigning @nickm as reviewer as I think he might know this code the best.
Test run with master branch can be seen at https://gitlab.torproject.org/ahf/tor/-/pipelines/2529
added 1 commit
- b5099682 - Only check for bindable ports if we are unsure if it will fail.
35 * permissions. Usually this function returns 1024. */ 36 static uint16_t 37 unprivileged_port_range_start(void) 38 { 39 uint16_t result = 1024; 40 41 #if defined(__linux__) 42 char *content = NULL; 43 44 content = read_file_to_str( 45 "/proc/sys/net/ipv4/ip_unprivileged_port_start", 46 0, 47 NULL); 48 49 if (content != NULL) 50 result = (uint16_t)atoi(content); changed this line in version 3 of the diff
Fixed in 7a90a6aa.
150 178 * does not make us lose the ability to bind low ports */ 151 179 { 152 int keepcaps = (test_id == TEST_SETUID_KEEPCAPS); 180 const int keepcaps = (test_id == TEST_SETUID_KEEPCAPS); 153 181 okay = switch_id(username, keepcaps ? SWITCH_ID_KEEP_BINDLOW : 0) == 0; 182 154 183 if (okay) { 155 okay = check_can_bind_low_ports() == keepcaps; 184 /* Only run this check if there are ports we may not be able to bind 185 * to. */ 186 const uint16_t min_port = unprivileged_port_range_start(); 187 188 if (min_port >= PORT_TEST_RANGE_START && 189 min_port < PORT_TEST_RANGE_END) { 190 okay = check_can_bind_low_ports() == keepcaps; 191 } Fixed in 861c0fe3, but if you think the wording is off let me know.
marked this merge request as draft from ahf/tor@7a90a6aa