From 48ca75555522716f0f686dcae3dd6cf3d8ad714d Mon Sep 17 00:00:00 2001 From: davidovski Date: Tue, 31 May 2022 11:05:19 +0100 Subject: removed idea of repos --- repo/tor/0002-disable-wildcard-escaping-test_patch | 25 +++++ .../0003-disable-sandbox_chown_filename-test_patch | 36 +++++++ repo/tor/0004-disable-more-sandbox-tests_patch | 120 +++++++++++++++++++++ repo/tor/tor.confd | 13 +++ repo/tor/tor.initd | 92 ++++++++++++++++ repo/tor/tor.xibuild | 44 ++++++++ repo/tor/torrc.sample.patch | 27 +++++ 7 files changed, 357 insertions(+) create mode 100644 repo/tor/0002-disable-wildcard-escaping-test_patch create mode 100644 repo/tor/0003-disable-sandbox_chown_filename-test_patch create mode 100644 repo/tor/0004-disable-more-sandbox-tests_patch create mode 100644 repo/tor/tor.confd create mode 100644 repo/tor/tor.initd create mode 100644 repo/tor/tor.xibuild create mode 100644 repo/tor/torrc.sample.patch (limited to 'repo/tor') diff --git a/repo/tor/0002-disable-wildcard-escaping-test_patch b/repo/tor/0002-disable-wildcard-escaping-test_patch new file mode 100644 index 0000000..ee4f280 --- /dev/null +++ b/repo/tor/0002-disable-wildcard-escaping-test_patch @@ -0,0 +1,25 @@ +This will only fail on aarch64 and s390x, for some reason. +--- a/src/test/test_util.c ++++ b/src/test/test_util.c +@@ -4633,21 +4633,6 @@ test_util_glob(void *ptr) + TEST("file1"PATH_SEPARATOR"*"); + EXPECT_EMPTY(); + +-#ifndef _WIN32 +- // test wildcard escaping +- TEST("\\*"); +- EXPECT_EMPTY(); +- +- if (getuid() != 0) { +- // test forbidden directory, if we're not root. +- // (Root will be able to see this directory anyway.) +- tor_asprintf(&pattern, "%s"PATH_SEPARATOR"*"PATH_SEPARATOR"*", dirname); +- results = tor_glob(pattern); +- tor_free(pattern); +- tt_assert(!results); +- } +-#endif /* !defined(_WIN32) */ +- + #undef TEST + #undef EXPECT + #undef EXPECT_EMPTY diff --git a/repo/tor/0003-disable-sandbox_chown_filename-test_patch b/repo/tor/0003-disable-sandbox_chown_filename-test_patch new file mode 100644 index 0000000..3140139 --- /dev/null +++ b/repo/tor/0003-disable-sandbox_chown_filename-test_patch @@ -0,0 +1,36 @@ +This test fail on armhf, armv7 and aarch64 +--- a/src/test/test_sandbox.c ++++ b/src/test/test_sandbox.c +@@ -193,24 +193,6 @@ test_sandbox_chmod_filename(void *arg) + } + + static void +-test_sandbox_chown_filename(void *arg) +-{ +- sandbox_data_t *data = arg; +- int rc, errsv; +- +- if (chown(sandbox_intern_string(data->file_ops_allowed), -1, -1) != 0) +- tt_abort_perror("chown"); +- +- rc = chown(data->file_ops_blocked, -1, -1); +- errsv = errno; +- tt_int_op(rc, OP_EQ, -1); +- tt_int_op(errsv, OP_EQ, EPERM); +- +- done: +- (void)0; +-} +- +-static void + test_sandbox_rename_filename(void *arg) + { + sandbox_data_t *data = arg; +@@ -327,7 +309,6 @@ struct testcase_t sandbox_tests[] = { + + SANDBOX_TEST_IN_SANDBOX(openat_filename), + SANDBOX_TEST_IN_SANDBOX(chmod_filename), +- SANDBOX_TEST_IN_SANDBOX(chown_filename), + SANDBOX_TEST_IN_SANDBOX(rename_filename), + + /* Currently the sandbox is unable to filter stat() calls on systems where diff --git a/repo/tor/0004-disable-more-sandbox-tests_patch b/repo/tor/0004-disable-more-sandbox-tests_patch new file mode 100644 index 0000000..7359b23 --- /dev/null +++ b/repo/tor/0004-disable-more-sandbox-tests_patch @@ -0,0 +1,120 @@ +These tests fail on aarch64 +--- a/src/test/test_sandbox.c ++++ b/src/test/test_sandbox.c +@@ -148,71 +148,6 @@ test_sandbox_is_active(void *ignored) + } + + static void +-test_sandbox_open_filename(void *arg) +-{ +- sandbox_data_t *data = arg; +- int fd, errsv; +- +- fd = open(sandbox_intern_string(data->file_ops_allowed), O_RDONLY); +- if (fd == -1) +- tt_abort_perror("open"); +- close(fd); +- +- /* It might be nice to use sandbox_intern_string() in the line below as well +- * (and likewise in the test cases that follow) but this would require +- * capturing the warning message it logs, and the mechanism for doing so +- * relies on system calls that are normally blocked by the sandbox and may +- * vary across architectures. */ +- fd = open(data->file_ops_blocked, O_RDONLY); +- errsv = errno; +- tt_int_op(fd, OP_EQ, -1); +- tt_int_op(errsv, OP_EQ, EPERM); +- +- done: +- if (fd >= 0) +- close(fd); +-} +- +-static void +-test_sandbox_chmod_filename(void *arg) +-{ +- sandbox_data_t *data = arg; +- int rc, errsv; +- +- if (chmod(sandbox_intern_string(data->file_ops_allowed), +- S_IRUSR | S_IWUSR) != 0) +- tt_abort_perror("chmod"); +- +- rc = chmod(data->file_ops_blocked, S_IRUSR | S_IWUSR); +- errsv = errno; +- tt_int_op(rc, OP_EQ, -1); +- tt_int_op(errsv, OP_EQ, EPERM); +- +- done: +- (void)0; +-} +- +-static void +-test_sandbox_rename_filename(void *arg) +-{ +- sandbox_data_t *data = arg; +- const char *fname_old = sandbox_intern_string(data->file_ops_allowed), +- *fname_new = sandbox_intern_string(data->file_rename_target_allowed); +- int rc, errsv; +- +- if (rename(fname_old, fname_new) != 0) +- tt_abort_perror("rename"); +- +- rc = rename(fname_new, fname_old); +- errsv = errno; +- tt_int_op(rc, OP_EQ, -1); +- tt_int_op(errsv, OP_EQ, EPERM); +- +- done: +- (void)0; +-} +- +-static void + test_sandbox_openat_filename(void *arg) + { + sandbox_data_t *data = arg; +@@ -235,28 +170,6 @@ test_sandbox_openat_filename(void *arg) + } + + static void +-test_sandbox_opendir_dirname(void *arg) +-{ +- sandbox_data_t *data = arg; +- DIR *dir; +- int errsv; +- +- dir = opendir(sandbox_intern_string(data->dir_ops_allowed)); +- if (dir == NULL) +- tt_abort_perror("opendir"); +- closedir(dir); +- +- dir = opendir(data->dir_ops_blocked); +- errsv = errno; +- tt_ptr_op(dir, OP_EQ, NULL); +- tt_int_op(errsv, OP_EQ, EPERM); +- +- done: +- if (dir) +- closedir(dir); +-} +- +-static void + test_sandbox_stat_filename(void *arg) + { + sandbox_data_t *data = arg; +@@ -302,15 +215,8 @@ struct testcase_t sandbox_tests[] = { + #ifdef ENABLE_FRAGILE_HARDENING + SANDBOX_TEST_SKIPPED(open_filename), + SANDBOX_TEST_SKIPPED(opendir_dirname), +-#else +- SANDBOX_TEST_IN_SANDBOX(open_filename), +- SANDBOX_TEST_IN_SANDBOX(opendir_dirname), + #endif /* defined(ENABLE_FRAGILE_HARDENING) */ + +- SANDBOX_TEST_IN_SANDBOX(openat_filename), +- SANDBOX_TEST_IN_SANDBOX(chmod_filename), +- SANDBOX_TEST_IN_SANDBOX(rename_filename), +- + /* Currently the sandbox is unable to filter stat() calls on systems where + * glibc implements this function using either of the legacy "stat" or "stat64" + * system calls, or (in glibc version 2.33 and later) either of the newer diff --git a/repo/tor/tor.confd b/repo/tor/tor.confd new file mode 100644 index 0000000..38a482c --- /dev/null +++ b/repo/tor/tor.confd @@ -0,0 +1,13 @@ +# Location of the torrc configuration file. +#conffile="/etc/tor/torrc" + +# User to start the tor daemon. +# If "User" directive is set in $conffile, then this option is ignored (i.e. +# tor is started under root, but it setuids to the specified User after start). +#user="tor" + +# Timeout for gracefulstop +#graceful_timeout="60" + +# Set the file limit +rc_ulimit="-n 30000" diff --git a/repo/tor/tor.initd b/repo/tor/tor.initd new file mode 100644 index 0000000..db8b2cf --- /dev/null +++ b/repo/tor/tor.initd @@ -0,0 +1,92 @@ +#!/sbin/openrc-run + +: ${conffile:="/etc/tor/torrc"} +: ${user:="tor"} +: ${graceful_timeout:="${GRACEFUL_TIMEOUT:-60}"} + +command="/usr/bin/tor" +command_args="-f $conffile --runasdaemon 0" +command_background="yes" +start_stop_daemon_args="--chdir /var/lib/tor" +pidfile="/run/tor/tor.pid" + +extra_commands="checkconfig" +extra_started_commands="gracefulstop reload" + +description="Anonymizing overlay network for TCP" +description_checkconfig="Check if config file is valid." +description_reload="Reload the configuration." +# See bug #523552, and https://trac.torproject.org/projects/tor/ticket/5525 +description_gracefulstop="Gracefully stop (wait $gracefulstop until all connections are properly closed)." + + +depend() { + need net +} + +checkconfig() { + # First check that it exists. + if [ ! -f "$conffile" ] ; then + eerror "You need to setup $conffile first, see $conffile.sample for example" + return 1 + fi + + # Now verify whether the configuration is valid. + # If User directive is set in $conffile, then we must run tor as root, + # even --verify-config, otherwise it fails when verifying permissions + # of DataDirectory. + if conf_has User; then + local user="root" + fi + local out + out="$(su -s /bin/sh -c "$command $command_args --verify-config" $user 2>&1)" || { + eerror "Tor configuration $conffile is not valid" + printf '%s\n' "$out" + return 1 + } +} + +start_pre() { + checkconfig || return 1 + + # If User directive is set in $conffile, start tor as root and let it + # drop privileges itself (may be needed e.g. to bind to a privileged + # port). Otherwise run tor as $user (recommended). + if conf_has User; then + local user="$(conf_get User)" + else + start_stop_daemon_args="$start_stop_daemon_args --user $user" + fi + + if conf_has DataDirectory; then + checkpath -d -m 0700 -o "$user" "$(conf_get DataDirectory)" + fi + checkpath -d -m 0755 -o "$user" "$(dirname "$pidfile")" +} + +gracefulstop() { + ebegin "Gracefully stopping Tor, this can take up to $graceful_timeout seconds" + start-stop-daemon --stop \ + --progress \ + --signal INT \ + --retry $graceful_timeout \ + --pidfile "$pidfile" \ + --exec $command -- $command_args + eend $? +} + +reload() { + start_pre || return 1 + + ebegin "Reloading Tor configuration" + start-stop-daemon --signal HUP --pidfile "$pidfile" + eend $? +} + +conf_get() { + sed -n "s/^\s*$1 \([^#]*\)/\1/p" "$conffile" +} + +conf_has() { + grep -q "^\s*$1 " "$conffile" +} diff --git a/repo/tor/tor.xibuild b/repo/tor/tor.xibuild new file mode 100644 index 0000000..8441516 --- /dev/null +++ b/repo/tor/tor.xibuild @@ -0,0 +1,44 @@ +#!/bin/sh + +NAME="tor" +DESC="Anonymous network connectivity" + +MAKEDEPS="make " +DEPS="libcap libseccomp libevent openssl cacerts zlib xz zstd " + +PKG_VER=0.4.7.7 +SOURCE="https://www.torproject.org/dist/tor-$PKG_VER.tar.gz" +ADDITIONAL="torrc.sample.patch tor.initd tor.confd" + +prepare () { + apply_patches +} + +build () { + ./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --mandir=/usr/share/man \ + --disable-html-manual + make + +} + +package () { + make DESTDIR="$PKG_DEST" install + + install -dm0755 -o "tor" \ + "$PKG_DEST"/var/lib/"tor" \ + "$PKG_DEST"/var/log/"tor" + + install -Dm0755 "tor".initd \ + "$PKG_DEST"/etc/init.d/"tor" + install -Dm0644 "tor".confd \ + "$PKG_DEST"/etc/conf.d/"tor" +} + +postinstall () { + adduser -S -D -H -h /var/lib/tor -s /sbin/nologin -g tor tor 2>/dev/null + return 0 +} diff --git a/repo/tor/torrc.sample.patch b/repo/tor/torrc.sample.patch new file mode 100644 index 0000000..3360e98 --- /dev/null +++ b/repo/tor/torrc.sample.patch @@ -0,0 +1,27 @@ +--- a/src/config/torrc.sample.in ++++ b/src/config/torrc.sample.in +@@ -35,7 +35,7 @@ + ## may provide sensitive information to an attacker who obtains the logs. + ## + ## Send all messages of level 'notice' or higher to @LOCALSTATEDIR@/log/tor/notices.log +-#Log notice file @LOCALSTATEDIR@/log/tor/notices.log ++Log notice file @LOCALSTATEDIR@/log/tor/notices.log + ## Send every possible message to @LOCALSTATEDIR@/log/tor/debug.log + #Log debug file @LOCALSTATEDIR@/log/tor/debug.log + ## Use the system log instead of Tor's logfiles +@@ -43,14 +43,9 @@ + ## To send all messages to stderr: + #Log debug stderr + +-## Uncomment this to start the process in the background... or use +-## --runasdaemon 1 on the command line. This is ignored on Windows; +-## see the FAQ entry if you want Tor to run as an NT service. +-#RunAsDaemon 1 +- + ## The directory for keeping all the keys/etc. By default, we store + ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +-#DataDirectory @LOCALSTATEDIR@/lib/tor ++DataDirectory @LOCALSTATEDIR@/lib/tor + + ## The port on which Tor will listen for local connections from Tor + ## controller applications, as documented in control-spec.txt. -- cgit v1.2.1