Commit Graph

1186 Commits

Author SHA1 Message Date
Daniel Golle
56b14fdeb2
procd: update to git HEAD
bb95fe8 jail: make sure jailed process is terminated

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-12-11 03:16:57 +00:00
Christian Lamparter
25bc66eb40 ca-certificates: fix python3-cryptography woes in certdata2pem.py
This patch is a revert of the upstream patch to Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")

The reason is, that this change broke builds with the popular
Ubuntu 20.04 LTS (focal) releases which are shipping with an
older version of the python3-cryptography package that is not
compatible.

|Traceback (most recent call last):
|  File "certdata2pem.py", line 125, in <module>
|    cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1

...or if the python3-cryptography was missing all together:
|Traceback (most recent call last):
|  File "/certdata2pem.py", line 31, in <module>
|    from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'

More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway.
Right now it seems to be just a warning but I could imagine that
eventually certs are simply omitted of found to be expired at
build time which would break reproducibility."

Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-12-01 17:52:35 +01:00
Christian Lamparter
7c99085bd6 ca-certicficates: Update to version 20211016
Update the ca-certificates and ca-bundle package from version 20210119 to
version 20211016.

Debian change-log entry [1]:
|[...]
|[ Julien Cristau ]
|* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
|    bundle to version 2.50
|    The following certificate authorities were added (+):
|    + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
|    + "GlobalSign Root R46"
|    + "GlobalSign Root E46"
|    + "GLOBALTRUST 2020"
|    + "ANF Secure Server Root CA"
|    + "Certum EC-384 CA"
|    + "Certum Trusted Root CA"
|    The following certificate authorities were removed (-):
|    - "QuoVadis Root CA"
|    - "Sonera Class 2 Root CA"
|    - "GeoTrust Primary Certification Authority - G2"
|    - "VeriSign Universal Root Certification Authority"
|    - "Chambers of Commerce Root - 2008"
|    - "Global Chambersign Root - 2008"
|    - "Trustis FPS Root CA"
|    - "Staat der Nederlanden Root CA - G3"
|  * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
|[...]

[1] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20211016_changelog>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-11-30 20:14:26 +01:00
Jo-Philipp Wich
50bc06e774 procd: setup /dev/stdin, /dev/stdout and /dev/stderr symlinks
Extend the hotplug.json ruleset to setup the common /dev/std{in,out,err}
symbolic links which are needed by some applications, e.g. nftables when
applying rulesets from stdin.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2021-11-23 14:03:39 +00:00
Daniel Golle
507f50df07
procd: update to git HEAD
8de12de system: add diskfree infos to ubus
 bf3fe0e service: move jail parsing to end of instance parser
 87b5836 procd: add full service shutdown prior to sysupgrade
 01ac2c4 procd: service_stop_all: also kill inittab actions

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-23 14:03:23 +00:00
Daniel Golle
c1ab687349
fstools: update to git HEAD
77c0288 fstools: fix a couple of minor code problems

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-20 21:09:59 +00:00
Daniel Golle
9224ddf72d
procd: update to git HEAD
9d1431e jail: allow passing environment variable to procd jailed process

Fixes dnsmasq in ujail which needs USER_SCRIPT env variable to be
passed to jailed process.

Reported-by: Bastian Bittorf <bb@npl.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-11 14:09:25 +00:00
Daniel Golle
32ba52e217
rpcd: reload rpcd on installation of rpcd-mod-*
When installing additional rpcd modules, a restart of rpcd is required.
This often confuses users as even after installing rpcd-mod-rpcsys the
relevant ubus objects are still missing until rpcd has been reloaded
(or the system has been rebooted, obviously).
Let rpcd-mod-* reload rpcd as post-install action.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-08 14:21:02 +00:00
Felix Fietkau
1cead21e8b procd: make rpcd dependency conditional
Avoids building rpcd when not needed

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-04 16:54:31 +01:00
Stijn Tintel
f5cdf9cb78 procd: bump to git HEAD
0ee8e73 trigger: use uloop_timeout_remaining64

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 15:01:53 +02:00
Stijn Tintel
6a7388f673 rpcd: bump to git HEAD
20bf958 session: use uloop_timeout_remaining64
 d11ffe9 session: use blobmsg_get_u64 for RPC_DUMP_EXPIRES

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 14:58:31 +02:00
Daniel Golle
fab84bf18c
procd: update to git HEAD
1056fc4 jail: elf: Use 64 bit variables for elf offsets
 c1976e5 jail: elf: Remove MIPS 64 warning

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-01 18:20:24 +00:00
Daniel Golle
d05eae9249
fstools: update to git HEAD
19fd7fc libfstools: make sure file is closed on error
 d390744 libfstools: use uevent instead of relying on custom kernel patch

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-01 18:01:08 +00:00
Felix Fietkau
d7843fd7ef ubus: update to the latest version
b743a331421d ubusd: log ACL init errors
2099bb3ad997 libubus: use list_empty/list_first_entry in ubus_process_pending_msg
ef038488edc3 libubus: process pending messages in data handler if stack depth is 0
a72457b61df0 libubus: increase stack depth for processing obj msgs

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-01 12:00:21 +01:00
Dominick Grift
04c5bcd074 selinux-policy: update to version 1.0
wifi: writes to terminal
hotplugcall and sqm read class sysfile symlinks
unbound and sqm related loose ends
support/example: policycoreutils host-compile is required
TODO: this was wrong and it is actually needed
linguist detectable does not work this way
linguist-detectable
updates README
adds workflows
adds a note about persistent /var option

project moved to https://github.com/DefenSec/selinux-policy

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-28 22:15:02 +01:00
Hauke Mehrtens
eeeb9b7496 uci: update to git HEAD
cmake: Allow override of install directories

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-10-22 23:51:51 +02:00
Hauke Mehrtens
0ca81ff047 procd: update to git HEAD
jail: Fix build with glibc

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-10-22 23:51:50 +02:00
Daniel Golle
333f93333e
procd: update to git HEAD
9b1e035 jail: netifd: code cosmetics
 d2a2ecc jail: netifd: fix error handling issue reported by coverity
 e1d7cee jail: netifd: check target netns fd before using it
 59f7699 uxc: add missing 'break' statement

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-17 21:58:47 +01:00
Florian Eckert
b118efa0d2
buildsystem: add CONFIG_SECCOMP
Until now, this feature was switched on via the kernel configuration
option KERNEL_SECCOMP.

The follwing change a7f794cd2a now requires that
the package procd-seccomp must also enabled for buildinmg.

However, this is not the case we have no dependency and the imagebuilder
cannot build the image, because of the implicit package selection.

This change adds a new configuration option CONFIG_SECCOMP.
The new option  has the same behaviour as the configuration
option CONFIG_SELINUX.

If the CONFIG_SECCOMP is selected then the package procd-seccomp and
KERNEL_SECCOMP is enabled for this build.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-16 02:00:47 +01:00
Daniel Golle
213ce1d837
procd: update to git HEAD
97bcdcf uxc: fix segfault caused by use-after-free
 6398e05 uxc: don't free the stack
 324ebd0 jail: fs: add support for asymmetric mount bind
 c44ab7f jail: netifd: generate netifd uci config and mount it
 82dd390 jail: make use of per-container netifd via ubus

The new per-jail netifd is now configured by filtering the host
network configuration. As libuci is used for that, procd-ujail now
depends on libuci.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-13 00:40:29 +01:00
Christian Lamparter
80b7a8a7f5 Revert "gpio-cdev: add nu801 userspace driver"
This reverts commit f536f5ebdd.

As Hauke commented, this causes builder failures on 5.4 kernels.
This revert includes changes to the mx100 kernel modules
dependency as well as the uci led definitions.

Tested-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-10-10 23:15:05 +02:00
Chris Blake
f536f5ebdd gpio-cdev: add nu801 userspace driver
This adds a userspace interpretation of the nu801 driver used by Meraki
hardware. Previously this was a driver that was added per target, but as
multiple targets now have this driver, we should move to something that
can be shared by all targets since no driver exists upstream.

Co-developed-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-10-10 16:47:41 +02:00
Timo Sigurdsson
f83e927b87 fstools: ensure filesystems are mounted before log service starts
Currently, the fstab service starts after the log service which breaks
the ability to write a persistent log file to a filesystem mounted by
the fstab service. Thus, change the start order of the fstab service so
it starts right before the log service.

Fixes: b131853 ("ubox: update to latest git revision")
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
[set to 11 to be explicitly before log, not only alphabetically, SPDX]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-09-22 16:49:10 -10:00
Daniel Golle
10df8ffcdf
procd: update to git HEAD
8a60e7e trace: don't leak file descriptor in error path
 68df9ac procd: fix container deletion
 f16abe0 uxc: add JSON output option for 'list' command
 a23c888 jail: prepare for adding process to existing namespace
 50da8a4 instance: allow jailed service to join namespace(s)
 482d1ab Revert "jail: do not hack /etc/resolv.conf on container rootfs"
 1eb4371 jail: start ubus and netifd instances for container with netns

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-09-15 21:47:32 +01:00
Daniel Golle
bf94c2da3e
procd: fix issue mounting overlay fs
The previous procd update broke mounting overlayfs in an attempt to
fix an off-by-one error. Revert that broken fix and apply fix from
Nick Hainke <vincent@systemli.org> instead to bring things back to
life.

 20adf53 Revert "initd: fix off-by-one error in mkdev.c"
 773e8da initd: fix off-by-one error in mkdev.c

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-31 12:31:15 +01:00
Daniel Golle
3e16866f39
procd: update to git HEAD
96d8bf2 trace: fix potential use-after-free occurence
 8eb1d78 initd: fix off-by-one error in mkdev.c
 86f82f3 utils: don't ignore open() return value
 f5fe04b jail: actually check calloc return value
 269c9e4 trace: preload: avoid NULL-dereference here as well

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-31 00:52:47 +01:00
Daniel Golle
25cb37bc00
procd: update to git HEAD
df251c2 uxc: move mountpoint of persistent config to /var/run/uxc
 e5b38fd trace: free memory allocated by blobmsg_format_json_indent()

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-30 20:36:11 +01:00
Daniel Golle
364bd887a1
fstools: update to git HEAD
50e6b20 libfstools: handle open() return value properly in F2FS check
 e1b6811 blockd: include missing libubox/utils.h

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-25 22:49:00 +01:00
Daniel Golle
76f46f4105
procd: update to git HEAD
8a8306d uxc.c: fix coverity resource leak warning
 7f2398e jail: devices: create parent folder when creating devices
 0603c8d jail: return to hook callback instead of just calling it
 3edb7eb jail: check return value when opening console
 af048a3 jail: use portable sizeof(void *)
 6010bd3 utils: make sure read() string is 0 terminated
 f6daca3 uxc: free string returned by blobmsg_format_json_indent()
 51f1cd2 trace: free string returned by blobmsg_format_json_indent()
 d716cb5 trace: handle open() return value and make sure string is terminated
 b824a89 jail: preload: avoid NULL-dereference in case things go wrong
 167dc24 jail: protect against strcat buffer overflows

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-24 18:49:46 +01:00
Daniel Golle
cc0112d9d7
selinux-policy: update to version 0.9
592ac0f add a note
 4bacd14 sslcertfile: list /etc/ssl
 7bdefa4 example: indicate that skip is an option
 d1e9a85 wifi: sys pipe usage
 eb903e1 README: add note about policycoreutils-setfiles weak dependency
 762e011 ttyd: signull all subjects
 fbfc079 acme: add basic support for acme_cleanup.sh and acme_setup.sh
 9ac7592 acme: transition to sys.subj on generic initscript execution
 f3dd1ba acme: missing rules related to sys.subj trans on file.initscriptfile
 ae273fa odhcp6c/netifd: support drop-in directories
 5fa9b41 subj: do not encourage misconfiguration
 44722b6 blockd, logd, odhcpc6, ubiutil, mtdstordev
 a775d93 21.02 related
 a473691 rcboot runs rcuhttpd which creates /tmp/etc for /tmp/etc/uhttpd
 290e9fb rcuhttpd: related to rcboot and uci-defaults
 3fc0d8b rcuhttpd: lists /etc/uci-defaults
 1f5ef48 removes ubvol.lock policy and adds move mtd/ubi partitions

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-20 01:48:13 +01:00
Daniel Golle
5c13177c55
procd: add missing dependency and fix empty mount triggers
procd.sh:
 Instead of triggering on every mount.add event, there should be no
 mount trigger at all in case none of the directories passed to
 procd_add_*_mount_trigger() are located on a mountpoint configured in
 /etc/config/fstab.

uxc:
 add missing dependency on rpcd.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-15 18:08:37 +01:00
Daniel Golle
09fccdb99e
procd: update to git HEAD
040fecc system: fix issues reported by Coverity
 48f481b service: make sure string read is null terminated
 16dbc2a uxc: fix a bunch of issues discovered by Coverity
 ff9002f uxc: fix help output
 104b49d uxc: support config in uvol

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-15 15:44:05 +01:00
Daniel Golle
1235e2ee3b
procd: update to git HEAD
48638ad hotplug-dispatch: yet another rare memory leak disovered by Coverity
 459b3e8 jail: fix several issues discovered by Coverity
 2562e2b ujail-console: add missing error handling discovered by coverity

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-14 19:20:05 +01:00
Daniel Golle
9126c0a59f
fstools: update to git HEAD
629726d blockd: fix resource leak discovered by coverity scan
 68ae639 libubi: fix several issues discovered by Coverity
 a77c4fa ubi: fix resource leak in legacy codepath
 2e3aca2 block: fix two resources leaks discovered by Coverity

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-14 19:19:58 +01:00
Daniel Golle
5181af5585
procd: update to git HEAD
9f233f5 system: make rootfs type accessible through board call

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-13 04:46:29 +01:00
Daniel Golle
80be893d2b
procd: change procd_add_start_mount_trigger to do restart
Change procd_add_start_mount_trigger to procd_add_restart_mount_trigger
and make it call 'restart' instead of 'start'.
This is more useful as it allows to handle both cases, intial start of
a services as well as restarting services. Calling 'restart' on a
service which has not yet been started has the same result as calling
'start'.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-08 15:26:28 +01:00
Daniel Golle
46a65f927c
procd: update to git HEAD and add new script helpers
e10de28 jail: cgroups-bpf: fix compile with musl 1.2
 f5d9b14 hotplug-dispatch: fix rare memory leaks in error paths

Add new init script helpers:
 procd_add_start_mount_trigger
 procd_add_reload_mount_trigger
 procd_get_mountpoints

Both trigger helpers expect a list of paths which are checked against
the mount targets configured in /etc/config/fstab and a trigger for all
mountpoints covered by the list of paths is setup.

procd_get_mountpoints is useful to find out if and which mountpoints
are covered by a list of paths.

Example:
  DATADIRS="/mnt/data/foo /mnt/data/bar /etc/foo/baz /var/lib/doe"

  start_service() {
    [ "$_BOOT" = "1" ] &&
      [ "$(procd_get_mountpoints $DATADIRS)" ] && return 0

    procd_open_instance
    # ...
    procd_close_instance
  }

  boot() {
    _BOOT=1 start
  }

  service_triggers() {
    procd_add_start_mount_trigger $DATADIRS
  }

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-05 03:46:21 +01:00
Daniel Golle
aa21110e44
fstools: update to git HEAD
d4f0129 blockd: also report target in notifications

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-05 03:46:11 +01:00
Daniel Golle
edb6bc1990
procd: update to git HEAD
Fix build on glibc targets and address a bunch of compiler warnings.

 93fc089 jail: cgroups-bpf: don't use sys/reg.h when building with glibc
 548d057 jail: don't ignore return value of seteuid()
 220b716 jail: ignore return value when creating default /dev symlinks
 78d5baa hotplug-dispatch: don't ignore asprintf() return value
 736aee5 uxc: always handle asprintf() return value
 2b20456 hotplug-dispatch: replace wrongly used assert()
 bfc86a2 jail: cgroups: replace wrongly used assert()
 516bdf2 jail: don't ignore return value of write()

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-04 19:12:44 +01:00
Daniel Golle
080a2d4bdf
fstools: update to git HEAD
141ac85 libblkid-tiny: fix invalid open syscall return check
 9e26563 libblkid-tiny: install header file to include dir

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-04 00:13:50 +01:00
Daniel Golle
0f5e8c8614
ubox: update to git HEAD
1f4f72b logd: fix privilege dropping order
 205defb logread: fix erroneous message "Logread connected to" with udp

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-04 00:13:45 +01:00
Daniel Golle
3404af774d
fstools: update to git HEAD
b7bf185 blockd: make most calls to 'block' asynchronous

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-30 02:12:40 +01:00
Daniel Golle
57ece63cd8
fstools: update to git HEAD
46d02c2 block: don't add non-ubifs ubi devices
 cc63933 blockd: send mount.ready when startup has completed

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-28 20:26:13 +01:00
Hauke Mehrtens
e11be055f1 procd: update to git HEAD
f26233e watchdog: Add an info message if the watchdog reset the system

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-07-25 14:51:43 +02:00
Daniel Golle
1ed9fc663e
procd: update to git HEAD
772292e uxc: don't restart containers when mount shows up
 3a9d910 uxc: resolve volume UUIDs by name of UCI fstab section

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-25 00:58:40 +01:00
Daniel Golle
ca31755af9 fstools: update to git HEAD (again)
a846c6b blockd: fix length of timeout int passed to ioctl
 1d681ca block: support umount device basename

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-24 01:14:09 +01:00
Daniel Golle
5bc898b43e fstools: update to git HEAD
59f7c11 blockd: create mountpoint parent folder if needed
9cc96af Revert "block: resolve /dev/mapper/* name for /dev/dm-0 when hotplugging"
06334ac Revert "blockd: detect mountpoint of /dev/mapper/*"
9ab3551 block: use /dev/dm-* instead of /dev/mapper/*
5114595 block: allow remove hotplug event to arrive at blockd

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-24 00:01:51 +01:00
Daniel Golle
cda668e046
procd: update to git HEAD
9bd1b7f jail: refactor directory handling for rootfs and overlaydir

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-18 19:12:08 +01:00
Daniel Golle
c1a3eff3ac
procd: update to git HEAD
0545905 jail: make use of realpath() for rootfs and overlaydir

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-17 22:11:50 +01:00
Daniel Golle
b1b16bddb0
procd: update to git HEAD
0ee73b2 uxc: implement support for rootfs overlay in containers
 b0a8ea1 jail: do not hack /etc/resolv.conf on container rootfs
 92aba53 jail: increase max additional env records to 64
 15997e6 jail: allow rootfs to be a symbolic link
 0114c6f jail: open() extroot folder before mounting
 ed96eda uxc: check for required blockd mounts

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-15 18:22:24 +01:00
Daniel Golle
6bcc8e9d97
fstools: update to git HEAD
3386b6b blockd: fix trigger name
 cdc9939 blockd: move to its own POSIX process group

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-15 18:22:17 +01:00
Daniel Golle
6721c20629
fstools: update to git HEAD
4d4dcfb blockd: detect mountpoint of /dev/mapper/*
 2f42515 block: resolve /dev/mapper/* name for /dev/dm-0 when hotplugging
 39558a1 blockd: also send ubus notification on mount hotplug

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-14 05:38:37 +01:00
Jo-Philipp Wich
324e3fb64f rpcd: update to latest Git HEAD
1fa3576 session: unload rpcd configuration before checking login

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2021-07-13 20:43:02 +02:00
Daniel Golle
f46a38a1ac
procd: update to git HEAD
2dcefbd jail: add support for cgroup devices as in OCI run-time spec

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-10 23:01:05 +01:00
Petr Štetiar
8307da3dbd treewide: unmark selected packages nonshared
This partially reverts changes done in commit 72cc44958e ("treewide:
mark selected packages nonshared") as it removes the nonshared flag, but
keeps the PKG_RELEASE as the PKG_RELEASE bump while adding nonshared
flag was incorrect.

Unmark uci, ubus, libubox, lua, libnl-tiny and libjson-c as nonshared
packages as this fix attempt didn't worked out. Currently the
imagebuilder is broken again:

 openwrt-imagebuilder-21.02.0-rc3-ipq40xx-generic.Linux-x86_64$ make image PROFILE=avm_fritzbox-7530 PACKAGES=luci-ssl-openssl
 ...
 Collected errors:
  * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for luci-mod-status
  * pkg_hash_fetch_best_installation_candidate: Packages for luci-mod-status found, but incompatible with the architectures configured
  * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for rpcd-mod-iwinfo
  * pkg_hash_fetch_best_installation_candidate: Packages for rpcd-mod-iwinfo found, but incompatible with the architectures configured
  * satisfy_dependencies_for: Cannot satisfy the following dependencies for luci-ssl-openssl:
  * 	libiwinfo20210430
  * opkg_install_cmd: Cannot install package luci-ssl-openssl.

Everything because iwinfo's ABI was changed two times since rc3 release:

 +IWINFO_ABI_VERSION:=20210430
 +IWINFO_ABI_VERSION:=20210420

Since iwinfo is marked as nonshared, it wasn't built by phase2 builders, but
luci-mod-status was already updated 2 times since rc3 and was thus rebuilt by
phase2 builders:

 d1d452ed2fb3 luci-mod-status: don't set '-' hostname when creating static lease
 95b3633055c1 luci-mod-status: switch to html table for wlan channel analysis

So now luci-mod-status depends on libiwinfo20210430 but only
libiwinfo20210106 can be downloaded. This is first part of the fix, in
the upcoming commit Jo is going to remove nonshared flag from iwinfo
package as well.

References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035736.html
References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035741.html
Acked-by: Jo-Philipp Wich <jo@mein.io>
Reported-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-07-02 18:12:15 +02:00
Felix Fietkau
3c57475085 ubus: update to the latest version
4fc532c8a55b ubusd: fix tx_queue linked list usage

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-30 21:58:51 +02:00
Rui Salvaterra
d31783329b zram-swap: clean up the log messages
Remove redundant tags and name things more consistently.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[removed superflous dash]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-06-27 14:49:14 -10:00
Rui Salvaterra
7720de4194 zram-swap: set the zram swap priority to 100 by default
New swap devices are added in decreasing priority order, starting at -1. Make
sure the zram swap device has the highest priority, by default.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-06-27 14:44:28 -10:00
Rui Salvaterra
18c24a29f9 zram-swap: robustify mkswap/swapon/swapoff invocation
Instead of assuming /sbin contains the correct BusyBox symlinks, directly invoke
the busybox executable. The required utilities are guaranteed to be present,
since the zram-swap package selects them. Additionally, don't assume busybox
resides in /bin, rely on PATH to find it.

While at it, update the copyright year, use SPDX and switch to AUTORELEASE.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-06-24 15:24:52 -10:00
Florian Eckert
92ac2a20eb uci: add uci_revert function
Add missing uci_revert shell function wrapper.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2021-06-21 08:36:03 -10:00
Rosen Penev
3dabb62581 treewide: remove PKG_INSTALL from CMake packages
It's already default with cmake.mk

Found with:

git grep PKG_INSTALL\: | cut -d ':' -f 1 | sort -u > ins
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 ins cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Rosen Penev
2e745e9be6 treewide: remove BUILD_PARALLEL from CMake packages
It's already default. The only exception is mt76 which has Ninja
disabled.

Found with:

git grep BUILD_PARALLEL | cut -d ':' -f 1 | sort -u > par
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 par cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Hauke Mehrtens
da86064611 opkg: update to git HEAD
1bf042d libopkg: pkg_hash: print unresolved dependencies

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-06-13 23:58:15 +02:00
Hauke Mehrtens
65b0fe293a opkg: Fix download over git
Set the PKG_SOURCE_URL using a lazy set to allow evaluating
$(PROJECT_GIT) later. Without this change PKG_SOURCE_URL is evaluated
immediately, before PROJECT_GIT is defined and the download over git is
not working.

Fixes: 6687a2483a ("opkg: use $(PROJECT_GIT), $(AUTORELEASE) and SPDX")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-06-13 23:58:15 +02:00
Hannu Nyman
72cc44958e treewide: mark selected packages nonshared
Mark uci, ubus, libubox, lua, libnl-tiny and libjson-c
as nonshared packages. This helps to keep coherent dependencies
if these ABI versioned packages are later updated.

Before this commit it is possible to get missing dependencies
in target-specific nonshared packages (like iwinfo) that depend
on these shared ABI versioned packages. If these are later updated
and rebuilt, only the new ABI version will be available for download,
while the target-specific packages in releases continue to depend on
the old ABI version.

After this commit the packages are built along the other nonshared
packages by the phase1 images buildbot and will be available at the
target/ download directories instead of packages/base dir. That will
help to keep a coherent set available.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2021-06-13 23:58:15 +02:00
Rosen Penev
09de28090c package: fix cmake packages build with ninja
+= is needed for CMAKE_OPTIONS.

mt76 needs Ninja disabled as the kernel stuff uses normal make.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-12 10:46:39 +02:00
Petr Štetiar
4f2243d40a ubus: update to version 2021-06-03
This update contains following changes:

 * ubusd: protect against too-short messages
 * ubusd: add per-client tx queue limit
 * ubusd: convert tx_queue to linked list

Fixes: FS#1525
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-06-03 10:16:49 +02:00
Jo-Philipp Wich
ec83fb9ced ubox: fix init script validation of log_ip option
The underlying logread process uses usock() to handle remote connections
which is able to handle both hostnames and IP addresses.

Ref: https://github.com/openwrt/luci/issues/5077
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2021-05-28 15:23:14 +02:00
Nick Hainke
6687a2483a opkg: use $(PROJECT_GIT), $(AUTORELEASE) and SPDX
1) Use SPDX license headers to be machine readable.
2) Update copyright to 2021.
3) Use $(PROJECT_GIT) instead of manually specifying the git url.
4) Use $(AUTORELEASE) to automatically set the correct PKG_RELEASE.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-05-25 23:48:00 +02:00
Hauke Mehrtens
1903233f2b treewide: Mark packages nonshared if they depend on @TARGET_
This marks all packages which depend on a target with @TARGET nonshared.
If they are not marked nonshared they would be build by the SDK build
and if this happens with a different SDK, then the SDK from the target
the package depends on, the package would not be added to the index.

This should fix the image builder for some of these packages.

This should fix the image builder at least for bcm27xx/bcm2710 and
bcm4908/generic.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-05-24 00:28:22 +02:00
David Bauer
e884389976 rpcd: fix PKG_MIRROR_HASH
Fixes commit 97e820c6d6 ("rpcd: update to latest HEAD")

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-18 19:31:44 +02:00
Hauke Mehrtens
097dc943f1 openwrt-keyring: Only copy sign key for snapshots
Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the master feeds.

If one of the other keys would be compromised this would not affect
users of master snapshot builds.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-05-17 19:02:02 +02:00
Daniel Golle
23f98b3eb7
fstools: add missing #define _GNU_SOURCE
asprintf requires _GNU_SOURCE to be defined. Set it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-05-16 09:55:55 +01:00
Daniel Golle
f8c98ee6c2
fstools: update to git HEAD
c44b40b overlay: fix syncronizing typo
 b5397a1 fstools: block: fix segfault on mount with no target
 bd7cc8d block: use dynamically allocated target string
 6d8450e blockd: use allocated strings instead of fixed buffers
 d47909e libblkid-tiny: fix buffer overflow
 67d2297 block: match device path instead of assuming /dev/%s
 2aeba88 block: allow autofs and umount commands also on MTD/UBI

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-05-16 00:37:01 +01:00
Leonardo Mörlein
b993b68b6c build: introduce $(MKHASH)
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if

    make TOPDIR="$(pwd)" -C "$pkgdir" compile

was called manually. In most of the cases, I just saw warnings like this:

    make: Entering directory '/home/.../package/gluon-status-page'
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    [...]

While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.

After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
2021-05-13 15:13:15 +02:00
Daniel Golle
21b8550598
rpcd: set correct PKG_SOURCE_DATE
The previous commit bumped the source commit level without reflecting
that in PKG_SOURCE_DATA. Bump PKG_SOURCE_DATA as well.

Fixes: 97e820c6d6 ("rpcd: update to latest HEAD")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-05-10 10:57:09 +01:00
David Bauer
97e820c6d6 rpcd: update to latest HEAD
7a560a1 iwinfo: add 802.11ax HE support

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-10 01:20:00 +02:00
Daniel Golle
b607e7df34
procd: update to git HEAD
021ece8 procd: Use /dev/console for serial console if exists

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-05-05 13:18:50 +01:00
Rafał Miłecki
05a4273058 uci: update to the latest master
4b3db11 cli: add option for changing save path

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-14 08:33:12 +02:00
Rui Salvaterra
565dfeb128 zram-swap: bail out early if the kernel doesn't support swap
Since KERNEL_SWAP is only enabled by default for !SMALL_FLASH targets, we need
to check if the current kernel supports swap before trying to configure
zram-swap, as opkg can't check for kernel dependencies.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-04-03 18:57:13 +02:00
Rui Salvaterra
829fa33899 zram-swap: clean up the makefile
Break dependencies into separate lines, to improve the readability. Trim
trailing whitespace.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-04-03 18:57:13 +02:00
Daniel Golle
241ce95d63
procd: update to git HEAD
7ee4563 procd: Adding support to detect Pantavisor Container Platform

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-21 13:36:58 +00:00
Daniel Golle
6801ecd91b
procd: update to git HEAD
Enable seccomp features on Aarch64.

 3e88c6f jail/seccomp: add support for aarch64
 c23d8bf trace: fix build on aarch64

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-19 22:33:27 +00:00
Daniel Golle
2b1aebc0b6
fstools: update to git HEAD
964d1e3 partname: allow skipping existing 'rootfs_data' partition

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-19 13:35:55 +00:00
Álvaro Fernández Rojas
b3f4197139 mtd: fix imagetag compilation
Commit b5b0796a13 added an uint32_t to mtd.h without including stdint, which
results in a compilation error for those files not including stdint.h.

In file included from imagetag.c:36:
mtd.h:15:8: error: unknown type name 'uint32_t'
 extern uint32_t opt_trxmagic;
        ^~~~~~~~
imagetag.c: In function 'trx_fixup':
imagetag.c:180:10: warning: unused variable 'res' [-Wunused-variable]
  ssize_t res;
          ^~~
imagetag.c:177:14: warning: unused variable 'scan' [-Wunused-variable]
  void *ptr, *scan;
              ^~~~
imagetag.c: In function 'trx_check':
imagetag.c:246:27: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
     struct bcm_tag *tag = (const struct bcm_tag *) buf;
                           ^
make[3]: *** [<builtin>: imagetag.o] Error 1

Fixes: b5b0796a13 ("mtd: add option for TRX magic to fixtrx")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2021-03-17 08:42:05 +01:00
INAGAKI Hiroshi
74f15628dd mediatek: add support for Buffalo WSR-2533DHP2
This adds support for the Buffalo WSR-2533DHP2.

The device uses the Broadcom TRX image format with a special magic. To
be able to boot the images or load them they have to be wrapped with
different headers depending how it is loaded.

There are multiple ways to install OpenWrt on this device.
Boot ramdisk from U-Boot
----------------------------
This will load the image and not write it into the flash.

1. Stop boot menu with "space" key
2. Select "System Load Linux to SDRAM via TFTP."
3. Load this image:
   openwrt-mediatek-mt7622-buffalo_wsr-2533dhp2-initramfs-kernel.bin
4. The system boots the image

Write to flash from U-Boot
-----------------------------
This will load the image over tftp and directly write it into the flash.

1. Stop boot menu with "space" key
2. Select "System Load Linux Kernel then write to Flash via TFTP."
3. Load this image:
   openwrt-mediatek-mt7622-buffalo_wsr-2533dhp2-squashfs-factory-uboot.bin
4. The system writes this image into the flash and boots into it.

Write to flash from Web UI
-----------------------------
This will load the image over over the Web UI and write it into the flash

1. Open the Web UI
2. Go to "管理" -> "ファームウェア更新"
3. Select "ローカルファイル指定" and click "更新実行"
4. Load this image:
   openwrt-mediatek-mt7622-buffalo_wsr-2533dhp2-squashfs-factory.bin
5. The system writes this image into the flash and boots into it.

Specifications
-------------------
* SoC:       MT7622 (4x4 2.4 GHz Wifi)
* Wifi:      MT7615 (4x4 5 GHz Wifi)
* Flash:     Winbond W29N01HZ 128MB SLC NAND
* RAM        256MB
* Ethernet:  Realtek RTL8367S (5 x 1GBit/s, SoC via 2.5GBit/s)

Co-Developed-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-15 17:02:17 +01:00
INAGAKI Hiroshi
b5b0796a13 mtd: add option for TRX magic to fixtrx
Buffalo uses the TRX header with a different magic and even changes this
magic with different devices. This change allows to specify the header
to use as a command line argument.

This is needed for the Buffalo WSR-2533DHP2 based on mt7622.

Co-Developed-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-15 16:57:34 +01:00
Daniel Golle
988ed00802
opkg: update to git HEAD
5936c4f libopkg: pkg_hash: prefer original packages to satisfy dependencies

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-15 00:48:42 +00:00
Daniel Golle
6a7a1f1c64
opkg: update to git HEAD
d3a63b3 libopkg: add option to strip ABI versions from listed names

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-14 22:55:17 +00:00
Dominick Grift
41a8f093fb selinux-policy: update to version v0.8
3d7da7a igmpproxy tidy some loose ends
c84ba0f rcigmpproxy: add entries to /etc when creating /etc/igmpproxy.conf
5a18967 adds igmpproxy skeleton
7e6a218 logread: support resolving dns names
e39ca8b netifd: add support for /etc/udhcpc.user
7952bd0 odhcp6c: support /etc/odhcp6c.user
ba0eb4e swconfig, fwenv, agent
4556b8a pppd cosmetic
9324d9d pppd: sends AT commands to model using /dev/ttyUSBN
417b14a ttydev: add some more ttyUSB
ed739dc example: dont depend on policycoreutils
97613f9 dropbear: using dropbear as scp: dns name resolving
12c193b dropbear tcp connect ssh ports for scp
c050077 rcdnsmasq: remove redundant rule and make rcsysntpd optional
8c5de35 this is a bug
8d5c463 uhttpd rcboot rcdnsmasq
094266e hostapd and wpa_supplicant
aef0bd7 mountroot: maintains /tmp/sysupgrade.tar
24f0406 dropbear: allow it to read tmp.fs files
2901433 firstboot mkfsf2fs rcboot
2c4afb7 blockmount mmc
465ca98 adds industrial i/o (iio) nodedev
82f686e mtd stordev: back that ubiblock0_4p1 up with a filecon
7df78bd ubus: "support" older ubusd versions that run as root
4458bce swconfig: allow using terminal (to print output)
e8d606d sslcert: openssl linked: this shaves off 200 bytes
93afffb jshn ntpdhotplug
0b847f0 wpad: reads /etc/ssl/openssl.cnf
f14ee34 indent fix
a0c7cad mtd, uhttpd, ubus and ntpdhotplug
d74f98f adds a not about checkreqprot requirement in some scenarios
affacce example: add policycoreutils-setfiles for make check
4f944dc kmodloader and fwenv:
efe36a3 netifd: adds a comment/reminder
581b087 more fw_printenv loose ends
30177a4 fw_setenv: needs mtd write access to set and delete env
da28f4c fw_printenv: some minor clean ups
a062053 fw_printenv missing rules
244ba5f blockmount: extroot and /rwm
0745a6a squid: allow squid to run sslcrtd with domain transition
b851df6 squid fix
8c55acd squid: adds certfile and allow connect http but...
b7c1f6d Makefile: exclude tinyproxy from mintesttgt (using squid)
5ff39bd squid: forgot about luci
5366c97 squid/rcsquid some basic fill in
8743da6 squid skeleton
687a43b adds squid 3128 port to httpproxy port

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-03-14 12:56:46 +00:00
Daniel Golle
da339a6d3f
rpcd: update to git HEAD
d3f2041 uci: manually clear uci_ptr flags after uci_delete() operations
 ccb7517 sys: packagelist: drop ABI version from package name

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-11 00:39:16 +00:00
Daniel Golle
b5f6d20560
opkg: update to git HEAD
d71856a pkg: pass-through ABIVersion to status file

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-11 00:39:09 +00:00
Daniel Golle
ffeb37047e
procd: update to git HEAD
945d0d7 utils: fix C style in header file
 2cfc26f inittab: detect active console from kernel if no console= specified

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-08 00:11:55 +00:00
Daniel Golle
cec580cba8
fstools: fix build with glibc
stropts.h is unavailable under glibc (and unneeded when building
against glibc). Include it only if not building against glibc.

Reported-by: @DazzyWalkman
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-05 02:07:01 +00:00
Daniel Golle
ec76cbc521
fstools: update to git HEAD
19d7d93 libfstools: partname: several fixes

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-02 19:16:15 +00:00
Daniel Golle
1cd4a02c8e
procd: update to git HEAD
64e9f3a procd: fix compilation with newer musl

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-02 19:16:10 +00:00
Daniel Golle
3ffc30f05a
selinux-policy: update to version 0.7
a857b45 resolv/locale: eventually this should be more efficient
 11ed281 some more optimization
 764a475 add redundant calls to file.search_conffile_dirs()
 7d4558e fs: treat devtmpfs that same as tmpfs
 81b677e adds irqbalance skeleton
 5506244 irqbalance rules
 cc96cd8 adds usbutil and gtpfdisk skels
 01e2a55 some fsck, gptfdisk, mkfs and usbutil rules
 d6d1e7d usbutil: output to terminal
 da576fa fsck, gptfdisk and usbutil rules
 09b39e9 unbound
 241a029 hotplugcall: allow dac_read_search (is a subset of dac_override)
 af0fe90 adds label for tcsh
 160f79e adds tcpdump
 6d02b96 adds coreutil execfile for busybox alternatives
 ac54884 coreutilexecfile: these are known to require privileges, so exclude
 8cb3b66 adds chrootexecfile
 6d329d3 this saves 9KiB and its a bit more robust
 88e2425 move addpart/delpart/partx to gptfdisk.cil
 261012d ntphotplug: reads ubox data files
 0473ace various
 740e820 work through to genfs_seclabel_symlinks loose ends (Linux 5.10)
 bef21f5 TODO adds a note about how I dont need to upgrade to polver 33 from 31
 cb2e5a3 ubus uses ntpdhotplug fd, and some genfs_seclabel_symlink changes
 07df9b9 luci, rpcd and wpad (mainly genfs_selabel related but not all)
 8d86cab genfs_seclabel loose ends for blockmount, hotplugcall, irqbalance, zram-swap
 b8156cd adds a note about how i forgot to target blockd
 6e82ab8 adds blockd and related
 254ff43 Makefile: exclude blockd from mintesttgt
 4dc6bc2 pppd update related and unbound-odhcp rules

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-28 18:02:02 +00:00
Daniel Golle
b7d125f455 fstools: update to git HEAD
bad1835 fstools: add partname volume driver

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-28 00:09:09 +00:00
David Bauer
9a9cf40dd9 download: add mirror alias for Debian
Add an alias for Debian packages and download them from the Debian
mirror redirector.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-02-26 20:41:00 +01:00
Daniel Golle
5f1bd95278
procd: update to git HEAD
2be57ed cosmetics: provide compatible system info on Aarch64
 37eed13 system: expose if system was booted from initramfs

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-23 13:16:23 +00:00
Álvaro Fernández Rojas
f107e1668c mtd: fixtrx: support CFE imagetag on bmips target
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2021-02-22 18:09:03 +01:00
Petr Štetiar
1bf6d70e60 openwrt-keyring: add OpenWrt 21.02 GPG/usign keys
49283916005d usign: add 21.02 release build pubkey
bc4d80f064f2 gpg: add OpenWrt 21.02 signing key

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-02-20 15:59:47 +01:00
Felix Fietkau
d02088762a build: reorder more BuildPackages lines to deal with ABI_VERSION
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-16 11:29:38 +01:00
Felix Fietkau
8edb1797d5 libubox: update to the latest version, set ABI_VERSION dynamically
2537be018587 cmake: add a possibility to set library version

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 19:41:13 +01:00
Daniel Golle
3010f16f44 procd: add hotplug-call dispatcher ubus objects
Add per-subsystem ubus objects exposing hotplug-call.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-08 00:57:14 +00:00
Daniel Golle
381a458d58 selinux-policy: update to version 0.6
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-05 13:17:49 +00:00
Daniel Golle
740af59b9c procd: update to git HEAD
0aee1c3 hotplug.c: set nl_pid to zero
 d6dda31 procd: fix compiler warning
 92c8e8f jail: remove duplicate check for hook file permissions
 0a74c06 jail: only output BPF instr. table header if debugging
 fd18379 jail: cgroups: fix uninitialized variabl

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-02 13:29:36 +00:00
Daniel Golle
f4d974d7f8 selinux-policy: update to git tag v0.5
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-31 14:02:19 +00:00
Paul Menzel
ea1cdd1901 ca-certicficates: Update to version 20210119
Update the ca-certificates and ca-bundle package from version 20200601 to
version 2021019.

This version uses Python 3 for the build, fixing a build issue on systems,
where `/usr/bin/python3` is a wrapper script [1].

Debian change-log entry [2]:

>   [ Julien Cristau ]
>   * New maintainer (closes: #976406)
>   * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate
> authority
>     bundle to version 2.46.
>     The following certificate authorities were added (+):
>     + "certSIGN ROOT CA G2"
>     + "e-Szigno Root CA 2017"
>     + "Microsoft ECC Root Certificate Authority 2017"
>     + "Microsoft RSA Root Certificate Authority 2017"
>     + "NAVER Global Root Certification Authority"
>     + "Trustwave Global Certification Authority"
>     + "Trustwave Global ECC P256 Certification Authority"
>     + "Trustwave Global ECC P384 Certification Authority"
>     The following certificate authorities were removed (-):
>     - "EE Certification Centre Root CA"
>     - "GeoTrust Universal CA 2"
>     - "LuxTrust Global Root 2"
>     - "OISTE WISeKey Global Root GA CA"
>     - "Staat der Nederlanden Root CA - G2" (closes: #962079)
>     - "Taiwan GRCA"
>     - "Verisign Class 3 Public Primary Certification Authority - G3"
>
>   [ Michael Shuler ]
>   * mozilla/blacklist:
>     Revert Symantec CA blacklist (#911289). Closes: #962596
>     The following root certificates were added back (+):
>     + "GeoTrust Primary Certification Authority - G2"
>     + "VeriSign Universal Root Certification Authority"
>
>   [ Gianfranco Costamagna ]
>   * debian/{rules,control}:
>     Merge Ubuntu patch from Matthias Klose to use Python3 during build.
>     Closes: #942915

[1]: https://github.molgen.mpg.de/mariux64/mxtools/issues/148
[2]: https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20210119_changelog

Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
2021-01-29 21:20:40 +01:00
Adrian Schmutzler
331892f85f treewide: drop shebang from non-executable lib files
This drops the shebang from another bunch of files in various /lib
folders, as these are sourced and the shebang is useless.

Fix execute bit in one case, too.

This should cover almost all trivial cases now, i.e. where /lib is
actually used for library files.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-29 14:29:41 +01:00
Daniel Golle
e02a41f67d rpcd: update to git HEAD
fd017ba iwinfo: add ht and vht operation info to wifi scan
 4c66b31 iwinfo: export center channel for info ubus call
 e28d4a5 iwinfo: add support for 802.11ad and GCMP
 5c15f57 iwinfo: return hwmode 'ad' on 802.11ad-only hardware
 ea7f471 iwinfo: include ht_operation data only if available

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-07 00:21:23 +00:00
Jo-Philipp Wich
79fe06a7dc Revert "rpcd: update to git HEAD"
This reverts commit 190e793963.

This update introduces a potential null-pointer deref with subsequent rpcd
crash when querying wireless info for non-nl80211 wdevs.

Additionally it wrongly includes ht frequency information for non-ht BSSes.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2021-01-06 13:45:30 +01:00
Daniel Golle
190e793963 rpcd: update to git HEAD
fd017ba iwinfo: add ht and vht operation info to wifi scan
 4c66b31 iwinfo: export center channel for info ubus call
 e28d4a5 iwinfo: add support for 802.11ad and GCMP
 5c15f57 iwinfo: return hwmode 'ad' on 802.11ad-only hardware

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-05 22:57:20 +00:00
Daniel Golle
498fb1b8aa fstools: fix 'firstboot' on unmounted UBIFS overlay
The usual OpenWrt-way of writing the JFFS2-marker in order to have
a filesystem erased at the next boot fails on UBIFS volumes due to
UBI being a different beast when it comes to writing.
As truncating a UBIFS volume only takes a few milliseconds and has the
desired effect of wiping-out all content of that volume, just do that
instead.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-04 21:07:35 +00:00
Daniel Golle
8348896357 opkg: update to git HEAD
9bbc7ea pkg_hash: pkg_hash_check_unresolved: fix segfault

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-24 11:12:57 +00:00
Rui Salvaterra
116191eddf zram-swap: remove the compression streams settings
Zram switched to per-cpu compression streams since Linux 4.7 [1]. Drop the
irrelevant configuration (no-op).

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/block/zram?h=v4.7&id=43209ea2d17aae1540d4e28274e36404f72702f2

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-12-13 13:55:03 -10:00
Daniel Golle
54239ccfe7 procd: update to git HEAD
111416d jail: remove unreachable code
 7f12c89 treewide: replace local mkdir_p implementations

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-12 23:34:10 +00:00
Daniel Golle
278b1e95a7 fstools: update to git HEAD
0c6fb90 jffs2-reset: allow doing a factory reset and passing a sysupgrade.tgz
 4862530 mount: restorecon: guard against execl() errors
 f415323 block: replace local mkdir_p implementation

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-12 23:34:10 +00:00
Daniel Golle
be6aa93e4d selinux-policy: update to version 0.4
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-12 14:45:32 +00:00
Paul Spooren
6ea03ec94c opkg: remove legacy dist and extra_data
efb26a3 libopkg: remove "extra_data" option
1d67ab7 libopkg: remove support for "dist" config

Reduces opkg size by about 400 Bytes.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-12-09 23:24:38 -10:00
Sven Roederer
13961da6ce procd: also depend on jshn
fixes "file no found" error on stripped down images, caused by prod.sh:43.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2020-12-05 22:18:07 -10:00
Daniel Golle
4dc5b64760 procd: output warning if user 'ubus' doesn't exist
6acc48c early: fall-back to run ubus as root if user can't be found

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-04 14:41:26 +00:00
Daniel Golle
533895e05e ubus: make sure ubusd starts in case user 'ubus' doesn't exist
d1d9ddf ubusd: attempt to create socket folder

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-04 14:41:26 +00:00
Daniel Golle
c71500fd45 procd: update to git HEAD
f3c3563 jail: improve seccomp BPF generator
 f67a66f jail: always call cgroups_free()
 4625350 jail: seccomp: improve code readability

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-30 10:39:15 +00:00
Daniel Golle
8cf0ac3f1f procd: update to git HEAD
3019f50 jail: leak less memory
 7e01453 jail: fix segfault on missing name and refactor
 5abee8f jail: fix and simplify userns uid/gid maps from OCI
 4ba72ec jail: relax /etc/resolv.conf creation
 db5ef86 jail: don't use NULL arguments for mount syscall
 19ac9df jail: don't fail if can't mount-bind /etc/resolv.conf
 acf36f2 jail: seteuid before clone(CLONE_NEWUSER)
 e40828f jail: fix typo in usage output
 b87984b jail: don't attempt to mount /sys with noatime
 b275b11 jail: enter existing cgroups namespace if given
 31e0a46 jail: properly initialize timens_fd

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-27 01:23:43 +00:00
Paul Spooren
66732c5cd9 opkg: cleanup man pages and md5 fixup
66f458d fix md5sum calculation
02eaf9c man: remove obsolete manual pages

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-25 14:46:46 -10:00
Paul Spooren
7c114f33dd opkg: purge package from cache on hash mismatch
61b3c62 opkg_verify_integrity: better logging and error conditions
f73d42f download: purge cached packages that have incorrect checksum
1c1480e download: factor out the logic for building cache filenames
293b1ce libopkg: factor out checksum and size verification
a786e25 download: remove compatibility with old cache naming scheme

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-24 22:06:37 -10:00
Daniel Golle
2eb0d711a4 procd: update to git HEAD
d4d78db uxc: also delete procd runtime state on 'delete'
 e935c0c jail: add 'debug' extern variable to preload_seccomp

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-23 00:32:48 +00:00
Daniel Golle
6e9b707ee2 Revert "refpolicy: add variant that builds modular policy"
This reverts commit 9eb9943f82.
Building the 'modular' variant requires 'semodule_package' from
'selinux-python' to be installed on the buildhost.
Apart from that, this change also broke the monolithic refpolicy
'targeted' build.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-22 15:20:35 +00:00
Daniel Golle
8262c99fc3 procd: update to git HEAD
04a2edd uxc: make force-delete kill container process
 be6da62 seccomp: silence 'unknown syscall' warnings
 b22e625 jail: cgroup hack: rewrite cgroup -> cgroup2
 df7fa7b uxc: fix incomplete commit

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-22 03:24:33 +00:00
Daniel Golle
62a3430f9b procd: drop legacy seccomp support, switch to OCI parsers
d8f36f5 seccomp: specifying architectures is optional
 d352e6e seccomp: switch to new OCI compliant parser
 c110405 trace: switch to OCI seccomp JSON output

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-17 13:12:37 +00:00
Huangbin Zhan
86917e4979 rpcd: remove file when applied
Make sure exit value of this script is zero. Or the file won't be deleted.

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
2020-11-12 18:19:44 +01:00
Jianhui Zhao
8d7a6d48eb ca-certificates: canonical the build dir
The previous build directory "build_dir/target-xx/work/"
contaminated the entire build directory.

Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
2020-11-12 18:19:44 +01:00
W. Michael Petullo
9eb9943f82 refpolicy: add variant that builds modular policy
This adds a variant of refpolicy that builds the modular form of the
policy. While this requires more memory on the target device, along with
some tricks to deal with OpenWrt's volatile /var directory, it is useful
for experiementing with SELinux policy.

Signed-off-by: W. Michael Petullo <mike@flyn.org>
2020-11-09 13:06:19 +00:00
Daniel Golle
9867d08e07 procd: bump to git HEAD
b0de894 jail: fix capabilities

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-07 06:03:49 +00:00
Daniel Golle
c8a81ada58 procd: bump to git HEAD
2f381fe jail: guard boolean blobmsg attributes
 602b8fa jail: add option for pidfile
 bba6de7 jail: handle mount propagation flags
 6963d50 jail: relax seccomp unknown syscall handling
 e1fcfdc jail: add support for absolute root path in OCI spec
 257f29b jail: don't fail if maskedPath cannot be found
 75f2374 uxc: mimic runc cmdline by using getopt_long

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-05 02:17:25 +00:00
Daniel Golle
08d90a75f9 opkg: clean up and fix performance regression
da9746a libopkg: clean up handling of unresolved dependencies

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-03 04:43:19 +00:00
Daniel Golle
f5c5a8abd2 opkg: fix yet another dependency resolution bug
The previous fix of a fix caused yet another problem leading to
`opkg show-upgradable` ending up in an infinite loop.
Fix that.

Fixes: 4a2b1ff7fb ("opkg: fix dependency resolution")
Reported-by: Huangbin Zhan <zhanhb88@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-02 23:31:50 +00:00
Daniel Golle
4a2b1ff7fb opkg: fix dependency resolution
The previous commit broke opkg in a way that it would no longer
include dependencies when installing a package, effectively leading
to broken images and unusable systems.
Fix that by making sure dependencies are still going to be checked.
Also reduce size of struct abstract_pkg as suggested by @jow- while at
it.

Fixes: 1445d333aa ("opkg: bump to git HEAD")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-02 20:51:30 +00:00
Florian Eckert
0232bf601d zram-swap: use new extra_command wrapper
Use new `extra_command` wrapper to fix the alignement.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2020-11-02 21:32:38 +01:00
Daniel Golle
1445d333aa opkg: bump to git HEAD
8769c75 pkg_hash: don't suggest incompatible packages

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-30 00:39:09 +00:00
Petr Štetiar
43fe0bd18d uci: fix package mirror hash
I've forget to update PKG_MIRROR_HASH in my previous package version
bump.

Fixes: 095cc2b745 ("uci: update to version 2020-10-06")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-10-27 22:58:27 +01:00
Petr Štetiar
095cc2b745 uci: update to version 2020-10-06
52bbc99f69ea Replace malloc() + memset() with calloc()
3fbd6c923434 ucimap: Check return of malloc()
eae126f66663 file: Check buffer size after strtok()
7f574273180a file: use size_t for position and pointer
19770b6949b9 file: use dynamic memory allocation for tempfile name
aa46546794ac file: uci_file_commit: fix memory leak
671c7554bfde uci: silence UBSAN error by using offsetof macro from compiler
ea5bbd57d0e1 tests: cram: add uci import testing on fuzzer corpus
31f78bfbf75f cmake: add uci-san cli built with clang sanitizers
a3e650911f5e file: uci_parse_package: fix heap use after free
9bd361ca3236 tests: add libFuzzer based fuzzing

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-10-27 22:51:59 +01:00
Daniel Golle
2a0d08d827 ubus: bump to git HEAD
ad0cd11 ubusd_acl: add support for wildcard in methods

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-25 18:23:45 +00:00
Daniel Golle
ccb283c71c procd: ujail fixes
ec461ff jail: mount more stuff read-only
33b799b ujail: elf: work around GCC bug on MIPS64

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-25 12:41:44 +00:00
Daniel Golle
bd8c3314fb ubox: run logd non-root as user logd
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-25 12:36:22 +00:00
Daniel Golle
0b31713c85 rpcd: adapt defaults for changed ubus.sock path
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-22 15:13:38 +01:00
Daniel Golle
a2def3663a procd: jail: clean up capability handling and non-root ubusd
Unify capability handling to only use OCI spec parsers even for ujail
slim containers which previously supposedly used their own format.

 80c9516 cgroups: restrict allowed keys in 'unified' section
 5ade567 cgroups: memory controller fixes
 3121467 early: run ubusd non-root as user ubus, group ubus
 12a5b97 jail: adapt to new ubus socket path
 788d144 instance: actually wire up capabilities filename
 ebc5a7f jail: nuke old capabilities code in favour of reusing OCI code
 6c5233a jail: capabilities: apply in two phases

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-21 15:22:30 +01:00
Daniel Golle
2dffadece9 ubus: prepare to run ubusd as non-root user
Move /var/run/ubus.sock to /var/run/ubus/ubus.sock in preparation for
having ubusd run as non-root user.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-21 15:20:10 +01:00
Daniel Golle
00c28c51fb
selinux-policy: update to git tag v0.3
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-16 13:49:38 +01:00