Commit Graph

1116 Commits

Author SHA1 Message Date
Petr Štetiar
8a9733ee0d rpcd: bump version to 2022-08-24
gcc 10 with -O2 reports following:

 In function ‘strncpy’,
     inlined from ‘rpc_sys_packagelist’ at /opt/devel/openwrt/c-projects/rpcd/sys.c:244:4:
 /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 128 equals destination size [-Werror=stringop-truncation]
   106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 In function ‘strncpy’,
     inlined from ‘rpc_sys_packagelist’ at /opt/devel/openwrt/c-projects/rpcd/sys.c:227:4:
 /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 128 equals destination size [-Werror=stringop-truncation]
   106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Since it is not possible to avoid truncation by strncpy, it is necessary
to make sure the result of strncpy is properly NUL-terminated and the
NUL must be inserted explicitly, after strncpy has returned.

References: #10442
Reported-by: Alexey Smirnov <s.alexey@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 34ddd2e545)
2022-08-25 11:05:20 +02:00
Jo-Philipp Wich
8f4a2e4234 rpcd: update to latest Git HEAD
ae5afea ucode: parse ucode plugin scripts in raw mode, init search path

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 66a360206e)
2022-08-25 10:33:14 +02:00
Florian Eckert
5c69416246 fstools: add uci fstab section to conffiles for package block-mount
The command 'opkg search /etc/config/fstab' does not return a package
name for this config file. In order to know to which package this config
file belongs to, a 'conffiles' entry was made for this file to package
'block-mount'.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 885f04b305)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-08-12 22:46:51 +02:00
Josef Schlehofer
a8001815a6 opkg: update to 2022-02-24
Changes:
9c44557 opkg_remove: avoid remove pkg repeatly with option --force-removal-of-dependent-packages
2edcfad libopkg: set 'const' attribute for argv

This should fix the CI error in the packages repository, which happens with perl.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit e21fea9289)
2022-07-17 15:15:11 +02:00
Daniel Golle
4afa65af8e
fstools: update to git HEAD
93369be Revert "fstools: remove SELinux restorecon hack"

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit b641dadc13)
2022-06-05 11:38:20 +01:00
Daniel Golle
0a47d52287 ubus: update to git HEAD
2f793a4 lua: add optional path filter to objects() method
 2bebf93 ubusd: handle invoke on event object without data

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 1521d5f453)
2022-06-05 11:38:12 +01:00
Daniel Golle
19f287a7ca
procd: update to git HEAD
557c98e init: selinux: don't relabel virtual filesystems
 7a00968 init: only relabel rootfs if started from initramfs

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4cbc26b212)
2022-06-05 11:37:52 +01:00
Daniel Golle
2ac5ee7f8a fstools: update to git HEAD
9e11b37 fstools: remove SELinux restorecon hack

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4509b790f0)
2022-05-03 20:32:48 +01:00
Daniel Golle
ffe12f8b48 procd: update to git HEAD
652e6df init: restore SELinux labels after policy is loaded

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit fb01111866)
2022-05-03 20:32:48 +01:00
Dominick Grift
efc38b315e selinux-policy: update to version 1.1
try to clean up some labeling inconsistencies
iwinfo loose ends
ucode loose ends
Makefile: adjust mintesttgt (adds blockmount/blockd)
nftables: reads inherited netifd pipe
ucode: reads inherited netifd pipes
mountroot: fowner
sandbox: writes inherited dropbear pipes
unbound related to /tmp/etc/ssl
unbound loose ends
adds a sslconftmpfile for /tmp/etc/ssl
README: maintain a wish list in the README
iwinfo: netifd forgot write
gptfdisk loose ends
iwinfo: netifd wpad reads/writes inherited netifd fifo files
netifd (mac80211.sh) executes iwinfo
luci: executes wireguard
luci-cgi: audits xtables execute access
rcuhttpd: lists ssl certfile dirs
iwinfo, wifi,nftables usage of ttyd pty if available
urandomseed: seedrng needs cap_sys_admin
iwinfo iwinfo, nftables and some chronyd rules related to ntp nts server
nftables, wifi and adds iwinfo skel
nftables, rpcd, ucode
nftables, ucode and seedrng ucode, fw3/nftables, luci
adds ucode skel and some fw3/nftables related
urandomseed: some seedrng rules
fw3 adds some support for fw4
urandomseed: /etc/seedrng is for seed.credit
hotplugcal: runs ucode which is interpreter like
adds a nftables skeleton and makes xtables optional
agent: allow all agents to write inherited dropbear pipes
urandomseed: this seems to be replaced by seedrng
kmodloader: label /etc/modules.conf kmodloader.conffile
Revert "shelexecfile: remove auditallow rule"
Makefile: sort the modules to process by secilc
Moves back to git.defensec.nl
unbound odhcpd (ip) reads net proc
tcp dump
shelexecfile: remove auditallow rule
rrd.cil: fixes indent
Target rddtool from cgi-io instead of runnit it without transition
rrd.cil related
rrd, rpcd, cgiio clean ups related to luci-app-statistics
Rules for rrd files and luci-statistics
unboundcontrol ordering
Several missing permissions
blockmount, dnsmasq, hotplugcall, rpcd, unbound
adds mctp_socket (linux 5.15)
ip: forgot tc-tiny type transition to go along with the fc spec
ip: adds a fc spec for tc-tiny (called by sqm)
adds ttyACM fc spec and various assorted loose ends
.gitattributes: do not export the github workflows
workflow use selinux 3.3

project moved back to https://git.defensec.nl/selinux-policy.git

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
(cherry picked from commit 4379457098)
2022-05-03 20:32:48 +01:00
Daniel Golle
dc71658a80 fstools: update to git HEAD
f0fc66a libfstools: check for overlay mounting errors
 128ecaf Update / fix extroot comments
 8a0ba3b libfstools: get rid of "extroot_prefix" global variable
 649cd3f libfstools: use variable for overlay mount-point
 922f1b3 libfstools: avoid segfault in find_mount_point
 ce5eacb libfstools: mtd: improve error handling
 898b328 blockd: restore device_move semantics
 0917d22 block: don't probe mtdblock on NAND (with legacy exceptions)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4e8d095013)
2022-05-03 20:31:37 +01:00
Daniel Golle
7cd482662f
procd: update to git HEAD
6343c3a procd: completely remove tmp-on-zram support
 5c5e63f uxc: fix potential NULL-pointer dereference
 eb03f03 jail: include necessary files for per-netns netifd instance

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 2c8873033e)
2022-04-15 14:12:04 +01:00
Petr Štetiar
b8f076c9a4 openwrt-keyring: fix broken install step
In commit 2d03f27f0f ("openwrt-keyring: make opkg use 22.03 usign
key") I've accidentally removed the `endef` keyword, so fix it by adding
it back.

Fixes: 2d03f27f0f ("openwrt-keyring: make opkg use 22.03 usign key")
Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-27 11:48:31 +02:00
Petr Štetiar
2d03f27f0f openwrt-keyring: make opkg use 22.03 usign key
In order to make opkg usable with artifacts produced by project's
buildbot:

 Downloading https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/x86_64/luci/Packages.sig
 Signature check failed.
 Remove wrong Signature file.

References: https://gitlab.com/openwrt/docker/-/jobs/2255191689
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-27 11:06:40 +02:00
Petr Štetiar
161ff660fc openwrt-keyring: add OpenWrt 22.03 GPG/usign keys
62471e693b4f usign: add 22.03 release build public key
 70817cffc905 gpg: add OpenWrt 22.03 signing key

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 759886345d)
2022-03-25 14:28:50 +01:00
Florian Eckert
b9017384ca procd: move service command to procd
The service command belongs to the procd and does not belong in the
shinit. In the course of the move, the script was also checked with
shellcheck and cleaned up.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2022-03-19 16:13:58 +01:00
Rui Salvaterra
247eaa4416 procd: remove support for mounting /tmp in zram
The /tmp directory is mounted as tmpfs. The tmpfs filesystem is backed by
anonymous memory, which means it can be swapped out at any time, if there is
memory pressure [1]. For this reason, a zram swap device is a much better
choice than mounting /tmp on zram, since it's able to compress all anonymous
memory, and not just the memory assigned to /tmp. We already have the zram-swap
package for this specific purpose, which means procd's tmp-on-zram is both
redundant and more limited.

A follow-up patch will remove support for mounting /tmp in zram from procd
itself.

[1] https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2022-03-03 20:22:25 +00:00
Stijn Tintel
58212a6194 ubus: bump to git HEAD
66baa44 libubus: introduce new status messages
  b3cd5ab cli: use UBUS_STATUS_PARSE_ERROR
  584f56a cli: improve error logging for call command

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-02-28 16:18:37 +02:00
Sergey V. Lobanov
e6a4f30ed7 iucode-tool: fix host-compile on macos and non-x86 linux
iucode-tool/host is used by intel-microcode to manipulate with
microcode.bin file. iucode-tool requires cpuid.h at compile time
for autodection feature, but non-x86 build hosts does not have
this header file (e.g. ubuntu 20.04 aarch64) or this header
generates compile time error (#error macro) (e.g. macos arm64).

This patch provides compat cpuid.h to build iucode-tool/host on
non-x86 linux hosts and macos. CPU autodectection is not required
for intel-microcode package build so compat cpuid.h is ok for
OpenWrt purposes.

glibc and argp lib are not present in macos so iucode-tool/host
build fails. This patch adds argp-standalone/host as build
dependency if host os is macos.

Generated ucode (intel-microcode package) is exactly the same on
Linux x86_64 (Ubuntu 20.04), Linux aarch64 (Ubuntu 20.04) and
Darwin arm64 (MacOS 11.6) build hosts.

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-02-26 19:52:41 +01:00
Daniel Golle
48ace62114
procd: update to git HEAD
a87d010 uxc: remove unused printf parameter
 ad65249 instance: exit in case asprintf() fails

Build with glibc should again work after this commit.

Fixes: e9e61d76fd ("procd: update to git HEAD")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-02-19 00:11:55 +00:00
Daniel Golle
e9e61d76fd
procd: update to git HEAD
df1123e uxc: add support for user-defined settings
 0272c7c uxc: allow editing settings using 'create'
 a839518 uxc: clean up error handling

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-02-18 03:03:34 +00:00
Daniel Golle
5205010a54
procd: simplify uxc init script
'uxc boot' is inteded to be called multiple times, so there is not need
to guard the first call on boot -- the actual code anyway didn't do
that, so just remove it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-02-13 23:31:27 +00:00
Jo-Philipp Wich
07eccc29ab rpcd: update to latest Git HEAD
909f2a0 ucode: adjust to latest ucode api
4c532bf ucode: add ucode interpreter plugin
9c6ba38 treewide: adjust ubus object type names
75a96dc build: honour CMake install prefix in hardcoded paths

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:37 +01:00
Daniel Golle
b6a2cee4b7
ubox: fix broken deferred start of logfile writer
Just use 'start' action which will have the desired effect instead of
trying to introduce a 'start_file' action which didn't work that way
because procd jshn magic would have to wrap around it.

Fixes: 88baf6ce2c ("ubox: only start log to file when filesystem has been mounted")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-31 15:03:25 +00:00
Daniel Golle
5d110c0161
procd: seccomp/jail: Fix build error on arm with glibc
From: Peter Lundkvist <peter.lundkvist@gmail.com>

This fixes the make_syscall_h.sh script to recognize both
__NR_Linux, used by mips, and __NR_SYSCALL_BASE and
__ARM_NR_BASE used by arm.

Run-tested on arm (ipq806x) and mips (ath79), both with glibc.
Compile-tested and checked resulting syscall_names.h file wuth
glibc: aarch64, powerpc, x86_64, i486
musl: arm, mips

Fixes: FS#4194, FS#4195

Signed-off-by: Peter Lundkvist <peter.lundkvist@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-31 00:10:42 +00:00
Daniel Golle
88baf6ce2c
ubox: only start log to file when filesystem has been mounted
If log_file is on an filesystem mounted using /etc/config/fstab we have
to wait for that to happen before starting the logread process.
Inhibit the start of the file-writer process and use a mount trigger to
fire it up once the filesystem actually becomes available.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-30 20:19:37 +00:00
Daniel Golle
6d76ec3872
procd: support generic mount triggers and clean up
Allow init scripts to trigger free-form actions by exposing
procd_add_action_mount_trigger.
Clean up mount trigger wrappers while at it to reduce code duplication.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-30 20:16:25 +00:00
Daniel Golle
8c31f6bcab
procd: update to git HEAD
ca6c35c uxc: usage message cosmetics
 e083dd4 uxc: fix two minor issues reported by Coverity
 35dfbff procd: jail/cgroups: correctly enable "rdma" when requested
 3b3ac64 procd: mount /dev with noexec
 ac2b8b3 procd: clean up /dev/pts mounts

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-12 19:17:21 +00:00
Daniel Golle
000825d792
opkg: update to git HEAD of 2022-01-09
db7fb64 libopkg: pkg_hash: prefer to-be-installed packages
 2edcfad libopkg: set 'const' attribute for argv

This should fix the ImageBuilder problems people are having since we
introduced the 'uci-firewall' providers.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-09 20:10:32 +00:00
Daniel Golle
15d0c4d5cd
procd: update to git HEAD
eb522fc uxc: consider uvol and etc location for configurations
 16a6ee9 uxc: integrate console into uxc
 129d050 remove ujail-console

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-12-20 02:23:47 +00:00
Daniel Golle
56b14fdeb2
procd: update to git HEAD
bb95fe8 jail: make sure jailed process is terminated

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-12-11 03:16:57 +00:00
Christian Lamparter
25bc66eb40 ca-certificates: fix python3-cryptography woes in certdata2pem.py
This patch is a revert of the upstream patch to Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")

The reason is, that this change broke builds with the popular
Ubuntu 20.04 LTS (focal) releases which are shipping with an
older version of the python3-cryptography package that is not
compatible.

|Traceback (most recent call last):
|  File "certdata2pem.py", line 125, in <module>
|    cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1

...or if the python3-cryptography was missing all together:
|Traceback (most recent call last):
|  File "/certdata2pem.py", line 31, in <module>
|    from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'

More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway.
Right now it seems to be just a warning but I could imagine that
eventually certs are simply omitted of found to be expired at
build time which would break reproducibility."

Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-12-01 17:52:35 +01:00
Christian Lamparter
7c99085bd6 ca-certicficates: Update to version 20211016
Update the ca-certificates and ca-bundle package from version 20210119 to
version 20211016.

Debian change-log entry [1]:
|[...]
|[ Julien Cristau ]
|* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
|    bundle to version 2.50
|    The following certificate authorities were added (+):
|    + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
|    + "GlobalSign Root R46"
|    + "GlobalSign Root E46"
|    + "GLOBALTRUST 2020"
|    + "ANF Secure Server Root CA"
|    + "Certum EC-384 CA"
|    + "Certum Trusted Root CA"
|    The following certificate authorities were removed (-):
|    - "QuoVadis Root CA"
|    - "Sonera Class 2 Root CA"
|    - "GeoTrust Primary Certification Authority - G2"
|    - "VeriSign Universal Root Certification Authority"
|    - "Chambers of Commerce Root - 2008"
|    - "Global Chambersign Root - 2008"
|    - "Trustis FPS Root CA"
|    - "Staat der Nederlanden Root CA - G3"
|  * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
|[...]

[1] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20211016_changelog>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-11-30 20:14:26 +01:00
Jo-Philipp Wich
50bc06e774 procd: setup /dev/stdin, /dev/stdout and /dev/stderr symlinks
Extend the hotplug.json ruleset to setup the common /dev/std{in,out,err}
symbolic links which are needed by some applications, e.g. nftables when
applying rulesets from stdin.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2021-11-23 14:03:39 +00:00
Daniel Golle
507f50df07
procd: update to git HEAD
8de12de system: add diskfree infos to ubus
 bf3fe0e service: move jail parsing to end of instance parser
 87b5836 procd: add full service shutdown prior to sysupgrade
 01ac2c4 procd: service_stop_all: also kill inittab actions

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-23 14:03:23 +00:00
Daniel Golle
c1ab687349
fstools: update to git HEAD
77c0288 fstools: fix a couple of minor code problems

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-20 21:09:59 +00:00
Daniel Golle
9224ddf72d
procd: update to git HEAD
9d1431e jail: allow passing environment variable to procd jailed process

Fixes dnsmasq in ujail which needs USER_SCRIPT env variable to be
passed to jailed process.

Reported-by: Bastian Bittorf <bb@npl.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-11 14:09:25 +00:00
Daniel Golle
32ba52e217
rpcd: reload rpcd on installation of rpcd-mod-*
When installing additional rpcd modules, a restart of rpcd is required.
This often confuses users as even after installing rpcd-mod-rpcsys the
relevant ubus objects are still missing until rpcd has been reloaded
(or the system has been rebooted, obviously).
Let rpcd-mod-* reload rpcd as post-install action.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-08 14:21:02 +00:00
Felix Fietkau
1cead21e8b procd: make rpcd dependency conditional
Avoids building rpcd when not needed

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-04 16:54:31 +01:00
Stijn Tintel
f5cdf9cb78 procd: bump to git HEAD
0ee8e73 trigger: use uloop_timeout_remaining64

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 15:01:53 +02:00
Stijn Tintel
6a7388f673 rpcd: bump to git HEAD
20bf958 session: use uloop_timeout_remaining64
 d11ffe9 session: use blobmsg_get_u64 for RPC_DUMP_EXPIRES

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 14:58:31 +02:00
Daniel Golle
fab84bf18c
procd: update to git HEAD
1056fc4 jail: elf: Use 64 bit variables for elf offsets
 c1976e5 jail: elf: Remove MIPS 64 warning

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-01 18:20:24 +00:00
Daniel Golle
d05eae9249
fstools: update to git HEAD
19fd7fc libfstools: make sure file is closed on error
 d390744 libfstools: use uevent instead of relying on custom kernel patch

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-01 18:01:08 +00:00
Felix Fietkau
d7843fd7ef ubus: update to the latest version
b743a331421d ubusd: log ACL init errors
2099bb3ad997 libubus: use list_empty/list_first_entry in ubus_process_pending_msg
ef038488edc3 libubus: process pending messages in data handler if stack depth is 0
a72457b61df0 libubus: increase stack depth for processing obj msgs

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-01 12:00:21 +01:00
Dominick Grift
04c5bcd074 selinux-policy: update to version 1.0
wifi: writes to terminal
hotplugcall and sqm read class sysfile symlinks
unbound and sqm related loose ends
support/example: policycoreutils host-compile is required
TODO: this was wrong and it is actually needed
linguist detectable does not work this way
linguist-detectable
updates README
adds workflows
adds a note about persistent /var option

project moved to https://github.com/DefenSec/selinux-policy

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-28 22:15:02 +01:00
Hauke Mehrtens
eeeb9b7496 uci: update to git HEAD
cmake: Allow override of install directories

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-10-22 23:51:51 +02:00
Hauke Mehrtens
0ca81ff047 procd: update to git HEAD
jail: Fix build with glibc

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-10-22 23:51:50 +02:00
Daniel Golle
333f93333e
procd: update to git HEAD
9b1e035 jail: netifd: code cosmetics
 d2a2ecc jail: netifd: fix error handling issue reported by coverity
 e1d7cee jail: netifd: check target netns fd before using it
 59f7699 uxc: add missing 'break' statement

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-17 21:58:47 +01:00
Florian Eckert
b118efa0d2
buildsystem: add CONFIG_SECCOMP
Until now, this feature was switched on via the kernel configuration
option KERNEL_SECCOMP.

The follwing change a7f794cd2a now requires that
the package procd-seccomp must also enabled for buildinmg.

However, this is not the case we have no dependency and the imagebuilder
cannot build the image, because of the implicit package selection.

This change adds a new configuration option CONFIG_SECCOMP.
The new option  has the same behaviour as the configuration
option CONFIG_SELINUX.

If the CONFIG_SECCOMP is selected then the package procd-seccomp and
KERNEL_SECCOMP is enabled for this build.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-16 02:00:47 +01:00
Daniel Golle
213ce1d837
procd: update to git HEAD
97bcdcf uxc: fix segfault caused by use-after-free
 6398e05 uxc: don't free the stack
 324ebd0 jail: fs: add support for asymmetric mount bind
 c44ab7f jail: netifd: generate netifd uci config and mount it
 82dd390 jail: make use of per-container netifd via ubus

The new per-jail netifd is now configured by filtering the host
network configuration. As libuci is used for that, procd-ujail now
depends on libuci.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-13 00:40:29 +01:00