b743a331421d ubusd: log ACL init errors
2099bb3ad997 libubus: use list_empty/list_first_entry in ubus_process_pending_msg
ef038488edc3 libubus: process pending messages in data handler if stack depth is 0
a72457b61df0 libubus: increase stack depth for processing obj msgs
Signed-off-by: Felix Fietkau <nbd@nbd.name>
wifi: writes to terminal
hotplugcall and sqm read class sysfile symlinks
unbound and sqm related loose ends
support/example: policycoreutils host-compile is required
TODO: this was wrong and it is actually needed
linguist detectable does not work this way
linguist-detectable
updates README
adds workflows
adds a note about persistent /var option
project moved to https://github.com/DefenSec/selinux-policy
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Until now, this feature was switched on via the kernel configuration
option KERNEL_SECCOMP.
The follwing change a7f794cd2a now requires that
the package procd-seccomp must also enabled for buildinmg.
However, this is not the case we have no dependency and the imagebuilder
cannot build the image, because of the implicit package selection.
This change adds a new configuration option CONFIG_SECCOMP.
The new option has the same behaviour as the configuration
option CONFIG_SELINUX.
If the CONFIG_SECCOMP is selected then the package procd-seccomp and
KERNEL_SECCOMP is enabled for this build.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
97bcdcf uxc: fix segfault caused by use-after-free
6398e05 uxc: don't free the stack
324ebd0 jail: fs: add support for asymmetric mount bind
c44ab7f jail: netifd: generate netifd uci config and mount it
82dd390 jail: make use of per-container netifd via ubus
The new per-jail netifd is now configured by filtering the host
network configuration. As libuci is used for that, procd-ujail now
depends on libuci.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This reverts commit f536f5ebdd.
As Hauke commented, this causes builder failures on 5.4 kernels.
This revert includes changes to the mx100 kernel modules
dependency as well as the uci led definitions.
Tested-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This adds a userspace interpretation of the nu801 driver used by Meraki
hardware. Previously this was a driver that was added per target, but as
multiple targets now have this driver, we should move to something that
can be shared by all targets since no driver exists upstream.
Co-developed-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Currently, the fstab service starts after the log service which breaks
the ability to write a persistent log file to a filesystem mounted by
the fstab service. Thus, change the start order of the fstab service so
it starts right before the log service.
Fixes: b131853 ("ubox: update to latest git revision")
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
[set to 11 to be explicitly before log, not only alphabetically, SPDX]
Signed-off-by: Paul Spooren <mail@aparcar.org>
8a60e7e trace: don't leak file descriptor in error path
68df9ac procd: fix container deletion
f16abe0 uxc: add JSON output option for 'list' command
a23c888 jail: prepare for adding process to existing namespace
50da8a4 instance: allow jailed service to join namespace(s)
482d1ab Revert "jail: do not hack /etc/resolv.conf on container rootfs"
1eb4371 jail: start ubus and netifd instances for container with netns
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The previous procd update broke mounting overlayfs in an attempt to
fix an off-by-one error. Revert that broken fix and apply fix from
Nick Hainke <vincent@systemli.org> instead to bring things back to
life.
20adf53 Revert "initd: fix off-by-one error in mkdev.c"
773e8da initd: fix off-by-one error in mkdev.c
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
df251c2 uxc: move mountpoint of persistent config to /var/run/uxc
e5b38fd trace: free memory allocated by blobmsg_format_json_indent()
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
50e6b20 libfstools: handle open() return value properly in F2FS check
e1b6811 blockd: include missing libubox/utils.h
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
8a8306d uxc.c: fix coverity resource leak warning
7f2398e jail: devices: create parent folder when creating devices
0603c8d jail: return to hook callback instead of just calling it
3edb7eb jail: check return value when opening console
af048a3 jail: use portable sizeof(void *)
6010bd3 utils: make sure read() string is 0 terminated
f6daca3 uxc: free string returned by blobmsg_format_json_indent()
51f1cd2 trace: free string returned by blobmsg_format_json_indent()
d716cb5 trace: handle open() return value and make sure string is terminated
b824a89 jail: preload: avoid NULL-dereference in case things go wrong
167dc24 jail: protect against strcat buffer overflows
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
592ac0f add a note
4bacd14 sslcertfile: list /etc/ssl
7bdefa4 example: indicate that skip is an option
d1e9a85 wifi: sys pipe usage
eb903e1 README: add note about policycoreutils-setfiles weak dependency
762e011 ttyd: signull all subjects
fbfc079 acme: add basic support for acme_cleanup.sh and acme_setup.sh
9ac7592 acme: transition to sys.subj on generic initscript execution
f3dd1ba acme: missing rules related to sys.subj trans on file.initscriptfile
ae273fa odhcp6c/netifd: support drop-in directories
5fa9b41 subj: do not encourage misconfiguration
44722b6 blockd, logd, odhcpc6, ubiutil, mtdstordev
a775d93 21.02 related
a473691 rcboot runs rcuhttpd which creates /tmp/etc for /tmp/etc/uhttpd
290e9fb rcuhttpd: related to rcboot and uci-defaults
3fc0d8b rcuhttpd: lists /etc/uci-defaults
1f5ef48 removes ubvol.lock policy and adds move mtd/ubi partitions
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
procd.sh:
Instead of triggering on every mount.add event, there should be no
mount trigger at all in case none of the directories passed to
procd_add_*_mount_trigger() are located on a mountpoint configured in
/etc/config/fstab.
uxc:
add missing dependency on rpcd.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
040fecc system: fix issues reported by Coverity
48f481b service: make sure string read is null terminated
16dbc2a uxc: fix a bunch of issues discovered by Coverity
ff9002f uxc: fix help output
104b49d uxc: support config in uvol
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Change procd_add_start_mount_trigger to procd_add_restart_mount_trigger
and make it call 'restart' instead of 'start'.
This is more useful as it allows to handle both cases, intial start of
a services as well as restarting services. Calling 'restart' on a
service which has not yet been started has the same result as calling
'start'.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
e10de28 jail: cgroups-bpf: fix compile with musl 1.2
f5d9b14 hotplug-dispatch: fix rare memory leaks in error paths
Add new init script helpers:
procd_add_start_mount_trigger
procd_add_reload_mount_trigger
procd_get_mountpoints
Both trigger helpers expect a list of paths which are checked against
the mount targets configured in /etc/config/fstab and a trigger for all
mountpoints covered by the list of paths is setup.
procd_get_mountpoints is useful to find out if and which mountpoints
are covered by a list of paths.
Example:
DATADIRS="/mnt/data/foo /mnt/data/bar /etc/foo/baz /var/lib/doe"
start_service() {
[ "$_BOOT" = "1" ] &&
[ "$(procd_get_mountpoints $DATADIRS)" ] && return 0
procd_open_instance
# ...
procd_close_instance
}
boot() {
_BOOT=1 start
}
service_triggers() {
procd_add_start_mount_trigger $DATADIRS
}
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fix build on glibc targets and address a bunch of compiler warnings.
93fc089 jail: cgroups-bpf: don't use sys/reg.h when building with glibc
548d057 jail: don't ignore return value of seteuid()
220b716 jail: ignore return value when creating default /dev symlinks
78d5baa hotplug-dispatch: don't ignore asprintf() return value
736aee5 uxc: always handle asprintf() return value
2b20456 hotplug-dispatch: replace wrongly used assert()
bfc86a2 jail: cgroups: replace wrongly used assert()
516bdf2 jail: don't ignore return value of write()
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
141ac85 libblkid-tiny: fix invalid open syscall return check
9e26563 libblkid-tiny: install header file to include dir
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
46d02c2 block: don't add non-ubifs ubi devices
cc63933 blockd: send mount.ready when startup has completed
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
772292e uxc: don't restart containers when mount shows up
3a9d910 uxc: resolve volume UUIDs by name of UCI fstab section
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
a846c6b blockd: fix length of timeout int passed to ioctl
1d681ca block: support umount device basename
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
59f7c11 blockd: create mountpoint parent folder if needed
9cc96af Revert "block: resolve /dev/mapper/* name for /dev/dm-0 when hotplugging"
06334ac Revert "blockd: detect mountpoint of /dev/mapper/*"
9ab3551 block: use /dev/dm-* instead of /dev/mapper/*
5114595 block: allow remove hotplug event to arrive at blockd
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
0ee73b2 uxc: implement support for rootfs overlay in containers
b0a8ea1 jail: do not hack /etc/resolv.conf on container rootfs
92aba53 jail: increase max additional env records to 64
15997e6 jail: allow rootfs to be a symbolic link
0114c6f jail: open() extroot folder before mounting
ed96eda uxc: check for required blockd mounts
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4d4dcfb blockd: detect mountpoint of /dev/mapper/*
2f42515 block: resolve /dev/mapper/* name for /dev/dm-0 when hotplugging
39558a1 blockd: also send ubus notification on mount hotplug
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This partially reverts changes done in commit 72cc44958e ("treewide:
mark selected packages nonshared") as it removes the nonshared flag, but
keeps the PKG_RELEASE as the PKG_RELEASE bump while adding nonshared
flag was incorrect.
Unmark uci, ubus, libubox, lua, libnl-tiny and libjson-c as nonshared
packages as this fix attempt didn't worked out. Currently the
imagebuilder is broken again:
openwrt-imagebuilder-21.02.0-rc3-ipq40xx-generic.Linux-x86_64$ make image PROFILE=avm_fritzbox-7530 PACKAGES=luci-ssl-openssl
...
Collected errors:
* pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for luci-mod-status
* pkg_hash_fetch_best_installation_candidate: Packages for luci-mod-status found, but incompatible with the architectures configured
* pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for rpcd-mod-iwinfo
* pkg_hash_fetch_best_installation_candidate: Packages for rpcd-mod-iwinfo found, but incompatible with the architectures configured
* satisfy_dependencies_for: Cannot satisfy the following dependencies for luci-ssl-openssl:
* libiwinfo20210430
* opkg_install_cmd: Cannot install package luci-ssl-openssl.
Everything because iwinfo's ABI was changed two times since rc3 release:
+IWINFO_ABI_VERSION:=20210430
+IWINFO_ABI_VERSION:=20210420
Since iwinfo is marked as nonshared, it wasn't built by phase2 builders, but
luci-mod-status was already updated 2 times since rc3 and was thus rebuilt by
phase2 builders:
d1d452ed2fb3 luci-mod-status: don't set '-' hostname when creating static lease
95b3633055c1 luci-mod-status: switch to html table for wlan channel analysis
So now luci-mod-status depends on libiwinfo20210430 but only
libiwinfo20210106 can be downloaded. This is first part of the fix, in
the upcoming commit Jo is going to remove nonshared flag from iwinfo
package as well.
References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035736.html
References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035741.html
Acked-by: Jo-Philipp Wich <jo@mein.io>
Reported-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Remove redundant tags and name things more consistently.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[removed superflous dash]
Signed-off-by: Paul Spooren <mail@aparcar.org>
New swap devices are added in decreasing priority order, starting at -1. Make
sure the zram swap device has the highest priority, by default.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Instead of assuming /sbin contains the correct BusyBox symlinks, directly invoke
the busybox executable. The required utilities are guaranteed to be present,
since the zram-swap package selects them. Additionally, don't assume busybox
resides in /bin, rely on PATH to find it.
While at it, update the copyright year, use SPDX and switch to AUTORELEASE.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>