This commit adds a patch to procd to support loading the SELinux
policy early at boot time, and adjusts the procd package to use this
SELinux support when libselinux is enabled.
The procd patch has been submitted separately [1]: obviously the
intent is to have it merged in the procd Git repository rather than
have it in OpenWrt itself.
[1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025791.html
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
[split commit into openwrt.git and procd.git]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: maurerr <mariusd84@gmail.com>
Remove `if !SMALL_FLASH` in places which are anyway already augmented
by `if !SMALL_FLASH`.
Always enable CONFIG_BLK_DEV_THROTTLING on !SMALL_FLASH devices rather
than just enabling it on bcm27xx.
Enabled CPU bandwidth provisioning for FAIR_GROUP_SCHED on !SMALL_FLASH
devices as CONFIG_FAIR_GROUP_SCHED is already enabled and becomes more
useful for cgroups with that option enabled as well.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: maurerr <mariusd84@gmail.com>
SELinux support requires setting the appropriate SELinux security context
to files and directories, which needs to happen at build time in order
to support read-only root filesystem scenarios. In order to create these
security contexts, we will have to run some SELinux-specific tools on
the host machine, but that requires root access. This adds support for
fakeroot, which the build process will use to run the SELinux security
context creation and the image creation.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Apply to current master, and adjust commit message
Thomas' original work is available at
http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025976.html.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
[add rules.mk FAKEROOT variable]
Signed-off-by: Paul Spooren <mail@aparcar.org>
[update, fix macos build]
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: maurerr <mariusd84@gmail.com>
The variable in the case argument was mistyped, so the case always
checked against an empty string and never matched.
Fix the variable name. Add a PKG_RELEASE to Makefile so we can bump it.
Fixes: d6de31310c ("cmake: restore parallel build support for bootstrap")
Signed-off-by: Piotr Stefaniak <pstef@freebsd.org>
[add commit message, add PKG_RELEASE, fix commit title, add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
This reverts commit 685570858d.
The commit had several formal flaws, revert it and hopefully apply
it properly next time.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
This adds support for ZyXEL NBG6616 uboot-env access
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[add "ar71xx" to commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
As the ath79 port of this device uses a combined kernel + root
partition the uboot bootcmd variable needs to be changed. As using
cli/luci is more convenient than opening up the case and using a uart
connection, let's unlock the uboot-env partition for write access.
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
Signed-off-by: maurerr <mariusd84@gmail.com>
The variable in the case argument was mistyped, so the case always
checked against an empty string and never matched.
Fix the variable name.
Signed-off-by: Piotr Stefaniak <pstef@freebsd.org>
[add commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
mac80211 reports a packet loss event to user space when 50 consecutive packets
were not acked. On a high throughput link with long aggregates and sudden
link changes, this can trigger way too easily.
Mitigate false positives by only triggering the event on a packet loss if
no ACK was received for at least a second.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: maurerr <mariusd84@gmail.com>
Add a specific comment for early DSA-adopters that they can keep
their config when prompted due to compat-version increase.
This is a temporary solution, the patch should be simply reverted
before any release.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
This ports support for the TL-WA901ND v3 from ar71xx to ath79.
Most of the hardware is shared with the TL-WA850/860RE v1 range
extenders. It completes the TL-WA901ND series in ath79.
Specifications:
Board: AP123 / AR9341
Flash/RAM: 4/32 MiB
CPU: 535 MHz
WiFi: 2.4 GHz b/g/n
Ethernet: 1 port (100M)
Flashing instructions:
Upload the factory image via the vendor firmware upgrade option.
This has not been tested on device, but port from ar71xx is
straightforward and the device will be disabled by default anyway.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
Replace all the custom patches with the backported upstream version
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
[refresh patches]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
The ath79 target has CONFIG_LEDS_GPIO=y set in kernel config, so
no need to pull the kmod-leds-gpio module for specific devices.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
This implements the newly introduced compat-version to prevent
broken upgrade between swconfig and DSA for ramips' mt7621 subtarget.
In order to make the situation more transparent for the user, and
to prevent large switch-cases for devices, it is more convenient to
have the entire subtarget 1.1-by-default. This means that new devices
will be added with 1.1 from the start, but in contrast we don't need
to switch them in board.d files. Apart from that, users that manually
backport devices to 19.07 with swconfig will have an equivalent
upgrade experience to officially supported devices.
Since DSA support on mt7621 is out for a while already, this applies
the same uci-defaults workaround for early adopters as already
done for kirkwood and mvebu in previous commits.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
It has been reported that the current message displayed during
upgrade with compat_version change is misleading for "legacy"
devices, i.e. those without the "new" fwtool. This is partially
caused by the fact that we need to exploit the supported_devices
string to get some message text displayed for these devices.
This patch modifies the message to make it more helpful and
include additional information, e.g.
  Device linksys,wrt3200acm not supported by this image
  Supported devices: linksys,wrt3200acm linksys-whateverelse - Image
  version mismatch: image 1.1, device 1.0. Please wipe config during
  upgrade (force required) or reinstall. Reason: Config cannot be
  migrated from swconfig to DSA
Note that the line breaks (except the one before Supported devices)
are added manually here, I hesitate to hack \n into the
supported_devices as well. The "Reason:" will only be displayed if
DEVICE_COMPAT_MESSAGE is set for the device, otherwise
"Please check documentation ..." will be shown instead.
While at it, also rearrange the code in image-commands.mk to
make lines shorter and remove the double filter-out command.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
Conceptually, the compat-version during sysupgrade is meant to
describe the config. Therefore, if somebody starts with a device on
19.07 and swconfig, and that person does a forceful upgrade into a
DSA-based firmware without wiping his/her config, then the local
compat-version should stay at 1.0 according to the config present
(and not get updated).
However, this poses a problem for those people that early-adopted
DSA in master, as they already have adjusted their config for DSA,
but it still is "1.0" as far as sysupgrade is concerned. This can
be healed by a simple
  uci set system.@system[0].compat_version="1.1"
  uci commit system
But this needs to be applied _after_ the upgrade (as the "old" fwtool
on the old installation does not know about compat_version) and it
requires access via SSH (i.e. no pure GUI solution is available for
this group of people, apart from wiping their config _again_ for
no technical reason). Despite, the situation will not become
obvious to those just upgrading via GUI, they will just have the
experience of a "broken upgrade".
This is a conflict which cannot be resolved by achieving both goals,
we have to decide to either keep the strict concept or improve the
situation for early adopters.
In this patch, we address the issue by providing a uci-defaults
script that will raise the compat_version for _all_ people upgrading
into a 1.1 image, no matter whether they have reset config or not.
The idea is to implement this as a _temporary_ solution, so early
adopters can upgrade into the new mechanism without issues, and
after a few weeks/months we could remove the uci-defaults script
again.
If we e.g. remove the script just before 20.xx.0-rc1, early adopters
should have moved on by then, and existing stable users would still
get the intended experience.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
Conceptually, the compat-version during sysupgrade is meant to
describe the config. Therefore, if somebody starts with a device on
19.07 and swconfig, and that person does a forceful upgrade into a
DSA-based firmware without wiping his/her config, then the local
compat-version should stay at 1.0 according to the config present
(and not get updated).
However, this poses a problem for those people that early-adopted
DSA in master, as they already have adjusted their config for DSA,
but it still is "1.0" as far as sysupgrade is concerned. This can
be healed by a simple
  uci set system.@system[0].compat_version="1.1"
  uci commit system
But this needs to be applied _after_ the upgrade (as the "old" fwtool
on the old installation does not know about compat_version) and it
requires access via SSH (i.e. no pure GUI solution is available for
this group of people, apart from wiping their config _again_ for
no technical reason). Despite, the situation will not become
obvious to those just upgrading via GUI, they will just have the
experience of a "broken upgrade".
This is a conflict which cannot be resolved by achieving both goals,
we have to decide to either keep the strict concept or improve the
situation for early adopters.
In this patch, we address the issue by providing a uci-defaults
script that will raise the compat_version for _all_ people upgrading
into a 1.1 image, no matter whether they have reset config or not.
The idea is to implement this as a _temporary_ solution, so early
adopters can upgrade into the new mechanism without issues, and
after a few weeks/months we could remove the uci-defaults script
again.
If we e.g. remove the script just before 20.xx.0-rc1, early adopters
should have moved on by then, and existing stable users would still
get the intended experience.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
The bootloader fails to extract a big kernel, e.g. v5.4 kernel image
with ALL_KMODS enabled. This can be fixed by using lzma-loader.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Signed-off-by: maurerr <mariusd84@gmail.com>
Currently the lzma-loader is placed in RAM at 32MB offset, which does not
make sense for devices with only 32MB RAM. If we adjust LZMA_TEXT_START to
24MB offset, then the lzma-loader can be used on those devices and still
about 24MB memory will be available for uncompressed image, which should be
enough for most use cases.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Signed-off-by: maurerr <mariusd84@gmail.com>
Exchange the patch fixing the kernel ringbuffer WARNING flood for the
one accepted upstream.
Fixes commit a956c14d6a ("mac80211: util: don't warn on missing sband
iftype data")
Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: maurerr <mariusd84@gmail.com>
The hostapd configuration logic is supposed to accept "option key" as
legacy alias for "option auth_secret". This particular fallback option
failed to work though because "key" was not a registered configuration
variable.
Fix this issue by registering the "key" option as well, similar to the
existing "server" and "port" options.
Ref: https://github.com/openwrt/openwrt/pull/3282
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: maurerr <mariusd84@gmail.com>
If an existing "wpa_psk_file" is passed to hostapd, the "key" option may
be omitted.
While we're at it, also improve the passphrase length checking to ensure
that it is either exactly 64 bytes or 8 to 63 bytes.
Fixes: FS#2689
Ref: https://github.com/openwrt/openwrt/pull/3283
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: maurerr <mariusd84@gmail.com>
Add a dependency on kmod-nls-base for the new exfat driver. Otherwise
the build fails on ramips and ath79 on kernel 5.4:
  Package kmod-fs-exfat is missing dependencies for the following libraries:
  nls_base.ko
Fixes commit cd41234d2f ("exfat: add out of tree module")
Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: maurerr <mariusd84@gmail.com>
The board name is equivalent to the compatible, not the device
definition. Fix it.
Fixes: b4588c8538 ("kernel/om-watchdog: Apply device renames from ramips")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
The subtarget has testing support for kernel 5.4 for quite a while
and builds fine, however, only one device there is > 4 MiB.
Since it's unlikely to get a Tested-by for that device, and the other
ralink subtargets appear to be working with 5.4 so far, let's set
this target to 5.4 by default as well.
That way, even if the device happens to break, we'll still have at
least usable SDK and IB for people to use.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
When comparing to the port assignment in board.d/02_network, many
devices seem to use the wrong setup of mediatek,portmap.
This corrects the values for mt7620 subtarget based on the location
of the wan port.
A previous cleanup of obviously wrong values has already been done in
d3c0a94405 ("ramips: mt7620/mt7621: remove invalid mediatek,portmap")
Cc: Sungbo Eo <mans0n@gorani.run>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
Add package which provides size optimized wpad with support for just
WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[adapt to recent changes, add dependency for WPA_WOLFSSL config]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
For ramips/mt7621, the wpad-basic package is not selected by default,
but added for every device individually as needed.
While this might be technically correct if the SoC does not come with
a Wifi module, only 18 of 97 devices for that platform are set up
_without_ wpad-basic currently.
Therefore, it seems more convenient to add wpad-basic by default for
the subtarget and then just remove it for the 18 mentioned devices,
instead of having to add it for about 60 times instead.
This would also match the behavior of the 5 other subtargets, where
wpad-basic/wpad-mini is added by default as well, and thus be more
obvious to developers without detailed SoC knowledge.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: maurerr <mariusd84@gmail.com>
When passing a section or option value to config_get() which contains
characters that happen to be valid variable interpolation expressions,
the function returns a nonsensical expression result instead of the
expected empty string.
When the passed section or option name contains other characters which
are not valid within a shell variable name, a substitution error is
occurring instead.
The issue can be easily reproduced by one of the following examples:
  root@OpenWrt:~# . /lib/functions.sh
  root@OpenWrt:~# config_load system
  root@OpenWrt:~# config_get variable invalid-section option
  root@OpenWrt:~# echo "$variable"
  section_option:-

  root@OpenWrt:~# . /lib/functions.sh
  root@OpenWrt:~# config_load system
  root@OpenWrt:~# config_get variable section invalid-option
  root@OpenWrt:~# echo "$variable"
  option:-

  root@OpenWrt:~# . /lib/functions.sh
  root@OpenWrt:~# config_load system
  root@OpenWrt:~# config_get variable section invalid@option
  -ash: eval: syntax error: bad substitution

Fix this issue by only performing interpolations when the given section
and option arguments are free of illegal characters.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: maurerr <mariusd84@gmail.com>
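
The failure mode described in the commit message above, reduced to a stand-alone sketch. This is an added example, not OpenWrt's `/lib/functions.sh`: the function names `lookup_unchecked`, `lookup_checked` and `is_name` are hypothetical, the `CONFIG_<section>_<option>` variable naming is an assumption, and returning the caller's default for rejected names is this example's own choice.

```sh
#!/bin/sh
# Added illustration, not OpenWrt's /lib/functions.sh; function names are hypothetical.
# Constructed sample state, assuming a CONFIG_<section>_<option> naming scheme.
CONFIG_system_hostname="OpenWrt"

# is_name: succeed only for a non-empty string made of [A-Za-z0-9_].
is_name() {
	case "$1" in
		"" | *[!A-Za-z0-9_]*) return 1 ;;
	esac
	return 0
}

# Unchecked lookup: section and option are pasted into the expansion that
# eval parses, so a "-" inside a name is read as the ${var-word} operator.
lookup_unchecked() { # <outvar> <section> <option> [default]
	eval "$1=\${CONFIG_${2}_${3}:-\$4}"
}

# Checked lookup: interpolate only when both names are clean; otherwise
# hand back the caller's default (empty if none) without building an
# expansion from the rejected names.
lookup_checked() { # <outvar> <section> <option> [default]
	is_name "$1" || return 1
	if is_name "$2" && is_name "$3"; then
		eval "$1=\${CONFIG_${2}_${3}:-\$4}"
	else
		eval "$1=\$4"
	fi
}

lookup_unchecked bad invalid-section option
lookup_checked good invalid-section option
lookup_checked host system hostname
printf 'unchecked=[%s] checked=[%s] valid=[%s]\n' "$bad" "$good" "$host"
```

The unchecked call reproduces the `section_option:-` result from the first session above; the checked call returns an empty string for the same arguments.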
The only difference between both boards is the DSL annex.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Signed-off-by: maurerr <mariusd84@gmail.com>
All boards with EHCI enabled should also have OHCI enabled.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Signed-off-by: maurerr <mariusd84@gmail.com>
Current board patches format is crazy.
Let's try to put some order.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Signed-off-by: maurerr <mariusd84@gmail.com>
Before this commit, if uci option "dnssec" was set, we pass "--dnssec"
and friends to dnsmasq, let it start and decide whether to quit and
whether to emit message for diagnosis:
  # dnsmasq --dnssec; echo $?
  dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h
  1
DNSSEC as a feature is different from others like dhcp, tftp in that
it's a security feature. Better be explicit. With this change
committed, we make it so by not allowing it in the first place in the
initscript, should dnsmasq later decide not to quit (not likely) or
quit without the above explicit error (unlikely but less so ;)
So this is just being proactive. on/off choices with uci option
"dnssec" are still available like before.
Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: maurerr <mariusd84@gmail.com>
By using localtime() to determine the timestamp that goes into factory
images, the resulting image depends on the timezone of the build system.
Use gmtime() instead, which results in more reproducible images.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Signed-off-by: maurerr <mariusd84@gmail.com>
The target has testing support for kernel 5.4 for quite a while,
compiles fine for all devices, and has been run-tested on Asus
RT-N56U successfully.
Let's set it to kernel 5.4 by default to increase the audience
before a 20.xx stable branch.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Eneas U de Queiroz <cotequeiroz@gmail.com> [Asus RT-N56U]
This allows better context for board patches and we no longer need a
downstream patch for that.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
The patch adding support for the second LED HW blinking interval has been
merged (linux 5.9).
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
47a9f0d service: add method to query available container features
afbaba9 initd: attempt to mount cgroup2
ead60fe jail: use pidns semantics also for timens
759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
83053b6 instance: add instances into unified cgroup hierarchy
16159bb jail: parse OCI cgroups resources
282ff0c jail: only free cgroups if they were allocated
ab55357 jail: fix freeing cgroups avl
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This patch adds support for the WNDR4300TN, marketed by Belgian ISP
Telenet. The hardware is the same as the WNDR4300 v1, without the
fifth ethernet port (WAN) and the USB port. The circuit board has
the traces, but the components are missing.
Specifications:
* SoC: Atheros AR9344
* RAM: 128 MB
* Flash: 128 MB NAND flash
* WiFi: Atheros AR9580 (5 GHz) and AR9344 (2.4 GHz)
* Ethernet: 4x 1000Base-T
* LED: Power, LAN, WiFi 2.4GHz, WiFi 5GHz, WPS
* UART: on board, to the right of the RF shield at the top of the board
Installation:
* Flashing through the OEM web interface:
  + Connect your computer to the router with an ethernet cable and browse
    to http://192.168.0.51/
  + Log in with the default credentials, which are admin:password
  + Browse to Advanced > Administration > Firmware Upgrade in the Telenet
    interface
  + Upload the OpenWrt firmware: openwrt-ath79-nand-netgear_wndr4300tn-squashfs-factory.img
  + Proceed with the firmware installation and give the device a few
    minutes to finish and reboot.
* Flashing through TFTP:
  + Configure your wired client with a static IP in the 192.168.1.x range,
    e.g. 192.168.1.10 and netmask 255.255.255.0.
  + Power off the router.
  + Press and hold the RESET button (the factory reset button on the bottom
    of the device, with the gray circle around it, next to the Telenet logo)
    and turn the router on while keeping the button pressed.
  + The power LED will start flashing orange. You can release the button
    once it switches to flashing green.
  + Transfer the image over TFTP:
    $ tftp 192.168.1.1 -m binary -c put openwrt-ath79-nand-netgear_wndr4300tn-squashfs-factory.img
Signed-off-by: Davy Hollevoet <github@natox.be>
[use DT label reference for adding LEDs in DTSI files]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specification:
- CPU: MediaTek MT7620N (580 MHz)
- Flash size: 4 MB NOR SPI
- RAM size: 32 MB DDR1
- Bootloader: U-Boot
- Wireless: MT7620N 2x2 MIMO 802.11b/g/n (2.4 GHz)
- Switch: MT7620 built-in 10/100 switch with vlan support
- Ports: 4x LAN, 1x WAN
- Others: 7x LED, Reset button, UART header on PCB (57600 8N1)
Flash instructions:
1. Use ethernet cable to connect router with PC/Laptop, any router
   LAN port will work.
2. To flash openwrt we are using nmrpflash[1].
3. Flash commands:
   First we need to identify the correct Ethernet id.
     nmrpflash -L
     nmrpflash -i net* -f openwrt-ramips-mt7620-netgear_jwnr2010-v5-squashfs-factory.img
   This will show something like "Advertising NMRP server on net*..." (net*, *=1,2,3... etc.)
4. Now remove the power cable from router back side and immediately connect it again.
   You will see flash notification in CMD window, once it says reboot the device just
   plug off the router and plug in again.
Revert to stock:
1. Download the stock firmware from official netgear support[2].
2. Follow the same nmrpflash procedure like above, this time just use the stock firmware.
     nmrpflash -i net* -f N300-V1.1.0.54_1.0.1.img
MAC addresses on stock firmware:
LAN = *:28 (label)
WAN = *:29
WLAN = *:28
On flash, the only valid MAC address is found in factory 0x4.
Special Note:
This openwrt firmware will also support other netgear N300 routers like below as they
share same stock firmware[3].
JNR1010v2 / WNR614 / WNR618 / JWNR2000v5 / WNR2020 / WNR1000v4 / WNR2020v2 / WNR2050
[1] https://github.com/jclehner/nmrpflash
[2] https://www.netgear.com/support/product/JWNR2010v5.aspx
[3] http://kb.netgear.com/000059663
Signed-off-by: Shibajee Roy <ador250@protonmail.com>
[create DTSI, use netgear_sercomm_nor, disable by default, add MAC
addresses to commit message, add label MAC address]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>