| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
8a60e7e trace: don't leak file descriptor in error path
68df9ac procd: fix container deletion
f16abe0 uxc: add JSON output option for 'list' command
a23c888 jail: prepare for adding process to existing namespace
50da8a4 instance: allow jailed service to join namespace(s)
482d1ab Revert "jail: do not hack /etc/resolv.conf on container rootfs"
1eb4371 jail: start ubus and netifd instances for container with netns
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The previous procd update broke mounting overlayfs in an attempt to
fix an off-by-one error. Revert that broken fix and apply fix from
Nick Hainke <vincent@systemli.org> instead to bring things back to
life.
20adf53 Revert "initd: fix off-by-one error in mkdev.c"
773e8da initd: fix off-by-one error in mkdev.c
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
| |
96d8bf2 trace: fix potential use-after-free occurence
8eb1d78 initd: fix off-by-one error in mkdev.c
86f82f3 utils: don't ignore open() return value
f5fe04b jail: actually check calloc return value
269c9e4 trace: preload: avoid NULL-dereference here as well
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
| |
df251c2 uxc: move mountpoint of persistent config to /var/run/uxc
e5b38fd trace: free memory allocated by blobmsg_format_json_indent()
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
8a8306d uxc.c: fix coverity resource leak warning
7f2398e jail: devices: create parent folder when creating devices
0603c8d jail: return to hook callback instead of just calling it
3edb7eb jail: check return value when opening console
af048a3 jail: use portable sizeof(void *)
6010bd3 utils: make sure read() string is 0 terminated
f6daca3 uxc: free string returned by blobmsg_format_json_indent()
51f1cd2 trace: free string returned by blobmsg_format_json_indent()
d716cb5 trace: handle open() return value and make sure string is terminated
b824a89 jail: preload: avoid NULL-dereference in case things go wrong
167dc24 jail: protect against strcat buffer overflows
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
procd.sh:
Instead of triggering on every mount.add event, there should be no
mount trigger at all in case none of the directories passed to
procd_add_*_mount_trigger() are located on a mountpoint configured in
/etc/config/fstab.
uxc:
add missing dependency on rpcd.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
| |
040fecc system: fix issues reported by Coverity
48f481b service: make sure string read is null terminated
16dbc2a uxc: fix a bunch of issues discovered by Coverity
ff9002f uxc: fix help output
104b49d uxc: support config in uvol
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
| |
48638ad hotplug-dispatch: yet another rare memory leak disovered by Coverity
459b3e8 jail: fix several issues discovered by Coverity
2562e2b ujail-console: add missing error handling discovered by coverity
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
9f233f5 system: make rootfs type accessible through board call
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Change procd_add_start_mount_trigger to procd_add_restart_mount_trigger
and make it call 'restart' instead of 'start'.
This is more useful as it allows to handle both cases, intial start of
a services as well as restarting services. Calling 'restart' on a
service which has not yet been started has the same result as calling
'start'.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
e10de28 jail: cgroups-bpf: fix compile with musl 1.2
f5d9b14 hotplug-dispatch: fix rare memory leaks in error paths
Add new init script helpers:
procd_add_start_mount_trigger
procd_add_reload_mount_trigger
procd_get_mountpoints
Both trigger helpers expect a list of paths which are checked against
the mount targets configured in /etc/config/fstab and a trigger for all
mountpoints covered by the list of paths is setup.
procd_get_mountpoints is useful to find out if and which mountpoints
are covered by a list of paths.
Example:
DATADIRS="/mnt/data/foo /mnt/data/bar /etc/foo/baz /var/lib/doe"
start_service() {
[ "$_BOOT" = "1" ] &&
[ "$(procd_get_mountpoints $DATADIRS)" ] && return 0
procd_open_instance
# ...
procd_close_instance
}
boot() {
_BOOT=1 start
}
service_triggers() {
procd_add_start_mount_trigger $DATADIRS
}
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix build on glibc targets and address a bunch of compiler warnings.
93fc089 jail: cgroups-bpf: don't use sys/reg.h when building with glibc
548d057 jail: don't ignore return value of seteuid()
220b716 jail: ignore return value when creating default /dev symlinks
78d5baa hotplug-dispatch: don't ignore asprintf() return value
736aee5 uxc: always handle asprintf() return value
2b20456 hotplug-dispatch: replace wrongly used assert()
bfc86a2 jail: cgroups: replace wrongly used assert()
516bdf2 jail: don't ignore return value of write()
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
f26233e watchdog: Add an info message if the watchdog reset the system
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
| |
772292e uxc: don't restart containers when mount shows up
3a9d910 uxc: resolve volume UUIDs by name of UCI fstab section
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
9bd1b7f jail: refactor directory handling for rootfs and overlaydir
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
0545905 jail: make use of realpath() for rootfs and overlaydir
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
0ee73b2 uxc: implement support for rootfs overlay in containers
b0a8ea1 jail: do not hack /etc/resolv.conf on container rootfs
92aba53 jail: increase max additional env records to 64
15997e6 jail: allow rootfs to be a symbolic link
0114c6f jail: open() extroot folder before mounting
ed96eda uxc: check for required blockd mounts
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
2dcefbd jail: add support for cgroup devices as in OCI run-time spec
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if
make TOPDIR="$(pwd)" -C "$pkgdir" compile
was called manually. In most of the cases, I just saw warnings like this:
make: Entering directory '/home/.../package/gluon-status-page'
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
[...]
While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.
After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
|
| |
|
|
|
|
| |
021ece8 procd: Use /dev/console for serial console if exists
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
7ee4563 procd: Adding support to detect Pantavisor Container Platform
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
| |
Enable seccomp features on Aarch64.
3e88c6f jail/seccomp: add support for aarch64
c23d8bf trace: fix build on aarch64
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
| |
945d0d7 utils: fix C style in header file
2cfc26f inittab: detect active console from kernel if no console= specified
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
64e9f3a procd: fix compilation with newer musl
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
| |
2be57ed cosmetics: provide compatible system info on Aarch64
37eed13 system: expose if system was booted from initramfs
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
Add per-subsystem ubus objects exposing hotplug-call.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
| |
0aee1c3 hotplug.c: set nl_pid to zero
d6dda31 procd: fix compiler warning
92c8e8f jail: remove duplicate check for hook file permissions
0a74c06 jail: only output BPF instr. table header if debugging
fd18379 jail: cgroups: fix uninitialized variabl
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
| |
111416d jail: remove unreachable code
7f12c89 treewide: replace local mkdir_p implementations
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
fixes "file no found" error on stripped down images, caused by prod.sh:43.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
|
| |
|
|
|
|
| |
6acc48c early: fall-back to run ubus as root if user can't be found
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
| |
f3c3563 jail: improve seccomp BPF generator
f67a66f jail: always call cgroups_free()
4625350 jail: seccomp: improve code readability
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
3019f50 jail: leak less memory
7e01453 jail: fix segfault on missing name and refactor
5abee8f jail: fix and simplify userns uid/gid maps from OCI
4ba72ec jail: relax /etc/resolv.conf creation
db5ef86 jail: don't use NULL arguments for mount syscall
19ac9df jail: don't fail if can't mount-bind /etc/resolv.conf
acf36f2 jail: seteuid before clone(CLONE_NEWUSER)
e40828f jail: fix typo in usage output
b87984b jail: don't attempt to mount /sys with noatime
b275b11 jail: enter existing cgroups namespace if given
31e0a46 jail: properly initialize timens_fd
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
| |
d4d78db uxc: also delete procd runtime state on 'delete'
e935c0c jail: add 'debug' extern variable to preload_seccomp
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
| |
04a2edd uxc: make force-delete kill container process
be6da62 seccomp: silence 'unknown syscall' warnings
b22e625 jail: cgroup hack: rewrite cgroup -> cgroup2
df7fa7b uxc: fix incomplete commit
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
| |
d8f36f5 seccomp: specifying architectures is optional
d352e6e seccomp: switch to new OCI compliant parser
c110405 trace: switch to OCI seccomp JSON output
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
b0de894 jail: fix capabilities
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
2f381fe jail: guard boolean blobmsg attributes
602b8fa jail: add option for pidfile
bba6de7 jail: handle mount propagation flags
6963d50 jail: relax seccomp unknown syscall handling
e1fcfdc jail: add support for absolute root path in OCI spec
257f29b jail: don't fail if maskedPath cannot be found
75f2374 uxc: mimic runc cmdline by using getopt_long
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
| |
ec461ff jail: mount more stuff read-only
33b799b ujail: elf: work around GCC bug on MIPS64
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unify capability handling to only use OCI spec parsers even for ujail
slim containers which previously supposedly used their own format.
80c9516 cgroups: restrict allowed keys in 'unified' section
5ade567 cgroups: memory controller fixes
3121467 early: run ubusd non-root as user ubus, group ubus
12a5b97 jail: adapt to new ubus socket path
788d144 instance: actually wire up capabilities filename
ebc5a7f jail: nuke old capabilities code in favour of reusing OCI code
6c5233a jail: capabilities: apply in two phases
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
| |
Fixes: 962e73c1a4 ("procd: add selinux variant")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
| |
This commit adds a `selinux` variant to `procd` allowing to load an
SELinux policy at boot.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a patch to procd to support loading the SELinux
policy early at boot time, and adjusts the procd package to use this
SELinux support when libselinux is enabled.
The procd patch has been submitted separately [1]: obviously the
intent is to have it merged in the procd Git repository rather than
have it in OpenWrt itself.
[1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025791.html
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
[split commit into openwrt.git and procd.git]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
47a9f0d service: add method to query available container features
afbaba9 initd: attempt to mount cgroup2
ead60fe jail: use pidns semantics also for timens
759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
83053b6 instance: add instances into unified cgroup hierarchy
16159bb jail: parse OCI cgroups resources
282ff0c jail: only free cgroups if they were allocated
ab55357 jail: fix freeing cgroups avl
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
This reverts commit e0e607f0d000e62c6af8d822d7c3f57c2a582136.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
47a9f0d service: add method to query available container features
afbaba9 initd: attempt to mount cgroup2
ead60fe jail: use pidns semantics also for timens
759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
83053b6 instance: add instances into unified cgroup hierarchy
16159bb jail: parse OCI cgroups resources
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
| |
28be011 instance: make sure values are not inherited from previous runs
2ae5cbc uxc: remove debugging left-over
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
c3ca99f jail: serialize hook execution
8ff8970 jail: add some remaining OCI features
9d5fa0a uxc: behave more like a compliant OCI run-time
1274033 uxc: fix create operation
2d811a4 jail: add 'kill' method to container.%s object
08133b8 uxc: use new container.%s kill ubus API
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
| |
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
| |
48777de rcS: cast format string to int64_t
a4df90f jail: fix wrong format for 32-bit
c482c5d jail: add support for referencing existing namespaces
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Further complete OCI container support in ujail:
f5f305e jail: move /tmp/resolv.conf.d to /dev/resolv.conf.d
6f078ae jail: add support for defining devices
686cf7a jail: actually apply filesystem-specific mount options
f91009a jail: refactor default mounts into new structure
66ae2d9 jail: re-implement /proc/sys/net read-write in netns hack
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
