path: root/package/system
Commit message | Author | Age | Files | Lines
* procd: allow optional watchdog instance parameter | Daniel Bailey | 2020-07-14 | 1 | -2/+2
  Optional instance watchdog timeout and watchdog mode can be set by adding:
  procd_set_param $mode $timeout
  $mode is an integer [0-1] representing instance watchdog mode of operation:
  0 = disabled
  1 = passive mode, client must periodically poke watchdog via ubus
  $timeout is an integer representing how often, in seconds, the watchdog must be poked.
  Signed-off-by: Daniel Bailey <danielb@meshplusplus.com>
* procd: update to git HEAD | Daniel Golle | 2020-07-14 | 1 | -3/+3
  639df57 uxc: fix build with uClibc-ng
  b2230e4 procd: add service instance watchdog
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-13 | 1 | -3/+3
  aed7fb3 procd: fix compilation with uClibc-ng
  9d0f831 jail: fix segfault with len(uidmap/gidmap) > 1
  42a6217 jail: consider PATH for argv in OCI container
  83f4b72 jail: actually chdir into OCI defined CWD
  fc9f614 jail: parse and run OCI hooks
  02eec92 jail: memory allocation fixes
  71e75f4 jail: refactor mount support to cover OCI spec
  b586e7d jail: don't make mount source read-only
  dacab12 uxc: fix 'stop' command
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* zram-swap: correctly express the required dependencies | Rui Salvaterra | 2020-07-11 | 1 | -1/+1
  The block-mount swapon implementation doesn't support discard, so make zram-swap depend only on the default BusyBox implementation or, when unavailable, on the one present in the swap-utils package.
  Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
* zram-swap: enable swap discard | Rui Salvaterra | 2020-07-11 | 1 | -1/+1
  Zram block devices have supported trim/discard for over six years, let's enable it. This allows the zram device to actually free up allocated memory when it's marked as unused in the filesystem metadata, as explained in more detail in the original commit message [1].
  [1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/drivers/block/zram/zram_drv.c?h=linux-4.14.y&id=f4659d8e620d08bd1a84a8aec5d2f5294a242764
  Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
* procd: fix yet another build issue, this time with capabilities | Daniel Golle | 2020-07-11 | 1 | -3/+3
  3034eaf jail: use linux/capability.h instead of sys/capability.h
  Fixes: b6e440a0f5 ("procd: update to git HEAD")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: fix another seccomp-related build issue | Daniel Golle | 2020-07-11 | 1 | -3/+3
  3473671 ujail: add dependency on syscall-names-h
  Fixes: b6e440a0f5 ("procd: update to git HEAD")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail: fix build on platforms without seccomp support | Daniel Golle | 2020-07-11 | 1 | -3/+3
  Fixes: b6e440a0f5 ("procd: update to git HEAD")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-10 | 2 | -3/+41
  ea7a790 jail: add support for running OCI bundle
  bb4a446 uxc: add container management CLI tool
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* fstools: update to the latest version | David Woodhouse | 2020-07-08 | 1 | -3/+3
  d34ea8e Use autoclear for overlay loopback device
  Signed-off-by: David Woodhouse <dwmw2@infradead.org>
* zram-swap: init: replace backticks with $() | Rui Salvaterra | 2020-06-30 | 1 | -4/+4
  This replaces deprecated backticks by more versatile $(...) syntax.
  Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
  [add commit description]
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ubox: add ALTERNATIVES | Huangbin Zhan | 2020-06-26 | 1 | -7/+7
  This avoids a conflict with the kmod util from the package feed.
  Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
* urandom-seed: update Makefile | Sungbo Eo | 2020-06-24 | 1 | -5/+3
  - update SPDX license identifier
  - use https in URL
  - use default PKG_BUILD_DIR
  Suggested-by: Josef Schlehofer <josef.schlehofer@nic.cz>
  Tested-by: Josef Schlehofer <josef.schlehofer@nic.cz>
  Signed-off-by: Sungbo Eo <mans0n@gorani.run>
* mtd: enable wrgg support for ath79 | Stijn Tintel | 2020-06-11 | 1 | -1/+1
  This is required for the D-Link DAP-2695-A1.
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* ca-certificates: update to version 20200601 | Christian Lamparter | 2020-06-09 | 1 | -4/+4
  This patch updates the ca-certificates and ca-bundle package. This version changed the files directory again, to work/, so PKG_BUILD_DIR was brought back.

  A list of changes from Debian's change-log entry for 20200601 [0]:

  * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.40. Closes: #956411, #955038
  * mozilla/blacklist.txt
    Add distrusted Symantec CA list to blacklist for explicit removal. Closes: #911289
    Blacklist expired root certificate, "AddTrust External Root" Closes: #961907

  The following certificate authorities were added (+):
  + "Certigna Root CA"
  + "emSign ECC Root CA - C3"
  + "emSign ECC Root CA - G3"
  + "emSign Root CA - C1"
  + "emSign Root CA - G1"
  + "Entrust Root Certification Authority - G4"
  + "GTS Root R1"
  + "GTS Root R2"
  + "GTS Root R3"
  + "GTS Root R4"
  + "Hongkong Post Root CA 3"
  + "UCA Extended Validation Root"
  + "UCA Global G2 Root"

  The following certificate authorities were removed (-):
  - "AddTrust External Root"
  - "Certinomis - Root CA"
  - "Certplus Class 2 Primary CA"
  - "Deutsche Telekom Root CA 2"
  - "GeoTrust Global CA"
  - "GeoTrust Primary Certification Authority"
  - "GeoTrust Primary Certification Authority - G2"
  - "GeoTrust Primary Certification Authority - G3"
  - "GeoTrust Universal CA"
  - "thawte Primary Root CA"
  - "thawte Primary Root CA - G2"
  - "thawte Primary Root CA - G3"
  - "VeriSign Class 3 Public Primary Certification Authority - G4"
  - "VeriSign Class 3 Public Primary Certification Authority - G5"
  - "VeriSign Universal Root Certification Authority"

  [0] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20200601_changelog>
  Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* procd: update to git HEAD | Daniel Golle | 2020-05-28 | 1 | -3/+3
  b84a329 jail: use sane termios settings for console pts
  b9b39e2 jail: handle containers seperately
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* rpcd: update to latest Git HEAD | Jo-Philipp Wich | 2020-05-26 | 1 | -4/+4
  078bb57 uci: reset uci_ptr flags when merging options during section add
  3df62bc session: deny access if password login is disabled
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* ucert: update to latest git HEAD | Matthias Schiffer | 2020-05-24 | 1 | -3/+3
  00b921d80ac0 Do not print line number in debug messages
  96c42c5ed320 Fix length checks in cert_load()
  fe06b4b836b3 usign-exec: improve usign -F output handling
  19f9e1917e1b usign-exec: return code fixes
  077feb5b5824 usign-exec: close writing end of pipe early in parent process
  7ec4bb764e1e usign-exec: remove redundant return statements
  5a738e549d31 usign-exec: change usign_f_* fingerprint argument to char[17]
  112488bbbccc usign-exec: do not close stdin and stderr before exec
  38dcb1a6f121 usign-exec: fix exec error handling
  a9be4fb17df2 usign-exec: simplify usign execv calls
  854d93e2326a Introduce read_file() helper, improve error reporting
  afc86f352bf7 Fix return code of write_file()
  fdff10852326 stdout/stderr improvements
  dddb2aa8124d ci: fix unit test failures by enabling full ucert build
  5f206bcfe5c2 ci: enable unit testing
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* usign: update to latest git HEAD | Matthias Schiffer | 2020-05-23 | 1 | -3/+3
  f1f65026a941 Always pad fingerprints to 16 characters
  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* mtd: add linksys_bootcount for ramips | Davide Fioravanti | 2020-05-17 | 1 | -1/+1
  Reset bc is needed for Linksys EA7500 v2's dual boot.
  Size impact (tested with Linksys EA7500 v2 @ mt7621):
  mtd_25_mipsel_24kc.ipk: 13174 -> 13628 (454 bytes)
  initramfs: 3660350 -> 3660688 (338 bytes)
  Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
  [add size impact information]
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* procd: jail: fix segfault and add console feature | Daniel Golle | 2020-05-15 | 2 | -3/+17
  2e73848 jail: SIGSEGV must not be forwarded to the child process
  7e150f6 jail: unnamed jails can not have netns (fix segfault)
  1ab539b jail: add option to provide /dev/console to containers
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: replace backticks by $(...) | Adrian Schmutzler | 2020-05-13 | 2 | -3/+3
  This replaces deprecated backticks by more versatile $(...) syntax.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* fstools: blockd: fix segfault triggered by non-autofs mounts | Daniel Golle | 2020-05-12 | 1 | -3/+3
  Program received signal SIGSEGV, Segmentation fault.
  main_autofs (argv=<optimized out>, argc=<optimized out>)
  at fstools-2020-05-06-eec16e2f/block.c:1193
  1193: if (!m->autofs && (mp = find_mount_point(pr->dev))) {
  Fixes: c3a43753b9 ("fstools: update to the latest version")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* opkg: update to latest Git HEAD | Jo-Philipp Wich | 2020-05-07 | 1 | -3/+3
  f2166a8 libopkg: implement lightweight package listing logic
  cf4554d libopkg: support passing callbacks to feed parsing functions
  2a0210f opkg-cl: don't read feeds on opkg update
  b6f1967 libopkg: use xsystem() to spawn opkg-key
  60b9af2 file_util.c: refactor and fix checksum_hex2bin()
  206ebae file_util.c: fix possible bad memory access in file_read_line_alloc()
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* fstools: update to the latest version | Rafał Miłecki | 2020-05-06 | 1 | -3/+3
  eec16e2 blockd: add optional "device" parameter to "info" ubus method
  9ab936d block(d): always call hotplug.d "mount" scripts from blockd
  4963db4 blockd: use uloop_process for calling /sbin/hotplug-call mount
  cddd902 Truncate FAT filesystem label until 1st occurance of a blank (0x20)
  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* fstools: update to the latest version | Rafał Miłecki | 2020-05-05 | 1 | -3/+3
  8b9e601 block: always use st_dev (device ID) of / when looking for root
  37c9148 block: simplify check_extroot() a bit
  d70774d block: add some basic extroot documentation
  32db27d Revert "block: support hierarchical mount/umount"
  0b93429 Revert "block: mount_action: handle mount/umount deps"
  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* uci: update to latest git HEAD | Hans Dedecker | 2020-04-30 | 1 | -3/+3
  ec8d323 file: preserve original file mode after commit
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: extend requirejail attribute handling | Daniel Golle | 2020-04-25 | 1 | -3/+3
  e2ed964 jail: don't fail unless requirejail is set
  17e7ae7 jail: don't load libpreload-seccomp.so if it doesn't exist
  Fixes openwrt/packages#11913
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* fstools: update to the latest version | Felix Fietkau | 2020-04-22 | 1 | -3/+3
  84965b92f635 blockd: print symlink error code and string message
  62c578c22f9d blockd: report "target" path as "mount" for autofs available mounts
  d1f1f2b38fa1 block: remove mount target file if it's a link
  830441d790d6 blockd: remove symlink linkpath file if it's a dir or link
  c80f7002114f libfstools/mtd: attempt to read from OOB data if empty space is found
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* ubus: update to latest git HEAD | Hans Dedecker | 2020-04-20 | 1 | -3/+3
  171469e lua: avoid truncation of large numeric values
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: fix jail when running on glibc | Daniel Golle | 2020-04-19 | 1 | -3/+3
  d200b70 jail: include /etc/nsswitch.conf in jail for glibc.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail fixes and improvements | Daniel Golle | 2020-04-14 | 1 | -3/+3
  32c717e jail: only mess with rootfs if CLONE_NEWNS was set
  b275a62 instance: harmonize instance API
  511fd97 jail: make /proc more secure
  4953b7c jail: mount /sys read-only
  a4d6442 jail: replace /etc/resolv.conf with symlink in extroot+overlay
  a4cc165 jail: always mount /dev as additional tmpfs
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to latest HEAD | Daniel Golle | 2020-04-09 | 2 | -4/+7
  2188d81 jail: add support for launching extroot containers
  6f3dbd2 jail: add support for userns and cgroupsns
  28a06e5 jail: add support for (ram-)overlayfs

  Add handling for extroot, overlaydir and tmpoverlaysize as well as jail flags for userns and cgroupsns to OpenWrt's shell script to allow their use in init scripts.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* rpcd: fix respawn settings | Petr Štetiar | 2020-03-16 | 1 | -1/+1
  Commit 432ec292ccc8 ("rpcd: add respawn param") has introduced infinite restarting of the service which could be reached over network. This is not recommended security practice as it might give potential adversary infinite number of tries in case there might be some issue in the rpcd or its surrounding stack.

  So let's remove the currently bogus `respawn_retry` variable (it wasn't possible to override it anyway), reverting to the previous default max. of 5 service restarts which could be now overridden via system's UCI settings if desired.

  Cc: Jo-Philip Wich <jow@mein.io>
  Cc: Florian Eckert <fe@dev.tdt.de>
  Cc: Hauke Mehrtens <hauke@hauke-m.de>
  Fixes: 432ec292ccc8 ("rpcd: add respawn param")
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* procd: update to latest git HEAD | Daniel Golle | 2020-03-13 | 1 | -4/+4
  77a6782 jail: mount-bind /etc/resolv.conf for non-netns jails
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: actually wire-up netns support | Daniel Golle | 2020-03-12 | 2 | -1/+2
  When support for network namespaces was added to procd, adding the corresponding jail flag in procd.sh was omitted. Add it now.
  Fixes: 97a03a4760 ("procd: update to latest git HEAD")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* urngd: avoid PKG_NAME in define lines | Sungbo Eo | 2020-02-23 | 1 | -4/+4
  > Avoid reuse of PKG_NAME in call, define and eval lines for consistency and
  > readability. Write the full name instead.
  Ref: https://openwrt.org/docs/guide-developer/packages
  Signed-off-by: Sungbo Eo <mans0n@gorani.run>
* urandom-seed: avoid PKG_NAME in define lines | Sungbo Eo | 2020-02-23 | 1 | -2/+2
  > Avoid reuse of PKG_NAME in call, define and eval lines for consistency and
  > readability. Write the full name instead.
  Ref: https://openwrt.org/docs/guide-developer/packages
  Signed-off-by: Sungbo Eo <mans0n@gorani.run>
* brcm63xx: rename target to bcm63xx | Adrian Schmutzler | 2020-02-14 | 1 | -1/+1
  This change makes the names of Broadcom targets consistent by using the common notation based on SoC/CPU ID (which is used internally anyway), bcmXXXX instead of brcmXXXX. This is even used for target TITLE in make menuconfig already, only the short target name used brcm so far.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* brcm47xx: rename target to bcm47xx | Adrian Schmutzler | 2020-02-14 | 2 | -2/+2
  This change makes the names of Broadcom targets consistent by using the common notation based on SoC/CPU ID (which is used internally anyway), bcmXXXX instead of brcmXXXX. This is even used for target TITLE in make menuconfig already, only the short target name used brcm so far.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* procd: seccomp: fix resource leak | Kevin Darbyshire-Bryant | 2020-02-11 | 1 | -3/+3
  Bump to latest commit:
  c30b23e seccomp: fix resource leak
  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* uci: fix PKG_SOURCE_VERSION value | Hans Dedecker | 2020-02-09 | 1 | -1/+1
  Fixes PKG_SOURCE_VERSION value which was wrongly set in commit f6e07c8284
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: update to latest git HEAD | Hans Dedecker | 2020-02-09 | 1 | -2/+2
  Fixes c0c988e179a75d33c82ed0621d954fc0ac2c0c14
  bcb8655 instance: add 'requirejail' attribute
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: support 'requirejail' attribute | Kevin Darbyshire-Bryant | 2020-02-04 | 2 | -2/+3
  Bump procd package to reduce log spam related to missing jail binaries in a non-jail capable system.

  bcb8655 instance: add 'requirejail' attribute

  An additional jail attribute 'requirejail' can now be used to indicate mandatory use of a jailed environment and hence prevent process startup in the event that the jail subsystem is unavailable.

  Procd will now only log errors if jail is unavailable and 1) is a mandatory requirement or 2) a procd debug level of at least 2 is in use.
  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* uci: update to version 2020-01-27 | Hans Dedecker | 2020-02-02 | 1 | -5/+4
  e8d8373 file: fix segfault in uci_parse_option
  aa5e77a file: fix segfault in uci_parse_config
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* opkg: update to latest Git HEAD | Jo-Philipp Wich | 2020-01-29 | 1 | -3/+3
  80d161e opkg: Fix -Wformat-overflow warning
  c09fe20 libopkg: fix skipping of leading whitespace when parsing checksums
  Fixes: CVE-2020-7982
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* procd: update to version 2020-01-24 | Petr Štetiar | 2020-01-24 | 1 | -3/+3
  00aafc4f439e procd: show process's exit code
  856b5f8be046 state: fix reboot causing shutdown inside LXC container
  b44417c20c7f instance: provide error feedback if ujail binary is missing
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* fstools: update to version 2020-01-21 | Petr Štetiar | 2020-01-21 | 1 | -3/+3
  deb745f82b93 Revert "fstools: Add support to read-only MTD partitions (eg. recovery images)"
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* urngd: update to version 2020-01-21 | Petr Štetiar | 2020-01-21 | 1 | -3/+3
  c7f7b6b65b82 Tag version 1.0.2
  236b7a0aef21 Fix blocked entropy generation
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* procd: update to latest git HEAD | Daniel Golle | 2020-01-21 | 1 | -4/+4
  58c12f7 jail: add basic support for network namespaces
  ba69639 jail: create resolv.conf symlink for netns jails
  81b88b1 jail: more strict mount options for /tmp/resolv.conf.d/

  Add new 'netns' flag for procd_add_jail to make ujail setup a new network namespace for the jailed service.
  See previous netifd commit for example configuration for netns jailed service.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>