| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
93369be Revert "fstools: remove SELinux restorecon hack"
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit b641dadc1386146c4213ff6c5c443bad053a85d6)
|
| |
|
|
|
|
|
|
| |
2f793a4 lua: add optional path filter to objects() method
2bebf93 ubusd: handle invoke on event object without data
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 1521d5f453683ca1aae87d025d2892901369ce0c)
|
| |
|
|
|
|
|
|
| |
557c98e init: selinux: don't relabel virtual filesystems
7a00968 init: only relabel rootfs if started from initramfs
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4cbc26b212836973b22ae2a426de43325f893ee3)
|
| |
|
|
|
|
|
| |
9e11b37 fstools: remove SELinux restorecon hack
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4509b790f09183b2ac757371f6d79052f232e4cd)
|
| |
|
|
|
|
|
| |
652e6df init: restore SELinux labels after policy is loaded
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit fb011118664756ee33bf16a39bf6e73d02cc2d3f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
try to clean up some labeling inconsistencies
iwinfo loose ends
ucode loose ends
Makefile: adjust mintesttgt (adds blockmount/blockd)
nftables: reads inherited netifd pipe
ucode: reads inherited netifd pipes
mountroot: fowner
sandbox: writes inherited dropbear pipes
unbound related to /tmp/etc/ssl
unbound loose ends
adds a sslconftmpfile for /tmp/etc/ssl
README: maintain a wish list in the README
iwinfo: netifd forgot write
gptfdisk loose ends
iwinfo: netifd wpad reads/writes inherited netifd fifo files
netifd (mac80211.sh) executes iwinfo
luci: executes wireguard
luci-cgi: audits xtables execute access
rcuhttpd: lists ssl certfile dirs
iwinfo, wifi,nftables usage of ttyd pty if available
urandomseed: seedrng needs cap_sys_admin
iwinfo iwinfo, nftables and some chronyd rules related to ntp nts server
nftables, wifi and adds iwinfo skel
nftables, rpcd, ucode
nftables, ucode and seedrng ucode, fw3/nftables, luci
adds ucode skel and some fw3/nftables related
urandomseed: some seedrng rules
fw3 adds some support for fw4
urandomseed: /etc/seedrng is for seed.credit
hotplugcal: runs ucode which is interpreter like
adds a nftables skeleton and makes xtables optional
agent: allow all agents to write inherited dropbear pipes
urandomseed: this seems to be replaced by seedrng
kmodloader: label /etc/modules.conf kmodloader.conffile
Revert "shelexecfile: remove auditallow rule"
Makefile: sort the modules to process by secilc
Moves back to git.defensec.nl
unbound odhcpd (ip) reads net proc
tcp dump
shelexecfile: remove auditallow rule
rrd.cil: fixes indent
Target rddtool from cgi-io instead of runnit it without transition
rrd.cil related
rrd, rpcd, cgiio clean ups related to luci-app-statistics
Rules for rrd files and luci-statistics
unboundcontrol ordering
Several missing permissions
blockmount, dnsmasq, hotplugcall, rpcd, unbound
adds mctp_socket (linux 5.15)
ip: forgot tc-tiny type transition to go along with the fc spec
ip: adds a fc spec for tc-tiny (called by sqm)
adds ttyACM fc spec and various assorted loose ends
.gitattributes: do not export the github workflows
workflow use selinux 3.3
project moved back to https://git.defensec.nl/selinux-policy.git
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
(cherry picked from commit 43794570986e33770d9039399d16a665f6c7c495)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
f0fc66a libfstools: check for overlay mounting errors
128ecaf Update / fix extroot comments
8a0ba3b libfstools: get rid of "extroot_prefix" global variable
649cd3f libfstools: use variable for overlay mount-point
922f1b3 libfstools: avoid segfault in find_mount_point
ce5eacb libfstools: mtd: improve error handling
898b328 blockd: restore device_move semantics
0917d22 block: don't probe mtdblock on NAND (with legacy exceptions)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4e8d095013fb822eaa4fd6b4512a434fc17ac901)
|
| |
|
|
|
|
|
|
|
| |
6343c3a procd: completely remove tmp-on-zram support
5c5e63f uxc: fix potential NULL-pointer dereference
eb03f03 jail: include necessary files for per-netns netifd instance
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 2c8873033e3c0b5a5e8f6080ea3a73fde6a55f39)
|
| |
|
|
|
|
|
|
|
|
| |
In commit 2d03f27f0f07 ("openwrt-keyring: make opkg use 22.03 usign
key") I've accidentally removed the `endef` keyword, so fix it by adding
it back.
Fixes: 2d03f27f0f07 ("openwrt-keyring: make opkg use 22.03 usign key")
Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In order to make opkg usable with artifacts produced by project's
buildbot:
Downloading https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/x86_64/luci/Packages.sig
Signature check failed.
Remove wrong Signature file.
References: https://gitlab.com/openwrt/docker/-/jobs/2255191689
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
|
| |
62471e693b4f usign: add 22.03 release build public key
70817cffc905 gpg: add OpenWrt 22.03 signing key
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 759886345d900139f38bd9200a32ce12868d3343)
|
| |
|
|
|
|
|
|
| |
The service command belongs to the procd and does not belong in the
shinit. In the course of the move, the script was also checked with
shellcheck and cleaned up.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The /tmp directory is mounted as tmpfs. The tmpfs filesystem is backed by
anonymous memory, which means it can be swapped out at any time, if there is
memory pressure [1]. For this reason, a zram swap device is a much better
choice than mounting /tmp on zram, since it's able to compress all anonymous
memory, and not just the memory assigned to /tmp. We already have the zram-swap
package for this specific purpose, which means procd's tmp-on-zram is both
redundant and more limited.
A follow-up patch will remove support for mounting /tmp in zram from procd
itself.
[1] https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
|
| |
|
|
|
|
|
|
| |
66baa44 libubus: introduce new status messages
b3cd5ab cli: use UBUS_STATUS_PARSE_ERROR
584f56a cli: improve error logging for call command
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
iucode-tool/host is used by intel-microcode to manipulate with
microcode.bin file. iucode-tool requires cpuid.h at compile time
for autodection feature, but non-x86 build hosts does not have
this header file (e.g. ubuntu 20.04 aarch64) or this header
generates compile time error (#error macro) (e.g. macos arm64).
This patch provides compat cpuid.h to build iucode-tool/host on
non-x86 linux hosts and macos. CPU autodectection is not required
for intel-microcode package build so compat cpuid.h is ok for
OpenWrt purposes.
glibc and argp lib are not present in macos so iucode-tool/host
build fails. This patch adds argp-standalone/host as build
dependency if host os is macos.
Generated ucode (intel-microcode package) is exactly the same on
Linux x86_64 (Ubuntu 20.04), Linux aarch64 (Ubuntu 20.04) and
Darwin arm64 (MacOS 11.6) build hosts.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
|
| |
|
|
|
|
|
|
|
|
| |
a87d010 uxc: remove unused printf parameter
ad65249 instance: exit in case asprintf() fails
Build with glibc should again work after this commit.
Fixes: e9e61d76fd ("procd: update to git HEAD")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
| |
df1123e uxc: add support for user-defined settings
0272c7c uxc: allow editing settings using 'create'
a839518 uxc: clean up error handling
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
| |
'uxc boot' is inteded to be called multiple times, so there is not need
to guard the first call on boot -- the actual code anyway didn't do
that, so just remove it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
| |
909f2a0 ucode: adjust to latest ucode api
4c532bf ucode: add ucode interpreter plugin
9c6ba38 treewide: adjust ubus object type names
75a96dc build: honour CMake install prefix in hardcoded paths
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
| |
Just use 'start' action which will have the desired effect instead of
trying to introduce a 'start_file' action which didn't work that way
because procd jshn magic would have to wrap around it.
Fixes: 88baf6ce2c ("ubox: only start log to file when filesystem has been mounted")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From: Peter Lundkvist <peter.lundkvist@gmail.com>
This fixes the make_syscall_h.sh script to recognize both
__NR_Linux, used by mips, and __NR_SYSCALL_BASE and
__ARM_NR_BASE used by arm.
Run-tested on arm (ipq806x) and mips (ath79), both with glibc.
Compile-tested and checked resulting syscall_names.h file wuth
glibc: aarch64, powerpc, x86_64, i486
musl: arm, mips
Fixes: FS#4194, FS#4195
Signed-off-by: Peter Lundkvist <peter.lundkvist@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
| |
If log_file is on an filesystem mounted using /etc/config/fstab we have
to wait for that to happen before starting the logread process.
Inhibit the start of the file-writer process and use a mount trigger to
fire it up once the filesystem actually becomes available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
| |
Allow init scripts to trigger free-form actions by exposing
procd_add_action_mount_trigger.
Clean up mount trigger wrappers while at it to reduce code duplication.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
| |
ca6c35c uxc: usage message cosmetics
e083dd4 uxc: fix two minor issues reported by Coverity
35dfbff procd: jail/cgroups: correctly enable "rdma" when requested
3b3ac64 procd: mount /dev with noexec
ac2b8b3 procd: clean up /dev/pts mounts
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
| |
db7fb64 libopkg: pkg_hash: prefer to-be-installed packages
2edcfad libopkg: set 'const' attribute for argv
This should fix the ImageBuilder problems people are having since we
introduced the 'uci-firewall' providers.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
| |
eb522fc uxc: consider uvol and etc location for configurations
16a6ee9 uxc: integrate console into uxc
129d050 remove ujail-console
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
bb95fe8 jail: make sure jailed process is terminated
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is a revert of the upstream patch to Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
The reason is, that this change broke builds with the popular
Ubuntu 20.04 LTS (focal) releases which are shipping with an
older version of the python3-cryptography package that is not
compatible.
|Traceback (most recent call last):
| File "certdata2pem.py", line 125, in <module>
| cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1
...or if the python3-cryptography was missing all together:
|Traceback (most recent call last):
| File "/certdata2pem.py", line 31, in <module>
| from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'
More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway.
Right now it seems to be just a warning but I could imagine that
eventually certs are simply omitted of found to be expired at
build time which would break reproducibility."
Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update the ca-certificates and ca-bundle package from version 20210119 to
version 20211016.
Debian change-log entry [1]:
|[...]
|[ Julien Cristau ]
|* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
| bundle to version 2.50
| The following certificate authorities were added (+):
| + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
| + "GlobalSign Root R46"
| + "GlobalSign Root E46"
| + "GLOBALTRUST 2020"
| + "ANF Secure Server Root CA"
| + "Certum EC-384 CA"
| + "Certum Trusted Root CA"
| The following certificate authorities were removed (-):
| - "QuoVadis Root CA"
| - "Sonera Class 2 Root CA"
| - "GeoTrust Primary Certification Authority - G2"
| - "VeriSign Universal Root Certification Authority"
| - "Chambers of Commerce Root - 2008"
| - "Global Chambersign Root - 2008"
| - "Trustis FPS Root CA"
| - "Staat der Nederlanden Root CA - G3"
| * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
|[...]
[1] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20211016_changelog>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
| |
|
|
|
|
|
|
| |
Extend the hotplug.json ruleset to setup the common /dev/std{in,out,err}
symbolic links which are needed by some applications, e.g. nftables when
applying rulesets from stdin.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
| |
8de12de system: add diskfree infos to ubus
bf3fe0e service: move jail parsing to end of instance parser
87b5836 procd: add full service shutdown prior to sysupgrade
01ac2c4 procd: service_stop_all: also kill inittab actions
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
77c0288 fstools: fix a couple of minor code problems
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
| |
9d1431e jail: allow passing environment variable to procd jailed process
Fixes dnsmasq in ujail which needs USER_SCRIPT env variable to be
passed to jailed process.
Reported-by: Bastian Bittorf <bb@npl.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
| |
When installing additional rpcd modules, a restart of rpcd is required.
This often confuses users as even after installing rpcd-mod-rpcsys the
relevant ubus objects are still missing until rpcd has been reloaded
(or the system has been rebooted, obviously).
Let rpcd-mod-* reload rpcd as post-install action.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
| |
Avoids building rpcd when not needed
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
| |
0ee8e73 trigger: use uloop_timeout_remaining64
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
|
|
|
| |
20bf958 session: use uloop_timeout_remaining64
d11ffe9 session: use blobmsg_get_u64 for RPC_DUMP_EXPIRES
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
|
|
|
| |
1056fc4 jail: elf: Use 64 bit variables for elf offsets
c1976e5 jail: elf: Remove MIPS 64 warning
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
| |
19fd7fc libfstools: make sure file is closed on error
d390744 libfstools: use uevent instead of relying on custom kernel patch
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
| |
b743a331421d ubusd: log ACL init errors
2099bb3ad997 libubus: use list_empty/list_first_entry in ubus_process_pending_msg
ef038488edc3 libubus: process pending messages in data handler if stack depth is 0
a72457b61df0 libubus: increase stack depth for processing obj msgs
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
wifi: writes to terminal
hotplugcall and sqm read class sysfile symlinks
unbound and sqm related loose ends
support/example: policycoreutils host-compile is required
TODO: this was wrong and it is actually needed
linguist detectable does not work this way
linguist-detectable
updates README
adds workflows
adds a note about persistent /var option
project moved to https://github.com/DefenSec/selinux-policy
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
|
| |
|
|
|
|
| |
cmake: Allow override of install directories
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
| |
jail: Fix build with glibc
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
| |
9b1e035 jail: netifd: code cosmetics
d2a2ecc jail: netifd: fix error handling issue reported by coverity
e1d7cee jail: netifd: check target netns fd before using it
59f7699 uxc: add missing 'break' statement
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Until now, this feature was switched on via the kernel configuration
option KERNEL_SECCOMP.
The follwing change a7f794cd2aa104fdbd4c6e38f9b76373bf9b96e1 now requires that
the package procd-seccomp must also enabled for buildinmg.
However, this is not the case we have no dependency and the imagebuilder
cannot build the image, because of the implicit package selection.
This change adds a new configuration option CONFIG_SECCOMP.
The new option has the same behaviour as the configuration
option CONFIG_SELINUX.
If the CONFIG_SECCOMP is selected then the package procd-seccomp and
KERNEL_SECCOMP is enabled for this build.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
97bcdcf uxc: fix segfault caused by use-after-free
6398e05 uxc: don't free the stack
324ebd0 jail: fs: add support for asymmetric mount bind
c44ab7f jail: netifd: generate netifd uci config and mount it
82dd390 jail: make use of per-container netifd via ubus
The new per-jail netifd is now configured by filtering the host
network configuration. As libuci is used for that, procd-ujail now
depends on libuci.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This reverts commit f536f5ebddd9c532a08ac4a9be3ef0c02f7bfeb8.
As Hauke commented, this causes builder failures on 5.4 kernels.
This revert includes changes to the mx100 kernel modules
dependency as well as the uci led definitions.
Tested-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds a userspace interpretation of the nu801 driver used by Meraki
hardware. Previously this was a driver that was added per target, but as
multiple targets now have this driver, we should move to something that
can be shared by all targets since no driver exists upstream.
Co-developed-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently, the fstab service starts after the log service which breaks
the ability to write a persistent log file to a filesystem mounted by
the fstab service. Thus, change the start order of the fstab service so
it starts right before the log service.
Fixes: b131853 ("ubox: update to latest git revision")
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
[set to 11 to be explicitly before log, not only alphabetically, SPDX]
Signed-off-by: Paul Spooren <mail@aparcar.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
8a60e7e trace: don't leak file descriptor in error path
68df9ac procd: fix container deletion
f16abe0 uxc: add JSON output option for 'list' command
a23c888 jail: prepare for adding process to existing namespace
50da8a4 instance: allow jailed service to join namespace(s)
482d1ab Revert "jail: do not hack /etc/resolv.conf on container rootfs"
1eb4371 jail: start ubus and netifd instances for container with netns
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
