| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The RNG can't actually be seeded from a shell script, due to the
reliance on ioctls. For this reason, the seedrng project provides a
basic script meant to be copy and pasted into projects like OpenWRT
and tweaked as needed: <https://git.zx2c4.com/seedrng/about/>.
This commit imports it into the urandom-seed package and wires up the
init scripts to call it. This also is a significant improvement over the
current init script, which does not robustly handle cleaning up of seeds
and syncing to prevent reuse. Additionally, the existing script creates
a new seed immediately after writing an old one, which means that the
amount of entropy might actually regress, due to failing to credit the
old seed.
Closes: https://github.com/openwrt/openwrt/issues/9570
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [fixed missing INSTALL_DIR]
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The inclusion of the kmod-leds-uleds into the userspace
nu801 package causes a circular dependency inside the
buildsystem... which causes it to be picked regardless
of other DEPENDS values.
In case of the mx100, this could be solved by moving the
kmod-leds-uled dependency to the kmod-meraki-mx100.
Bonus: drop @!LINUX_5_4 from kmod-meraki-mx100
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Chen Minqiang reported that he has troubles downloading nu801.
His logs showed the followin TLS Handshake failure.
|Checking out files from the git repository...
|Cloning into 'nu801-d9942c0c'...
|fatal: unable to access 'https://github.com/chunkeey/nu801.git/':
| gnutls_handshake() failed: The TLS connection was non-properly terminated.
|Makefile:39: recipe for target '[...]/dl/nu801-d9942c0c.tar.xz' failed
This can be fixed by providing a PKG_MIRROR_HASH. The download
scripts will now be able to pull the source from OpenWrt's source
archive, which should be available through HTTP.
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 80b7a8a7f5a0a88fde6dd19f097df4d7cac9ff04.
Now that 5.10 is the default kernel for all platforms, we can
bring back the NU801 userspace driver for platforms that rely
on it. Currently it's used on the MX100 x86_64 target, but
other Meraki platforms use this controller.
Note that we also now change how we load nu801. The way we did
this previously with procd worked, but it meant it didn't load
until everything was up and working.
To fix this, let's call nu801 from boot and re-trigger the
preinit blink sequence. Since nu801 runs as a daemon this is
now something we can do.
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
(removed empty line, currently only MX100 uses it so: @TARGET_x86)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
|
|
|
|
|
|
| |
62471e693b4f usign: add 22.03 release build public key
70817cffc905 gpg: add OpenWrt 22.03 signing key
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
|
|
|
|
|
|
|
| |
The service command belongs to the procd and does not belong in the
shinit. In the course of the move, the script was also checked with
shellcheck and cleaned up.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The /tmp directory is mounted as tmpfs. The tmpfs filesystem is backed by
anonymous memory, which means it can be swapped out at any time, if there is
memory pressure [1]. For this reason, a zram swap device is a much better
choice than mounting /tmp on zram, since it's able to compress all anonymous
memory, and not just the memory assigned to /tmp. We already have the zram-swap
package for this specific purpose, which means procd's tmp-on-zram is both
redundant and more limited.
A follow-up patch will remove support for mounting /tmp in zram from procd
itself.
[1] https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
|
|
|
|
|
|
|
|
| |
66baa44 libubus: introduce new status messages
b3cd5ab cli: use UBUS_STATUS_PARSE_ERROR
584f56a cli: improve error logging for call command
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
iucode-tool/host is used by intel-microcode to manipulate with
microcode.bin file. iucode-tool requires cpuid.h at compile time
for autodection feature, but non-x86 build hosts does not have
this header file (e.g. ubuntu 20.04 aarch64) or this header
generates compile time error (#error macro) (e.g. macos arm64).
This patch provides compat cpuid.h to build iucode-tool/host on
non-x86 linux hosts and macos. CPU autodectection is not required
for intel-microcode package build so compat cpuid.h is ok for
OpenWrt purposes.
glibc and argp lib are not present in macos so iucode-tool/host
build fails. This patch adds argp-standalone/host as build
dependency if host os is macos.
Generated ucode (intel-microcode package) is exactly the same on
Linux x86_64 (Ubuntu 20.04), Linux aarch64 (Ubuntu 20.04) and
Darwin arm64 (MacOS 11.6) build hosts.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
|
|
|
|
|
|
|
|
|
|
| |
a87d010 uxc: remove unused printf parameter
ad65249 instance: exit in case asprintf() fails
Build with glibc should again work after this commit.
Fixes: e9e61d76fd ("procd: update to git HEAD")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
| |
df1123e uxc: add support for user-defined settings
0272c7c uxc: allow editing settings using 'create'
a839518 uxc: clean up error handling
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
| |
'uxc boot' is inteded to be called multiple times, so there is not need
to guard the first call on boot -- the actual code anyway didn't do
that, so just remove it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
| |
909f2a0 ucode: adjust to latest ucode api
4c532bf ucode: add ucode interpreter plugin
9c6ba38 treewide: adjust ubus object type names
75a96dc build: honour CMake install prefix in hardcoded paths
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
| |
Just use 'start' action which will have the desired effect instead of
trying to introduce a 'start_file' action which didn't work that way
because procd jshn magic would have to wrap around it.
Fixes: 88baf6ce2c ("ubox: only start log to file when filesystem has been mounted")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From: Peter Lundkvist <peter.lundkvist@gmail.com>
This fixes the make_syscall_h.sh script to recognize both
__NR_Linux, used by mips, and __NR_SYSCALL_BASE and
__ARM_NR_BASE used by arm.
Run-tested on arm (ipq806x) and mips (ath79), both with glibc.
Compile-tested and checked resulting syscall_names.h file wuth
glibc: aarch64, powerpc, x86_64, i486
musl: arm, mips
Fixes: FS#4194, FS#4195
Signed-off-by: Peter Lundkvist <peter.lundkvist@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
| |
If log_file is on an filesystem mounted using /etc/config/fstab we have
to wait for that to happen before starting the logread process.
Inhibit the start of the file-writer process and use a mount trigger to
fire it up once the filesystem actually becomes available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
| |
Allow init scripts to trigger free-form actions by exposing
procd_add_action_mount_trigger.
Clean up mount trigger wrappers while at it to reduce code duplication.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
| |
ca6c35c uxc: usage message cosmetics
e083dd4 uxc: fix two minor issues reported by Coverity
35dfbff procd: jail/cgroups: correctly enable "rdma" when requested
3b3ac64 procd: mount /dev with noexec
ac2b8b3 procd: clean up /dev/pts mounts
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
| |
db7fb64 libopkg: pkg_hash: prefer to-be-installed packages
2edcfad libopkg: set 'const' attribute for argv
This should fix the ImageBuilder problems people are having since we
introduced the 'uci-firewall' providers.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
| |
eb522fc uxc: consider uvol and etc location for configurations
16a6ee9 uxc: integrate console into uxc
129d050 remove ujail-console
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
| |
bb95fe8 jail: make sure jailed process is terminated
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is a revert of the upstream patch to Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
The reason is, that this change broke builds with the popular
Ubuntu 20.04 LTS (focal) releases which are shipping with an
older version of the python3-cryptography package that is not
compatible.
|Traceback (most recent call last):
| File "certdata2pem.py", line 125, in <module>
| cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1
...or if the python3-cryptography was missing all together:
|Traceback (most recent call last):
| File "/certdata2pem.py", line 31, in <module>
| from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'
More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway.
Right now it seems to be just a warning but I could imagine that
eventually certs are simply omitted of found to be expired at
build time which would break reproducibility."
Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update the ca-certificates and ca-bundle package from version 20210119 to
version 20211016.
Debian change-log entry [1]:
|[...]
|[ Julien Cristau ]
|* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
| bundle to version 2.50
| The following certificate authorities were added (+):
| + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
| + "GlobalSign Root R46"
| + "GlobalSign Root E46"
| + "GLOBALTRUST 2020"
| + "ANF Secure Server Root CA"
| + "Certum EC-384 CA"
| + "Certum Trusted Root CA"
| The following certificate authorities were removed (-):
| - "QuoVadis Root CA"
| - "Sonera Class 2 Root CA"
| - "GeoTrust Primary Certification Authority - G2"
| - "VeriSign Universal Root Certification Authority"
| - "Chambers of Commerce Root - 2008"
| - "Global Chambersign Root - 2008"
| - "Trustis FPS Root CA"
| - "Staat der Nederlanden Root CA - G3"
| * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
|[...]
[1] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20211016_changelog>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
|
|
|
|
|
|
|
| |
Extend the hotplug.json ruleset to setup the common /dev/std{in,out,err}
symbolic links which are needed by some applications, e.g. nftables when
applying rulesets from stdin.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
| |
8de12de system: add diskfree infos to ubus
bf3fe0e service: move jail parsing to end of instance parser
87b5836 procd: add full service shutdown prior to sysupgrade
01ac2c4 procd: service_stop_all: also kill inittab actions
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
| |
77c0288 fstools: fix a couple of minor code problems
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
| |
9d1431e jail: allow passing environment variable to procd jailed process
Fixes dnsmasq in ujail which needs USER_SCRIPT env variable to be
passed to jailed process.
Reported-by: Bastian Bittorf <bb@npl.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
| |
When installing additional rpcd modules, a restart of rpcd is required.
This often confuses users as even after installing rpcd-mod-rpcsys the
relevant ubus objects are still missing until rpcd has been reloaded
(or the system has been rebooted, obviously).
Let rpcd-mod-* reload rpcd as post-install action.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
| |
Avoids building rpcd when not needed
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
| |
0ee8e73 trigger: use uloop_timeout_remaining64
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
|
|
|
|
|
|
| |
20bf958 session: use uloop_timeout_remaining64
d11ffe9 session: use blobmsg_get_u64 for RPC_DUMP_EXPIRES
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
|
|
|
|
|
|
| |
1056fc4 jail: elf: Use 64 bit variables for elf offsets
c1976e5 jail: elf: Remove MIPS 64 warning
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
| |
19fd7fc libfstools: make sure file is closed on error
d390744 libfstools: use uevent instead of relying on custom kernel patch
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
| |
b743a331421d ubusd: log ACL init errors
2099bb3ad997 libubus: use list_empty/list_first_entry in ubus_process_pending_msg
ef038488edc3 libubus: process pending messages in data handler if stack depth is 0
a72457b61df0 libubus: increase stack depth for processing obj msgs
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
wifi: writes to terminal
hotplugcall and sqm read class sysfile symlinks
unbound and sqm related loose ends
support/example: policycoreutils host-compile is required
TODO: this was wrong and it is actually needed
linguist detectable does not work this way
linguist-detectable
updates README
adds workflows
adds a note about persistent /var option
project moved to https://github.com/DefenSec/selinux-policy
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
|
|
|
|
|
|
| |
cmake: Allow override of install directories
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
| |
jail: Fix build with glibc
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
|
|
|
| |
9b1e035 jail: netifd: code cosmetics
d2a2ecc jail: netifd: fix error handling issue reported by coverity
e1d7cee jail: netifd: check target netns fd before using it
59f7699 uxc: add missing 'break' statement
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Until now, this feature was switched on via the kernel configuration
option KERNEL_SECCOMP.
The follwing change a7f794cd2aa104fdbd4c6e38f9b76373bf9b96e1 now requires that
the package procd-seccomp must also enabled for buildinmg.
However, this is not the case we have no dependency and the imagebuilder
cannot build the image, because of the implicit package selection.
This change adds a new configuration option CONFIG_SECCOMP.
The new option has the same behaviour as the configuration
option CONFIG_SELINUX.
If the CONFIG_SECCOMP is selected then the package procd-seccomp and
KERNEL_SECCOMP is enabled for this build.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
97bcdcf uxc: fix segfault caused by use-after-free
6398e05 uxc: don't free the stack
324ebd0 jail: fs: add support for asymmetric mount bind
c44ab7f jail: netifd: generate netifd uci config and mount it
82dd390 jail: make use of per-container netifd via ubus
The new per-jail netifd is now configured by filtering the host
network configuration. As libuci is used for that, procd-ujail now
depends on libuci.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit f536f5ebddd9c532a08ac4a9be3ef0c02f7bfeb8.
As Hauke commented, this causes builder failures on 5.4 kernels.
This revert includes changes to the mx100 kernel modules
dependency as well as the uci led definitions.
Tested-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a userspace interpretation of the nu801 driver used by Meraki
hardware. Previously this was a driver that was added per target, but as
multiple targets now have this driver, we should move to something that
can be shared by all targets since no driver exists upstream.
Co-developed-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, the fstab service starts after the log service which breaks
the ability to write a persistent log file to a filesystem mounted by
the fstab service. Thus, change the start order of the fstab service so
it starts right before the log service.
Fixes: b131853 ("ubox: update to latest git revision")
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
[set to 11 to be explicitly before log, not only alphabetically, SPDX]
Signed-off-by: Paul Spooren <mail@aparcar.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
8a60e7e trace: don't leak file descriptor in error path
68df9ac procd: fix container deletion
f16abe0 uxc: add JSON output option for 'list' command
a23c888 jail: prepare for adding process to existing namespace
50da8a4 instance: allow jailed service to join namespace(s)
482d1ab Revert "jail: do not hack /etc/resolv.conf on container rootfs"
1eb4371 jail: start ubus and netifd instances for container with netns
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous procd update broke mounting overlayfs in an attempt to
fix an off-by-one error. Revert that broken fix and apply fix from
Nick Hainke <vincent@systemli.org> instead to bring things back to
life.
20adf53 Revert "initd: fix off-by-one error in mkdev.c"
773e8da initd: fix off-by-one error in mkdev.c
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
| |
96d8bf2 trace: fix potential use-after-free occurence
8eb1d78 initd: fix off-by-one error in mkdev.c
86f82f3 utils: don't ignore open() return value
f5fe04b jail: actually check calloc return value
269c9e4 trace: preload: avoid NULL-dereference here as well
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
| |
df251c2 uxc: move mountpoint of persistent config to /var/run/uxc
e5b38fd trace: free memory allocated by blobmsg_format_json_indent()
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
| |
50e6b20 libfstools: handle open() return value properly in F2FS check
e1b6811 blockd: include missing libubox/utils.h
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
8a8306d uxc.c: fix coverity resource leak warning
7f2398e jail: devices: create parent folder when creating devices
0603c8d jail: return to hook callback instead of just calling it
3edb7eb jail: check return value when opening console
af048a3 jail: use portable sizeof(void *)
6010bd3 utils: make sure read() string is 0 terminated
f6daca3 uxc: free string returned by blobmsg_format_json_indent()
51f1cd2 trace: free string returned by blobmsg_format_json_indent()
d716cb5 trace: handle open() return value and make sure string is terminated
b824a89 jail: preload: avoid NULL-dereference in case things go wrong
167dc24 jail: protect against strcat buffer overflows
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
592ac0f add a note
4bacd14 sslcertfile: list /etc/ssl
7bdefa4 example: indicate that skip is an option
d1e9a85 wifi: sys pipe usage
eb903e1 README: add note about policycoreutils-setfiles weak dependency
762e011 ttyd: signull all subjects
fbfc079 acme: add basic support for acme_cleanup.sh and acme_setup.sh
9ac7592 acme: transition to sys.subj on generic initscript execution
f3dd1ba acme: missing rules related to sys.subj trans on file.initscriptfile
ae273fa odhcp6c/netifd: support drop-in directories
5fa9b41 subj: do not encourage misconfiguration
44722b6 blockd, logd, odhcpc6, ubiutil, mtdstordev
a775d93 21.02 related
a473691 rcboot runs rcuhttpd which creates /tmp/etc for /tmp/etc/uhttpd
290e9fb rcuhttpd: related to rcboot and uci-defaults
3fc0d8b rcuhttpd: lists /etc/uci-defaults
1f5ef48 removes ubvol.lock policy and adds move mtd/ubi partitions
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|