path: root/package/system
Commit message | Author | Age | Files | Lines
* refpolicy: add variant that builds modular policy | W. Michael Petullo | 2020-11-09 | 1 | -2/+33
| This adds a variant of refpolicy that builds the modular form of the policy. While this requires more memory on the target device, along with some tricks to deal with OpenWrt's volatile /var directory, it is useful for experimenting with SELinux policy.
|
| Signed-off-by: W. Michael Petullo <mike@flyn.org>
* procd: bump to git HEAD | Daniel Golle | 2020-11-07 | 1 | -3/+3
| b0de894 jail: fix capabilities
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to git HEAD | Daniel Golle | 2020-11-05 | 1 | -3/+3
| 2f381fe jail: guard boolean blobmsg attributes
| 602b8fa jail: add option for pidfile
| bba6de7 jail: handle mount propagation flags
| 6963d50 jail: relax seccomp unknown syscall handling
| e1fcfdc jail: add support for absolute root path in OCI spec
| 257f29b jail: don't fail if maskedPath cannot be found
| 75f2374 uxc: mimic runc cmdline by using getopt_long
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* opkg: clean up and fix performance regression | Daniel Golle | 2020-11-03 | 1 | -3/+3
| da9746a libopkg: clean up handling of unresolved dependencies
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
| Signed-off-by: Paul Spooren <mail@aparcar.org>
* opkg: fix yet another dependency resolution bug | Daniel Golle | 2020-11-02 | 1 | -3/+3
| The previous fix of a fix caused yet another problem leading to `opkg show-upgradable` ending up in an infinite loop. Fix that.
|
| Fixes: 4a2b1ff7fb ("opkg: fix dependency resolution")
| Reported-by: Huangbin Zhan <zhanhb88@gmail.com>
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* opkg: fix dependency resolution | Daniel Golle | 2020-11-02 | 1 | -3/+3
| The previous commit broke opkg in a way that it would no longer include dependencies when installing a package, effectively leading to broken images and unusable systems. Fix that by making sure dependencies are still going to be checked. Also reduce size of struct abstract_pkg as suggested by @jow- while at it.
|
| Fixes: 1445d333aa ("opkg: bump to git HEAD")
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* zram-swap: use new extra_command wrapper | Florian Eckert | 2020-11-02 | 2 | -4/+3
| Use new `extra_command` wrapper to fix the alignment.
|
| Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* opkg: bump to git HEAD | Daniel Golle | 2020-10-30 | 1 | -3/+3
| 8769c75 pkg_hash: don't suggest incompatible packages
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* uci: fix package mirror hash | Petr Štetiar | 2020-10-27 | 1 | -1/+1
| I've forgotten to update PKG_MIRROR_HASH in my previous package version bump.
|
| Fixes: 095cc2b7454a ("uci: update to version 2020-10-06")
| Signed-off-by: Petr Štetiar <ynezz@true.cz>
* uci: update to version 2020-10-06 | Petr Štetiar | 2020-10-27 | 1 | -2/+2
| 52bbc99f69ea Replace malloc() + memset() with calloc()
| 3fbd6c923434 ucimap: Check return of malloc()
| eae126f66663 file: Check buffer size after strtok()
| 7f574273180a file: use size_t for position and pointer
| 19770b6949b9 file: use dynamic memory allocation for tempfile name
| aa46546794ac file: uci_file_commit: fix memory leak
| 671c7554bfde uci: silence UBSAN error by using offsetof macro from compiler
| ea5bbd57d0e1 tests: cram: add uci import testing on fuzzer corpus
| 31f78bfbf75f cmake: add uci-san cli built with clang sanitizers
| a3e650911f5e file: uci_parse_package: fix heap use after free
| 9bd361ca3236 tests: add libFuzzer based fuzzing
|
| Signed-off-by: Petr Štetiar <ynezz@true.cz>
* ubus: bump to git HEAD | Daniel Golle | 2020-10-25 | 1 | -3/+3
| ad0cd11 ubusd_acl: add support for wildcard in methods
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: ujail fixes | Daniel Golle | 2020-10-25 | 1 | -3/+3
| ec461ff jail: mount more stuff read-only
| 33b799b ujail: elf: work around GCC bug on MIPS64
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* ubox: run logd non-root as user logd | Daniel Golle | 2020-10-25 | 1 | -4/+5
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* rpcd: adapt defaults for changed ubus.sock path | Daniel Golle | 2020-10-22 | 3 | -2/+10
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail: clean up capability handling and non-root ubusd | Daniel Golle | 2020-10-21 | 1 | -3/+3
| Unify capability handling to only use OCI spec parsers even for ujail slim containers which previously supposedly used their own format.
|
| 80c9516 cgroups: restrict allowed keys in 'unified' section
| 5ade567 cgroups: memory controller fixes
| 3121467 early: run ubusd non-root as user ubus, group ubus
| 12a5b97 jail: adapt to new ubus socket path
| 788d144 instance: actually wire up capabilities filename
| ebc5a7f jail: nuke old capabilities code in favour of reusing OCI code
| 6c5233a jail: capabilities: apply in two phases
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* ubus: prepare to run ubusd as non-root user | Daniel Golle | 2020-10-21 | 1 | -3/+4
| Move /var/run/ubus.sock to /var/run/ubus/ubus.sock in preparation for having ubusd run as non-root user.
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* selinux-policy: update to git tag v0.3 | Daniel Golle | 2020-10-16 | 1 | -3/+3
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* fstools: update to git HEAD | Daniel Golle | 2020-10-16 | 1 | -3/+3
| 8e0f29a mount: remove support for legacy overlayfs before v2.3
| 0f8a443 mount: fix log format string and indentation
| 46a56d3 overlay: use precompiler macros for reoccuring path names
| f25ab8a mount: apply SELinux labels before overlayfs mount
|
| Total ipk size change (ipq40xx): +120b
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* selinux-policy: adds new package | Dominick Grift | 2020-10-09 | 2 | -0/+55
| Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
* refpolicy: fix path to setfiles and checkpolicy | Paul Spooren | 2020-09-30 | 1 | -3/+2
| Directly set path via MAKE vars instead of defining TESTTOOLS. This way setfiles, which is required by the ImageBuilder, ends up in /host/bin while checkpolicy can stay in hostpkg/bin.
|
| Signed-off-by: Paul Spooren <mail@aparcar.org>
* refpolicy: mark as architecture independent | Daniel Golle | 2020-09-29 | 1 | -1/+2
| Use PKGARCH:=all to declare this package to be free of any architecture dependent code.
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* zram-swap: explicitly use mkswap/swapon/swapoff from /sbin | Rui Salvaterra | 2020-09-20 | 2 | -11/+11
| The required BusyBox applets are enabled by default, so we can rely on them being present in the system. This way, we make sure there are no conflicts with less featured variants of these same applets which might also be present in the system.
|
| Fixes: 0bd7dfa3ed60 ("zram-swap: enable swap discard")
| Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
| [wrap commit description]
| Signed-off-by: David Bauer <mail@david-bauer.net>
* rpcd: update to the latest master | Rafał Miłecki | 2020-09-18 | 1 | -3/+3
| 3fea655 rc: support init.d scripts with START=0
|
| Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* zram-swap: default to lzo instead of lzo-rle compression | Rui Salvaterra | 2020-09-17 | 1 | -2/+3
| On devices with small amounts of RAM, zram-swap fails to initialise due to the default compression algorithm (lzo-rle).
|
| Startup example on an AirGrid M2, with 32 MiB of RAM:
|
| root@airgrid:/etc/config# /etc/init.d/zram start
| zram_start: activating '/dev/zram0' for swapping (13 MegaBytes)
| zram_reset: enforcing defaults via /sys/block/zram0/reset
| sh: write error: Out of memory
| mkswap: image is too small
| swapon: /dev/zram0: Invalid argument
| root@airgrid:/etc/config#
|
| Fix this by defaulting to traditional lzo, which works fine and is always available.
|
| Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
* rpcd: update to the latest master | Rafał Miłecki | 2020-09-10 | 1 | -3/+3
| rc: new ubus object for handling /etc/init.d/ scripts
|
| Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* refpolicy: skip building docs | Daniel Golle | 2020-09-01 | 2 | -1/+13
| Building docs requires xmllint and other bulky things being present on the host. Skip that.
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* fstools: update to the latest version | Hauke Mehrtens | 2020-09-01 | 1 | -3/+3
| 5345343 fstoools: add define for GLOB_ONLYDIR
|
| Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* build: opkg-key variable key folder | Paul Spooren | 2020-08-31 | 1 | -4/+6
| The key folder is used by `opkg` and `usign` to store and retrieve trusted public keys. Using `opkg-key` outside a running device is unfeasible as the key folder is hard coded to `/etc/opkg/keys`.
|
| This commit adds a variable OPKG_KEYS which defaults to `/etc/opkg/keys` if unset, however allows setting arbitrary key folder locations.
|
| Arbitrary key folder locations are useful to add signature verification to the ImageBuilders.
|
| Signed-off-by: Paul Spooren <mail@aparcar.org>
* opkg: update to git HEAD | Daniel Golle | 2020-08-31 | 1 | -3/+3
| 4318ab1 opkg: allow to configure the path to the signature verification script
| cf44c2f libopkg: fix compiler warning
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* refpolicy: new package | Thomas Petazzoni | 2020-08-31 | 2 | -0/+87
| Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
| [update to 2.20200229, adjust Makefile, and move to openwrt.git]
| Signed-off-by: W. Michael Petullo <mike@flyn.org>
* ar71xx: drop target | Adrian Schmutzler | 2020-08-30 | 3 | -4/+1
| This target has been mostly replaced by ath79 and won't be included in the upcoming release anymore. Finally put it to rest.
|
| This also removes all references in packages, tools, etc. as well as the uboot-ar71xx and vsc73x5-ucode packages.
|
| Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* procd: remove duplicate configuration menu | Daniel Golle | 2020-08-13 | 1 | -2/+0
| Fixes: 962e73c1a4 ("procd: add selinux variant")
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: add selinux variant | Paul Spooren | 2020-08-13 | 1 | -7/+31
| This commit adds a `selinux` variant to `procd` allowing to load an SELinux policy at boot.
|
| Signed-off-by: Paul Spooren <mail@aparcar.org>
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* treewide: bump PKG_RELEASE after replacing `which` | Adrian Schmutzler | 2020-08-12 | 1 | -1/+1
| Bump PKG_RELEASE for the affected packages as replacing "which" by "command -v" represents a content change.
|
| Fixes: 1fdf6b745cc3 ("treewide: replace `which` with `command -v`")
| Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* treewide: replace `which` with `command -v` | Paul Spooren | 2020-08-12 | 1 | -3/+3
| Fix shellcheck SC2230
| > which is non-standard. Use builtin 'command -v' instead.
|
| Using `command -v` is POSIX compliant while `which` is not.
|
| Also to mention, `command -v` is a shell builtin whereas `which` is a separate busybox applet.
|
| Once applied to everything concerning OpenWrt we can disable the busybox feature `which` and save 3.8kB.
|
| Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
| Signed-off-by: Paul Spooren <mail@aparcar.org>
| [also replace cases in zram-swap]
| Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* procd: add SELinux support | Thomas Petazzoni | 2020-08-10 | 1 | -5/+6
| This commit adds a patch to procd to support loading the SELinux policy early at boot time, and adjusts the procd package to use this SELinux support when libselinux is enabled.
|
| The procd patch has been submitted separately [1]: obviously the intent is to have it merged in the procd Git repository rather than have it in OpenWrt itself.
|
| [1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025791.html
|
| Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
| [rebase, add commit message]
| Signed-off-by: W. Michael Petullo <mike@flyn.org>
| [split commit into openwrt.git and procd.git]
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-08-06 | 1 | -3/+3
| 47a9f0d service: add method to query available container features
| afbaba9 initd: attempt to mount cgroup2
| ead60fe jail: use pidns semantics also for timens
| 759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
| 83053b6 instance: add instances into unified cgroup hierarchy
| 16159bb jail: parse OCI cgroups resources
| 282ff0c jail: only free cgroups if they were allocated
| ab55357 jail: fix freeing cgroups avl
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* Revert "procd: update to git HEAD" | Daniel Golle | 2020-08-06 | 1 | -3/+3
| This reverts commit e0e607f0d000e62c6af8d822d7c3f57c2a582136.
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-08-06 | 1 | -3/+3
| 47a9f0d service: add method to query available container features
| afbaba9 initd: attempt to mount cgroup2
| ead60fe jail: use pidns semantics also for timens
| 759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
| 83053b6 instance: add instances into unified cgroup hierarchy
| 16159bb jail: parse OCI cgroups resources
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-30 | 1 | -3/+3
| 28be011 instance: make sure values are not inherited from previous runs
| 2ae5cbc uxc: remove debugging left-over
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-29 | 1 | -3/+3
| c3ca99f jail: serialize hook execution
| 8ff8970 jail: add some remaining OCI features
| 9d5fa0a uxc: behave more like a compliant OCI run-time
| 1274033 uxc: fix create operation
| 2d811a4 jail: add 'kill' method to container.%s object
| 08133b8 uxc: use new container.%s kill ubus API
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail: fix build on glibc and uclibc | Daniel Golle | 2020-07-25 | 1 | -3/+3
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-25 | 1 | -3/+3
| 48777de rcS: cast format string to int64_t
| a4df90f jail: fix wrong format for 32-bit
| c482c5d jail: add support for referencing existing namespaces
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to git HEAD once again | Daniel Golle | 2020-07-20 | 1 | -3/+3
| Further complete OCI container support in ujail:
|
| f5f305e jail: move /tmp/resolv.conf.d to /dev/resolv.conf.d
| 6f078ae jail: add support for defining devices
| 686cf7a jail: actually apply filesystem-specific mount options
| f91009a jail: refactor default mounts into new structure
| 66ae2d9 jail: re-implement /proc/sys/net read-write in netns hack
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-19 | 1 | -3/+3
| 9eddf0f jail: fix hooks
| 1b1286b jail: parse and apply OCI sysctl values
| c049047 jail: implement OCI user additionalGIDs
| 0e1920c jail: read and apply umask from OCI if defined
| 1c46cc3 jail: parse and apply POSIX rlimits
| 76adac5 jail: /proc/$pid/oom_score_adj to OCI defined oomScoreAdj
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to git HEAD | Daniel Golle | 2020-07-17 | 1 | -4/+4
| 8d5208f jail: fix false return in case of nofail mount
| b41f76b procd: fix compile if procd-ujail is not selected
| 86a5105 jail: fs: fix build on uClibc-ng
| bfce7d1 jail: fix some more mount options
| 268126a jail: add support for maskedPaths and readonlyPaths
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* package: drop PKG_VERSION for purely local packages | Adrian Schmutzler | 2020-07-15 | 2 | -3/+1
| In the package guidelines, PKG_VERSION is supposed to be used as "The upstream version number that we're downloading", while PKG_RELEASE is referred to as "The version of this package Makefile". Thus, the variables in a strict interpretation provide a clear distinction between "their" (upstream) version in PKG_VERSION and "our" (local OpenWrt trunk) version in PKG_RELEASE.
|
| For local (OpenWrt-only) packages, this implies that those will only need PKG_RELEASE defined, while PKG_VERSION does not apply following a strict interpretation.
|
| While the majority of "our" packages actually follow that scheme, there are also some that mix both variables or have one of them defined but keep them at "1".
|
| This is misleading and confusing, which can be observed by the fact that there typically either one of the variables is never bumped or the choice of the variable to increase depends on the person doing the change.
|
| Consequently, this patch aims at clarifying the situation by consistently using only PKG_RELEASE for "our" packages. To achieve that, PKG_VERSION is removed there, bumping PKG_RELEASE where necessary to ensure the resulting package version string is bigger than before.
|
| During adjustment, one has to make sure that the new resulting composite package version will not be considered "older" than the previous one. A useful tool for evaluating that is 'opkg compare-versions'. In principle, there are the following cases:
|
| 1. Sole PKG_VERSION replaced by sole PKG_RELEASE: In this case, the resulting version string does not change, it's just the value of the variable put in the file. Consequently, we do not bump the number in these cases so nobody is tempted to install the same package again.
|
| 2. PKG_VERSION and PKG_RELEASE replaced by sole PKG_RELEASE: In this case, the resulting version string has been "version-release", e.g. 1-3 or 1.0-3. For this case, the new PKG_RELEASE will just need to be higher than the previous PKG_VERSION. For the cases where PKG_VERSION has always stuck to "1", and PKG_RELEASE has been incremented, we take the most recent value of PKG_RELEASE.
|
| Apart from that, a few packages appear to have developed their own complex versioning scheme, e.g. using x.y.z number for PKG_VERSION _and_ a PKG_RELEASE (qos-scripts) or using dates for PKG_VERSION (adb-enablemodem, wwan). I didn't touch these few in this patch.
|
| Cc: Hans Dedecker <dedeckeh@gmail.com>
| Cc: Felix Fietkau <nbd@nbd.name>
| Cc: Andre Valentin <avalentin@marcant.net>
| Cc: Matthias Schiffer <mschiffer@universe-factory.net>
| Cc: Jo-Philipp Wich <jo@mein.io>
| Cc: Steven Barth <steven@midlink.org>
| Cc: Daniel Golle <dgolle@allnet.de>
| Cc: John Crispin <john@phrozen.org>
| Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* procd: allow optional watchdog instance parameter | Daniel Bailey | 2020-07-14 | 1 | -2/+2
| Optional instance watchdog timeout and watchdog mode can be set by adding:
|
| procd_set_param $mode $timeout
|
| $mode is an integer [0-1] representing instance watchdog mode of operation:
| 0 = disabled
| 1 = passive mode, client must periodically poke watchdog via ubus
|
| $timeout is an integer representing how often, in seconds, the watchdog must be poked.
|
| Signed-off-by: Daniel Bailey <danielb@meshplusplus.com>
* procd: update to git HEAD | Daniel Golle | 2020-07-14 | 1 | -3/+3
| 639df57 uxc: fix build with uClibc-ng
| b2230e4 procd: add service instance watchdog
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-13 | 1 | -3/+3
| aed7fb3 procd: fix compilation with uClibc-ng
| 9d0f831 jail: fix segfault with len(uidmap/gidmap) > 1
| 42a6217 jail: consider PATH for argv in OCI container
| 83f4b72 jail: actually chdir into OCI defined CWD
| fc9f614 jail: parse and run OCI hooks
| 02eec92 jail: memory allocation fixes
| 71e75f4 jail: refactor mount support to cover OCI spec
| b586e7d jail: don't make mount source read-only
| dacab12 uxc: fix 'stop' command
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>