[PATCH 1/2] libnl: add libnl-cli library

2021-01-13 Thread Pavel Šimerda 
---
 package/libs/libnl/Makefile | 19 ++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/package/libs/libnl/Makefile b/package/libs/libnl/Makefile
index db0c65c7a7..3b9bad4533 100644
--- a/package/libs/libnl/Makefile
+++ b/package/libs/libnl/Makefile
@@ -52,16 +52,26 @@ $(call Package/libnl/default)
   DEPENDS:=+libnl-route
 endef
 
+define Package/libnl-cli
+$(call Package/libnl/default)
+  TITLE:=Netlink Library CLI
+  DEPENDS:=+libnl-genl +libnl-route +libnl-nf
+endef
+
 define Package/libnl
 $(call Package/libnl/default)
   TITLE:=Full Netlink Library
-  DEPENDS:=+libnl-genl +libnl-route +libnl-nf
+  DEPENDS:=+libnl-genl +libnl-route +libnl-nf +libnl-cli
 endef
 
 define Package/libnl-core/description
  Common code for all netlink libraries
 endef
 
+define Package/libnl-cli/description
+ CLI Netlink Library Functions
+endef
+
 define Package/libnl-genl/description
  Generic Netlink Library Functions
 endef
@@ -92,6 +102,7 @@ define Build/InstallDev
 
# Copy symlinks
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-3.so $(1)/usr/lib/libnl.so
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-cli-3.so $(1)/usr/lib/libnl.so
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-genl-3.so 
$(1)/usr/lib/libnl-genl.so
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-nf-3.so $(1)/usr/lib/libnl-nf.so
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-route-3.so 
$(1)/usr/lib/libnl-route.so
@@ -102,6 +113,11 @@ define Package/libnl-core/install
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-3.so.* $(1)/usr/lib/
 endef
 
+define Package/libnl-cli/install
+   $(INSTALL_DIR) $(1)/usr/lib
+   $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-cli-3.so.* $(1)/usr/lib/
+endef
+
 define Package/libnl-genl/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnl-genl-3.so.* $(1)/usr/lib/
@@ -122,6 +138,7 @@ define Package/libnl/install
 endef
 
 $(eval $(call BuildPackage,libnl-core))
+$(eval $(call BuildPackage,libnl-cli))
 $(eval $(call BuildPackage,libnl-genl))
 $(eval $(call BuildPackage,libnl-route))
 $(eval $(call BuildPackage,libnl-nf))
-- 
2.29.2


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

[PATCH 2/2] libteam: add library to control team devices

2021-01-13 Thread Pavel Šimerda 
---
 package/network/services/libteam/Makefile | 30 +
 .../0001-fix-build-on-OpenWRT-musl-libc.patch | 43 +++
 2 files changed, 73 insertions(+)
 create mode 100644 package/network/services/libteam/Makefile
 create mode 100644 
package/network/services/libteam/patches/0001-fix-build-on-OpenWRT-musl-libc.patch

diff --git a/package/network/services/libteam/Makefile 
b/package/network/services/libteam/Makefile
new file mode 100644
index 00..367134656b
--- /dev/null
+++ b/package/network/services/libteam/Makefile
@@ -0,0 +1,30 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME := libteam
+PKG_FIXUP := autoreconf
+PKG_BUILD_DEPENDS := libdaemon jansson
+PKG_INSTALL := 1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL=https://github.com/jpirko/libteam.git
+PKG_SOURCE_DATE:=2021-01-12
+PKG_SOURCE_VERSION:=61efd6de2fbb8ee077863ee5a355ac3dfd9365b9
+
+PKG_LICENSE:=LGPL-2.1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/libteam
+  SECTION := base
+  CATEGORY := Network
+  DEPENDS := +libnl +libnl-cli +libnl-core +libnl-genl +libnl-nf +libnl-route 
+libdaemon +jansson
+  TITLE := Library for controlling team network device
+  URL := http://libteam.org/
+endef
+
+define Package/libteam/install
+   $(INSTALL_DIR) $(1)/
+   $(CP) $(PKG_INSTALL_DIR)/. $(1)/
+endef
+
+$(eval $(call BuildPackage,libteam))
diff --git 
a/package/network/services/libteam/patches/0001-fix-build-on-OpenWRT-musl-libc.patch
 
b/package/network/services/libteam/patches/0001-fix-build-on-OpenWRT-musl-libc.patch
new file mode 100644
index 00..71b2b8abba
--- /dev/null
+++ 
b/package/network/services/libteam/patches/0001-fix-build-on-OpenWRT-musl-libc.patch
@@ -0,0 +1,43 @@
+From 5a5825708ba0bfcb7700a9fba4ea9f8c41c1ae6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20=C5=A0imerda?= 
+Date: Tue, 5 Jan 2021 22:13:06 +0100
+Subject: [PATCH] fix build on OpenWRT/musl-libc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Pavel Šimerda 
+---
+ teamd/teamd_runner_lacp.c | 2 --
+ utils/teamnl.c| 1 +
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/teamd/teamd_runner_lacp.c b/teamd/teamd_runner_lacp.c
+index 9437f05..f524be2 100644
+--- a/teamd/teamd_runner_lacp.c
 b/teamd/teamd_runner_lacp.c
+@@ -23,9 +23,7 @@
+ #include 
+ #include 
+ #include 
+-#include 
+ #include 
+-#include 
+ #include 
+ #include 
+ #include 
+diff --git a/utils/teamnl.c b/utils/teamnl.c
+index c53345d..ec2b435 100644
+--- a/utils/teamnl.c
 b/utils/teamnl.c
+@@ -24,6 +24,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 
+-- 
+2.29.2
+
-- 
2.29.2


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Re: ath10k-ct all hash values are different?

2021-01-13 Thread Sven Roederer 
Ben,

seems to me, that at least "firmware-5-ct-full-community-12.bin-lede.013" is 
still not recovered. File is there, but contains only 0x00.
This seems to cause my fresh build of 19.07.5 to fail.


+ curl -f --connect-timeout 20 --retry 5 --location --insecure https://
www.candelatech.com/downloads/ath10k-10-4b/firmware-5-ct-full-
community-12.bin-lede.013
  % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
 Dload  Upload   Total   SpentLeft  Speed

  0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
100  548k  100  548k0 0   985k  0 --:--:-- --:--:-- --:--:--  985k
Hash of the downloaded file does not match (file: 
6a95c4323e008499af8d3549513c8a128c69b97296888a4c4b642e6c14a65508, requested: 
6fa74a3fc87cba97dbc4a7213b760f8d997cd9c5f11900d47d387b23764cf20a) - deleting 
download.


Can you check please?

Sven




___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Re: [PATCH v2 00/10] kernel: mtdsplit_uimage: use device tree properties for non-standard uimage parsing

2021-01-13 Thread Sander Vanheule 
Hi,

On Mon, 2020-11-30 at 23:19 +0100, Bjørn Mork wrote:
> Bjørn Mork (10):
>   dt-bindings: mtd: partitions: add OpenWrt defined U-Boot Image
>   kernel: mtdsplit_uimage: read extralen from device tree
>   kernel: mtdsplit_uimage: replace "fonfxc" and "sge" parsers
>   kernel: mtdsplit_uimage: add "openwrt,ih-magic" device-tree
> property
>   kernel: mtdsplit_uimage: replace "openwrt,okli" parser
>   kernel: mtdsplit_uimage: replace "allnet,uimage" parser
>   kernel: mtdsplit_uimage: add "openwrt,ih-type" device-tree property
>   kernel: mtdsplit_uimage: replace "netgear,uimage" parser
>   kernel: mtdsplit_uimage: add "openwrt,offset" and
>     "openwrt,partition-magic"
>   kernel: mtdsplit_uimage: replace "edimax,uimage" parser

Using Petr's builds and my own builds, I've run-tested this on my
WNDR3700v2 (ath79/generic). Flashing first Petr's build, I ended up in
a boot loop, although booting only failed after the partitions were
correctly processed, similar to [1]. My own build and a second flash
with ynezz's test build have  produced no issues, so I think the boot-
loop is unrelated to the patches.

Tested-by: Sander Vanheule 

[1] https://bugs.openwrt.org/index.php?do=details_id=478

Best,
Sander



___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Re: SELinux status report and call to action

2021-01-13 Thread Dominick Grift 


On 1/13/21 5:42 PM, David Lang wrote:
> OpenWRT uses different commands than other distros for manipulating
> configs, so those different programs are going to need to be given
> appropriate permissions.

UCI should already be addressed barring any loose ends (LuCI coverage is
still rough though)

> 
> Who is going to do that work? Who is going to field all the issues that
> will come up because the permissions are not correct for some user's
> setup (and how many people will be able to figure out that SELinux
> caused the problem as opposed to "OpenWRT doesn't work")

UCI should be covered and the README in my repository clearly states:

"Contributing
Thank you for considering contributing! Please send patches with
git-send-email to dominick.gr...@defensec.nl and sign your work."

I suppose I should clarify that bug reports can also be directed to the
above email address.

If you have better ideas then please let us know.

I guess people can also report github issues for the "selinux-policy"
packages. I am monitoring github as well so if something shows up i will
probably be on top of it.

> 
> If it's just enabled with a permissive ruleset, what's the advantage of
> the additional overhead (both from the permission checking, and the
> logging of the results)?

It is currently *not* enabled with a permissive ruleset. But i think
that, for now, it might be a good idea to leave SELinux in permisisve
mode. There are two reasons for this:

1. SELinux will be in detection only mode rather than prevention mode so
that stuff just works but events that would have been prevented if
SELinux were enforcing are still logged.

2. This will make it so that SELinux doesnt actively block (for now) so
that we can identify any permissions that are needed (because SELinux
will print any events that it would have blocked and those events can be
feed back to me so that i can append the needed rules)

Then after a while we can switch to enforcing mode.

Ofcourse any of you OpenWrt devs can just modify the package to make
SELinux permissive yourself easily (its easy, but if making it
permissive for now by default helps people get to try it then we might
want to default to permisisve)

> 
> Yes other distros had to go through this same pain, but that doesn't
> mean that the pain isn't there for OpenWRT as well.

The difference is that we had a chance to learn from their "mistakes". I
went to great lengths to make it proof.

Also OpenWrt is not like other distro's. It is *much* simpler.

LuCI poses a challenge though. There are various components involved and
to address it in a meaningful way is rather intrusive. (however one can
build the policy without the LuCI aspects which simplifies things a
great deal.

LuCI is also very modular, and al these modules have to be addressed.
Otherwise you end up with LuCI where various spokes do not show up or if
they show up the will not be allowed to function.

I addressed most of the basic LuCI apects. So the basics work but again
there are many optional modules that have to be supported and then tested.

> 
> David Lang
> 
>  On Wed, 13 Jan 2021, Dac Override wrote:
> 
>> Date: Wed, 13 Jan 2021 17:34:56 +0100
>> From: Dac Override 
>> To: openwrt-devel@lists.openwrt.org
>> Subject: Re: Re: SELinux status report and call to action
>>
>> Hello Alberto,
>>
>> Thanks for you input. I agree that leveraging SELinux is, like for
>> example leveraging Linux netfilter, not trivial.
>> SELinux is however well documenting and with the exception of OpenWrt
>> specifics it might not be productive to yet again document aspects
>> that are already published elsewhere.
>>
>> I have created a document that explains how to build and edit the
>> OpenWrt policy and I have also enclosed a link to the policy language
>> used to write the OpenWrt policy:
>>
>> https://git.defensec.nl/?p=selinux-policy.git;a=summary
>>
>> 1. The CIL used to write OpenWrt policy:
>> https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/README.md
>>
>> 2. OpenWrt policy customization and testing:
>> https://github.com/doverride/openwrt-selinux-policy/blob/master/README.md
>>
>> Generally one should not have to interact with SELinux in OpenWrt but
>> there are some exceptions
>>
>> 1. Some commands might be "targeted" by default and *if* a command
>> cannot operate properly because it is targeted then you can manually
>> run the command "unconfined": For example: you want to use `iw` but
>> SELinux blocks it, then you can run iw from a shell with `runcon -t
>> sys.subj -- iw`  to by pass the SELinux restrictions.
>>
>> 2. Some commands might *not* be targeted by default and *if* you want
>> to run  that command with "basic" set of restrictions then you can run
>> the command in a "SELinux sandbox". For example you want to run `bmon`
>> with restricted permissions but SELinux does not target it by default
>> then you can run bmon from a shell with `runcon -t sandbox.subj --
>> bmon` or `runcon -t sandbox.net,subj --

Re: Re: SELinux status report and call to action

2021-01-13 Thread David Lang 
OpenWRT uses different commands than other distros for manipulating configs, so 
those different programs are going to need to be given appropriate permissions.


Who is going to do that work? Who is going to field all the issues that will 
come up because the permissions are not correct for some user's setup (and how 
many people will be able to figure out that SELinux caused the problem as 
opposed to "OpenWRT doesn't work")


If it's just enabled with a permissive ruleset, what's the advantage of the 
additional overhead (both from the permission checking, and the logging of the 
results)?


Yes other distros had to go through this same pain, but that doesn't mean that 
the pain isn't there for OpenWRT as well.


David Lang

 On Wed, 13 Jan 2021, Dac Override wrote:


Date: Wed, 13 Jan 2021 17:34:56 +0100
From: Dac Override 
To: openwrt-devel@lists.openwrt.org
Subject: Re: Re: SELinux status report and call to action

Hello Alberto,

Thanks for you input. I agree that leveraging SELinux is, like for
example leveraging Linux netfilter, not trivial.
SELinux is however well documenting and with the exception of OpenWrt
specifics it might not be productive to yet again document aspects
that are already published elsewhere.

I have created a document that explains how to build and edit the
OpenWrt policy and I have also enclosed a link to the policy language
used to write the OpenWrt policy:

https://git.defensec.nl/?p=selinux-policy.git;a=summary

1. The CIL used to write OpenWrt policy:
https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/README.md
2. OpenWrt policy customization and testing:
https://github.com/doverride/openwrt-selinux-policy/blob/master/README.md

Generally one should not have to interact with SELinux in OpenWrt but
there are some exceptions

1. Some commands might be "targeted" by default and *if* a command
cannot operate properly because it is targeted then you can manually
run the command "unconfined": For example: you want to use `iw` but
SELinux blocks it, then you can run iw from a shell with `runcon -t
sys.subj -- iw`  to by pass the SELinux restrictions.

2. Some commands might *not* be targeted by default and *if* you want
to run  that command with "basic" set of restrictions then you can run
the command in a "SELinux sandbox". For example you want to run `bmon`
with restricted permissions but SELinux does not target it by default
then you can run bmon from a shell with `runcon -t sandbox.subj --
bmon` or `runcon -t sandbox.net,subj -- bmon` (you can also execute a
restricted shell or tmux  session this way (runcon -t sandbox.net.subj
-- sh or runcon -t sandbox.net.subj -- tmux)

3. If a file for some reason ends up with a bad label (SELinux
associates labels with inodes using the security.selinux security
extended attribute) then you can use restorecon command.

I have many video's on youtube with casual demonstrations on how to
address various SELinux/OpenWrt issues and other case studies:

For example: chronyd recently (in november last year) enhanced
configuration and packaging, and so I had to adjust the policy so that
the changes work. I documented the whole process here:

https://www.youtube.com/watch?v=xC-YrlCR7iU

Here is a demonstration of the SELinux openwrt sandbox functionality:

https://www.youtube.com/watch?v=Ic_k9qknh_Q

Filesystem management with SELinux and OpenWrt (zram example with f2fs):

https://www.youtube.com/watch?v=R1wyv_poN4U

There are various other videos on my channel with casual demo's and ramblings:

Here is approx. 3 hours of SELinux with OpenWrt ramble touching on
various topic:

https://www.youtube.com/watch?v=Q4_SWTAcQSY

Maybe we should create a Wiki page on the OpenWrt website where we can
bundle these resources.

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel



___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Re: Re: SELinux status report and call to action

2021-01-13 Thread Dac Override 
Hello Alberto,

Thanks for you input. I agree that leveraging SELinux is, like for
example leveraging Linux netfilter, not trivial.
SELinux is however well documenting and with the exception of OpenWrt
specifics it might not be productive to yet again document aspects
that are already published elsewhere.

I have created a document that explains how to build and edit the
OpenWrt policy and I have also enclosed a link to the policy language
used to write the OpenWrt policy:

https://git.defensec.nl/?p=selinux-policy.git;a=summary

1. The CIL used to write OpenWrt policy:
https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/README.md
2. OpenWrt policy customization and testing:
https://github.com/doverride/openwrt-selinux-policy/blob/master/README.md

Generally one should not have to interact with SELinux in OpenWrt but
there are some exceptions

1. Some commands might be "targeted" by default and *if* a command
cannot operate properly because it is targeted then you can manually
run the command "unconfined": For example: you want to use `iw` but
SELinux blocks it, then you can run iw from a shell with `runcon -t
sys.subj -- iw`  to by pass the SELinux restrictions.

2. Some commands might *not* be targeted by default and *if* you want
to run  that command with "basic" set of restrictions then you can run
the command in a "SELinux sandbox". For example you want to run `bmon`
 with restricted permissions but SELinux does not target it by default
then you can run bmon from a shell with `runcon -t sandbox.subj --
bmon` or `runcon -t sandbox.net,subj -- bmon` (you can also execute a
restricted shell or tmux  session this way (runcon -t sandbox.net.subj
-- sh or runcon -t sandbox.net.subj -- tmux)

3. If a file for some reason ends up with a bad label (SELinux
associates labels with inodes using the security.selinux security
extended attribute) then you can use restorecon command.

I have many video's on youtube with casual demonstrations on how to
address various SELinux/OpenWrt issues and other case studies:

For example: chronyd recently (in november last year) enhanced
configuration and packaging, and so I had to adjust the policy so that
the changes work. I documented the whole process here:

https://www.youtube.com/watch?v=xC-YrlCR7iU

Here is a demonstration of the SELinux openwrt sandbox functionality:

https://www.youtube.com/watch?v=Ic_k9qknh_Q

Filesystem management with SELinux and OpenWrt (zram example with f2fs):

https://www.youtube.com/watch?v=R1wyv_poN4U

There are various other videos on my channel with casual demo's and ramblings:

Here is approx. 3 hours of SELinux with OpenWrt ramble touching on
various topic:

https://www.youtube.com/watch?v=Q4_SWTAcQSY

Maybe we should create a Wiki page on the OpenWrt website where we can
bundle these resources.

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Re: base-files: flush kernel memory cache during sysupgrade

2021-01-13 Thread Hannu Nyman 

Stijn Segers kirjoitti 13.1.2021 klo 0.48:
Have tested this on a few low-RAM devices, among which a TL-WR841N v7 (32 
MiB) and a WNDR3700 v2 (64 MiB).


No idea if this is still necessary/wanted but would be nice to see this end 
up in master (and trickle down to 21.xx :-D ).


Tested-by: Stijn Segers 


Hi Stijn,

this has been merged already in December as commit 3d12b4798:

https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=3d12b47985fc1983849925d2dc23430f55210c80



___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Re: [PATCH v2 0/12] add ubus support to ltq-[v|a]dsl-app

2021-01-13 Thread Martin Schiller 

On 2021-01-09 09:40, Andre Heider wrote:

Hi,

(cc'ed some recent commiters for lantiq)

On 15/12/2020 10:35, Andre Heider wrote:

v2:
- drop 0002-ltq-vdsl-app-fix-Wundef-warnings.patch
- use "/dev/dsl_cpe_api" without the "0" suffix for the adsl daemon:
   package/kernel/lantiq/ltq-adsl/patches/100-dsl_compat.patch:+   
device_create(dsl_class, NULL, MKDEV(DRV_DSL_CPE_API_DEV_MAJOR, 0), 
NULL, "dsl_cpe_api");
   package/kernel/lantiq/ltq-vdsl/patches/100-compat.patch:+   
device_create(dsl_class, NULL, dsl_devt, NULL, "dsl_cpe_api0");

- use callDSLMetrics() for luci, per jo
- add Tested-by tags

This is to significantly speed up the generation of the metrics.

The motivation comes from the fact that ~2.6s is just way too
ineffcient for interval based metric collectors like prometheus or
collectd.

The luci status page also loads/refreshes alot faster.

$ time /etc/init.d/dsl_control dslstat
real0m 2.66s
user0m 0.90s
sys 0m 1.76s

$ time ubus call dsl metrics
real0m 0.02s
user0m 0.00s
sys 0m 0.01s

The ltq-adsl-app changes are only compile time tested.


who do I need to convince to review this? ;)


I would also like this great work to be merged.

Martin

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

[PATCH] firmware-utils: bcm4908img: tool adding BCM4908 image tail

2021-01-13 Thread Rafał Miłecki 
From: Rafał Miłecki 

Flashing image with BCM4908 CFE bootloader requires specific firmware
format. It needs 20 extra bytes with magic numbers and CRC32 appended.

This tools allows appending such a tail to the specified image and also
verifying CRC32 of existing BCM4908 image.

Signed-off-by: Rafał Miłecki 
---
 tools/firmware-utils/Makefile |   1 +
 tools/firmware-utils/src/bcm4908img.c | 379 ++
 2 files changed, 380 insertions(+)
 create mode 100644 tools/firmware-utils/src/bcm4908img.c

diff --git a/tools/firmware-utils/Makefile b/tools/firmware-utils/Makefile
index a8c6ab4f65..055082593b 100644
--- a/tools/firmware-utils/Makefile
+++ b/tools/firmware-utils/Makefile
@@ -27,6 +27,7 @@ define Host/Compile
$(call cc,add_header)
$(call cc,addpattern)
$(call cc,asustrx)
+   $(call cc,bcm4908img,-Wall)
$(call cc,bcm4908kernel,-Wall)
$(call cc,buffalo-enc buffalo-lib,-Wall)
$(call cc,buffalo-tag buffalo-lib,-Wall)
diff --git a/tools/firmware-utils/src/bcm4908img.c 
b/tools/firmware-utils/src/bcm4908img.c
new file mode 100644
index 00..86a187b146
--- /dev/null
+++ b/tools/firmware-utils/src/bcm4908img.c
@@ -0,0 +1,379 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2021 Rafał Miłecki 
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#if !defined(__BYTE_ORDER)
+#error "Unknown byte order"
+#endif
+
+#if __BYTE_ORDER == __BIG_ENDIAN
+#define cpu_to_le32(x) bswap_32(x)
+#define le32_to_cpu(x) bswap_32(x)
+#elif __BYTE_ORDER == __LITTLE_ENDIAN
+#define cpu_to_le32(x) (x)
+#define le32_to_cpu(x) (x)
+#else
+#error "Unsupported endianness"
+#endif
+
+struct bcm4908img_tail {
+   uint32_t crc32;
+   uint32_t unk1;
+   uint32_t family;
+   uint32_t unk2;
+   uint32_t unk3;
+};
+
+char *pathname;
+static size_t prefix_len;
+static size_t suffix_len;
+
+static inline size_t bcm4908img_min(size_t x, size_t y) {
+   return x < y ? x : y;
+}
+
+/**
+ * CRC32
+ **/
+
+static const uint32_t crc32_tbl[] = {
+   0x, 0x77073096, 0xee0e612c, 0x990951ba,
+   0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3,
+   0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
+   0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91,
+   0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,
+   0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
+   0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec,
+   0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5,
+   0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172,
+   0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,
+   0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940,
+   0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59,
+   0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116,
+   0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f,
+   0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
+   0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d,
+   0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a,
+   0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433,
+   0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818,
+   0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,
+   0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e,
+   0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457,
+   0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c,
+   0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65,
+   0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,
+   0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb,
+   0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0,
+   0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9,
+   0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086,
+   0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
+   0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4,
+   0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad,
+   0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a,
+   0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683,
+   0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,
+   0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1,
+   0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe,
+   0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7,
+   0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc,
+   0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,
+   0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252,
+   0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b,
+   0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60,
+   0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79,
+   0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
+   0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f,
+   0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04,
+   0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d,
+   0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a,
+   0x9c0906a9, 0xeb0e363f,

Re: SELinux status report and call to action

2021-01-13 Thread Alberto Bursi 




On 12/01/21 18:27, Dominick Grift wrote:


-
My question to the reader is: why haven't you enabled SELinux yet on
your test builds at least? Or maybe you have but you havent given any
feedback. Why is that?


Thanks,



Lack of documentation. Selinux is not an easy topic even on a normal 
Linux distro, and there is little if any info on how to use it (or why 
use it) in OpenWrt.


I think a necessary first step for adoption is writing some docs about 
what it is, and how to use it in the wiki/site openwrt.org


Since I know very little about it, I can't do that.

But you said you gave a talk about this topic in a large conference, 
maybe you can write some documentation?


-Alberto

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Re: SELinux status report and call to action

2021-01-13 Thread Dominick Grift 
On 1/12/21 6:27 PM, Dominick Grift wrote:
> 
> Community,
> 
> Optional SELinux support has been added to OpenWrt for a while now and I
> gave a talk about the status at "Battle of the meshes 13th edition".
> 
> There was a comment mentioning that there was an impression that
> "rolling out SELinux on OpenWrt" would still require lots of work and
> that there are still lots of "loose ends". I failed to ask the person
> what work and what loose ends he still see's.
> 
> Regardless in the few months that have passed I have had give or take three
> times feedback on SELinux in OpenWrt:
> 
> 1. dangole tests bootstrap every once in a while and if needed he
> provides me with information and contributions needed to get and keep
> that to work on atleast devices and configurations he is using.
> 
> 2. I had one person e-mailing me mentioning that, i guess, WPA
> enterprise, does not work and that wpa_supplicant needs to be able to
> connect to a radius server for this  (i addressed that issue to the
> best of my ability but havent heared from the person since and I am not
> sure whether that means that its is fixed or that the person hasnt
> tested it since the fixed trickled down)
> 
> 3. jow gave some casual feedback on running services on alternate
> network ports and i addressed this issue as well although the fix for
> that might not have trickled down yet.
> 
> I was hoping for a little more exposure and feedback than this. The way
> i see it, it should not be much of an extra burden for OpenWrt devs to
> build their systems with SELinux support and to report any obvious
> issues back so that the effort can evolve instead of face early death.
> 
> My question to the reader is: why haven't you enabled SELinux yet on
> your test builds at least? Or maybe you have but you havent given any
> feedback. Why is that?
> 
> Is it too much of a burden? If that is the case we could for now
> consider shipping a "permissive" policy so that SELinux will never
> be in your way if that helps.
> 
> Can you please consider just enabling SELinux on your tests? If there
> are any observations and SELinux related messages in the logs then
> please report those to me via email or IRC?
> 
> If you have objections then please let me know what those objections are
> so that I can identify whether those objections can be addressed.
> 
> I did not, and do not expect that SELinux adoption would be popular but
> for developers that are very familiar with OpenWrt I do not see much of
> a reason not to enable it on test builds/systems either. Your feedback
> is valuable and is important to help improve the experience.
> 
> SELinux on OpenWrt works great for me and to be honest that is my first
> priority but with a little more involvement and interest from others
> there is much more room for improvement.
> 
> If you just build your systems with SELinux enabled and then provide
> feedback if there is something to report then that would be
> appreciated. If something is stopping you and if there is something i
> can do to make it easier then please let it be known.
> 
> Thanks,
> 

I received some feedback off-list and there was some chatter on IRC.
This reminds me that I should mention that LuCI integration is known to
have a lot of rough edges (although, with the exception of sysupgrade
and package management, most of the *LuCI-basics* should work). To be
honest I did not expect it that aside from LuCI developers, users of
this list would be using LuCI on development snapshots.

Nevertheless, be aware that LuCI has known rough edges and that I see
LuCI as a separate optional layer. I am not trying to justify the issues
there (and I do also appreciate any LuCI feedback), but LuCI needs a lot
more work.

Please do not let that stand in the way of testing the remainder of OpenWrt.

Thanks

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

[no subject]

2021-01-13 Thread Etan Kissling via openwrt-devel 
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.--- Begin Message ---
This allows configuration of multicast_to_unicast and per_sta_vif options.
- multicast_to_unicast requests multicast-to-unicast conversion.
- per_sta_vif assigns each station its own AP_VLAN interface.

Signed-off-by: Etan Kissling 
---
 package/network/services/hostapd/Makefile |  2 +-
 package/network/services/hostapd/files/hostapd.sh | 15 ++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/package/network/services/hostapd/Makefile 
b/package/network/services/hostapd/Makefile
index f57b072974..a6d56d1433 100644
--- a/package/network/services/hostapd/Makefile
+++ b/package/network/services/hostapd/Makefile
@@ -7,7 +7,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostapd
-PKG_RELEASE:=23
+PKG_RELEASE:=24
 
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git
diff --git a/package/network/services/hostapd/files/hostapd.sh 
b/package/network/services/hostapd/files/hostapd.sh
index 7d9ee5121e..cee9a8eaa2 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -331,6 +331,8 @@ hostapd_common_add_bss_config() {
config_add_array airtime_sta_weight
config_add_int airtime_bss_weight airtime_bss_limit
 
+   config_add_boolean multicast_to_unicast per_sta_vif
+
config_add_array hostapd_bss_options
 }
 
@@ -480,7 +482,8 @@ hostapd_set_bss_options() {
acct_server acct_secret acct_port acct_interval \
bss_load_update_period chan_util_avg_period sae_require_mfp \
multi_ap multi_ap_backhaul_ssid multi_ap_backhaul_key 
skip_inactivity_poll \
-   airtime_bss_weight airtime_bss_limit airtime_sta_weight
+   airtime_bss_weight airtime_bss_limit airtime_sta_weight \
+   multicast_to_unicast per_sta_vif
 
set_default isolate 0
set_default maxassoc 0
@@ -942,6 +945,16 @@ hostapd_set_bss_options() {
json_for_each_item append_operator_icon operator_icon
fi
 
+   set_default multicast_to_unicast 0
+   if [ "$multicast_to_unicast" -gt 0 ]; then
+   append bss_conf "multicast_to_unicast=$multicast_to_unicast" 
"$N"
+   fi
+
+   set_default per_sta_vif 0
+   if [ "$per_sta_vif" -gt 0 ]; then
+   append bss_conf "per_sta_vif=$per_sta_vif" "$N"
+   fi
+
json_get_values opts hostapd_bss_options
for val in $opts; do
append bss_conf "$val" "$N"
-- 
2.21.1 (Apple Git-122.3)




--- End Message ---
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel