Hello all,
can you please add asterisk13-chan-lantiq to the LEDE packages for mips_24kc?
It's possible to build this package via the SDK and I would appreciate if you
can build it automatically.
Best regards
Tim
___
Lede-dev mailing list
Lede-dev@lis
When a service is started for the first time without trace
attribute (e.g. during boot), then it was impossible to restart it in
tracing mode (/etc/init.d/service trace). This is fixed here.
Signed-off-by: Michal Sojka
---
service/instance.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/se
We want to copy the existing environment instead of the new one to
itself. Other bugs in this code are fixed in the next commit.
Signed-off-by: Michal Sojka
---
trace/trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/trace/trace.c b/trace/trace.c
index fdffaba..04bf7a5
When uloop_process_add() is called outside of uloop_run(), i.e. not
from a callback (which is the case of at least utrace and ujail),
child events can be missed. The reason is that when SIGCHLD handler
is installed in uloop_run(), after the uloop_process_add() is called,
then an initial signal cou
This fixes two errors:
1) memcpy() copies envc elements starting from index 1, so the number
of elements in target array should be envc + 1. But only envc was
allocated.
2) If original environment envp is empty, i.e. it contains only a NULL
element, the while loop misses it.
Signed-off-
When a service is started with "/etc/init.d/ trace" or when
it has seccomp enabled (i.e. runs under seccomp-trace), stopping the
service with "/etc/init.d/ stop" stops only the tracer. The
service itself continues executing. This patch ensures that the service
is terminated as well.
Signed-off-by:
Hi all,
this patch series enhances seccomp sandboxing of procd services. It
introduces two main features:
1. Support for multi-threaded and multi-process services (previously,
utrace which creates seccomp whitelists was usable only for
single-threaded processes) and
2. logging of seccomp v
Signed-off-by: Michal Sojka
---
trace/trace.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/trace/trace.c b/trace/trace.c
index f882c2e..4c25a4f 100644
--- a/trace/trace.c
+++ b/trace/trace.c
@@ -163,7 +163,9 @@ static void tracer_cb(struct uloop_process *c, int ret)
seccomp and service jailing announce email [1] mentioned that "utrace
tool will sort the syscalls by the number of invocations". The code
did not do that until this commit.
[1] https://lists.openwrt.org/pipermail/openwrt-devel/2015-March/032197.html
Signed-off-by: Michal Sojka
---
trace/trace.c
Without this change, traced processes do not receive any signal,
because all the signals are "eaten" by the tracer.
Signed-off-by: Michal Sojka
---
trace/trace.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/trace/trace.c b/trace/trace.c
index 4c25a4f..cad2d37 10
This makes it easier to handle initial ptrace-stops (after
fork/clone/...), because we don't need to distinguish whether SIGSTOP
is from user or from ptrace. Also execve() does not deliver an extra
SIGTRAP, which we would have to handle.
Signed-off-by: Michal Sojka
---
trace/preload.c | 1 -
tr
---
trace/trace.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/trace/trace.c b/trace/trace.c
index 6fbe608..eead9c5 100644
--- a/trace/trace.c
+++ b/trace/trace.c
@@ -25,6 +25,7 @@
#include
#include
#include
+#include
#ifndef PTRACE_EVENT_STOP
/* PTRACE_EVE
Without this change, utrace can trace only a single process. When the
process forks, syscalls of its children do not appear in utrace
output. This is a problem, because seccomp filters are inherited by
children and therefore filters generated by utrace may lack legitimate
syscalls.
This commit ena
Signed-off-by: Michal Sojka
---
jail/seccomp.c | 10 +-
jail/seccomp.h | 4
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/jail/seccomp.c b/jail/seccomp.c
index 1a2bb27..27bf3ce 100644
--- a/jail/seccomp.c
+++ b/jail/seccomp.c
@@ -67,13 +67,13 @@ int install_syscall_
Previously, when seccomp configuration file for a service was not
found, the service was started without seccomp. I consider this a
potential attack vector.
With this change, procd starts the service as if the configuration
existed but the service fails in libpreload-seccomp.so, because the
configur
This is needed for Linux < 4.7 or < 4.4.13 to report ptrace events in
threads.
Signed-off-by: Michal Sojka
---
uloop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/uloop.c b/uloop.c
index 3813e18..e6d77df 100644
--- a/uloop.c
+++ b/uloop.c
@@ -369,7 +369,7 @@ static void u
Print "SECCOMP_FILE not specified" instead of "failed to load (null)".
Signed-off-by: Michal Sojka
---
jail/preload.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/jail/preload.c b/jail/preload.c
index 5466f27..24358c6 100644
--- a/jail/preload.c
+++ b/jail/preload.c
@@ -27,6 +27,11 @
Older kernel version shipped by LEDE/OpenWrt contained patch
target/linux/generic/patches-3.18/999-seccomp_log.patch that logged
seccomp violations. For some reason, newer kernels do not have this
patch. Without this kind of logging, it is very hard to set up seccomp
whitelist properly, so this comm
Signed-off-by: Michal Sojka
---
package/system/procd/Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile
index fd1bca3f4b..425bf09a0b 100644
--- a/package/system/procd/Makefile
+++ b/package/system/procd/Makefile
@@ -130,6 +13
Signed-off-by: Michal Sojka
---
service/instance.c | 9 -
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/service/instance.c b/service/instance.c
index 1760a09..7703686 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -303,16 +303,13 @@ instance_run(struct service
This unifies all log messages produced by utrace and removes
duplicated functionality.
Signed-off-by: Michal Sojka
---
trace/trace.c | 49 +++--
1 file changed, 19 insertions(+), 30 deletions(-)
diff --git a/trace/trace.c b/trace/trace.c
index 8228ed
ARM architecture does not have its system call numbers contiguous. So
far, utrace ignored the non-contiguous system calls, but it makes it
difficult to set up seccomp whitelists. This patch adds support for
these extra out-of-range syscalls.
It extends the generated file syscall_names.h to include
In commit b11c51916cb9 ("ramips: Improve Sanlinking D240 config") I made
a mistake with regard to GPIO numbering. And in addition to specifying the
wrong GPIO for controlling the power of one of the mini-PCIe, I recently
discovered that the power of both slots can be controlled.
This patch specifies
On Tue, Sep 12, 2017 at 12:49:54PM +0200, sca...@arcor.de wrote:
> Hello all,
>
> can you please add asterisk13-chan-lantiq to the LEDE packages for
> mips_24kc? It's possible to build this package via the SDK and I would
> appreciate if you can build it automatically.
Hi Tim,
The package depend
12.09.2017 20:28, Sebastian Kemper:
On Tue, Sep 12, 2017 at 12:49:54PM +0200, sca...@arcor.de wrote:
Hello all,
can you please add asterisk13-chan-lantiq to the LEDE packages for
mips_24kc? It's possible to build this package via the SDK and I would
appreciate if you can build it automatically.