Re: [OpenWrt-Devel] [PATCH procd 4/9] instance, ujail: wire capabilities (-C) support

2015-12-11 Thread Etienne Champetier
> > John > > On 01/12/2015 00:09, Etienne CHAMPETIER wrote: > > Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> > > --- > > service/instance.c | 22 ++ > > service/instance.h | 1 + > > 2 files changed, 23 in

Re: [OpenWrt-Devel] procd/ujail docs

2015-12-11 Thread Etienne Champetier
Hi, 2015-12-11 12:03 GMT+01:00 John Crispin : > > Hi, > > with you adding lots of new features i am starting to not know what > ujail can now do ;) > > how about if we start creating man page style docs and put them into the > source tree and maintain them int he git. so

Re: [OpenWrt-Devel] Fast build testing [Was: Git mirror with branches, tags and full history]

2015-12-02 Thread Etienne Champetier
Hi 2015-12-02 12:14 GMT+01:00 Bastian Bittorf : > * Petr Štetiar [30.11.2015 13:47]: > > That sounds really great, can you please share more details? It's just > your > > guess or you've achieved such build times already? > > today tested PowerPC/mpc85xx

[OpenWrt-Devel] [PATCH procd 3/9] instance, ujail: remove "-P " option

2015-11-30 Thread Etienne CHAMPETIER
we can now launch the same ujail command multiple times without conflict Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c| 64 +++--- service/instance.c | 13 --- service/instance.h | 1 - 3

[OpenWrt-Devel] [PATCH procd 6/9] ujail: add no_new_privs (-c) option

2015-11-30 Thread Etienne CHAMPETIER
set PR_SET_NO_NEW_PRIVS to 1 Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/jail/jail.c b/jail/jail.c index 25ad4d7..97ddaab 100644 --- a/jail/jail.c +++ b/jail/jail.c @@

[OpenWrt-Devel] [PATCH procd 7/9] instance, ujail: wire no_new_privs (-c) option

2015-11-30 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- service/instance.c | 11 +++ service/instance.h | 1 + 2 files changed, 12 insertions(+) diff --git a/service/instance.c b/service/instance.c index 586c0ee..ad0d284 100644 --- a/service/instance.c +++ b/s

[OpenWrt-Devel] [PATCH procd 8/9] ujail: split name (-n) and hostname (-h) options

2015-11-30 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 97ddaab..541363a 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -35,10 +35,11 @@ #include #

[OpenWrt-Devel] [PATCH 2/2] base-file: remove /tmp/.jail (now useless)

2015-11-30 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- package/base-files/Makefile | 2 +- package/base-files/files/etc/init.d/boot | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/package/base-files/Makefile b/package/base-files/Makefile

[OpenWrt-Devel] [PATCH 1/2] procd: update procd.sh to support new ujail options

2015-11-30 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- package/system/procd/files/procd.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/system/procd/files/procd.sh b/package/system/procd/files/procd.sh index e83e75c..a2a63f8 100644 --- a/p

[OpenWrt-Devel] [PATCH procd 5/9] instance, ujail: wire remount / read only option (-o)

2015-11-30 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- service/instance.c | 10 ++ service/instance.h | 1 + 2 files changed, 11 insertions(+) diff --git a/service/instance.c b/service/instance.c index 0f4e711..586c0ee 100644 --- a/service/instance.c +++ b/s

[OpenWrt-Devel] [PATCH procd 1/9] ujail: fixup code style // -> /* */

2015-11-30 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 4297f71..5c995e5 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -237,7 +237,7 @@ static int exec_jai

[OpenWrt-Devel] [PATCH procd 9/9] instance, ujail: wire hostname (-h) option

2015-11-30 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- service/instance.c | 13 + service/instance.h | 1 + 2 files changed, 14 insertions(+) diff --git a/service/instance.c b/service/instance.c index ad0d284..bca36e1 100644 --- a/service/instance.c +++ b/s

[OpenWrt-Devel] [PATCH procd v3 08/17] ujail: remove "#include log.h" from elf.h

2015-11-27 Thread Etienne CHAMPETIER
headers must include all their dependencies, no more, no less Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 1 + jail/elf.h | 2 -- jail/jail.c | 1 + 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 6

[OpenWrt-Devel] [PATCH procd v3 07/17] ujail: add and to seccomp.h

2015-11-27 Thread Etienne CHAMPETIER
headers must include all their dependencies, no more, no less Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/preload.c | 2 -- jail/seccomp.c | 2 -- jail/seccomp.h | 3 +++ 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/jail/preload.c b/jail/pre

[OpenWrt-Devel] [PATCH procd v3 11/17] ujail: add init_library_search()

2015-11-27 Thread Etienne CHAMPETIER
move all libraries search initialisation stuff into elf.c / init_library_search() for now we don't handle musl specific files Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 13 +++-- jail/elf.h | 3 +-- jail/jail.c | 6 +- 3 files chang

[OpenWrt-Devel] [PATCH procd v3 13/17] ujail: remove some debug/dev hack

2015-11-27 Thread Etienne CHAMPETIER
this code is present since first ujail commit (dfcfcca7) Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 7 +-- jail/jail.c | 8 ++-- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index c3a392c..7c52880

[OpenWrt-Devel] [PATCH procd v3 17/17] ujail: add ELF interpreter (DT_INTERP) to the jail

2015-11-27 Thread Etienne CHAMPETIER
this is needed by musl (openwrt DD) uClibc/glibc is working without this this partly fixes https://dev.openwrt.org/ticket/20785 we still don't handle DT_RPATH, DT_RUNPATH, nodeflib, ... see http://man7.org/linux/man-pages/man8/ld.so.8.html Signed-off-by: Etienne CHAMPETIER <champetier.e

[OpenWrt-Devel] [PATCH procd v3 14/17] ujail: DT_STRTAB uses d_ptr in d_un union (not d_val)

2015-11-27 Thread Etienne CHAMPETIER
see https://docs.oracle.com/cd/E19683-01/817-3677/chapter6-42444/index.html Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 7c52880..46c19df 100644 ---

[OpenWrt-Devel] [PATCH procd v3 00/17] ujail fs jail rework/fixes/improvements

2015-11-27 Thread Etienne CHAMPETIER
same as v2 series, just using include guard instead of pragma once Etienne CHAMPETIER (17): ujail: don't add non existent library_path ujail: don't pass unused arg in clone call ujail: stop using extern in elf.h ujail: use more const in elf.* ujail: put #include guard macro in all *.h

[OpenWrt-Devel] [PATCH procd v3 03/17] ujail: stop using extern in elf.h

2015-11-27 Thread Etienne CHAMPETIER
extern qualifiers for function definitions don't really make sense Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jail/elf.h b/jail/elf.h index 3ae311e..19ceb3e 100644 --- a/jail

[OpenWrt-Devel] [PATCH procd v3 04/17] ujail: use more const in elf.*

2015-11-27 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 28 +++- jail/elf.h | 4 ++-- jail/jail.c | 2 +- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 34a5aca..fb046b4 100644 --- a/jail

[OpenWrt-Devel] [PATCH procd v3 06/17] ujail: add to log.h

2015-11-27 Thread Etienne CHAMPETIER
headers must include all their dependencies, no more, no less (it uses fprintf) Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 1 - jail/jail.c | 1 - jail/log.h | 1 + 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/jail/elf.c b/jail

[OpenWrt-Devel] [PATCH procd v3 02/17] ujail: don't pass unused arg in clone call

2015-11-27 Thread Etienne CHAMPETIER
clone() call needs a function with "void *" arg (else we have a compilation error) Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 56dc9ca

[OpenWrt-Devel] [PATCH procd v3 15/17] ujail: rework fs jail part

2015-11-27 Thread Etienne CHAMPETIER
th_and_deps() function to handle file/lib opening and mmapping Check if file is an elf (magic number) before passing it to elf_load_deps() elf_load_deps() now only handles elf parsing part next commit adds script (#!) handling Use add_path_and_deps() with -r and -w args to automatically a

[OpenWrt-Devel] [PATCH procd v3 16/17] ujail: automatically add script (#!) interpreter

2015-11-27 Thread Etienne CHAMPETIER
this makes simple scripts work easily with ujail Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/fs.c | 28 1 file changed, 28 insertions(+) diff --git a/jail/fs.c b/jail/fs.c index aeab730..c848700 100644 --- a/jail/fs.c +++ b/jai

[OpenWrt-Devel] [PATCH procd v3 10/17] ujail: use PATH_MAX for path related buffers

2015-11-27 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 9 + jail/jail.c | 9 + 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 5e22606..2acac71 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -22,6

[OpenWrt-Devel] [PATCH procd v3 12/17] ujail: fixup code style: "func()" -> "func(void)"

2015-11-27 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 5b24f63..b7e6946 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -139,7 +139,7 @@ static int mount_bind(cons

[OpenWrt-Devel] [PATCH procd v3 01/17] ujail: don't add non existent library_path

2015-11-27 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index cbb3051..34a5aca 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -33,6 +33,10 @@ static LIST_HEAD(library

[OpenWrt-Devel] [PATCH procd v3 09/17] ujail: search libs in /lib before /lib64

2015-11-27 Thread Etienne CHAMPETIER
, not in /lib64 (/lib64 is also a symlink to /lib) /lib64 is before /lib since the first commit, I don't know if it was on purpose this partly fixes https://dev.openwrt.org/ticket/20785 Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 2 +- 1 file chan

[OpenWrt-Devel] [PATCH procd v3 05/17] ujail: put #include guard macro in all *.h

2015-11-27 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/capabilities.h | 4 jail/elf.h | 3 ++- jail/log.h | 3 +++ jail/seccomp.h | 4 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/jail/capabilities.h b/jail/capabilities.h

[OpenWrt-Devel] [PATCH procd v2 02/17] ujail: don't pass unused arg in clone call

2015-11-25 Thread Etienne CHAMPETIER
clone() call needs a function with "void *" arg (else we have a compilation error) Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 56dc9ca

[OpenWrt-Devel] [PATCH procd v2 03/17] ujail: stop using extern in elf.h

2015-11-25 Thread Etienne CHAMPETIER
extern qualifiers for function definitions don't really make sense Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jail/elf.h b/jail/elf.h index 3ae311e..19ceb3e 100644 --- a/jail

[OpenWrt-Devel] [PATCH procd v2 10/17] ujail: use PATH_MAX for path related buffers

2015-11-25 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 9 + jail/jail.c | 9 + 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 5e22606..2acac71 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -22,6

Re: [OpenWrt-Devel] [PATCH procd v2 00/17] ujail fs jail rework/fixes/improvements

2015-11-25 Thread Etienne Champetier
Hi, 2015-11-25 20:05 GMT+01:00 John Crispin <blo...@openwrt.org>: > Hi, > > On 25/11/2015 18:54, Etienne CHAMPETIER wrote: > > As requested, i've split up in smaller patches my work > > I also follow the unwritten code style requirement :) > > > > "re

[OpenWrt-Devel] [PATCH procd v2 06/17] ujail: add to log.h

2015-11-25 Thread Etienne CHAMPETIER
headers must include all their dependencies, no more, no less (it uses fprintf) Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 1 - jail/jail.c | 1 - jail/log.h | 1 + 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/jail/elf.c b/jail

[OpenWrt-Devel] [PATCH procd v2 09/17] ujail: search libs in /lib before /lib64

2015-11-25 Thread Etienne CHAMPETIER
, not in /lib64 (/lib64 is also a symlink to /lib) /lib64 is before /lib since the first commit, I don't know if it was on purpose this partly fixes https://dev.openwrt.org/ticket/20785 Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 2 +- 1 file chan

[OpenWrt-Devel] [PATCH procd v2 17/17] ujail: add ELF interpreter (DT_INTERP) to the jail

2015-11-25 Thread Etienne CHAMPETIER
this is needed by musl (openwrt DD) uClibc/glibc is working without this this partly fixes https://dev.openwrt.org/ticket/20785 we still don't handle DT_RPATH, DT_RUNPATH, nodeflib, ... see http://man7.org/linux/man-pages/man8/ld.so.8.html Signed-off-by: Etienne CHAMPETIER <champetier.e

[OpenWrt-Devel] [PATCH procd v2 00/17] ujail fs jail rework/fixes/improvements

2015-11-25 Thread Etienne CHAMPETIER
As requested, I've split up my work in smaller patches I also follow the unwritten code style requirement :) "rework fs jail part" commit is still a bit big but if I split it further I will edit the same line in each commit (tell me if it's too big) Etienne CHAMPETIER (17): ujail: don

[OpenWrt-Devel] [PATCH procd v2 04/17] ujail: use more const in elf.*

2015-11-25 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 28 +++- jail/elf.h | 4 ++-- jail/jail.c | 2 +- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 34a5aca..fb046b4 100644 --- a/jail

[OpenWrt-Devel] [PATCH procd v2 05/17] ujail: use "#pragma once" in .h where needed

2015-11-25 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/capabilities.h | 1 + jail/elf.h | 4 +--- jail/log.h | 1 + jail/seccomp.h | 1 + 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/jail/capabilities.h b/jail/capabilities.h

[OpenWrt-Devel] [PATCH procd v2 07/17] ujail: add and to seccomp.h

2015-11-25 Thread Etienne CHAMPETIER
headers must include all their dependencies, no more, no less Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/preload.c | 2 -- jail/seccomp.c | 2 -- jail/seccomp.h | 3 +++ 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/jail/preload.c b/jail/pre

[OpenWrt-Devel] [PATCH procd v2 11/17] ujail: add init_library_search()

2015-11-25 Thread Etienne CHAMPETIER
move all libraries search initialisation stuff into elf.c / init_library_search() for now we don't handle musl specific files Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 13 +++-- jail/elf.h | 3 +-- jail/jail.c | 6 +- 3 files chang

[OpenWrt-Devel] [PATCH procd v2 12/17] ujail: fixup code style: "func()" -> "func(void)"

2015-11-25 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 5b24f63..b7e6946 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -139,7 +139,7 @@ static int mount_bind(cons

[OpenWrt-Devel] [PATCH procd v2 15/17] ujail: rework fs jail part

2015-11-25 Thread Etienne CHAMPETIER
th_and_deps() function to handle file/lib opening and mmapping Check if file is an elf (magic number) before passing it to elf_load_deps() elf_load_deps() now only handles elf parsing part next commit adds script (#!) handling Use add_path_and_deps() with -r and -w args to automatically a

[OpenWrt-Devel] [PATCH procd v2 13/17] ujail: remove some debug/dev hack

2015-11-25 Thread Etienne CHAMPETIER
this code is present since first ujail commit (dfcfcca7) Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 7 +-- jail/jail.c | 8 ++-- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index c3a392c..7c52880

[OpenWrt-Devel] [PATCH procd v2 01/17] ujail: don't add non existent library_path

2015-11-25 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index cbb3051..34a5aca 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -33,6 +33,10 @@ static LIST_HEAD(library

[OpenWrt-Devel] [PATCH procd v2 08/17] ujail: remove "#include log.h" from elf.h

2015-11-25 Thread Etienne CHAMPETIER
headers must include all their dependencies, no more, no less Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 1 + jail/elf.h | 2 -- jail/jail.c | 1 + 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 6

[OpenWrt-Devel] [PATCH procd v2 14/17] ujail: DT_STRTAB uses d_ptr in d_un union (not d_val)

2015-11-25 Thread Etienne CHAMPETIER
see https://docs.oracle.com/cd/E19683-01/817-3677/chapter6-42444/index.html Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 7c52880..46c19df 100644 ---

Re: [OpenWrt-Devel] [PATCH procd 3/4] ujail: use const, stop using extern

2015-11-23 Thread Etienne Champetier
e it in v2 > John > > On 23/11/2015 01:39, Etienne CHAMPETIER wrote: > > extern for function declaration in '.h' doesn't make sense > > > > Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> > > --- > > jail/elf.c | 28 +++

Re: [OpenWrt-Devel] [PATCH procd 2/4] ujail: remove useless arg in clone call

2015-11-23 Thread Etienne Champetier
Hi, Le 23 nov. 2015 08:18, "John Crispin" <blo...@openwrt.org> a écrit : > > > > On 23/11/2015 01:39, Etienne CHAMPETIER wrote: > > spawn_jail(void) produce a compilation error, > > so we use spawn_jail() > > > > Signed-off-by: Etienne CHAMPET

Re: [OpenWrt-Devel] [PATCH procd 2/4] ujail: remove useless arg in clone call

2015-11-23 Thread Etienne Champetier
Hey, 2015-11-23 12:52 GMT+01:00 Paul Fertser <fercer...@gmail.com>: > Hey Etienne, > > Etienne Champetier <champetier.etie...@gmail.com> writes: > > i know that spawn_jail(void) is valid code, but then the clone call > > refuses to compile > > That's typ

Re: [OpenWrt-Devel] [PATCH procd 2/4] ujail: remove useless arg in clone call

2015-11-23 Thread Etienne Champetier
2015-11-23 9:11 GMT+01:00 John Crispin <blo...@openwrt.org>: > > > On 23/11/2015 09:09, Etienne Champetier wrote: > > Hi, > > > > Le 23 nov. 2015 08:18, "John Crispin" <blo...@openwrt.org > > <mailto:blo...@openwrt.org>> a écrit : >

[OpenWrt-Devel] [PATCH procd 1/4] ujail: don't add non existent library_path

2015-11-22 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index cbb3051..34a5aca 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -33,6 +33,10 @@ static LIST_HEAD(library

[OpenWrt-Devel] [PATCH procd 2/4] ujail: remove useless arg in clone call

2015-11-22 Thread Etienne CHAMPETIER
spawn_jail(void) produces a compilation error, so we use spawn_jail() Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 56dc9ca..08babde 100644 --- a/jail/

[OpenWrt-Devel] [PATCH procd 4/4] ujail: rework fs jail part

2015-11-22 Thread Etienne CHAMPETIER
/20785 Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- CMakeLists.txt | 2 +- jail/elf.c | 132 +++--- jail/elf.h | 9 ++- jail/fs.c | 179 + jail/fs.h

[OpenWrt-Devel] [PATCH procd 3/4] ujail: use const, stop using extern

2015-11-22 Thread Etienne CHAMPETIER
extern for function declarations in '.h' doesn't make sense Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/elf.c | 28 +++- jail/elf.h | 10 +- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/jail/elf.c b/jail/elf.c

Re: [OpenWrt-Devel] [PATCH procd 2/2] ujail: rework file dependencies detection (use ldd)

2015-11-21 Thread Etienne Champetier
t;j...@phrozen.org>: > > > On 21/11/2015 00:05, Etienne CHAMPETIER wrote: > > Using ldd (via popen()) is a hack, but it's simpler (and working) > > indeed > > > we have 3 libc and many archs, too many ways to resolve .so > where does it break ? > > >

[OpenWrt-Devel] [PATCH procd 2/2] ujail: rework file dependencies detection (use ldd)

2015-11-20 Thread Etienne CHAMPETIER
on 64bits images) -do not handle RPATH This patch: -use ldd to detect ELF dependencies -add support for shell script uClibc ldd doesn't work with shared lib, thus this patch breaks seccomp with uClibc Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- CMakeLists.txt

[OpenWrt-Devel] [PATCH procd 1/2] ujail: remove useless arg in clone call

2015-11-20 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 56dc9ca..08babde 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -272,7 +272,7 @@ static int exe

Re: [OpenWrt-Devel] [PATCH CC] procd: rework makefile, split ujail/seccomp

2015-11-12 Thread Etienne Champetier
Hi 2015-10-29 22:04 GMT+01:00 Etienne CHAMPETIER <champetier.etie...@gmail.com> : > ujail doesn't depend on seccomp and some archs dont support seccomp > > Backport of r46936 > needed since last procd update (r47268) > friendly ping this is run tested o

[OpenWrt-Devel] ujail not working with musl / DD

2015-11-12 Thread Etienne Champetier
Hi all, John, I'm a bit out of my game on this bug, ujail is not adding the interpreter in the jail (/lib/ld-musl-x86_64.so.1) with musl DD it's working with uclibc CC, on my ubuntu 14.04, but not with musl DD https://dev.openwrt.org/ticket/20785

[OpenWrt-Devel] [PATCH CC] procd: rework makefile, split ujail/seccomp

2015-10-29 Thread Etienne CHAMPETIER
ujail doesn't depend on seccomp and some archs don't support seccomp Backport of r46936 needed since last procd update (r47268) Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- package/system/procd/Makefile | 52 +-- 1 file chang

[OpenWrt-Devel] backport 46936 (procd: rework makefile, split ujail/seccomp)

2015-10-27 Thread Etienne Champetier
Hi John, since 47268, we need -DUTRACE_SUPPORT=1 to compile utrace https://dev.openwrt.org/changeset/47268/ http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=summary can you (or anyone else) backport r46936 or should i resend? https://dev.openwrt.org/changeset/46936/trunk/package/system/procd

Re: [OpenWrt-Devel] [PATCH] busybox: enable find mtime support by default

2015-10-18 Thread Etienne Champetier
Hi, Le 18 oct. 2015 21:31, "Dirk Brenken" a écrit : > > Hi, > > I can't see the diff/patch below on patchwork, anything wrong with the > submitted patch? How did you generate it? You should use git send-email, and resend. Also add the size before/after in the commit message. >

Re: [OpenWrt-Devel] [PATCH] busybox: enable find mtime support by default

2015-10-16 Thread Etienne Champetier
Hi Dirk, 2015-10-16 12:10 GMT+02:00 Dirk Brenken : > busybox binary in openwrt neither supports stat nor find mtime. This patch > adds find mtime support by default. > what's the size before/after (ipk size) > Signed-off-by: Dirk Brenken > --- > ---

Re: [OpenWrt-Devel] SVN to GIT transition

2015-10-13 Thread Etienne Champetier
Hi again, 2015-10-12 23:49 GMT+02:00 Etienne Champetier <champetier.etie...@gmail.com> : > Hi All, > > Here are some commands to make a "full" git repo, from the "trunk" repo > (the only complaint that everyone agrees on) > We keep git commit sha's fo

Re: [OpenWrt-Devel] [PATCH procd v3 0/7] jail work

2015-10-08 Thread Etienne Champetier
Hi, Le 5 oct. 2015 13:49, "Etienne Champetier" <champetier.etie...@gmail.com> a écrit : > > Hi John, > > 2015-10-05 11:14 GMT+02:00 John Crispin <blo...@openwrt.org>: >> >> >> >> On 27/08/2015 01:26, Etienne CHAMPETIER wrote: >> >

[OpenWrt-Devel] [PATCH procd] jail: Add MS_NODEV MS_NOEXEC MS_NOSUID mount options where needed

2015-10-08 Thread Etienne CHAMPETIER
this completes fafbf7338ec8304f2a0ec0ba76048fba2c01c07e Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index f459a5e..56dc9ca 100644 --- a/jail/jail.c +++

Re: [OpenWrt-Devel] [PATCH procd v3 0/7] jail work

2015-10-05 Thread Etienne Champetier
Hi John, 2015-10-05 11:14 GMT+02:00 John Crispin <blo...@openwrt.org>: > > > On 27/08/2015 01:26, Etienne CHAMPETIER wrote: > > v3 of my (u)jail work, you can now use separately > > namespaces jail, capabilities and seccomp > > > > Openwrt procd Makefile pa

Re: [OpenWrt-Devel] [RFC] libubox/binary.h design proposal

2015-10-04 Thread Etienne Champetier
Hi, 2015-10-04 22:47 GMT+02:00 Javier Domingo Cansino : > Hello, > > I asked Friday on IRC how to write blobs, I was suggested using > blob_raw_put from libubox/blob.h, but as I have to implement a binary > protocol that uses different endianess, non aligned data etc., I

Re: [OpenWrt-Devel] [PATCH] dnsmasq: remove dnssec timecheck enable on SIGHUP

2015-10-01 Thread Etienne Champetier
Hi, 2015-10-01 12:19 GMT+02:00 Kevin Darbyshire-Bryant < ke...@darbyshire-bryant.me.uk>: > This patch stops SIGHUP from enabling dnssec timechecks if disabled by > use of --dnssec-no-timecheck option. --dnssec-timestamp continues to > work correctly. > I haven't really followed the previous

Re: [OpenWrt-Devel] [PATCH] dnsmasq: remove dnssec timecheck enable on SIGHUP

2015-10-01 Thread Etienne Champetier
2015-10-01 13:21 GMT+02:00 Kevin Darbyshire-Bryant < ke...@darbyshire-bryant.me.uk>: > > > On 01/10/15 11:37, Etienne Champetier wrote: > > Hi, > > > > 2015-10-01 12:19 GMT+02:00 Kevin Darbyshire-Bryant > > <ke...@darbyshire-bryant.m

Re: [OpenWrt-Devel] [RFC] procd: Allow to enable endless respawning of services

2015-09-21 Thread Etienne Champetier
Hi, 2015-09-21 17:26 GMT+02:00 Helmut Schaa : > Extend /etc/config/system with a parameter to enable > infinite respawn mode: > > config system > option service_endless_respawn 1 > why not "service_respawn_retry", which set "respawn_retry"

[OpenWrt-Devel] [PATCH procd] Add MS_NODEV MS_NOEXEC MS_NOSUID mount options where needed

2015-09-19 Thread Etienne CHAMPETIER
serie Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- initd/early.c | 12 ++-- plug/coldplug.c | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/initd/early.c b/initd/early.c index 89c8104..f410256 100644 --- a/initd/early.c +++ b/initd/e

Re: [OpenWrt-Devel] [PATCH] procd: Allow override of default respawn parameters

2015-09-18 Thread Etienne Champetier
Hi, 2015-09-18 11:03 GMT+02:00 Helmut Schaa : > Hi John, > > On Fri, Sep 18, 2015 at 10:18 AM, John Crispin wrote: > > Hi > > > > On 18/09/2015 09:59, Helmut Schaa wrote: > >> Allow to pass RESPAWN_THESHOLD_DEFAULT, DRESPAWN_TIMEOUT_DEFAULT > >>

Re: [OpenWrt-Devel] r46816, remove unused crypt() algorithms -> switch to sha512?

2015-09-15 Thread Etienne Champetier
Hi, Le 15 sept. 2015 01:40, "Felix Fietkau" <n...@openwrt.org> a écrit : > > On 2015-09-15 00:22, Etienne Champetier wrote: > > Hi Felix, > > > > Maybe we should keep sha512 and switch to it? md5 is not best security > > practice these days. &g

[OpenWrt-Devel] r46816, remove unused crypt() algorithms -> switch to sha512?

2015-09-14 Thread Etienne Champetier
Hi Felix, Maybe we should keep sha512 and switch to it? md5 is not best security practice these days. I've checked, ubuntu 14.04 and fedora 22 both use sha512 in /etc/shadow I wonder if AF_ALG can be of any interest here (integrate needed algo by default into the kernel, then patch core software

Re: [OpenWrt-Devel] [PATCH procd v2 0/5] jail work

2015-09-14 Thread Etienne Champetier
hi, 2015-08-27 13:38 GMT+02:00 John Crispin <blo...@openwrt.org>: > > > On 27/08/2015 13:25, Etienne Champetier wrote: > > > > > > 2015-08-27 12:18 GMT+02:00 John Crispin <blo...@openwrt.org > > <mailto:blo...@openwrt.org>>: > > >

Re: [OpenWrt-Devel] OpenWRT www version banner a security risk

2015-09-14 Thread Etienne Champetier
Hi, Le 14 sept. 2015 06:36, "Daniel Dickinson" <open...@daniel.thecshore.com> a écrit : > > On 2015-09-14 12:30 AM, Daniel Dickinson wrote: >> >> On 2015-09-13 11:39 PM, Florian Fainelli wrote: >>> >>> On Sep 13, 2015 2:00 PM, &q

Re: [OpenWrt-Devel] OpenWRT www version banner a security risk

2015-09-13 Thread Etienne Champetier
Hi, Le 13 sept. 2015 16:34, "Daniel Dickinson" a écrit : > > Actually two far more useful solutions: > > 1) By default only answer requests from 'lan' network in /etc/config/uhttp instead of 0.0.0.0/32 > 2) Some useful alert if what appears to be a firewally

Re: [OpenWrt-Devel] OpenWRT www version banner a security risk

2015-09-13 Thread Etienne Champetier
Hi again, Le 13 sept. 2015 22:50, "Daniel Dickinson" a écrit : > > On 2015-09-13 4:41 PM, Luiz Angelo Daros de Luca wrote: >> >> While openwrt doesn't offer security release, hiding version in banner >> is not very effective. If the attacker can detect it is OpenWRT

Re: [OpenWrt-Devel] OpenWRT www version banner a security risk

2015-09-13 Thread Etienne Champetier
Hi Daniel, Le 13 sept. 2015 22:04, "Daniel Dickinson" a écrit : > > I do think allowing to choose to disable the banner is a minor benefit, however, as I've said, there are much more effective means of preventing accidential exposure, and quite frankly if the user

Re: [OpenWrt-Devel] Renaming trunk to Dxx Dxx ? Or seperate name for Trunk?

2015-09-11 Thread Etienne Champetier
2015-09-11 8:46 GMT+02:00 John Crispin : > > > On 11/09/2015 08:39, Rafał Miłecki wrote: > > On 11 September 2015 at 07:51, John Crispin wrote: > >> On 11/09/2015 07:18, Rafał Miłecki wrote: > >>> On 9 September 2015 at 17:24, Tobias Welz

Re: [OpenWrt-Devel] Renaming trunk to Dxx Dxx ? Or seperate name for Trunk?

2015-09-11 Thread Etienne Champetier
2015-09-11 8:59 GMT+02:00 John Crispin <blo...@openwrt.org>: > > > On 11/09/2015 08:53, Etienne Champetier wrote: > > > > > > 2015-09-11 8:46 GMT+02:00 John Crispin <blo...@openwrt.org > > <mailto:blo...@openwrt.org>>: > > > > > &

Re: [OpenWrt-Devel] Renaming trunk to Dxx Dxx ?

2015-09-09 Thread Etienne Champetier
2015-09-09 15:20 GMT+02:00 Hannu Nyman : > I repeat my earlier wish that trunk should be renamed as soon as possible. > > There has been several changes during the summer that have made trunk to > significantly deviate from the CC branch. Some of the changes are under the >

Re: [OpenWrt-Devel] [PATCH procd v2 0/5] jail work

2015-08-27 Thread Etienne Champetier
2015-08-27 12:18 GMT+02:00 John Crispin blo...@openwrt.org: On 26/08/2015 18:20, Etienne Champetier wrote: 2015-08-26 15:48 GMT+02:00 John Crispin blo...@openwrt.org mailto:blo...@openwrt.org: On 26/08/2015 01:00, Etienne CHAMPETIER wrote: This patch series reworks a bit

Re: [OpenWrt-Devel] [PATCH procd v2 0/5] jail work

2015-08-26 Thread Etienne Champetier
2015-08-26 15:48 GMT+02:00 John Crispin blo...@openwrt.org: On 26/08/2015 01:00, Etienne CHAMPETIER wrote: This patch series reworks a bit ujail, and adds capabilities support to it nice Seccomp filters are very powerful but not totally generic, each arch can have different set

[OpenWrt-Devel] [PATCH procd v3 5/7] jail: add capabilities support

2015-08-26 Thread Etienne CHAMPETIER
If there is one or more capabilities in cap.keep, drop all capabilities not in cap.keep. Always drop all capabilities in cap.drop. Example json syntax: { cap.keep: [ cap_net_raw ], cap.drop: [] } Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- CMakeLists.txt

[OpenWrt-Devel] [PATCH procd v3 6/7] jail: cleanup include

2015-08-26 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- jail/elf.c | 14 -- jail/jail.c | 10 -- jail/log.h | 1 + 3 files changed, 1 insertion(+), 24 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index c198599..cbb3051 100644 --- a/jail/elf.c +++ b/jail

[OpenWrt-Devel] [PATCH procd v3 3/7] jail, seccomp: remove useless root check

2015-08-26 Thread Etienne CHAMPETIER
prctl(PR_SET_NO_NEW_PRIVS, 1) is enough; we don't require CAP_SYS_ADMIN, see https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- jail/preload.c | 6

[OpenWrt-Devel] [PATCH procd v3 1/7] add UTRACE_SUPPORT build option

2015-08-26 Thread Etienne CHAMPETIER
we can now build preload-seccomp, ujail, utrace separately Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6af17a3..805e2ed 100644 --- a/CMakeLists.txt +++ b

[OpenWrt-Devel] [PATCH procd v3 0/7] jail work

2015-08-26 Thread Etienne CHAMPETIER
v3 of my (u)jail work, you can now use namespaces jail, capabilities and seccomp separately. Openwrt procd Makefile patch v2 is still ok

[OpenWrt-Devel] [PATCH procd v3 4/7] jail: reworks cleanups

2015-08-26 Thread Etienne CHAMPETIER
and add its dependencies Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- jail/jail.c | 393 1 file changed, 157 insertions(+), 236 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 2bba292..f8139b8 100644

[OpenWrt-Devel] [PATCH procd v3 2/7] jail, seccomp: fix typo/improve log prefix

2015-08-26 Thread Etienne CHAMPETIER
(perload-jail - preload-seccomp) Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- jail/seccomp.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/seccomp.h b/jail/seccomp.h index 6c585ad..c44a607 100644 --- a/jail/seccomp.h +++ b/jail/seccomp.h

[OpenWrt-Devel] [PATCH procd v3 7/7] jail: allow to not use namespaces

2015-08-26 Thread Etienne CHAMPETIER
Building a generic jail can be hard; choosing to drop some capabilities can be easier. This commit permits using namespaces, capabilities and seccomp combined as you like. Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- jail/jail.c | 76

[OpenWrt-Devel] [PATCH procd v2 3/5] jail, seccomp: remove useless root check

2015-08-25 Thread Etienne CHAMPETIER
prctl(PR_SET_NO_NEW_PRIVS, 1) is enough; we don't require CAP_SYS_ADMIN, see https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- jail/preload.c | 6

[OpenWrt-Devel] [PATCH procd v2 2/5] jail, seccomp: fix typo/improve log prefix

2015-08-25 Thread Etienne CHAMPETIER
(perload-jail - preload-seccomp) Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- jail/seccomp.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/seccomp.h b/jail/seccomp.h index 6c585ad..c44a607 100644 --- a/jail/seccomp.h +++ b/jail/seccomp.h

[OpenWrt-Devel] [PATCH procd v2 5/5] jail: add capabilities support

2015-08-25 Thread Etienne CHAMPETIER
If there is one or more capabilities in cap.keep, drop all capabilities not in cap.keep. Always drop all capabilities in cap.drop. Example json syntax: { cap.keep: [ cap_net_raw ], cap.drop: [] } Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- CMakeLists.txt

[OpenWrt-Devel] [PATCH v2] procd: rework makefile, split ujail/seccomp

2015-08-25 Thread Etienne CHAMPETIER
this needs to be applied after my work on ujail (procd git); ujail doesn't depend on seccomp and some archs don't support seccomp Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- package/system/procd/Makefile | 50 +-- 1 file changed, 25

[OpenWrt-Devel] [PATCH procd v2 1/5] add UTRACE_SUPPORT build option

2015-08-25 Thread Etienne CHAMPETIER
we can now build preload-seccomp, ujail, utrace separately Signed-off-by: Etienne CHAMPETIER champetier.etie...@gmail.com --- CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6af17a3..805e2ed 100644 --- a/CMakeLists.txt +++ b
