Re: [PATCH 0/2] enable procd security features by default

2020-11-26 Thread Etienne Champetier
Hi Petr, Daniel, On Thu, 26 Nov 2020 at 11:45, Petr Štetiar wrote: > > Daniel Golle [2020-11-07 14:17:12]: > > Hi, > > > Please report back > > testing now the latest master on rtl8382 booted from initramfs and seeing > following: > > Thu Nov 26 14:45:35 2020 user.notice dnsmasq: DNS rebind

Re: [RFC] raise gcc/make versions for 20.x

2020-12-16 Thread Etienne Champetier
On Wed, 16 Dec 2020 at 07:33, Yousong Zhou wrote: > > On Wed, 16 Dec 2020 at 13:11, Petr Štetiar wrote: > > > > Paul Spooren [2020-12-15 16:26:14]: > > > > Hi, > > > > > I've seen two patches for version raises of build requirements and would > > > like to know if we should merge them before

Re: Job board support on openwrt.org?

2021-01-23 Thread Etienne Champetier
Hi All, On Sat, 23 Jan 2021 at 18:09, Sam Kuper wrote: > > On Sat, Jan 23, 2021 at 02:55:05PM +, Ted Hess wrote: > > [T]here must be some sort of criteria (contributions, legitimate > > business site or references) to get your name/outfit listed. And, as > > Daniel said, we don't want to

Requiring 2FA on OpenWrt GitHub organization

2021-04-11 Thread Etienne Champetier
Hi All, There are currently 65 members in OpenWrt org, 58 of them with 2FA enabled. Requiring 2FA would kick out the 7 users without 2FA, 6 of them have no OpenWrt related activity for more than 2 or 3 years, I've emailed the 7th one privately. Anyone see any problem enforcing 2FA ? Best Etienne

Re: Requiring 2FA on OpenWrt GitHub organization

2021-04-11 Thread Etienne Champetier
it access and no 2FA, it was added > afterwards. I saw that, I just convinced one more to enable 2FA and only one "almost active" is still a member (but without access) Once this person answers (or not) I just want to make sure we don't "regress" Best Etienne > -- >

Re: [OpenWrt-Devel] [PATCH] Add sch_fq and sch_pie to the kmod-sched package.

2015-06-03 Thread Etienne Champetier
2015-06-03 18:08 GMT+02:00 Etienne Champetier : > Hi Toke, > > 2015-06-03 14:15 GMT+02:00 Toke Høiland-Jørgensen : > >> >> These are two new packet schedulers introduced in Linux 3.12 and 3.14 >> respectively. sch_fq is a perfect fairness queueing scheduler that a

Re: [OpenWrt-Devel] How to keep disabled services disabled after sysupgrade

2015-06-18 Thread Etienne Champetier
Hi guys, On 18 Jun 2015 17:18, "Stefan Tomanek" < stefan.tomanek+open...@wertarbyte.de> wrote: > > Bastian Bittorf (bitt...@bluebottle.com) wrote: > > > > Can anyone supply any different ideas or provide some feedback? > > > > maybe: disabled services are stored during sysupgrade in > >

Re: [OpenWrt-Devel] [PATCH procd] service: start apps with LD_PRELOAD & lib disabling buffering

2015-06-20 Thread Etienne Champetier
Hi, 2015-06-20 21:35 GMT+02:00 John Crispin : > > > On 20/06/2015 20:53, Rafał Miłecki wrote: > > On 20 June 2015 at 13:56, Jo-Philipp Wich wrote: > >>> i dont like this idea at all. calling ld-preload on every started app > >>> just seems wrong > >> > >> I was the one suggesting the idea since

[OpenWrt-Devel] Revert 46119 (hardening: make override variables more intuitive)

2015-06-24 Thread Etienne Champetier
Hi all, Please reread r46119 Relro full != relro partial Fortify source 1 != fortify source 2 Ssp != ssp strong Regards Etienne ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-de

Re: [OpenWrt-Devel] Revert 46119 (hardening: make override variables more intuitive)

2015-06-24 Thread Etienne Champetier
Hi, On 24 Jun 2015 16:19, "Steven Barth" wrote: > > Hi Etienne, > > I don't get your issue. 46119 only unifies the override variables, > meaning if a package maintainer wants to override e.g. RELRO he now > only needs to add PKG_RELRO:=0 instead of adding two for both RELRO > modes. > Sorry i

Re: [OpenWrt-Devel] Dualradio 2.4/5GHz ath9k-Hardware which is deliverable?

2015-07-01 Thread Etienne Champetier
hi bastian, 2015-07-01 21:55 GMT+02:00 Bastian Bittorf : > * Emmanuel Deloget [01.07.2015 21:50]: > > You should try Aliexpress - it seems they still have some 4900 (be aware > > that prices might be a bit weird). > > my question is not about "tricks" to get these devices. > it's about what can

[OpenWrt-Devel] [PATCH procd] jail: fix jail root folder permissions

2015-07-20 Thread Etienne CHAMPETIER
We need a+x rights on the path to the root of the jails so we can use users other than root (like nobody) This partly fixes jailed dnsmasq Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jail/jail.c b/jail/jail.c index

[OpenWrt-Devel] [PATCH 1/2] base-files: fix /tmp/.jail permissions

2015-07-20 Thread Etienne CHAMPETIER
We need a+x rights on the path to the root of the jails so we can use users other than root (like nobody) This partly fixes jailed dnsmasq Signed-off-by: Etienne CHAMPETIER --- package/base-files/files/etc/init.d/boot | 1 - 1 file changed, 1 deletion(-) diff --git a/package/base-files/files

[OpenWrt-Devel] [PATCH 2/2] dnsmasq: add some missing files to the jail

2015-07-20 Thread Etienne CHAMPETIER
found with strace, not sure we got all of them though Signed-off-by: Etienne CHAMPETIER --- package/network/services/dnsmasq/files/dnsmasq.init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services

[OpenWrt-Devel] jail patches -> CC & trunk

2015-07-22 Thread Etienne Champetier
Hi guys Just forgot to say that my 3 patches fixing jails are also for CC https://patchwork.ozlabs.org/patch/497899/ https://patchwork.ozlabs.org/patch/497900/ https://patchwork.ozlabs.org/patch/497901/ Regards Etienne

Re: [OpenWrt-Devel] jail patches -> CC & trunk

2015-07-29 Thread Etienne Champetier
, i've no idea yet) 2015-07-22 12:50 GMT+02:00 Etienne Champetier : > Hi guys > > Just forgot to say that my 3 patches fixing jails are also for CC > https://patchwork.ozlabs.org/patch/497899/ > https://patchwork.ozlabs.org/patch/497900/ > https://patchwork.ozlabs.org/pa

Re: [OpenWrt-Devel] [PATCH] procd: add helper binaries to jail

2015-08-12 Thread Etienne Champetier
Hi Maxim, On 12 Aug 2015 13:25, "Maxim Storchak" wrote: > > This allows to build jails with more than a single binary. > May be used to run main program with a wrapper, f.e. ionice, > or to add helper binaries for the main one (like gzip for tar with no > built-in compression support). > > Usa

[OpenWrt-Devel] [PATCH 1/2] [procd] add UTRACE_SUPPORT option

2015-08-20 Thread Etienne CHAMPETIER
we now can build seccomp, ujail, utrace separately Signed-off-by: Etienne CHAMPETIER --- CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6af17a3..805e2ed 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -84,7 +84,9

[OpenWrt-Devel] [PATCH 2/2] [procd, RFC] ujail: reworks & cleanups

2015-08-20 Thread Etienne CHAMPETIER
child Feature request: -when we add a file or dir, detect if it's an exec and add its dependencies Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 390 1 file changed, 155 insertions(+), 235 deletions(-) diff --git a/

Re: [OpenWrt-Devel] [PATCH 2/2] [procd, RFC] ujail: reworks & cleanups

2015-08-20 Thread Etienne Champetier
2015-08-21 0:39 GMT+02:00 Etienne CHAMPETIER : > This is an RFC patch for ujail > > -use EXIT_SUCCESS/EXIT_FAILURE (not -1) > -parse every options in main, put them in opts struct > -add CLONE_NEWIPC to the clone() call (it's already compiled in openwrt > kernel) > -ret

[OpenWrt-Devel] [PATCH] procd: rework makefile, split ujail/seccomp

2015-08-20 Thread Etienne CHAMPETIER
this needs to be applied after my work on ujail (procd git) ujail doesn't depend on seccomp and some archs don't support seccomp Signed-off-by: Etienne CHAMPETIER --- package/system/procd/Makefile | 50 +-- 1 file changed, 25 insertions(+), 25 dele

[OpenWrt-Devel] [PATCH procd v2 0/5] jail work

2015-08-25 Thread Etienne CHAMPETIER
This patch series reworks ujail a bit, and adds capabilities support to it Seccomp filters are very powerful but not totally generic, each arch can have a different set of syscalls, each libc can use a different syscall for the same function, and seccomp isn't supported on all archs. Capabilities are mor

[OpenWrt-Devel] [PATCH procd v2 1/5] add UTRACE_SUPPORT build option

2015-08-25 Thread Etienne CHAMPETIER
we can now build preload-seccomp, ujail, utrace separately Signed-off-by: Etienne CHAMPETIER --- CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6af17a3..805e2ed 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -84,7 +84,9

[OpenWrt-Devel] [PATCH procd v2 2/5] jail, seccomp: fix typo/improve log prefix

2015-08-25 Thread Etienne CHAMPETIER
(perload-jail -> preload-seccomp) Signed-off-by: Etienne CHAMPETIER --- jail/seccomp.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/seccomp.h b/jail/seccomp.h index 6c585ad..c44a607 100644 --- a/jail/seccomp.h +++ b/jail/seccomp.h @@ -12,8 +1

[OpenWrt-Devel] [PATCH procd v2 3/5] jail, seccomp: remove useless root check

2015-08-25 Thread Etienne CHAMPETIER
prctl(PR_SET_NO_NEW_PRIVS, 1) is enough, we don't require CAP_SYS_ADMIN see https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt Signed-off-by: Etienne CHAMPETIER --- jail/preload.c | 6 -- 1 file chang

[OpenWrt-Devel] [PATCH procd v2 4/5] ujail: reworks & cleanups

2015-08-25 Thread Etienne CHAMPETIER
t's an exec and add its dependencies Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 391 1 file changed, 156 insertions(+), 235 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 2bba292..487d18f 100644 --- a/jail

[OpenWrt-Devel] [PATCH procd v2 5/5] jail: add capabilities support

2015-08-25 Thread Etienne CHAMPETIER
If there is one or more capabilities in cap.keep, drop all capabilities not in cap.keep. Always drop all capabilities in cap.drop example json syntax: { "cap.keep": [ "cap_net_raw" ], "cap.drop": [] } Signed-off-by: Etienne CHAMPETIER --- CMakeLists.tx

[OpenWrt-Devel] [PATCH v2] procd: rework makefile, split ujail/seccomp

2015-08-25 Thread Etienne CHAMPETIER
this needs to be applied after my work on ujail (procd git) ujail doesn't depend on seccomp and some archs don't support seccomp Signed-off-by: Etienne CHAMPETIER --- package/system/procd/Makefile | 50 +-- 1 file changed, 25 insertions(+), 25 dele

Re: [OpenWrt-Devel] [PATCH procd v2 0/5] jail work

2015-08-26 Thread Etienne Champetier
2015-08-26 15:48 GMT+02:00 John Crispin : > > > On 26/08/2015 01:00, Etienne CHAMPETIER wrote: > > This patch series reworks ujail a bit, > > and adds capabilities support to it > > nice > > > > > Seccomp filters are very powerful but not totally generi

[OpenWrt-Devel] [PATCH procd v3 0/7] jail work

2015-08-26 Thread Etienne CHAMPETIER
v3 of my (u)jail work, you can now use separately namespaces jail, capabilities and seccomp Openwrt procd Makefile patch v2 is still ok

[OpenWrt-Devel] [PATCH procd v3 1/7] add UTRACE_SUPPORT build option

2015-08-26 Thread Etienne CHAMPETIER
we can now build preload-seccomp, ujail, utrace separately Signed-off-by: Etienne CHAMPETIER --- CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6af17a3..805e2ed 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -84,7 +84,9

[OpenWrt-Devel] [PATCH procd v3 4/7] jail: reworks & cleanups

2015-08-26 Thread Etienne CHAMPETIER
t's an exec and add its dependencies Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 393 1 file changed, 157 insertions(+), 236 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 2bba292..f8139b8 100644 --- a/jail

[OpenWrt-Devel] [PATCH procd v3 2/7] jail, seccomp: fix typo/improve log prefix

2015-08-26 Thread Etienne CHAMPETIER
(perload-jail -> preload-seccomp) Signed-off-by: Etienne CHAMPETIER --- jail/seccomp.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/seccomp.h b/jail/seccomp.h index 6c585ad..c44a607 100644 --- a/jail/seccomp.h +++ b/jail/seccomp.h @@ -12,8 +1

[OpenWrt-Devel] [PATCH procd v3 3/7] jail, seccomp: remove useless root check

2015-08-26 Thread Etienne CHAMPETIER
prctl(PR_SET_NO_NEW_PRIVS, 1) is enough, we don't require CAP_SYS_ADMIN see https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt Signed-off-by: Etienne CHAMPETIER --- jail/preload.c | 6 -- 1 file chang

[OpenWrt-Devel] [PATCH procd v3 6/7] jail: cleanup include

2015-08-26 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 14 -- jail/jail.c | 10 -- jail/log.h | 1 + 3 files changed, 1 insertion(+), 24 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index c198599..cbb3051 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -12,33 +12,19

[OpenWrt-Devel] [PATCH procd v3 5/7] jail: add capabilities support

2015-08-26 Thread Etienne CHAMPETIER
If there is one or more capabilities in cap.keep, drop all capabilities not in cap.keep. Always drop all capabilities in cap.drop example json syntax: { "cap.keep": [ "cap_net_raw" ], "cap.drop": [] } Signed-off-by: Etienne CHAMPETIER --- CMakeLists.tx

[OpenWrt-Devel] [PATCH procd v3 7/7] jail: allow to not use namespaces

2015-08-26 Thread Etienne CHAMPETIER
building a generic jail can be hard, choosing to drop some capabilities can be easier. This commit permits using namespaces, capabilities and seccomp combined as you like. Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 76 + 1

Re: [OpenWrt-Devel] [PATCH procd v2 0/5] jail work

2015-08-27 Thread Etienne Champetier
2015-08-27 12:18 GMT+02:00 John Crispin : > > > On 26/08/2015 18:20, Etienne Champetier wrote: > > > > > > 2015-08-26 15:48 GMT+02:00 John Crispin > <mailto:blo...@openwrt.org>>: > > > > On 26/08/2015 01:00, Etienne CHAMPETIER wr

Re: [OpenWrt-Devel] Renaming trunk to Dxx Dxx ?

2015-09-09 Thread Etienne Champetier
2015-09-09 15:20 GMT+02:00 Hannu Nyman : > I repeat my earlier wish that trunk should be renamed as soon as possible. > > There have been several changes during the summer that have made trunk to > significantly deviate from the CC branch. Some of the changes are under the > hood (like musl vs. uCl

Re: [OpenWrt-Devel] Renaming trunk to Dxx Dxx ? Or seperate name for Trunk?

2015-09-10 Thread Etienne Champetier
2015-09-11 8:46 GMT+02:00 John Crispin : > > > On 11/09/2015 08:39, Rafał Miłecki wrote: > > On 11 September 2015 at 07:51, John Crispin wrote: > >> On 11/09/2015 07:18, Rafał Miłecki wrote: > >>> On 9 September 2015 at 17:24, Tobias Welz wrote: > BTW: Why does the trunk have to be "renamed"

Re: [OpenWrt-Devel] Renaming trunk to Dxx Dxx ? Or seperate name for Trunk?

2015-09-11 Thread Etienne Champetier
2015-09-11 8:59 GMT+02:00 John Crispin : > > > On 11/09/2015 08:53, Etienne Champetier wrote: > > > > > > 2015-09-11 8:46 GMT+02:00 John Crispin > <mailto:blo...@openwrt.org>>: > > > > > > > > On 11/09/2015 08:39, Rafał Miłec

Re: [OpenWrt-Devel] OpenWRT www version banner a security risk

2015-09-13 Thread Etienne Champetier
Hi, On 13 Sep 2015 16:34, "Daniel Dickinson" wrote: > > Actually two far more useful solutions: > > 1) By default only answer requests from 'lan' network in /etc/config/uhttp instead of 0.0.0.0/32 > 2) Some useful alert if what appears to be a firewally misconfiguration is created (default O

Re: [OpenWrt-Devel] OpenWRT www version banner a security risk

2015-09-13 Thread Etienne Champetier
Hi Daniel, On 13 Sep 2015 22:04, "Daniel Dickinson" wrote: > > I do think allowing to choose to disable the banner is a minor benefit, however, as I've said, there are much more effective means of preventing accidental exposure, and quite frankly if the user is *choosing* to open the web in

Re: [OpenWrt-Devel] OpenWRT www version banner a security risk

2015-09-13 Thread Etienne Champetier
Hi again, On 13 Sep 2015 22:50, "Daniel Dickinson" wrote: > > On 2015-09-13 4:41 PM, Luiz Angelo Daros de Luca wrote: >> >> While openwrt doesn't offer security release, hiding version in banner >> is not very effective. If the attacker can detect it is OpenWRT and if >> there is a known sec

Re: [OpenWrt-Devel] OpenWRT www version banner a security risk

2015-09-14 Thread Etienne Champetier
Hi, On 14 Sep 2015 06:36, "Daniel Dickinson" wrote: > > On 2015-09-14 12:30 AM, Daniel Dickinson wrote: >> >> On 2015-09-13 11:39 PM, Florian Fainelli wrote: >>> >>> On Sep 13, 2015 2:00 PM, "Etienne Champetier" >>> mailto:

Re: [OpenWrt-Devel] [PATCH procd v2 0/5] jail work

2015-09-14 Thread Etienne Champetier
hi, 2015-08-27 13:38 GMT+02:00 John Crispin : > > > On 27/08/2015 13:25, Etienne Champetier wrote: > > > > > > 2015-08-27 12:18 GMT+02:00 John Crispin > <mailto:blo...@openwrt.org>>: > > > > > > > > On 26/08/2015 18:20, Etienn

[OpenWrt-Devel] r46816, remove unused crypt() algorithms -> switch to sha512?

2015-09-14 Thread Etienne Champetier
Hi Felix, Maybe we should keep sha512 and switch to it? md5 is not best security practice these days. I've checked, ubuntu 14.04 and fedora 22 both use sha512 in /etc/shadow I wonder if AF_ALG can be of any interest here (integrate needed algo by default into the kernel, then patch core software

Re: [OpenWrt-Devel] r46816, remove unused crypt() algorithms -> switch to sha512?

2015-09-14 Thread Etienne Champetier
Hi, On 15 Sep 2015 01:40, "Felix Fietkau" wrote: > > On 2015-09-15 00:22, Etienne Champetier wrote: > > Hi Felix, > > > > Maybe we should keep sha512 and switch to it? md5 is not best security > > practice these days. > I don't see the point.

Re: [OpenWrt-Devel] John, no permission to change patches even own

2016-01-18 Thread Etienne Champetier
Hi You should respond to the original mail and not create a new thread each time On 19 Jan 2016 03:03, "Daniel Dickinson" daniel.thecshore.com > wrote: > > Hi John, > > Contrary to what you believed it is not possible for the ordinary users (of which I am one at the moment) to modify their o

Re: [OpenWrt-Devel] Multi-wwan and AP only radio0

2016-02-04 Thread Etienne Champetier
Hi, On 5 Feb 2016 07:14, "Okupandolared" wrote: > > Hello. > > I have a WR740N with Barrier Breaker, I achieved to create my own image with all requirements and after flash image, install mwan3 and luci-app-mwa3. > > Currently I connect to a wireless network as a client-A WWAN, and create anot

Re: [OpenWrt-Devel] svn.openwrt.org down?

2016-02-25 Thread Etienne Champetier
You should switch to git (haven't checked if it works right now though) On 25 Feb 2016 21:39, "Shankar Unni" wrote: > The svn server on svn.openwrt.org seems to be down? The machine itself > is up and running, however. > > Is there a known outage? > > > % svn up > svn: Can't connect to host

Re: [OpenWrt-Devel] [PATCH] procd: restrict ujail to supported platforms

2016-04-13 Thread Etienne Champetier
cc list 2016-04-13 14:40 GMT+02:00 Etienne Champetier : > Hi Zefir > > 2016-04-13 14:26 GMT+02:00 Zefir Kurtisi : > >> ujail can be selected on e.g. PowerPC platforms, which >> currently causes the procd build to fail: >> ./trace/trace.c:48:2: error: #error tr

[OpenWrt-Devel] git.openwrt.org site half broken

2016-06-02 Thread Etienne Champetier
Hi, someone messed with git.openwrt.org nginx config, i can't get the js and css. see https://git.openwrt.org/project/static/gitweb.css (doesn't look like a css :) ) Cheers Etienne

Re: [OpenWrt-Devel] [LEDE-DEV] git.openwrt.org site half broken

2016-06-03 Thread Etienne Champetier
2016-06-03 11:13 GMT+02:00 John Crispin : > > > On 02/06/2016 13:20, Etienne Champetier wrote: >> Hi, >> >> someone messed with git.openwrt.org nginx config, i can't get the js and css. >> >> see https://git.openwrt.org/project/static/gitweb.css (

[OpenWrt-Devel] ujail bug/feature with file replacement with mv

2016-06-17 Thread Etienne Champetier
Hi, Just a heads up, ujail uses "bind mount" to include file and directories into the jail, so if you include a file named aaa (procd_add_jail_mount(_rw) aaa), and then replace it outside of the jail using "mv bbb aaa", in the jail you will still have file aaa. Workaround is to use a directory in

Re: [OpenWrt-Devel] [PATCH] procd: Allow override of default respawn parameters

2015-09-18 Thread Etienne Champetier
Hi, 2015-09-18 11:03 GMT+02:00 Helmut Schaa : > Hi John, > > On Fri, Sep 18, 2015 at 10:18 AM, John Crispin wrote: > > Hi > > > > On 18/09/2015 09:59, Helmut Schaa wrote: > >> Allow to pass RESPAWN_THESHOLD_DEFAULT, DRESPAWN_TIMEOUT_DEFAULT > >> and RESPAWN_RETRY_DEFAULT as parameters to cmake t

[OpenWrt-Devel] [PATCH procd] Add MS_NODEV MS_NOEXEC MS_NOSUID mount options where needed

2015-09-19 Thread Etienne CHAMPETIER
patch series Signed-off-by: Etienne CHAMPETIER --- initd/early.c | 12 ++-- plug/coldplug.c | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/initd/early.c b/initd/early.c index 89c8104..f410256 100644 --- a/initd/early.c +++ b/initd/early.c @@ -62,18 +

Re: [OpenWrt-Devel] [RFC] procd: Allow to enable endless respawning of services

2015-09-21 Thread Etienne Champetier
Hi, 2015-09-21 17:26 GMT+02:00 Helmut Schaa : > Extend /etc/config/system with a parameter to enable > infinite respawn mode: > > config system > option service_endless_respawn 1 > why not "service_respawn_retry", which set "respawn_retry" default value (if i want to set

Re: [OpenWrt-Devel] [PATCH] dnsmasq: remove dnssec timecheck enable on SIGHUP

2015-10-01 Thread Etienne Champetier
Hi, 2015-10-01 12:19 GMT+02:00 Kevin Darbyshire-Bryant < ke...@darbyshire-bryant.me.uk>: > This patch stops SIGHUP from enabling dnssec timechecks if disabled by > use of --dnssec-no-timecheck option. --dnssec-timestamp continues to > work correctly. > I haven't really followed the previous dis

Re: [OpenWrt-Devel] [PATCH] dnsmasq: remove dnssec timecheck enable on SIGHUP

2015-10-01 Thread Etienne Champetier
2015-10-01 13:21 GMT+02:00 Kevin Darbyshire-Bryant < ke...@darbyshire-bryant.me.uk>: > > > On 01/10/15 11:37, Etienne Champetier wrote: > > Hi, > > > > 2015-10-01 12:19 GMT+02:00 Kevin Darbyshire-Bryant > > mailto:ke...@darbyshire-bryant.me.uk>>: >

Re: [OpenWrt-Devel] [RFC] libubox/binary.h design proposal

2015-10-04 Thread Etienne Champetier
Hi, 2015-10-04 22:47 GMT+02:00 Javier Domingo Cansino : > Hello, > > I asked Friday on IRC how to write blobs, I was suggested using > blob_raw_put from libubox/blob.h, but as I have to implement a binary > protocol that uses different endianess, non aligned data etc., I think the > best solution

Re: [OpenWrt-Devel] [PATCH procd v3 0/7] jail work

2015-10-05 Thread Etienne Champetier
Hi John, 2015-10-05 11:14 GMT+02:00 John Crispin : > > > On 27/08/2015 01:26, Etienne CHAMPETIER wrote: > > v3 of my (u)jail work, you can now use separately > > namespaces jail, capabilities and seccomp > > > > Openwrt procd Makefile patch v2 is still ok >

Re: [OpenWrt-Devel] [PATCH procd v3 0/7] jail work

2015-10-07 Thread Etienne Champetier
Hi, On 5 Oct 2015 13:49, "Etienne Champetier" wrote: > > Hi John, > > 2015-10-05 11:14 GMT+02:00 John Crispin : >> >> >> >> On 27/08/2015 01:26, Etienne CHAMPETIER wrote: >> > v3 of my (u)jail work, you can now use separately >>

[OpenWrt-Devel] [PATCH procd] jail: Add MS_NODEV MS_NOEXEC MS_NOSUID mount options where needed

2015-10-08 Thread Etienne CHAMPETIER
this completes fafbf7338ec8304f2a0ec0ba76048fba2c01c07e Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index f459a5e..56dc9ca 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -193,11 +193,11

Re: [OpenWrt-Devel] SVN to GIT transition

2015-10-12 Thread Etienne Champetier
Hi All, Here are some commands to make a "full" git repo, from the "trunk" repo (the only complaint that everyone agrees on) We keep git commit sha's for the trunk, and we add all branches/tags It needs some more tuning, but it's a good start :) 1) clone the trunk repo git clone git://git.openw

Re: [OpenWrt-Devel] SVN to GIT transition

2015-10-13 Thread Etienne Champetier
Hi again, 2015-10-12 23:49 GMT+02:00 Etienne Champetier : > Hi All, > > Here are some commands to make a "full" git repo, from the "trunk" repo > (the only complaint that everyone agrees on) > We keep git commit sha's for the trunk, and we add all bran

Re: [OpenWrt-Devel] [PATCH] busybox: enable find mtime support by default

2015-10-16 Thread Etienne Champetier
Hi Dirk, 2015-10-16 12:10 GMT+02:00 Dirk Brenken : > busybox binary in openwrt neither supports stat nor find mtime. This patch > adds find mtime support by default. > what's the size before/after (ipk size) > Signed-off-by: Dirk Brenken > --- > --- trunk/package/utils/busybox/Config-default

Re: [OpenWrt-Devel] [PATCH] busybox: enable find mtime support by default

2015-10-18 Thread Etienne Champetier
Hi, On 18 Oct 2015 21:31, "Dirk Brenken" wrote: > > Hi, > > I can't see the diff/patch below on patchwork, anything wrong with the > submitted patch? How did you generate it? You should use git send-email, and resend. Also add the size before/after in the commit message. > > Thanks > Dirk >

[OpenWrt-Devel] backport 46936 (procd: rework makefile, split ujail/seccomp)

2015-10-27 Thread Etienne Champetier
Hi John, since 47268, we need -DUTRACE_SUPPORT=1 to compile utrace https://dev.openwrt.org/changeset/47268/ http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=summary can you (or anyone else) backport r46936 or should i resend? https://dev.openwrt.org/changeset/46936/trunk/package/system/procd Thank

[OpenWrt-Devel] [PATCH CC] procd: rework makefile, split ujail/seccomp

2015-10-29 Thread Etienne CHAMPETIER
ujail doesn't depend on seccomp and some archs don't support seccomp Backport of r46936 needed since last procd update (r47268) Signed-off-by: Etienne CHAMPETIER --- package/system/procd/Makefile | 52 +-- 1 file changed, 26 insertions(+), 26 dele

Re: [OpenWrt-Devel] [PATCH CC] procd: rework makefile, split ujail/seccomp

2015-11-12 Thread Etienne Champetier
Hi 2015-10-29 22:04 GMT+01:00 Etienne CHAMPETIER : > ujail doesn't depend on seccomp and some archs don't support seccomp > > Backport of r46936 > needed since last procd update (r47268) > friendly ping this is run tested on

[OpenWrt-Devel] ujail not working with musl / DD

2015-11-12 Thread Etienne Champetier
Hi all, John, I'm a bit out of my game on this bug, ujail is not adding the interpreter in the jail (/lib/ld-musl-x86_64.so.1) with musl DD it's working with uclibc CC, on my ubuntu 14.04, but not with musl DD https://dev.openwrt.org/ticket/20785

[OpenWrt-Devel] [PATCH procd 1/2] ujail: remove useless arg in clone call

2015-11-20 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 56dc9ca..08babde 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -272,7 +272,7 @@ static int exec_jail() exit(EXIT_FAILURE

[OpenWrt-Devel] [PATCH procd 2/2] ujail: rework file dependencies detection (use ldd)

2015-11-20 Thread Etienne CHAMPETIER
even on 64bits images) -do not handle RPATH This patch: -use ldd to detect ELF dependencies -add support for shell script uClibc ldd doesn't work with shared lib, thus this patch breaks seccomp with uClibc Signed-off-by: Etienne CHAMPETIER --- CMakeLists.txt | 2 +- jail/deps.

Re: [OpenWrt-Devel] [PATCH procd 2/2] ujail: rework file dependencies detection (use ldd)

2015-11-21 Thread Etienne Champetier
00 John Crispin : > > > On 21/11/2015 00:05, Etienne CHAMPETIER wrote: > > Using ldd (via popen()) is a hack, but it's simpler (and working) > > indeed > > > we have 3 libc and many archs, too many ways to resolve .so > where does it break ? > > > > Curre

[OpenWrt-Devel] [PATCH procd 1/4] ujail: don't add non existant library_path

2015-11-22 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index cbb3051..34a5aca 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -33,6 +33,10 @@ static LIST_HEAD(library_paths); void alloc_library_path

[OpenWrt-Devel] [PATCH procd 2/4] ujail: remove useless arg in clone call

2015-11-22 Thread Etienne CHAMPETIER
spawn_jail(void) produces a compilation error, so we use spawn_jail() Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 56dc9ca..08babde 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -272,7

[OpenWrt-Devel] [PATCH procd 3/4] ujail: use const, stop using extern

2015-11-22 Thread Etienne CHAMPETIER
extern for function declaration in '.h' doesn't make sense Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 28 +++- jail/elf.h | 10 +- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 34a5aca..a26aa

[OpenWrt-Devel] [PATCH procd 4/4] ujail: rework fs jail part

2015-11-22 Thread Etienne CHAMPETIER
org/ticket/20785 Signed-off-by: Etienne CHAMPETIER --- CMakeLists.txt | 2 +- jail/elf.c | 132 +++--- jail/elf.h | 9 ++- jail/fs.c | 179 + jail/fs.h | 20 +++ jail/jail.

Re: [OpenWrt-Devel] [PATCH procd 2/4] ujail: remove useless arg in clone call

2015-11-23 Thread Etienne Champetier
Hi, On 23 Nov 2015 08:18, "John Crispin" wrote: > > > > On 23/11/2015 01:39, Etienne CHAMPETIER wrote: > > spawn_jail(void) produces a compilation error, > > so we use spawn_jail() > > > > Signed-off-by: Etienne CHAMPETIER > > --- > &g

Re: [OpenWrt-Devel] [PATCH procd 3/4] ujail: use const, stop using extern

2015-11-23 Thread Etienne Champetier
John > > On 23/11/2015 01:39, Etienne CHAMPETIER wrote: > > extern for function declaration in '.h' doesn't make sense > > > > Signed-off-by: Etienne CHAMPETIER > > --- > > jail/elf.c | 28 +++- > > jail/elf.h | 10 ++

Re: [OpenWrt-Devel] [PATCH procd 2/4] ujail: remove useless arg in clone call

2015-11-23 Thread Etienne Champetier
2015-11-23 9:11 GMT+01:00 John Crispin : > > > On 23/11/2015 09:09, Etienne Champetier wrote: > > Hi, > > > > On 23 Nov 2015 08:18, "John Crispin" > <mailto:blo...@openwrt.org>> wrote: > >> > >> > >> > >

Re: [OpenWrt-Devel] [PATCH procd 2/4] ujail: remove useless arg in clone call

2015-11-23 Thread Etienne Champetier
Hey, 2015-11-23 12:52 GMT+01:00 Paul Fertser : > Hey Etienne, > > Etienne Champetier writes: > > i know that spawn_jail(void) is valid code, but then the clone call > > refuses to compile > > That's type-safety for you. spawn_jail() is valid code too but it

[OpenWrt-Devel] [PATCH procd v2 01/17] ujail: don't add non existant library_path

2015-11-25 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index cbb3051..34a5aca 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -33,6 +33,10 @@ static LIST_HEAD(library_paths); void alloc_library_path

[OpenWrt-Devel] [PATCH procd v2 02/17] ujail: don't pass unused arg in clone call

2015-11-25 Thread Etienne CHAMPETIER
clone() call needs a function with "void *" arg (else we have a compilation error) Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 56dc9ca..9952ed9 100644 --- a/jail/jail.c +++ b/j

[OpenWrt-Devel] [PATCH procd v2 03/17] ujail: stop using extern in elf.h

2015-11-25 Thread Etienne CHAMPETIER
extern qualifiers for function definitions don't really make sense Signed-off-by: Etienne CHAMPETIER --- jail/elf.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jail/elf.h b/jail/elf.h index 3ae311e..19ceb3e 100644 --- a/jail/elf.h +++ b/jail/elf.h @@

[OpenWrt-Devel] [PATCH procd v2 04/17] ujail: use more const in elf.*

2015-11-25 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 28 +++- jail/elf.h | 4 ++-- jail/jail.c | 2 +- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 34a5aca..fb046b4 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -69,7 +69,7

[OpenWrt-Devel] [PATCH procd v2 00/17] ujail fs jail rework/fixes/improvements

2015-11-25 Thread Etienne CHAMPETIER
As requested, I've split up my work in smaller patches. I also follow the unwritten code style requirement :) "rework fs jail part" commit is still a bit big but if I split it further I will edit the same line in each commit (tell me if it is too big) Etienne CHAMPETIER (17): ujail

[OpenWrt-Devel] [PATCH procd v2 05/17] ujail: use "#pragma once" in .h where needed

2015-11-25 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER --- jail/capabilities.h | 1 + jail/elf.h | 4 +--- jail/log.h | 1 + jail/seccomp.h | 1 + 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/jail/capabilities.h b/jail/capabilities.h index e6699e9..beb67cc 100644 --- a/jail

[OpenWrt-Devel] [PATCH procd v2 07/17] ujail: add and to seccomp.h

2015-11-25 Thread Etienne CHAMPETIER
headers must include all their dependencies, no more, no less Signed-off-by: Etienne CHAMPETIER --- jail/preload.c | 2 -- jail/seccomp.c | 2 -- jail/seccomp.h | 3 +++ 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/jail/preload.c b/jail/preload.c index a1cc0b6..5466f27 100644

[OpenWrt-Devel] [PATCH procd v2 08/17] ujail: remove "#include log.h" from elf.h

2015-11-25 Thread Etienne CHAMPETIER
headers must include all their dependencies, no more, no less Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 1 + jail/elf.h | 2 -- jail/jail.c | 1 + 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 6d36215..5e22606 100644 --- a/jail/elf.c

[OpenWrt-Devel] [PATCH procd v2 06/17] ujail: add to log.h

2015-11-25 Thread Etienne CHAMPETIER
headers must include all their dependencies, no more, no less (it uses fprintf) Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 1 - jail/jail.c | 1 - jail/log.h | 1 + 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index fb046b4..6d36215 100644

[OpenWrt-Devel] [PATCH procd v2 09/17] ujail: search libs in /lib before /lib64

2015-11-25 Thread Etienne CHAMPETIER
, not in /lib64 (/lib64 is also a symlink to /lib) /lib64 is before /lib since the first commit, I don't know if it was on purpose this partly fixes https://dev.openwrt.org/ticket/20785 Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

[OpenWrt-Devel] [PATCH procd v2 11/17] ujail: add init_library_search()

2015-11-25 Thread Etienne CHAMPETIER
move all libraries search initialisation stuff into elf.c / init_library_search() for now we don't handle musl specific files Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 13 +++-- jail/elf.h | 3 +-- jail/jail.c | 6 +- 3 files changed, 13 insertions(+), 9 dele

[OpenWrt-Devel] [PATCH procd v2 10/17] ujail: use PATH_MAX for path related buffers

2015-11-25 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 9 + jail/jail.c | 9 + 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 5e22606..2acac71 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -22,6 +22,7 @@ #include #include #include

[OpenWrt-Devel] [PATCH procd v2 13/17] ujail: remove some debug/dev hack

2015-11-25 Thread Etienne CHAMPETIER
this code is present since first ujail commit (dfcfcca7) Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 7 +-- jail/jail.c | 8 ++-- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index c3a392c..7c52880 100644 --- a/jail/elf.c +++ b/jail

[OpenWrt-Devel] [PATCH procd v2 12/17] ujail: fixup code style: "func()" -> "func(void)"

2015-11-25 Thread Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 5b24f63..b7e6946 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -139,7 +139,7 @@ static int mount_bind(const char *root, const char *path

[OpenWrt-Devel] [PATCH procd v2 15/17] ujail: rework fs jail part

2015-11-25 Thread Etienne CHAMPETIER
th_and_deps() function to handle file/lib opening and mmapping Check if file is an elf (magic number) before passing it to elf_load_deps() elf_load_deps() now only handles elf parsing part next commit adds script (#!) handling Use add_path_and_deps() with -r and -w args to automatically a

[OpenWrt-Devel] [PATCH procd v2 14/17] ujail: DT_STRTAB uses d_ptr in d_un union (not d_val)

2015-11-25 Thread Etienne CHAMPETIER
see https://docs.oracle.com/cd/E19683-01/817-3677/chapter6-42444/index.html Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index 7c52880..46c19df 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -182,7

[OpenWrt-Devel] [PATCH procd v2 16/17] ujail: automatically add script (#!) interpreter

2015-11-25 Thread Etienne CHAMPETIER
this makes simple scripts work easily with ujail Signed-off-by: Etienne CHAMPETIER --- jail/fs.c | 28 1 file changed, 28 insertions(+) diff --git a/jail/fs.c b/jail/fs.c index aeab730..c848700 100644 --- a/jail/fs.c +++ b/jail/fs.c @@ -79,6 +79,29 @@ void
