Daniel Golle <dan...@makrotopia.org> [2020-11-07 14:17:12]:

Hi,

> A while ago we have added some useful kernel features to !SMALL_FLASH
> devices[1]. To make more use of that by default in a way which will
> make exploiting potential vulnerabilities in OpenWrt's services much
> harder, it'd be great to also have procd-ujail as well as procd-seccomp
> installed by default, adding about 38kB to squashfs rootfs.

thanks a lot for your work on these features!

> As it was reverted after it (actually something else) had broken the
> build, I've extensively tested ujail on x86/64, ath79/generic,
> ramips/mt7621, malta/mips64be and armvirt/64.

I've started QEMU x86/64 (4 cores, 512MB RAM) with LAN/WAN interfaces
yesterday in the afternoon and found it in an unusable state this morning,
without network and constantly OOMing.

 root@OpenWrt:/# uptime
  05:33:32 up 15:22,  load average: 0.00, 0.00, 0.00
 root@OpenWrt:/# logread
 ^CFailed to connect to ubus
 root@OpenWrt:/# cat /proc/$(pgrep ubusd)/syscall
 44 0x8 0x7fffa9faff58 0x4c 0x0 0x0 0x0 0x7fffa9fafea0 0x7f8fd7b7273a

(44 is sendto)

The OOMing is happening probably due to the 8h DHCP lease time on the WAN
interface and the following processes stuck on ubus access:

 root@OpenWrt:/# ps w | grep -c "ubus call network.interface notify_proto"
 587
 root@OpenWrt:/# ps w | grep -c "fw3 -q network wan6"
 358
 root@OpenWrt:/# ps w | grep -c "/lib/netifd/dhcpv6.script eth1 rebound"
 640

BTW it is not related to your changes which made ubusd run under the ubus
user (it was happening with ubusd running as root also), but certainly
caused by the ujail/seccomp stuff as I don't experience these issues without
those features.

My current config:

 CONFIG_TARGET_x86=y
 CONFIG_TARGET_x86_64=y
 CONFIG_TARGET_x86_64_DEVICE_generic=y
 CONFIG_DEVEL=y
 CONFIG_DEBUG=y
 CONFIG_FEED_luci=y
 CONFIG_FEED_packages=y
 CONFIG_GRUB_TIMEOUT="1"
 CONFIG_JSON_OVERVIEW_IMAGE_INFO=y
 CONFIG_KERNEL_PERF_EVENTS=y
 CONFIG_PACKAGE_MAC80211_DEBUGFS=y
 CONFIG_PACKAGE_MAC80211_MESH=y
 CONFIG_PACKAGE_block-mount=y
 CONFIG_PACKAGE_hostapd-common=y
 CONFIG_PACKAGE_ip-tiny=y
 CONFIG_PACKAGE_ipset=y
 CONFIG_PACKAGE_ipset-dns=y
 CONFIG_PACKAGE_iw=y
 CONFIG_PACKAGE_kmod-cfg80211=y
 CONFIG_PACKAGE_kmod-ipt-ipset=y
 CONFIG_PACKAGE_kmod-mac80211=y
 CONFIG_PACKAGE_kmod-nfnetlink=y
 CONFIG_PACKAGE_kmod-udptunnel4=y
 CONFIG_PACKAGE_kmod-udptunnel6=y
 CONFIG_PACKAGE_kmod-wireguard=y
 CONFIG_PACKAGE_libbfd=y
 CONFIG_PACKAGE_libbz2=y
 CONFIG_PACKAGE_libctf=y
 CONFIG_PACKAGE_libdw=y
 CONFIG_PACKAGE_libelf=y
 CONFIG_PACKAGE_libgmp=y
 CONFIG_PACKAGE_libipset=y
 CONFIG_PACKAGE_libiwinfo=y
 CONFIG_PACKAGE_liblua=y
 CONFIG_PACKAGE_libmnl=y
 CONFIG_PACKAGE_libnettle=y
 CONFIG_PACKAGE_libopcodes=y
 CONFIG_PACKAGE_libunwind=y
 CONFIG_PACKAGE_objdump=y
 CONFIG_PACKAGE_perf=y
 CONFIG_PACKAGE_procd-seccomp=y
 CONFIG_PACKAGE_rpcd=y
 CONFIG_PACKAGE_rpcd-mod-file=y
 CONFIG_PACKAGE_rpcd-mod-iwinfo=y
 CONFIG_PACKAGE_rpcd-mod-luci=y
 CONFIG_PACKAGE_rpcd-mod-rpcsys=y
 CONFIG_PACKAGE_trace-cmd=y
 CONFIG_PACKAGE_trace-cmd-extra=y
 CONFIG_PACKAGE_uhttpd=y
 CONFIG_PACKAGE_uhttpd-mod-lua=y
 CONFIG_PACKAGE_uhttpd-mod-ubus=y
 CONFIG_PACKAGE_wireguard=y
 CONFIG_PACKAGE_wireguard-tools=y
 CONFIG_PACKAGE_wireless-regdb=y
 CONFIG_PACKAGE_zlib=y
 CONFIG_SRC_TREE_OVERRIDE=y
 # CONFIG_TARGET_IMAGES_GZIP is not set
 CONFIG_TARGET_INITRAMFS_COMPRESSION_LZMA=y
 CONFIG_TARGET_ROOTFS_INITRAMFS=y
 CONFIG_uhttpd_lua=y

Cheers,

Petr

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
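A small diagnostic in the spirit of the checks in the report above; it is an added example, not code from this thread or from OpenWrt. It assumes x86_64 syscall numbers (44 is sendto, as the report notes), decodes a /proc/<pid>/syscall line and counts the stuck helper processes in ps output, all on constructed sample data.

```python
# Added example: decode /proc/<pid>/syscall and count ubus-blocked helpers.
# Syscall numbers below are the real x86_64 ones; sample data is constructed.
from collections import Counter

X86_64_SYSCALLS = {0: "read", 1: "write", 7: "poll", 44: "sendto", 45: "recvfrom",
                   46: "sendmsg", 47: "recvmsg", 202: "futex", 232: "epoll_wait"}

def parse_proc_syscall(line):
    """Decode one /proc/<pid>/syscall line: 'nr a1..a6 sp pc' while blocked in a
    syscall; 'running' or '-1 sp pc' otherwise (returns None for those)."""
    fields = line.split()
    if not fields or fields[0] == "running" or int(fields[0]) < 0:
        return None
    nr = int(fields[0])
    args = [int(f, 16) for f in fields[1:7]]
    return {"nr": nr, "name": X86_64_SYSCALLS.get(nr, f"syscall_{nr}"),
            "args": args, "sp": int(fields[7], 16), "pc": int(fields[8], 16)}

def count_stuck_helpers(ps_output, patterns):
    """Count 'ps w' lines containing each pattern, like the grep -c calls above."""
    counts = Counter({p: 0 for p in patterns})
    for line in ps_output.splitlines():
        for pat in patterns:
            if pat in line:
                counts[pat] += 1
    return counts

def ubus_stall_verdict(syscall_line, ps_output, patterns, threshold=50):
    """True when ubusd sits in a socket send and helpers pile up past threshold."""
    sc = parse_proc_syscall(syscall_line)
    blocked_in_send = sc is not None and sc["name"] in ("sendto", "sendmsg", "write")
    backlog = sum(count_stuck_helpers(ps_output, patterns).values())
    return blocked_in_send and backlog >= threshold

# Constructed sample: the syscall line from the report plus a tiny ps snippet.
SAMPLE_SYSCALL = "44 0x8 0x7fffa9faff58 0x4c 0x0 0x0 0x0 0x7fffa9fafea0 0x7f8fd7b7273a"
SAMPLE_PS = "\n".join(
    ["  PID USER       VSZ STAT COMMAND"]
    + [" 1200 root      1100 S    ubus call network.interface notify_proto"] * 3
    + [" 1300 root      1200 S    /lib/netifd/dhcpv6.script eth1 rebound"] * 2
    + [" 1400 root      1000 S    fw3 -q network wan6"])
PATTERNS = ["ubus call network.interface notify_proto", "fw3 -q network wan6",
            "/lib/netifd/dhcpv6.script eth1 rebound"]

if __name__ == "__main__":
    print(parse_proc_syscall(SAMPLE_SYSCALL)["name"])
    print(dict(count_stuck_helpers(SAMPLE_PS, PATTERNS)))
    print(ubus_stall_verdict(SAMPLE_SYSCALL, SAMPLE_PS, PATTERNS, threshold=5))
```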