[OpenWrt-Devel] [PATCH] [package] Properly enable 802.11w support in hostapd
Add CONFIG_IEEE80211W variable to DRIVER_MAKEOPTS so that 802.11w support is properly compiled in full variant. This fixes #20179 Signed-off-by: Janusz Dziemidowicz --- package/network/services/hostapd/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile index 3dff7b4..c16cb11 100644 --- a/package/network/services/hostapd/Makefile +++ b/package/network/services/hostapd/Makefile @@ -71,7 +71,7 @@ DRIVER_MAKEOPTS= \ CONFIG_DRIVER_WEXT=$(CONFIG_DRIVER_WEXT_SUPPORT) \ ifeq ($(LOCAL_VARIANT),full) - CONFIG_IEEE80211W=$(CONFIG_PACKAGE_kmod-ath9k) + DRIVER_MAKEOPTS += CONFIG_IEEE80211W=$(CONFIG_PACKAGE_kmod-ath9k) endif ifneq ($(LOCAL_TYPE),hostapd) -- 2.5.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
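Review bot: the `+=` form is the right fix, because inside the `ifeq ($(LOCAL_VARIANT),full)` block the old bare `CONFIG_IEEE80211W=$(CONFIG_PACKAGE_kmod-ath9k)` line was a standalone Make assignment that never reached `DRIVER_MAKEOPTS` (the backslash continuation ends at the `CONFIG_DRIVER_WEXT` line just above it). One point for the commit message: the value stays tied to `CONFIG_PACKAGE_kmod-ath9k`, so a full-variant build without ath9k still passes an empty `CONFIG_IEEE80211W=` and gets no 802.11w (management frame protection) regardless of what other drivers in the image support; a dedicated config symbol for 802.11w would make that dependency explicit.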
Re: [OpenWrt-Devel] [PATCH] brcm63xx: add Comtrend VR-3026e support
Hi,

On Wed, Aug 26, 2015 at 7:09 AM, Martin Tesar wrote:
> Hi,
>
> here is an updated patch.

Please send the patch inline like you did the first time (easier to review and comment on), and:

diff --git a/target/linux/brcm63xx/patches-3.18/999-board_VR-3026e.patch b/target/linux/brcm63xx/patches-3.18/999-board_VR-3026e.patch
new file mode 100644
index 000..3142f84
--- /dev/null
+++ b/target/linux/brcm63xx/patches-3.18/999-board_VR-3026e.patch

Please use the next free number in the 5xx range (which is intended for board support patches).

Regards
Jonas
Re: [OpenWrt-Devel] [PATCH procd v2 0/5] jail work
On 26/08/2015 01:00, Etienne CHAMPETIER wrote:
> This patch series rework a bit ujail,
> and add capabilities support to it

nice

> Seccomp filter are very powerful but not totally generic,
> each arch can have different set of syscalls,
> each libc can use different syscall for the same function,
> and seccomp isn't supported on all arch.
>
> Capabilities are more high level, but still can restrict
> jail to a sane minimum of privileges.
>
> Patch 4 is a bit big and i can split it if needed, just tell me how

will have a closer look next few days

there seems to be a way to escape from the rebind mount jail that QCA has found, and I have not had the time yet to finish my jailfs module. It runs and loads; I can do mounts and access files inside them using normal shell calls. However, if I point a jail instance at the mountpoint it oopses horribly. I suspect that I am either using vfs wrong or am missing locking/ref-counting somewhere. I'll throw the code onto github later today or tomorrow and post the link. Maybe someone with more knowledge of vfs can help fix it.
[OpenWrt-Devel] [PATCH] uci: add import call
similiar to import from uci cli. import removes all old configs and import the new config. example: ubus call uci import \ '{"config": "dhcp", "values": { "srv": { ".type": "host", ".name": "srv", "mac": "00:11:22:33:44:55", "ip": "192.168.1.2" } } }' --- uci.c | 152 ++ 1 file changed, 152 insertions(+) diff --git a/uci.c b/uci.c index 8b5dafd..86c3b6e 100644 --- a/uci.c +++ b/uci.c @@ -32,6 +32,21 @@ static struct ubus_context *apply_ctx; static char apply_sid[RPC_SID_LEN + 1]; enum { + RPC_ADD_TYPE, + RPC_ADD_NAME, + RPC_ADD_ANONYMOUS, + RPC_ADD_INDEX, + __RPC_ADD_MAX, +}; + +static const struct blobmsg_policy rpc_uci_add_section_policy[__RPC_ADD_MAX] = { + [RPC_ADD_TYPE] = { .name = ".type", .type = BLOBMSG_TYPE_STRING }, + [RPC_ADD_NAME] = { .name = ".name", .type = BLOBMSG_TYPE_STRING }, + [RPC_ADD_ANONYMOUS] = { .name = ".anonymous", .type = BLOBMSG_TYPE_BOOL }, + [RPC_ADD_INDEX] = { .name = ".index", .type = BLOBMSG_TYPE_INT32 }, +}; + +enum { RPC_G_CONFIG, RPC_G_SECTION, RPC_G_OPTION, @@ -90,6 +105,20 @@ static const struct blobmsg_policy rpc_uci_set_policy[__RPC_S_MAX] = { }; enum { + RPC_I_CONFIG, + RPC_I_VALUES, + RPC_I_SESSION, + __RPC_I_MAX, +}; + +static const struct blobmsg_policy rpc_uci_import_policy[__RPC_I_MAX] = { + [RPC_I_CONFIG] = { .name = "config", .type = BLOBMSG_TYPE_STRING }, + [RPC_I_VALUES] = { .name = "values", .type = BLOBMSG_TYPE_TABLE }, + [RPC_I_SESSION] = { .name = "ubus_rpc_session", + .type = BLOBMSG_TYPE_STRING }, +}; + +enum { RPC_D_CONFIG, RPC_D_SECTION, RPC_D_TYPE, @@ -179,6 +208,9 @@ static const struct blobmsg_policy rpc_uci_rollback_policy[__RPC_B_MAX] = { .type = BLOBMSG_TYPE_STRING }, }; +static void +rpc_uci_merge_delete(struct blob_attr *opt, struct uci_ptr *ptr); + /* * Turn uci error state into ubus return code */ 
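Review bot: in the `@@ -32,6 +32,21 @@` hunk, `rpc_uci_add_section_policy` declares `.anonymous` and `.index` entries, but `tb[RPC_ADD_ANONYMOUS]` and `tb[RPC_ADD_INDEX]` are never read later; the only handling of those keys is the skip list in the option loop of `rpc_uci_add_section`. Either drop the two policy entries (the skip list alone is enough) or honour them, for example by placing the section at `.index` so an imported config keeps its original ordering, which matters for UCI configs where section order is significant.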
@@ -729,6 +761,125 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr) } static int +rpc_uci_add_section(struct uci_package *p, struct blob_attr *msg) +{ + struct uci_section *s; + struct uci_ptr ptr = { 0 }; + struct blob_attr *cur, *elem; + struct blob_attr *tb[__RPC_ADD_MAX]; + int rem, rem2; + + blobmsg_parse(rpc_uci_add_section_policy, __RPC_ADD_MAX, tb, + blobmsg_data(msg), blobmsg_len(msg)); + + ptr.package = p->e.name; + + if (!tb[RPC_ADD_TYPE]) +goto out; + + /* add named section */ + if (tb[RPC_ADD_NAME]) + { +ptr.section = blobmsg_data(tb[RPC_ADD_NAME]); +ptr.value = blobmsg_data(tb[RPC_ADD_TYPE]); +ptr.option = NULL; + +if (rpc_uci_lookup(&ptr) || uci_set(cursor, &ptr)) + goto out; + } else { +if (uci_add_section(cursor, p, blobmsg_data(tb[RPC_ADD_TYPE]), &s) || !s) + goto out; + +ptr.section = s->e.name; + } + + blobmsg_for_each_attr(cur, msg, rem) + { +if (!strcmp(blobmsg_name(cur), ".type") || +!strcmp(blobmsg_name(cur), ".anonymous") || +!strcmp(blobmsg_name(cur), ".name") || +!strcmp(blobmsg_name(cur), ".index")) + continue; +ptr.o = NULL; +ptr.option = blobmsg_name(cur); + +if (rpc_uci_lookup(&ptr) || !ptr.s) + continue; + +switch (blobmsg_type(cur)) +{ +case BLOBMSG_TYPE_ARRAY: + blobmsg_for_each_attr(elem, cur, rem2) +if (rpc_uci_format_blob(elem, &ptr.value)) + uci_add_list(cursor, &ptr); + break; + +default: + if (rpc_uci_format_blob(cur, &ptr.value)) +uci_set(cursor, &ptr); + break; +} + } + + return 0; + +out: + return 1; +} + +/* blobmsg example: { "wan": { ".type": "interface", ".name":"wan", ".anonymous": false }, .. 
} */ +static int +rpc_uci_import(struct ubus_context *ctx, struct ubus_object *obj, +struct ubus_request_data *req, const char *method, +struct blob_attr *msg) +{ + struct blob_attr *tb[__RPC_I_MAX]; + struct blob_attr *cur; + struct uci_package *p = NULL; + struct uci_element *e, *tmp; + struct uci_ptr ptr = { 0 }; + int rem; + + + blobmsg_parse(rpc_uci_import_policy, __RPC_I_MAX, tb, + blob_data(msg), blob_len(msg)); + + if (!tb[RPC_I_CONFIG] || !tb[RPC_I_VALUES]) + return UBUS_STATUS_INVALID_ARGUMENT; + + if (!rpc_uci_write_access(tb[RPC_I_SESSION], tb[RPC_I_CONFIG])) + return UBUS_STATUS_PERMISSION_DENIED; + + ptr.package = blobmsg_data(tb[RPC_I_CONFIG]); + + if (uci_load(cursor, ptr.package, &p)) + return rpc_uci_status(); + + /* delete all section within package */ + uci_foreach_element_safe(&p->sections, tmp, e) + { +ptr.s = NULL; +ptr.section = e->name; +rpc_uci_merge_delete(NULL, &ptr); + } + + /* add new sections */ + blobm
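Review bot: in the `@@ -729,6 +761,125 @@` hunk, `rpc_uci_import` runs the `rpc_uci_merge_delete` loop over every existing section before any entry of `values` has been validated, and `rpc_uci_add_section` reports a missing `.type`, a failed `rpc_uci_lookup`/`uci_set` and a failed `uci_add_section` through the same `goto out`, while the `uci_set`/`uci_add_list` results inside the option loop are discarded entirely. A request with one malformed section therefore leaves the package partially replaced, and the caller cannot tell a bad request from a UCI error. Suggest a first pass over `values` that checks each entry is a table with a string `.type` and returns `UBUS_STATUS_INVALID_ARGUMENT` before anything is deleted, plus propagating the UCI failures (via `rpc_uci_status()`) out of `rpc_uci_add_section` so the import can be abandoned instead of reported as success.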
Re: [OpenWrt-Devel] [PATCH] uci: add import call
Sorry, I forgot an rpcd prefix in the subject. This is a patch for rpcd.
Re: [OpenWrt-Devel] [PATCH procd v2 0/5] jail work
2015-08-26 15:48 GMT+02:00 John Crispin :
>
> On 26/08/2015 01:00, Etienne CHAMPETIER wrote:
> > This patch series rework a bit ujail,
> > and add capabilities support to it
>
> nice
>
> > Seccomp filter are very powerful but not totally generic,
> > each arch can have different set of syscalls,
> > each libc can use different syscall for the same function,
> > and seccomp isn't supported on all arch.
> >
> > Capabilities are more high level, but still can restrict
> > jail to a sane minimum of privileges.
> >
> > Patch 4 is a bit big and i can split it if needed, just tell me how
>
> will have a closer look next few days

forgot to say it's tested on ar71xx with CC (and also on ubuntu 14.04)

> there seem to be a way to escape from the rebind mount jail that QCA has
> found

more than one ;)
can you share?
(with root rights you can kexec, mount /dev, ...)
that's why you really need to limit rights with capabilities drop or seccomp filter (I'm adding a vague warning in usage)

> and i have not had the time yet to finish my jailfs module.

with my patches you don't see all the bind mounts anymore ("in the host"), they are only in the jail mount namespace.
to see the mounts inside the jail you can still do cat /proc/<pid>/mounts

> it runs and loads, i can do mounts and access files inside them using
> normal shell calls. however if is point a jail instance at the
> mountpoint it oops horribly. i suspect that i am either using vfs wrong
> or am missing locking/ref-counting somewhere. i'll throw the code onto
> github later today or tomorrow and post the link. maybe someone with
> more knowledge of vfs can help fix it.

what problem are you fixing with jailfs? (real question, to be sure there is no simpler solution)
[OpenWrt-Devel] [PATCH v3] bcm63xx: add Comtrend VR-3026e support
Here is the third version. I hope it will be fine, finally.

Regards,
Martin
[OpenWrt-Devel] [PATCH v3] bcm63xx: add Comtrend VR-3026e support
Add support for Comtrend VR-3026e v1. The device is almost identical to the Comtrend VR-3025un. Signed-off-by: Martin Tesar --- target/linux/brcm63xx/base-files/etc/diag.sh | 3 + .../base-files/etc/uci-defaults/02_network | 3 +- .../base-files/etc/uci-defaults/09_fix_crc | 1 + target/linux/brcm63xx/base-files/lib/brcm63xx.sh | 3 + .../lib/preinit/05_init_interfaces_brcm63xx| 1 + target/linux/brcm63xx/dts/vr-3026e.dts | 88 ++ target/linux/brcm63xx/image/Makefile | 2 + .../brcm63xx/patches-3.18/572-board_VR-3026e.patch | 79 +++ .../brcm63xx/patches-4.1/572-board_VR-3026e.patch | 79 +++ target/linux/brcm63xx/profiles/comtrend.mk | 9 +++ 10 files changed, 267 insertions(+), 1 deletion(-) create mode 100644 target/linux/brcm63xx/dts/vr-3026e.dts create mode 100644 target/linux/brcm63xx/patches-3.18/572-board_VR-3026e.patch create mode 100644 target/linux/brcm63xx/patches-4.1/572-board_VR-3026e.patch diff --git a/target/linux/brcm63xx/base-files/etc/diag.sh b/target/linux/brcm63xx/base-files/etc/diag.sh index 7916ac2..7826fad 100644 --- a/target/linux/brcm63xx/base-files/etc/diag.sh +++ b/target/linux/brcm63xx/base-files/etc/diag.sh @@ -39,6 +39,9 @@ set_state() { vr-3025u) status_led="VR-3025u:green:power" ;; + vr-3026e) + status_led="VR-3026e:green:power" + ;; wap-5813n) status_led="WAP-5813n:green:power" ;; diff --git a/target/linux/brcm63xx/base-files/etc/uci-defaults/02_network b/target/linux/brcm63xx/base-files/etc/uci-defaults/02_network index 2ff9e45..4de861c 100644 --- a/target/linux/brcm63xx/base-files/etc/uci-defaults/02_network +++ b/target/linux/brcm63xx/base-files/etc/uci-defaults/02_network @@ -94,8 +94,9 @@ fast2504n |\ fast2704v2 |\ hg655b |\ p870hw-51a_v2 |\ +vr-3025u |\ vr-3025un |\ -vr-3025u) +vr-3026e) ucidef_set_interface_lan "eth0.1" ucidef_add_switch "eth0" "1" "1" ucidef_add_switch_vlan "eth0" "1" "0 1 2 3 8t" 
diff --git a/target/linux/brcm63xx/base-files/etc/uci-defaults/09_fix_crc b/target/linux/brcm63xx/base-files/etc/uci-defaults/09_fix_crc index 4a167dc..f307a4c 100644 --- a/target/linux/brcm63xx/base-files/etc/uci-defaults/09_fix_crc +++ b/target/linux/brcm63xx/base-files/etc/uci-defaults/09_fix_crc @@ -30,6 +30,7 @@ case "$(brcm63xx_board_name)" in v2500v_bb |\ vr-3025u |\ vr-3025un |\ + vr-3026e |\ wap-5813n) do_fixcrc ;; diff --git a/target/linux/brcm63xx/base-files/lib/brcm63xx.sh b/target/linux/brcm63xx/base-files/lib/brcm63xx.sh index 92fa5f2..1a97c86 100755 --- a/target/linux/brcm63xx/base-files/lib/brcm63xx.sh +++ b/target/linux/brcm63xx/base-files/lib/brcm63xx.sh @@ -102,6 +102,9 @@ brcm63xx_dt_detect() { "Comtrend VR-3025un") board_name="vr-3025un" ;; + "Comtrend VR-3026e") + board_name="vr-3026e" + ;; "Comtrend WAP-5813n") board_name="wap-5813n" ;; diff --git a/target/linux/brcm63xx/base-files/lib/preinit/05_init_interfaces_brcm63xx b/target/linux/brcm63xx/base-files/lib/preinit/05_init_interfaces_brcm63xx index d6ec537..abf5b89 100644 --- a/target/linux/brcm63xx/base-files/lib/preinit/05_init_interfaces_brcm63xx +++ b/target/linux/brcm63xx/base-files/lib/preinit/05_init_interfaces_brcm63xx @@ -32,6 +32,7 @@ set_preinit_iface() { v2110 |\ vr-3025un |\ vr-3025u |\ + vr-3026e |\ wap-5813n) ifname=eth0 ;; diff --git a/target/linux/brcm63xx/dts/vr-3026e.dts b/target/linux/brcm63xx/dts/vr-3026e.dts new file mode 100644 index 000..49790e2 --- /dev/null +++ b/target/linux/brcm63xx/dts/vr-3026e.dts 
@@ -0,0 +1,88 @@ +/dts-v1/; + +#include "bcm6368.dtsi" + +#include + +/ { + model = "Comtrend VR-3026e"; + compatible = "comtrend,vr-3026e", "brcm,bcm6368"; + + gpio-keys-polled { + compatible = "gpio-keys-polled"; + #address-cells = <1>; + #size-cells = <0>; + poll-interval = <20>; + debounce-interval = <60>; + + reset { + label = "reset"; + gpios = <&gpio1 2 1>; + linux,code = ; + }; + }; + + gpio-leds { + compatible = "gpio-leds"; + + dsl_green { + label = "VR-3026e:green:dsl"; + gpios = <&gpio0 2 1>; + }; + inet_green { + label = "VR-3026e:green:inet"; + gpios = <&gpio0 5 0>; + }; + lan1_green { + label = "VR-3026e:green:lan1"; + gpios =
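Review bot: in the `05_init_interfaces_brcm63xx` hunk the new `vr-3026e |\` entry is appended after `vr-3025u |\`, leaving that list as `vr-3025un`, `vr-3025u`, `vr-3026e`, while the `02_network` hunk in this same patch reorders its list to `vr-3025u`, `vr-3025un`, `vr-3026e` and `09_fix_crc` already uses that order. Keeping the three board-name case lists in the same order (the `02_network` reorder shows the intended one) makes future board additions easier to review; a one-line reorder in `05_init_interfaces_brcm63xx` would do it.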
[OpenWrt-Devel] [PATCH] toolchain/uClibc: add support of uClibc-ng
uClibc-ng is a spin-off of original uClibc, see http://www.uclibc-ng.org/

We try to regularly add changes from uClibc to uClibc-ng.
We even sent patches and bug reports to the uClibc mailing list.
The config file is compatible between uClibc-ng 1.0 and uClibc git master.
This might change in the future.

Our main goal is to provide regularly a stable and tested release
to make embedded system developers happy.

The main advantage of uClibc-ng over good old uClibc is regular releases,
so there's no need to keep tons of patches on top of the years-old 0.9.33.2.

Build-tested for
[1] ARM: Sunxi generic
[2] MIPS: Netgear WNDR3600/3700/3800

Run-tested for [yet out of the tree] Synopsys Designware ARC AXS101.
Signed-off-by: Alexey Brodkin Cc: Waldemar Brodkorb Cc: Mathieu Olivari Cc: Felix Fietkau Cc: John Crispin --- toolchain/uClibc/Config.in | 4 + toolchain/uClibc/Config.version| 4 + toolchain/uClibc/common.mk | 15 +- toolchain/uClibc/config-ng-1.0.6/arm | 9 + toolchain/uClibc/config-ng-1.0.6/armeb | 9 + toolchain/uClibc/config-ng-1.0.6/common| 223 + toolchain/uClibc/config-ng-1.0.6/debug | 6 + toolchain/uClibc/config-ng-1.0.6/i386 | 21 +++ toolchain/uClibc/config-ng-1.0.6/i686 | 21 +++ toolchain/uClibc/config-ng-1.0.6/m68k | 6 + toolchain/uClibc/config-ng-1.0.6/mips | 18 ++ toolchain/uClibc/config-ng-1.0.6/mips64| 18 ++ toolchain/uClibc/config-ng-1.0.6/mips64.32 | 19 +++ toolchain/uClibc/config-ng-1.0.6/mips64.64 | 19 +++ toolchain/uClibc/config-ng-1.0.6/mips64.n32| 19 +++ toolchain/uClibc/config-ng-1.0.6/mips64el | 18 ++ toolchain/uClibc/config-ng-1.0.6/mips64el.32 | 19 +++ toolchain/uClibc/config-ng-1.0.6/mips64el.64 | 19 +++ toolchain/uClibc/config-ng-1.0.6/mips64el.n32 | 19 +++ toolchain/uClibc/config-ng-1.0.6/mipsel| 18 ++ toolchain/uClibc/config-ng-1.0.6/mipsel.cobalt | 18 ++ toolchain/uClibc/config-ng-1.0.6/powerpc | 6 + toolchain/uClibc/config-ng-1.0.6/powerpc.e500 | 6 + toolchain/uClibc/config-ng-1.0.6/sparc | 8 + toolchain/uClibc/config-ng-1.0.6/sparc.leon| 8 + toolchain/uClibc/config-ng-1.0.6/x86_64| 6 + 26 files changed, 553 insertions(+), 3 deletions(-) create mode 100644 toolchain/uClibc/config-ng-1.0.6/arm create mode 100644 toolchain/uClibc/config-ng-1.0.6/armeb create mode 100644 toolchain/uClibc/config-ng-1.0.6/common create mode 100644 toolchain/uClibc/config-ng-1.0.6/debug create mode 100644 toolchain/uClibc/config-ng-1.0.6/i386 create mode 100644 toolchain/uClibc/config-ng-1.0.6/i686 create mode 100644 toolchain/uClibc/config-ng-1.0.6/m68k create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64 create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64.32 create mode 100644 
toolchain/uClibc/config-ng-1.0.6/mips64.64 create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64.n32 create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64el create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64el.32 create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64el.64 create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64el.n32 create mode 100644 toolchain/uClibc/config-ng-1.0.6/mipsel create mode 100644 toolchain/uClibc/config-ng-1.0.6/mipsel.cobalt create mode 100644 toolchain/uClibc/config-ng-1.0.6/powerpc create mode 100644 toolchain/uClibc/config-ng-1.0.6/powerpc.e500 create mode 100644 toolchain/uClibc/config-ng-1.0.6/sparc create mode 100644 toolchain/uClibc/config-ng-1.0.6/sparc.leon create mode 100644 toolchain/uClibc/config-ng-1.0.6/x86_64 diff --git a/toolchain/uClibc/Config.in b/toolchain/uClibc/Config.in index 08ea00a..c923bc0 100644 --- a/toolchain/uClibc/Config.in +++ b/toolchain/uClibc/Config.in @@ -11,6 +11,10 @@ choice select UCLIBC_VERSION_0_9_33 bool "uClibc 0.9.33.2" + config UCLIBC_USE_VERSION_NG + select UCLIBC_VERSION_NG + bool "uClibc-ng" + endchoice # Debug version. diff --git a/toolchain/uClibc/Config.version b/toolchain/uClibc/Config.version index dd302f2..b6aa471 100644 --- a/toolchain/uClibc/Config.version +++ b/toolchain/uClibc/Config.version @@ -2,8 +2,12 @@ config UCLIBC_VERSION string depends on USE_UCLIBC default "0.9.33.2" if UCLIBC_VERSION_0_9_33 + default "1.0.6" if UCLIBC_VERSION_NG default "0.9.33.2" config UCLIBC_VERSION_0_9_33 default y if !TOOLCHAINOPTS && USE_UCLIBC bool + +config UCLIBC_VERSION_NG + bool diff --git a/toolchain/uClibc/common.mk b/toolchain/uClibc/common.mk index 53a8443..026d69d 100644 --- a/toolchain/uClibc/common.mk +++ b/toolchain/uClibc/common.mk @@ -7,15 +7,24 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/ta
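Review bot: the `Config.version` hunk pins uClibc-ng to `"1.0.6"` and the new per-arch configs live in `config-ng-1.0.6/`, so every version bump will need both the Kconfig default and a renamed directory; that mirrors how `0.9.33.2` is handled, but it is worth saying in the commit message. The `common.mk` hunk is cut off after its `include` lines, so the download location and tarball checksum for uClibc-ng 1.0.6 cannot be checked from what is shown; since this is a toolchain component that every package links against, please make sure the tarball hash is pinned alongside the version in that file.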
Re: [OpenWrt-Devel] [PATCH] toolchain/uClibc: add support of uClibc-ng
Hi,

On 26/08/2015 20:11, Alexey Brodkin wrote:
> uClibc-ng is a spin-off of original uClibc, see http://www.uclibc-ng.org/
>
> We try to regularly add changes from uClibc to uClibc-ng.
> We even sent patches and bug reports to the uClibc mailing list.
> The config file is compatible between uClibc-ng 1.0 and uClibc git master.
> This might change in the future.
>
> Our main goal is to provide regularly a stable and tested release
> to make embedded system developers happy.
>
> The main advantage of uClibc-ng over olde good uClibc is regular releases
> so there's no need to keep tons of patches on top of years old
> 0.9.33.2

why do you not use musl? it is actively supported rather than being hooked on life support.

John

> Build-tested for
> [1] ARM: Sunxi generic
> [2] MIPS: Netgear WNDR3600/3700/3800
>
> Run-tested for [yet out of the tree] Synopsys Designware ARC AXS101.
> > Signed-off-by: Alexey Brodkin > Cc: Waldemar Brodkorb > Cc: Mathieu Olivari > Cc: Felix Fietkau > Cc: John Crispin > --- > toolchain/uClibc/Config.in | 4 + > toolchain/uClibc/Config.version| 4 + > toolchain/uClibc/common.mk | 15 +- > toolchain/uClibc/config-ng-1.0.6/arm | 9 + > toolchain/uClibc/config-ng-1.0.6/armeb | 9 + > toolchain/uClibc/config-ng-1.0.6/common| 223 > + > toolchain/uClibc/config-ng-1.0.6/debug | 6 + > toolchain/uClibc/config-ng-1.0.6/i386 | 21 +++ > toolchain/uClibc/config-ng-1.0.6/i686 | 21 +++ > toolchain/uClibc/config-ng-1.0.6/m68k | 6 + > toolchain/uClibc/config-ng-1.0.6/mips | 18 ++ > toolchain/uClibc/config-ng-1.0.6/mips64| 18 ++ > toolchain/uClibc/config-ng-1.0.6/mips64.32 | 19 +++ > toolchain/uClibc/config-ng-1.0.6/mips64.64 | 19 +++ > toolchain/uClibc/config-ng-1.0.6/mips64.n32| 19 +++ > toolchain/uClibc/config-ng-1.0.6/mips64el | 18 ++ > toolchain/uClibc/config-ng-1.0.6/mips64el.32 | 19 +++ > toolchain/uClibc/config-ng-1.0.6/mips64el.64 | 19 +++ > toolchain/uClibc/config-ng-1.0.6/mips64el.n32 | 19 +++ > toolchain/uClibc/config-ng-1.0.6/mipsel| 18 ++ > toolchain/uClibc/config-ng-1.0.6/mipsel.cobalt | 18 ++ > toolchain/uClibc/config-ng-1.0.6/powerpc | 6 + > toolchain/uClibc/config-ng-1.0.6/powerpc.e500 | 6 + > toolchain/uClibc/config-ng-1.0.6/sparc | 8 + > toolchain/uClibc/config-ng-1.0.6/sparc.leon| 8 + > toolchain/uClibc/config-ng-1.0.6/x86_64| 6 + > 26 files changed, 553 insertions(+), 3 deletions(-) > create mode 100644 toolchain/uClibc/config-ng-1.0.6/arm > create mode 100644 toolchain/uClibc/config-ng-1.0.6/armeb > create mode 100644 toolchain/uClibc/config-ng-1.0.6/common > create mode 100644 toolchain/uClibc/config-ng-1.0.6/debug > create mode 100644 toolchain/uClibc/config-ng-1.0.6/i386 > create mode 100644 toolchain/uClibc/config-ng-1.0.6/i686 > create mode 100644 toolchain/uClibc/config-ng-1.0.6/m68k > create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips > create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64 > 
create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64.32 > create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64.64 > create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64.n32 > create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64el > create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64el.32 > create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64el.64 > create mode 100644 toolchain/uClibc/config-ng-1.0.6/mips64el.n32 > create mode 100644 toolchain/uClibc/config-ng-1.0.6/mipsel > create mode 100644 toolchain/uClibc/config-ng-1.0.6/mipsel.cobalt > create mode 100644 toolchain/uClibc/config-ng-1.0.6/powerpc > create mode 100644 toolchain/uClibc/config-ng-1.0.6/powerpc.e500 > create mode 100644 toolchain/uClibc/config-ng-1.0.6/sparc > create mode 100644 toolchain/uClibc/config-ng-1.0.6/sparc.leon > create mode 100644 toolchain/uClibc/config-ng-1.0.6/x86_64 > > diff --git a/toolchain/uClibc/Config.in b/toolchain/uClibc/Config.in > index 08ea00a..c923bc0 100644 > --- a/toolchain/uClibc/Config.in > +++ b/toolchain/uClibc/Config.in > @@ -11,6 +11,10 @@ choice > select UCLIBC_VERSION_0_9_33 > bool "uClibc 0.9.33.2" > > + config UCLIBC_USE_VERSION_NG > + select UCLIBC_VERSION_NG > + bool "uClibc-ng" > + > endchoice > > # Debug version. > diff --git a/toolchain/uClibc/Config.version b/toolchain/uClibc/Config.version > index dd302f2..b6aa471 100644 > --- a/toolchain/uClibc/Config.version > +++ b/toolchain/uClibc/Config.version > @@ -2,8 +2,12 @@ config UCLIBC_VERSION > string > depends on USE_UCLIBC > default "0.9.33.2" if UCLIBC_VERSION_0_9_33 > + default "1.0.6" if UCLIBC_VERSION_NG > default "0.9.33.2" > > config UCLIBC_VERSION_
Re: [OpenWrt-Devel] [PATCH] toolchain/uClibc: add support of uClibc-ng
Hi John,

On Wed, 2015-08-26 at 20:20 +0200, John Crispin wrote:
> Hi,
>
> On 26/08/2015 20:11, Alexey Brodkin wrote:
> > uClibc-ng is a spin-off of original uClibc, see http://www.uclibc-ng.org/
> >
> > We try to regularly add changes from uClibc to uClibc-ng.
> > We even sent patches and bug reports to the uClibc mailing list.
> > The config file is compatible between uClibc-ng 1.0 and uClibc git master.
> > This might change in the future.
> >
> > Our main goal is to provide regularly a stable and tested release
> > to make embedded system developers happy.
> >
> > The main advantage of uClibc-ng over olde good uClibc is regular releases
> > so there's no need to keep tons of patches on top of years old
> > 0.9.33.2
>
> why do you not use musl ? it is actively support rather than being
> hooked on life support.

The point is I'm about to submit a patch with support of a new architecture (ARC) in OpenWRT. And unfortunately the only libc we have now is uClibc.

And since "original" uClibc lacks recent releases (where ARC support might exist, as we're in uclibc's master branch for quite some time already), I went forward with uClibc-ng, which sees releases much more often, and in released tarballs we already have support of ARC.

So I understand that other architectures may not benefit a lot from newer uClibc, but for us (ARC) there's no other way.

Hope that makes sense.

-Alexey
[OpenWrt-Devel] OpenWrt Summit Session Deadline - this FRIDAY, August 28
First, I promise this is the last reminder of the OpenWrt Summit Session deadline. :)

I just wanted to remind folks that the deadline for submitting OpenWrt Summit sessions is this Friday, August 28. We have some great session submissions but we're still looking for YOUR session submission. If you have a topic on OpenWrt you'd like to discuss or want to show off some great work, the OpenWrt Summit is the place to do it!

You can submit a session by visiting http://summit.prplfoundation.org and following the instructions. We've tried to make the form simple and straightforward, but if you have any questions, don't hesitate to contact me (eschu...@prplfoundation.org).

If you've never presented at a conference before, we welcome your submissions and participation. We want your views and experiences shared. I'm also happy to help anyone who would like help with their submissions.

Lastly, OpenWrt Summit is a welcoming conference and we value the participation of all people. In particular, I want to encourage folks from marginalized communities to submit their sessions, including women and people of color. Your experiences are part of OpenWrt and we welcome your sessions.

As always, please contact me if you have any questions or concerns. I look forward to seeing the final sessions that come in from everyone.

Thanks everyone again,

Eric

--
Eric Schultz, Community Manager, prpl Foundation
http://www.prplfoundation.org
eschu...@prplfoundation.org
cell: 920-539-0404
skype: ericschultzwi
@EricPrpl
[OpenWrt-Devel] [PATCH procd v3 0/7] jail work
v3 of my (u)jail work: you can now use namespace jail, capabilities and seccomp separately.

OpenWrt procd Makefile patch v2 is still ok.
[OpenWrt-Devel] [PATCH procd v3 1/7] add UTRACE_SUPPORT build option
we can now build preload-seccomp, ujail, utrace separately Signed-off-by: Etienne CHAMPETIER --- CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6af17a3..805e2ed 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -84,7 +84,9 @@ TARGET_LINK_LIBRARIES(ujail ubox) INSTALL(TARGETS ujail RUNTIME DESTINATION sbin ) +endif() +IF(UTRACE_SUPPORT) ADD_EXECUTABLE(utrace trace/trace.c) TARGET_LINK_LIBRARIES(utrace ubox ${json} blobmsg_json) INSTALL(TARGETS utrace -- 1.9.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
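Review bot: the `+endif()` / `+IF(UTRACE_SUPPORT)` pair closes the ujail block early and lets the `endif()` that already follows the utrace `INSTALL` close the new block, which matches the two-insertion diffstat; but nothing in the hunk declares `UTRACE_SUPPORT` with a default (no `OPTION(UTRACE_SUPPORT ...)`), so a plain `cmake` run now silently stops building utrace unless `-DUTRACE_SUPPORT=ON` is passed. The cover letter says the OpenWrt procd Makefile patch v2 is still fine, so that build presumably passes it, but an `OPTION()` defaulting to the previous behaviour, or at least a sentence in the commit message, would avoid surprising out-of-tree builds.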
[OpenWrt-Devel] [PATCH procd v3 4/7] jail: reworks & cleanups
-use EXIT_SUCCESS/EXIT_FAILURE (not -1) -parse every option in main, put them in opts struct -add CLONE_NEWIPC to the clone() call (it's already compiled in openwrt kernel) -return the exit status of the jailed process, or the num of the signal that killed it -add missing options to usage() -add a warning in usage() about ujail security -debug option can now take an int as parameter (~debug level), with -d2 you now activate "LD_DEBUG=all" for exemple -do not depend on libpreload-seccomp.so if -S is not present -there is now only one ujail process instead of two jail creation is now as follow: 1) create jail root dir (mkdir) 2) create new namespace (clone) (in the parent wait for the child with uloop) 3) build the jail root fs (mount bind all the libs/bins ...), pivot_root and mount special fs (procfs, sysfs) (build_jail_fs()) 4) build envp (LD_PRELOAD the seccomp helper or ...) 5) drop capabilities (next patch) 6) execve the jailed bin 7) remove jail root dir (once child is dead) there is no need to umount anything because we are already in a namespace Todo: -allow signals from the parent to the child Feature request: -when we add a file or dir, detect if it's an exec and add it's dependencies Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 393 1 file changed, 157 insertions(+), 236 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 2bba292..f8139b8 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -43,7 +43,17 @@ #include #define STACK_SIZE (1024 * 1024) -#define OPT_ARGS "P:S:n:r:w:psuldo" +#define OPT_ARGS "P:S:n:r:w:d:psulo" + +static struct { + char *path; + char *name; + char **jail_argv; + char *seccomp; + int procfs; + int ronly; + int sysfs; +} opts; struct extra { struct list_head list; 
@@ -125,7 +135,7 @@ static int mount_bind(const char *root, const char *path, const char *name, int return -1; } - if (readonly && mount(old, new, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL)) { + if (readonly && mount(NULL, new, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL)) { ERROR("failed to remount ro %s: %s\n", new, strerror(errno)); return -1; } 
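Review bot: passing `NULL` as the source of the `MS_BIND | MS_REMOUNT | MS_RDONLY` call is the correct fix, since the source argument is ignored on a remount. One thing to keep in mind while here: a bind remount replaces the per-mount flags with exactly the set given, so if the host mount that `old` lives on carries `MS_NOSUID` or `MS_NODEV`, the read-only view inside the jail no longer does. Passing them along, e.g. `MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NODEV`, keeps the jail's view of every bind-mounted path at least as restrictive as the host's.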
@@ -135,80 +145,75 @@ static int mount_bind(const char *root, const char *path, const char *name, int return 0; } -static int build_jail(const char *path) +static int build_jail_fs() { struct library *l; struct extra *m; - int ret = 0; - mkdir(path, 0755); - - if (mount("tmpfs", path, "tmpfs", MS_NOATIME, "mode=0755")) { + if (mount("tmpfs", opts.path, "tmpfs", MS_NOATIME, "mode=0755")) { ERROR("tmpfs mount failed %s\n", strerror(errno)); return -1; } - avl_for_each_element(&libraries, l, avl) - if (mount_bind(path, l->path, l->name, 1, -1)) - return -1; - - list_for_each_entry(m, &extras, list) - if (mount_bind(path, m->path, m->name, m->readonly, 0)) - return -1; - - return ret; -} + if (chdir(opts.path)) { + ERROR("failed to chdir() in the jail root\n"); + return -1; + } -static void _umount(const char *root, const char *path) -{ - char *buf = NULL; + avl_init(&libraries, avl_strcmp, false, NULL); + alloc_library_path("/lib64"); + alloc_library_path("/lib"); + alloc_library_path("/usr/lib"); + load_ldso_conf("/etc/ld.so.conf"); - if (asprintf(&buf, "%s%s", root, path) < 0) { - ERROR("failed to alloc umount buffer: %s\n", strerror(errno)); - } else { - DEBUG("umount %s\n", buf); - umount(buf); - free(buf); + if (elf_load_deps(*opts.jail_argv)) { + ERROR("failed to load dependencies\n"); + return -1; } -} -static int stop_jail(const char *root) -{ - struct library *l; - struct extra *m; + if (opts.seccomp && elf_load_deps("libpreload-seccomp.so")) { + ERROR("failed to load libpreload-seccomp.so\n"); + return -1; + } - avl_for_each_element(&libraries, l, avl) { - char path[256]; - char *p = l->path; + avl_for_each_element(&libraries, l, avl) + if (mount_bind(opts.path, l->path, l->name, 1, -1)) + return -1; - if (strstr(p, "local")) - p = "/lib"; + list_for_each_entry(m, &extras, list) + if (mount_bind(opts.path, m->path, m->name, m->readonly, 0)) + return -1; - snprintf(path, sizeof(path), "%s%s/%s", root, p, l->name); - DEBUG("umount %s\n", path); - umount(path); 
+ char *mpoint; + if (asprintf(&mpoint
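Review bot: the jail root is created with `mount("tmpfs", opts.path, "tmpfs", MS_NOATIME, "mode=0755")` and every library and extra is bind-mounted below it, so nothing setuid or device-like should legitimately live on that tmpfs itself; mounting it with `MS_NOSUID | MS_NODEV` added to the flags costs nothing and narrows what a jailed process can do with any writable spot in its root (the bind mounts below keep their own flags, so executables mounted over it are unaffected). Also, the error paths after the tmpfs mount (`chdir`, `elf_load_deps`, the `libpreload-seccomp.so` load) return -1 without unmounting; the commit message explains this is fine because the mount only exists in the new namespace, so a short comment at the first such `return -1` would save the next reader the same question.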
[OpenWrt-Devel] [PATCH procd v3 2/7] jail, seccomp: fix typo/improve log prefix
(perload-jail -> preload-seccomp) Signed-off-by: Etienne CHAMPETIER --- jail/seccomp.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jail/seccomp.h b/jail/seccomp.h index 6c585ad..c44a607 100644 --- a/jail/seccomp.h +++ b/jail/seccomp.h @@ -12,8 +12,8 @@ */ #define INFO(fmt, ...) do { \ - syslog(0,"perload-jail: "fmt, ## __VA_ARGS__); \ - fprintf(stderr,"perload-jail: "fmt, ## __VA_ARGS__); \ + syslog(0,"preload-seccomp: "fmt, ## __VA_ARGS__); \ + fprintf(stderr,"preload-seccomp: "fmt, ## __VA_ARGS__); \ } while (0) int install_syscall_filter(const char *argv, const char *file); -- 1.9.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
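Review bot: while the `INFO` macro is being touched, `syslog(0, ...)` passes priority 0, which is `LOG_EMERG`, so every `preload-seccomp:` message is logged at emergency severity (and on many systems broadcast to all logged-in terminals); `syslog(LOG_INFO, ...)` matches what the macro name says and keeps seccomp setup messages from being mistaken for a real emergency in the logs.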
[OpenWrt-Devel] [PATCH procd v3 3/7] jail, seccomp: remove useless root check
prctl(PR_SET_NO_NEW_PRIVS, 1) is enough, we don't require CAP_SYS_ADMIN see https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt Signed-off-by: Etienne CHAMPETIER --- jail/preload.c | 6 -- 1 file changed, 6 deletions(-) diff --git a/jail/preload.c b/jail/preload.c index 97ac44d..a1cc0b6 100644 --- a/jail/preload.c +++ b/jail/preload.c @@ -27,14 +27,8 @@ static main_t __main__; static int __preload_main__(int argc, char **argv, char **envp) { - uid_t uid = getuid(); char *env_file = getenv("SECCOMP_FILE"); - if (uid) { - INFO("preload-seccomp: %s: not root, cannot install seccomp filter\n", *argv); - return -1; - } - if (install_syscall_filter(*argv, env_file)) return -1; -- 1.9.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
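Review bot: the reasoning that PR_SET_NO_NEW_PRIVS makes CAP_SYS_ADMIN unnecessary now lives only in the commit message; add a short comment above the `install_syscall_filter(*argv, env_file)` call stating that the callee sets no_new_privs before loading the filter, so the root check is not reintroduced by the next reader. Also worth confirming that install_syscall_filter() logs the prctl() failure itself, since the removed INFO line was the only user-visible error on this path before.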
[OpenWrt-Devel] [PATCH procd v3 6/7] jail: cleanup include
Signed-off-by: Etienne CHAMPETIER --- jail/elf.c | 14 -- jail/jail.c | 10 -- jail/log.h | 1 + 3 files changed, 1 insertion(+), 24 deletions(-) diff --git a/jail/elf.c b/jail/elf.c index c198599..cbb3051 100644 --- a/jail/elf.c +++ b/jail/elf.c @@ -12,33 +12,19 @@ */ #define _GNU_SOURCE -#include #include -#include -#include -#include #include #include -#include -#include -#include -#include -#include #include #include #include #include -#include #include #include #include -#include -#include #include -#include -#include #include "elf.h" diff --git a/jail/jail.c b/jail/jail.c index 3d0830e..40b7558 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -12,12 +12,6 @@ */ #define _GNU_SOURCE -#include -#include -#include -#include -#include -#include #include #include #include @@ -30,16 +24,12 @@ #include #include #include -#include #include -#include -#include #include #include "elf.h" #include "capabilities.h" -#include #include #include diff --git a/jail/log.h b/jail/log.h index f8590b3..b1d201e 100644 --- a/jail/log.h +++ b/jail/log.h @@ -12,6 +12,7 @@ */ extern int debug; +#include #define INFO(fmt, ...) do { \ printf("jail: "fmt, ## __VA_ARGS__); \ -- 1.9.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
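Review bot: in the jail/log.h hunk the new `#include` is inserted after `extern int debug;` instead of with the header's includes at the top; move it above the declaration. The commit message should also state which header log.h now pulls in and why (the INFO macro below uses printf), since the include removals in elf.c and jail.c depend on log.h providing it.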
[OpenWrt-Devel] [PATCH procd v3 5/7] jail: add capabilities support
If there is one or more capabilities in cap.keep, drop all capabilities not in cap.keep. Always drop all capabilities in cap.drop example json syntax: { "cap.keep": [ "cap_net_raw" ], "cap.drop": [] } Signed-off-by: Etienne CHAMPETIER --- CMakeLists.txt | 18 +--- jail/capabilities.c| 116 + jail/capabilities.h| 14 ++ jail/jail.c| 15 +-- make_capabilities_h.sh | 10 + 5 files changed, 164 insertions(+), 9 deletions(-) create mode 100644 jail/capabilities.c create mode 100644 jail/capabilities.h create mode 100755 make_capabilities_h.sh diff --git a/CMakeLists.txt b/CMakeLists.txt index 805e2ed..cc1e4a5 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -67,7 +67,14 @@ ADD_CUSTOM_COMMAND( COMMAND ./make_syscall_h.sh ${CMAKE_C_COMPILER} > ./syscall-names.h DEPENDS ./make_syscall_h.sh ) -ADD_CUSTOM_TARGET(headers DEPENDS syscall-names.h) +ADD_CUSTOM_TARGET(syscall-names-h DEPENDS syscall-names.h) + +ADD_CUSTOM_COMMAND( + OUTPUT capabilities-names.h + COMMAND ./make_capabilities_h.sh ${CMAKE_C_COMPILER} > ./capabilities-names.h + DEPENDS ./make_capabilities_h.sh +) +ADD_CUSTOM_TARGET(capabilities-names-h DEPENDS capabilities-names.h) IF(SECCOMP_SUPPORT) ADD_LIBRARY(preload-seccomp SHARED jail/preload.c jail/seccomp.c) @@ -75,15 +82,16 @@ TARGET_LINK_LIBRARIES(preload-seccomp dl ubox blobmsg_json) INSTALL(TARGETS preload-seccomp LIBRARY DESTINATION lib ) -ADD_DEPENDENCIES(preload-seccomp headers) +ADD_DEPENDENCIES(preload-seccomp syscall-names-h) endif() IF(JAIL_SUPPORT) -ADD_EXECUTABLE(ujail jail/jail.c jail/elf.c) -TARGET_LINK_LIBRARIES(ujail ubox) +ADD_EXECUTABLE(ujail jail/jail.c jail/elf.c jail/capabilities.c) +TARGET_LINK_LIBRARIES(ujail ubox blobmsg_json) INSTALL(TARGETS ujail RUNTIME DESTINATION sbin ) +ADD_DEPENDENCIES(ujail capabilities-names-h) endif() IF(UTRACE_SUPPORT) 
@@ -92,7 +100,7 @@ TARGET_LINK_LIBRARIES(utrace ubox ${json} blobmsg_json) INSTALL(TARGETS utrace RUNTIME DESTINATION sbin ) -ADD_DEPENDENCIES(utrace headers) +ADD_DEPENDENCIES(utrace syscall-names-h) ADD_LIBRARY(preload-trace SHARED trace/preload.c) TARGET_LINK_LIBRARIES(preload-trace dl) diff --git a/jail/capabilities.c b/jail/capabilities.c new file mode 100644 index 000..b5ea965 --- /dev/null +++ b/jail/capabilities.c 
@@ -0,0 +1,116 @@ +/* + * Copyright (C) 2015 Etienne CHAMPETIER + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License version 2.1 + * as published by the Free Software Foundation + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#define _GNU_SOURCE 1 +#include +#include + +#include +#include + +#include "log.h" +#include "../capabilities-names.h" +#include "capabilities.h" + +static int find_capabilities(const char *name) +{ + int i; + + for (i = 0; i <= CAP_LAST_CAP; i++) + if (capabilities_names[i] && !strcmp(capabilities_names[i], name)) + return i; + + return -1; +} + +int drop_capabilities(const char *file) +{ + enum { + CAP_KEEP, + CAP_DROP, + __CAP_MAX + }; + static const struct blobmsg_policy policy[__CAP_MAX] = { + [CAP_KEEP] = { .name = "cap.keep", .type = BLOBMSG_TYPE_ARRAY }, + [CAP_DROP] = { .name = "cap.drop", .type = BLOBMSG_TYPE_ARRAY }, + }; + struct blob_buf b = { 0 }; + struct blob_attr *tb[__CAP_MAX]; + struct blob_attr *cur; + int rem, cap; + char *name; + uint64_t capdrop = 0LLU; + + DEBUG("dropping capabilities\n"); + + blob_buf_init(&b, 0); + if (!blobmsg_add_json_from_file(&b, file)) { + ERROR("failed to load %s\n", file); + return -1; + } + + blobmsg_parse(policy, __CAP_MAX, tb, blob_data(b.head), blob_len(b.head)); + if (!tb[CAP_KEEP] && !tb[CAP_DROP]) { + ERROR("failed to parse %s\n", file); + return -1; + } + + blobmsg_for_each_attr(cur, tb[CAP_KEEP], rem) { + name = blobmsg_get_string(cur); + if (!name) { + ERROR("invalid capability name in cap.keep\n"); + return -1; + } + cap = find_capabilities(name); + if (cap == -1) { + ERROR("unknown capability %s in cap.keep\n", name); + return -1; + } + capdrop |= (1LLU << cap); + } + + if (capdrop == 
0LLU) { + DEBUG("cap.keep empty -> only dropping capabilit
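Review bot: in the cap.keep loop of jail/capabilities.c, blobmsg_get_string(cur) is called on each array element without checking its type; blobmsg_get_string() only guards against a NULL attribute, so a number or nested object in the list would be read as a string, add a `blobmsg_type(cur) == BLOBMSG_TYPE_STRING` check before the call (the cap.drop loop needs the same). Two smaller points: `capdrop` is accumulated from cap.keep, so the name is misleading until the mask is inverted, and the blob_buf `b` is never released with blob_buf_free() on the error returns.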
[OpenWrt-Devel] [PATCH procd v3 7/7] jail: allow to not use namespaces
Building a generic jail can be hard; choosing to drop some capabilities can be easier. This commit permits using namespaces, capabilities and seccomp combined as you like. Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 76 + 1 file changed, 56 insertions(+), 20 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index 40b7558..f459a5e 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -42,6 +42,7 @@ static struct { char **jail_argv; char *seccomp; char *capabilities; + int namespace; int procfs; int ronly; int sysfs; @@ -233,13 +234,14 @@ static char** build_envp(const char *seccomp) static void usage(void) { fprintf(stderr, "ujail -- \n"); - fprintf(stderr, " -P \tpath where the jail will be staged\n"); - fprintf(stderr, " -S \tseccomp filter\n"); + fprintf(stderr, " -d \tshow debug log (increase num to increase verbosity)\n"); + fprintf(stderr, " -S \tseccomp filter config\n"); fprintf(stderr, " -C \tcapabilities drop config\n"); fprintf(stderr, " -n \tthe name of the jail\n"); + fprintf(stderr, "namespace jail options:\n"); + fprintf(stderr, " -P \tpath where the jail will be staged\n"); fprintf(stderr, " -r \treadonly files that should be staged\n"); fprintf(stderr, " -w \twriteable files that should be staged\n"); - fprintf(stderr, " -d \tshow debug log (increase num to increase verbosity)\n"); fprintf(stderr, " -p\t\tjail has /proc\n"); fprintf(stderr, " -s\t\tjail has /sys\n"); fprintf(stderr, " -l\t\tjail has /dev/log\n"); 
@@ -248,20 +250,14 @@ static void usage(void) fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\ and he has the same powers as root outside the jail,\n\ thus he can escape the jail and/or break stuff.\n\ -Please use an appropriate seccomp/capabilities filter (-S/-C) to restrict his powers\n"); +Please use seccomp/capabilities (-S/-C) to restrict his powers\n\n\ +If you use none of the namespace jail options,\n\ +ujail will not use namespace/build a jail,\n\ +and will only drop capabilities/apply seccomp filter.\n\n"); } -static int spawn_jail(void *arg) +static int exec_jail() { - if (opts.name && sethostname(opts.name, strlen(opts.name))) { - ERROR("failed to sethostname: %s\n", strerror(errno)); - } - - if (build_jail_fs()) { - ERROR("failed to build jail fs"); - exit(EXIT_FAILURE); - } - char **envp = build_envp(opts.seccomp); if (!envp) exit(EXIT_FAILURE); @@ -276,6 +272,20 @@ static int spawn_jail(void *arg) exit(EXIT_FAILURE); } +static int spawn_jail(void *arg) +{ + if (opts.name && sethostname(opts.name, strlen(opts.name))) { + ERROR("failed to sethostname: %s\n", strerror(errno)); + } + + if (build_jail_fs()) { + ERROR("failed to build jail fs"); + exit(EXIT_FAILURE); + } + + return exec_jail(); +} + static int jail_running = 1; static int jail_return_code = 0; @@ -335,12 +345,15 @@ int main(int argc, char **argv) debug = atoi(optarg); break; case 'p': + opts.namespace = 1; opts.procfs = 1; break; case 'o': + opts.namespace = 1; opts.ronly = 1; break; case 's': + opts.namespace = 1; opts.sysfs = 1; break; case 'S': @@ -352,21 +365,26 @@ int main(int argc, char **argv) add_extra(optarg, 1); break; case 'P': + opts.namespace = 1; opts.path = optarg; break; case 'n': opts.name = optarg; break; case 'r': + opts.namespace = 1; add_extra(optarg, 1); break; case 'w': + opts.namespace = 1; add_extra(optarg, 0); break; case 'u': + opts.namespace = 1; add_extra(ubus, 0); break; case 'l': + opts.namespace = 1; add_extra(log, 0); break; } 
@@ -377,41 +395,59 @@ int main(int argc, char **argv) usage(); return EXIT_FAILURE; } + if (!(opts.namespace||opts.capabilities||opts.seccomp)) { + ERROR("Not using
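Review bot: in the option-parsing hunk `-n` leaves opts.namespace unset, yet opts.name is only consumed by sethostname() in spawn_jail(), which the new usage text says is skipped when no namespace option is given; either set `opts.namespace = 1` for 'n' as well, or list -n under the namespace jail options in usage() and say it has no effect otherwise. Minor: `static int exec_jail()` should be `exec_jail(void)`.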
Re: [OpenWrt-Devel] [PATCH] toolchain/uClibc: add support of uClibc-ng
Hi all,

I was wondering why OpenWRT switched to musl -- is it purely because uclibc hasn't actually maintained their code properly? One of the things I have noticed since the CC trunk builds I did with kernel 3.18.11 + uclibc is that the image sizes have ballooned out by a fair bit. For example, a build on trunk r45705 which uses uclibc and kernel 3.18.11 would allow for most features to be included in a build e.g. openvpn, luci + ssl support, more connecting protocols than just pppoe and so on with a router sporting 8MB of flash. Now with recent trunk builds, with musl and kernel 4.1.x, I've had to cut features considerably just to make it fit. Just adding openvpn with openssl support means that an image that previously built at 7MB would balloon out to 8MB, which would mean that the image would not be produced as it is too big. I've yet to do a separate build with latest trunk and uclibc but certainly something has caused image build sizes to grow quite a bit recently, though in testing I've done at least, it hasn't impacted on router performance for now.

Cheers
Adam

On 27/08/15 04:28, Alexey Brodkin wrote:

Hi John,

On Wed, 2015-08-26 at 20:20 +0200, John Crispin wrote:

Hi,

On 26/08/2015 20:11, Alexey Brodkin wrote:

uClibc-ng is a spin-off of original uClibc, see http://www.uclibc-ng.org/ We try to regularly add changes from uClibc to uClibc-ng. We even sent patches and bug reports to the uClibc mailing list. The config file is compatible between uClibc-ng 1.0 and uClibc git master. This might change in the future. Our main goal is to provide regularly a stable and tested release to make embedded system developers happy. The main advantage of uClibc-ng over good old uClibc is regular releases so there's no need to keep tons of patches on top of years old 0.9.33.2

why do you not use musl ? it is actively supported rather than being hooked on life support.

The point is I'm about to submit a patch with support of new architecture (ARC) in OpenWRT. And unfortunately the only libc we have now is uClibc. And since "original" uClibc lacks recent releases (where ARC support might exist as we're in uclibc's master branch for quite some time already) I went forward with uClibc-ng which sees releases much more often and in released tarballs we already have support of ARC. So I understand that other architectures may not benefit a lot from newer uClibc but for us (ARC) there's no other way.

Hope that makes sense.

-Alexey

___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] malta: disable mips16
- it causes issues with qemu versions < 2.2 should fix issues with Ubuntu 14.03 LTS (qemu 2.0) errors are: Kernel panic - not syncing: Attempted to kill init! exitcode=0x0004 see ticket #16881 Signed-off-by: Dirk Neukirchen --- target/linux/malta/be/target.mk | 2 +- target/linux/malta/le/target.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/target/linux/malta/be/target.mk b/target/linux/malta/be/target.mk index 92ae58e..b505e3b 100644 --- a/target/linux/malta/be/target.mk +++ b/target/linux/malta/be/target.mk @@ -2,7 +2,7 @@ ARCH:=mips ARCH_PACKAGES:=malta_mips SUBTARGET:=be BOARDNAME:=Big Endian -FEATURES:=ramdisk mips16 +FEATURES:=ramdisk define Target/Description Build BE firmware images for MIPS Malta CoreLV board running in diff --git a/target/linux/malta/le/target.mk b/target/linux/malta/le/target.mk index 35fcf4c..7906aa7 100644 --- a/target/linux/malta/le/target.mk +++ b/target/linux/malta/le/target.mk @@ -2,7 +2,7 @@ ARCH:=mipsel ARCH_PACKAGES:=malta_mipsel SUBTARGET:=le BOARDNAME:=Little Endian -FEATURES:=ramdisk mips16 +FEATURES:=ramdisk define Target/Description Build LE firmware images for MIPS Malta CoreLV board running in -- 2.5.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
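Review bot: both target.mk hunks silently drop mips16 from FEATURES, while the commit message describes this as a workaround for qemu versions older than 2.2 rather than a MIPS16 defect; add a comment next to FEATURES in both files (or at minimum in the commit message) naming the qemu version and ticket #16881, so the feature can be re-enabled once the supported qemu baseline moves past 2.2.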