Hi,
here is an updated patch.
Regards,
Martin
2015-08-24 11:53 GMT+02:00 Jonas Gorski :
> Hi,
>
> On Sun, Aug 23, 2015 at 5:21 PM, Martin Tesar wrote:
>
> A few words about the device would be nice. Please try to avoid an
> empty commit message.
>
> > Signed-off-by: Martin Tesar
>
> Codewise
this needs to be applied after my work on ujail (procd git)
ujail doesn't depend on seccomp and some archs don't support seccomp
Signed-off-by: Etienne CHAMPETIER
---
package/system/procd/Makefile | 50 +--
1 file changed, 25 insertions(+), 25 deletions(-)
If there is one or more capabilities in cap.keep,
drop all capabilities not in cap.keep.
Always drop all capabilities in cap.drop
example json syntax:
{
    "cap.keep": [
        "cap_net_raw"
    ],
    "cap.drop": []
}
Signed-off-by: Etienne CHAMPETIER
---
CMakeLists.txt | 18 +---
jail/capa
-use EXIT_SUCCESS/EXIT_FAILURE (not -1)
-parse every option in main, put them in opts struct
-add CLONE_NEWIPC to the clone() call (it's already compiled in openwrt kernel)
-return the exit status of the jailed process, or the num of the signal that
killed it
-add missing options to usage()
-add a
prctl(PR_SET_NO_NEW_PRIVS, 1) is enough, we don't require CAP_SYS_ADMIN
see
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
Signed-off-by: Etienne CHAMPETIER
---
jail/preload.c | 6 --
1 file changed, 6 deletio
(perload-jail -> preload-seccomp)
Signed-off-by: Etienne CHAMPETIER
---
jail/seccomp.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jail/seccomp.h b/jail/seccomp.h
index 6c585ad..c44a607 100644
--- a/jail/seccomp.h
+++ b/jail/seccomp.h
@@ -12,8 +12,8 @@
*/
#define
we can now build preload-seccomp, ujail, utrace separately
Signed-off-by: Etienne CHAMPETIER
---
CMakeLists.txt | 2 ++
1 file changed, 2 insertions(+)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6af17a3..805e2ed 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -84,7 +84,9 @@ TARGET_L
This patch series reworks ujail a bit,
and adds capabilities support to it
Seccomp filters are very powerful but not totally generic,
each arch can have a different set of syscalls,
each libc can use a different syscall for the same function,
and seccomp isn't supported on all archs.
Capabilities are mor
Hi,
The lawyers of the company I work for, Qualcomm, finally agreed to let me post
our project to github:
https://github.com/qca/boardfarm
Long story short, our team needed an automated way to flash/sysupgrade new
daily builds of openwrt-based software onto various devices, run tests, and
report
enables a real rootfs with custom size
use qemu with:
qemu-system-arm -M realview-pbx-a9 \
-kernel openwrt-realview-vmlinux.elf \
-nographic -m 1024M \
-sd openwrt-realview-sdcard.img \
--append "console=ttyAMA0 root=/dev/mmcblk0p1"
modified script from brcm2708 target
Signed-off-by: Dirk Neukir
qemu can be run with -sd
Signed-off-by: Dirk Neukirchen
---
target/linux/realview/config-3.18 | 4
1 file changed, 4 insertions(+)
diff --git a/target/linux/realview/config-3.18
b/target/linux/realview/config-3.18
index d619694..a8cbd38 100644
--- a/target/linux/realview/config-3.18
+++
On 2015-08-21 16:23, Rich Felker wrote:
>> 2. patch patch-kernel.sh
>>
>> ---
>> --- a/scripts/patch-kernel.sh
>> +++ b/scripts/patch-kernel.sh
>> @@ -37,7 +37,7 @@ for i in ${patchdir}/${patchpattern} ; do
>> [ -d "${i}" ] && echo "Ignoring subdirectory ${i}" && continue
>> echo ""
>>
On 2015-08-23 17:19, Linus Lüssing wrote:
> A call to pskb_may_pull() might reallocate skb->data. Therefore we
> should only assign the src-pointer after any potential reallocations.
>
> Signed-off-by: Linus Lüssing
Applied both patches with modifications:
- Ported to Linux 4.1
- Removed unnecess