Age | Commit message | Author
2015-10-26 | explicitly ignore return value of symlink(3) call | Daniel Golle
glibc sets __attribute_warn_unused_result__ on symlink(3) if FORTIFY_SOURCE is set. This breaks procd which deliberately ignores the result of the symlink(3) call early during init as there wouldn't be anything better to do in that case other than ignoring the error and trying to survive. Introduce libc-compat.h to work around libc anomalies.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2015-10-08 | jail: Add MS_NODEV MS_NOEXEC MS_NOSUID mount options where needed | Etienne CHAMPETIER
this completes fafbf7338ec8304f2a0ec0ba76048fba2c01c07e
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-07 | jail: allow to not use namespaces | Etienne CHAMPETIER
building a generic jail can be hard, choosing to drop some capabilities can be easier. This commit permits using namespaces, capabilities and seccomp combined as you like.
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-07 | jail: cleanup include | Etienne CHAMPETIER
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-07 | jail: add capabilities support | Etienne CHAMPETIER
If there is one or more capabilities in cap.keep, drop all capabilities not in cap.keep. Always drop all capabilities in cap.drop
example json syntax:
{ "cap.keep": [ "cap_net_raw" ], "cap.drop": [] }
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-03 | Add MS_NODEV MS_NOEXEC MS_NOSUID mount options where needed | Etienne CHAMPETIER
These options aren't mandatory, but can prevent some future bugs from being exploited.
Good reading: http://lwn.net/Articles/647757/
Value chosen by looking at fedora 22 / ubuntu 14.04
Not tested yet (away from my test routers)
Not touching jail/jail.c as this conflicts with my pending patch series
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-03 | system: fix undefined behavior in wdt offline check | Alexander Couzens
watchdog_fd() is returning a char* and not an int. Checking against < 0 could lead to undefined behaviour.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2015-10-03 | jail: reworks & cleanups | Etienne CHAMPETIER
-use EXIT_SUCCESS/EXIT_FAILURE (not -1)
-parse every option in main, put them in opts struct
-add CLONE_NEWIPC to the clone() call (it's already compiled in openwrt kernel)
-return the exit status of the jailed process, or the num of the signal that killed it
-add missing options to usage()
-add a warning in usage() about ujail security
-debug option can now take an int as parameter (~debug level), with -d2 you now activate "LD_DEBUG=all" for example
-do not depend on libpreload-seccomp.so if -S is not present
-there is now only one ujail process instead of two
jail creation is now as follows:
1) create jail root dir (mkdir)
2) create new namespace (clone) (in the parent wait for the child with uloop)
3) build the jail root fs (mount bind all the libs/bins ...), pivot_root and mount special fs (procfs, sysfs) (build_jail_fs())
4) build envp (LD_PRELOAD the seccomp helper or ...)
5) drop capabilities (next patch)
6) execve the jailed bin
7) remove jail root dir (once child is dead)
there is no need to umount anything because we are already in a namespace
Todo:
-allow signals from the parent to the child
Feature request:
-when we add a file or dir, detect if it's an exec and add its dependencies
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-03 | jail, seccomp: remove useless root check | Etienne CHAMPETIER
prctl(PR_SET_NO_NEW_PRIVS, 1) is enough, we don't require CAP_SYS_ADMIN
see https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-03 | jail, seccomp: fix typo/improve log prefix | Etienne CHAMPETIER
(perload-jail -> preload-seccomp)
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-03 | add UTRACE_SUPPORT build option | Etienne CHAMPETIER
we can now build preload-seccomp, ujail, utrace separately
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-09-15 | move /dev/shm to /tmp/shm | Daniel Gimpelevich
Since the /dev filesystem is tiny, /dev/shm needs to live somewhere else.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
2015-09-15 | inittab: always proceed to next state | Sergiy Kibrik
If no S or K rc scripts are provided we still should be able to go on to next state, or we won't boot properly and would not be able to reboot/shutdown later.
Signed-off-by: Sergiy Kibrik <sakib@meta.ua>
2015-09-15 | hotplug: add BUTTON to environment vars for timeout action | Günther Kelleter
as done in pressed and released actions
Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
2015-08-11 | fix generating syscall-names.h | Hauke Mehrtens
Sometimes the syscall number is not defined with a number but with an offset to another syscall and then make_syscall_h.sh created some broken header file.
For example the bit/syscall.h from musl for i386 has this:
#define __NR_timer_create 259
#define __NR_timer_settime (__NR_timer_create+1)
With this patch the resulting array looks like this:
[259] = "timer_create",
[(__NR_timer_create+1)] = "timer_settime",
This fixes this bug from OpenWrt: https://dev.openwrt.org/ticket/20195
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2015-07-27 | allow buttons to call delayed timeout actions | John Crispin
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-07-24 | jail: fix jail root folder permissions | Etienne CHAMPETIER
We need a+x rights on the path to the root of the jails so we can use users other than root (like nobody)
This partly fixes jailed dnsmasq
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-07-07 | service: if logging start app with LD_PRELOAD & lib for line buffering | Rafał Miłecki
Using pipe automatically switches service to block buffering which kind of breaks our logging. We won't get anything from stdout FD until the buffer gets filled fully or the service exits. This makes log messages appear with an unwanted delay.
This change adds a tiny libsetlbf.so switching stdout to line buffering and uses this lib for every logging-enabled service started by procd. We don't need any extra change for stderr as it's unbuffered by default.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Modified to use no buffering to align with stderr. Several cleanups.
Signed-off-by: Steven Barth <steven@midlink.org>
2015-07-06 | Attempt to deal gracefully with allocation failures. | Juliusz Chroboczek
These should probably not happen in practice, but having an explicit error message may make debugging out-of-memory situations easier.
2015-06-20 | Revert "hotplug: support for interval commands" | Felix Fietkau
This reverts commit 9562ce477476a27851ec90cfbf971b8cb41c81a6. Revert requested by John, will be re-implemented in a different way.
2015-06-18 | fix /dev/shm permissions, this time for real | Daniel Gimpelevich
Previous patch did not account for umask, now adding that.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
2015-06-17 | fix /dev/shm permissions | Daniel Gimpelevich
On my Ubuntu system, the permissions are 1777. They are incorrect in procd, leading to this: https://forum.openwrt.org/viewtopic.php?id=57073
This is intended for both CC and DD.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
2015-06-14 | hotplug: support for interval commands | Rafał Miłecki
This allows executing code with a given interval. As with every command, it can be assigned to any uevent. Intervals may be useful for counting elapsed time since some action. It allows e.g. indicating that button has been pressed for some time. This is useful to let user know he can already release the button.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
2015-06-14 | service: reorder function to avoid forward declaration | Felix Fietkau
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2015-06-14 | service: close instance pipe fd on restart. | Yousong Zhou
Otherwise we hit max number of fd limit (1024) and instances fail to start with the following errors in syslog
Sun Jun 14 01:27:38 2015 daemon.warn procd: pipe() failed: 24 (Too many open files)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2015-06-14 | service: allow get_data of specific instance. | Yousong Zhou
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2015-06-14 | service: remove unused struct watch_subscribe definition. | Yousong Zhou
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2015-06-14 | service: dump respawn params in the same order as when passed in. | Yousong Zhou
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2015-06-14 | service: optimize relaying stdio output of daemons a bit. | Yousong Zhou
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2015-06-04 | trigger: make trigger_match() bool and make return value less confusing | Felix Fietkau
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2015-06-02 | allow multiple identical events to be queued | John Crispin
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-05-23 | remove -> | John Crispin
[ 1.240000] init: failed to symlink /tmp -> /var
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-05-14 | jail: respect byte order when setting AUDIT_ARCH | Daniel Golle
AUDIT_ARCH on ARM and MIPS differs depending on the byte order. Thus set AUDIT_ARCH to the respective endian-specific variants.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2015-05-14 | jail: add support for ARM architecture | Daniel Golle
SECCOMP_FILTER isn't supported on ARM OABI. Thus enable seccomp support in jail only for EABI. thumb might work as well as it apparently implies EABI, but yet doesn't set __ARM_EABI__.
The REG_SYSCALL macro seems to be an unused left-over. However, it's defined for other architectures as well.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2015-05-14 | trace: add support for ARM architecture | Daniel Golle
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2015-05-05 | instance: handle setgid() before setuid() | Jo-Philipp Wich
When attempting to run a service with an unprivileged user and group id procd, the following error might occur:
procd: failed to set uid:1000, gid:1000
This is due to the fact that procd first performs the setuid(), then the setgid() call. Usually there are no sufficient permissions after a setuid() anymore to change the effective group id of the process.
Refactor the code to:
* Swap the invocations (first gid, then uid)
* Don't set user or group id if it is 0
* Handle errors independently and make them more verbose
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
2015-04-19 | instance: avoid dumping invalid service instances - prevents a potential crash | Felix Fietkau
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2015-04-10 | fix include order | John Crispin
this broke x86_64 builds on uclibc
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-03-28 | properly handle return codes | John Crispin
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-03-27 | make it optional to remount the tmpfs as ro | John Crispin
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-03-26 | make jail build optional | John Crispin
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-03-23 | procd can now start jailed processes | John Crispin
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-03-23 | add initial version of ujail and utrace | John Crispin
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-03-18 | check for empty parameters in askfirst | Zefir Kurtisi
Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
2015-03-12 | switch to _DEFAULT_SOURCE for modern glibc compat | John Crispin
Signed-off-by: Jeff Waugh <jdub@bethesignal.org>
2015-03-06 | json 0.12 fixes | John Crispin
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-02-27 | service: rename variables / struct members called stdout, stderr to avoid conflicts with system defines | Felix Fietkau
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
2015-02-26 | service: don't use stdio log channel | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
2015-02-26 | procd: support relaying daemon stdout/stderr to syslog | Jo-Philipp Wich
This commit adds support to procd for relaying stdout and stderr streams to the system log. That is mainly useful for services not using syslog, e.g. uhttpd.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
2015-02-25 | Convert log calls to ulog() api | Jo-Philipp Wich
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>