We now always run as init itself, so there's no need for option parsing
otherwise LOG_USER/LOG_EMERG is used
Signed-off-by: Ulrich Weber <uw@ocedo.com>
Replace hard-coded installation directories with cmake-provided
variables, which gives more flexibility on where to install
final binaries. Great simplification for usage with e.g. BitBake recipes.
Signed-off-by: Sergiy Kibrik <sakib@meta.ua>
glibc sets __attribute_warn_unused_result__ on symlink(3) if
FORTIFY_SOURCE is set. This breaks procd which deliberately ignores
the result of the symlink(3) call early during init as there wouldn't
be anything better to do in that case other than ignoring the error and
trying to survive.
Introduce libc-compat.h to work around libc anomalies.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
this completes fafbf7338ec8304f2a0ec0ba76048fba2c01c07e
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
building a generic jail can be hard,
choosing to drop some capabilities can be easier.
This commit permits using namespaces, capabilities
and seccomp combined as you like.
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
If there are one or more capabilities in cap.keep,
drop all capabilities not in cap.keep.
Always drop all capabilities in cap.drop
example json syntax:
    {
        "cap.keep": [
            "cap_net_raw"
        ],
        "cap.drop": []
    }
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
These options aren't mandatory, but can prevent some future
bugs from being exploited. Good reading:
http://lwn.net/Articles/647757/
Value chosen by looking at fedora 22 / ubuntu 14.04
Not tested yet (away from my test routers)
Not touching jail/jail.c as this conflicts with
my pending patch series
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
watchdog_fd() is returning a char* and not an int. Checking against < 0 could
lead to undefined behaviour.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
- use EXIT_SUCCESS/EXIT_FAILURE (not -1)
- parse every option in main, put them in opts struct
- add CLONE_NEWIPC to the clone() call (it's already compiled in openwrt kernel)
- return the exit status of the jailed process, or the num of the signal that killed it
- add missing options to usage()
- add a warning in usage() about ujail security
- debug option can now take an int as parameter (~debug level),
  with -d2 you now activate "LD_DEBUG=all" for example
- do not depend on libpreload-seccomp.so if -S is not present
- there is now only one ujail process instead of two
jail creation is now as follows:
1) create jail root dir (mkdir)
2) create new namespace (clone)
   (in the parent wait for the child with uloop)
3) build the jail root fs (mount bind all the libs/bins ...),
   pivot_root and mount special fs (procfs, sysfs) (build_jail_fs())
4) build envp (LD_PRELOAD the seccomp helper or ...)
5) drop capabilities (next patch)
6) execve the jailed bin
7) remove jail root dir (once child is dead)
there is no need to umount anything because we are already in a namespace
Todo:
- allow signals from the parent to the child
Feature request:
- when we add a file or dir, detect if it's an exec and add its dependencies
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
prctl(PR_SET_NO_NEW_PRIVS, 1) is enough, we don't require CAP_SYS_ADMIN
see
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
(perload-jail -> preload-seccomp)
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
we can now build preload-seccomp, ujail, utrace separately
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Since the /dev filesystem is tiny, /dev/shm needs to live somewhere
else.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
If no S or K rc scripts are provided we still should
be able to go on to the next state, or we won't boot
properly and would not be able to reboot/shutdown later.
Signed-off-by: Sergiy Kibrik <sakib@meta.ua>
as done in pressed and released actions
Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
Sometimes the syscall number is not defined with a number but with an
offset to another syscall and then make_syscall_h.sh created a
broken header file.
For example the bit/syscall.h from musl for i386 has this:
    #define __NR_timer_create 259
    #define __NR_timer_settime (__NR_timer_create+1)
With this patch the resulting array looks like this:
    [259] = "timer_create",
    [(__NR_timer_create+1)] = "timer_settime",
This fixes this bug from OpenWrt:
https://dev.openwrt.org/ticket/20195
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: John Crispin <blogic@openwrt.org>
We need a+x rights on the path to the root of the jails
so we can use users other than root (like nobody)
This partly fixes jailed dnsmasq
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Using pipe automatically switches service to block buffering which kind
of breaks our logging. We won't get anything from stdout FD until the
buffer gets filled fully or the service exits. This makes log messages
appear with an unwanted delay.
This change adds a tiny libsetlbf.so switching stdout to line buffering
and uses this lib for every logging-enabled service started by procd.
We don't need any extra change for stderr as it's unbuffered by default.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Modified to use no buffering to align with stderr. Several cleanups.
Signed-off-by: Steven Barth <steven@midlink.org>
These should probably not happen in practice, but having an explicit
error message may make debugging out-of-memory situations easier.
This reverts commit 9562ce477476a27851ec90cfbf971b8cb41c81a6.
Revert requested by John, will be re-implemented in a different way.
Previous patch did not account for umask, now adding that.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
On my Ubuntu system, the permissions are 1777. They are incorrect in
procd, leading to this:
https://forum.openwrt.org/viewtopic.php?id=57073
This is intended for both CC and DD.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
This allows executing code with a given interval. As every command, it
can be assigned to any uevent.
Intervals may be useful for counting elapsed time since some action. It
allows e.g. indicating that a button has been pressed for some time. This
is useful to let the user know he can already release the button.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Otherwise we hit the max fd limit (1024) and instances fail to
start with the following errors in syslog:
    Sun Jun 14 01:27:38 2015 daemon.warn procd: pipe() failed: 24 (Too many open files)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John Crispin <blogic@openwrt.org>
[ 1.240000] init: failed to symlink /tmp -> /var
Signed-off-by: John Crispin <blogic@openwrt.org>
AUDIT_ARCH on ARM and MIPS differs depending on the byte order.
Thus set AUDIT_ARCH to the respective endian-specific variants.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SECCOMP_FILTER isn't supported on ARM OABI.
Thus enable seccomp support in jail only for EABI.
Thumb might work as well, as it apparently implies EABI, but
doesn't yet set __ARM_EABI__.
The REG_SYSCALL macro seems to be an unused left-over.
However, it's defined for other architectures as well.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
When attempting to run a service with an unprivileged user and group
id in procd, the following error might occur:
    procd: failed to set uid:1000, gid:1000
This is due to the fact that procd first performs the setuid(), then
the setgid() call.
Usually there are no sufficient permissions after a setuid() anymore to
change the effective group id of the process.
Refactor the code to:
* Swap the invocations (first gid, then uid)
* Don't set user or group id if it is 0
* Handle errors independently and make them more verbose
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
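Added example, not procd's own code: a toy stand-in for setuid()/setgid() that refuses a group change once the effective uid is non-zero (the rule this commit works around), and a drop_ids() helper that replays either call order, skips ids of 0 and reports each failure separately. The names model_setgid, model_setuid, drop_ids and run_model are assumptions for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Toy model (not the kernel) of the rule the commit describes: once the
 * effective uid is non-zero, setgid() to a different group fails with EPERM. */
static uid_t model_euid;
static gid_t model_egid;

static int model_setgid(gid_t gid)
{
	if (model_euid != 0 && gid != model_egid) { errno = EPERM; return -1; }
	model_egid = gid;
	return 0;
}

static int model_setuid(uid_t uid)
{
	if (model_euid != 0 && uid != model_euid) { errno = EPERM; return -1; }
	model_euid = uid;
	return 0;
}

/* Drop to gid/uid via the supplied setters. gid_first=1 is the fixed order;
 * an id of 0 is skipped. Returns 0, -1 (gid failed) or -2 (uid failed). */
static int drop_ids(gid_t gid, uid_t uid, int gid_first,
		    int (*sg)(gid_t), int (*su)(uid_t))
{
	for (int step = 0; step < 2; step++) {
		int do_gid = gid_first ? (step == 0) : (step == 1);
		if (do_gid) {
			if (gid != 0 && sg(gid) < 0) {
				fprintf(stderr, "failed to set gid:%u (%s)\n", (unsigned)gid, strerror(errno));
				return -1;
			}
		} else if (uid != 0 && su(uid) < 0) {
			fprintf(stderr, "failed to set uid:%u (%s)\n", (unsigned)uid, strerror(errno));
			return -2;
		}
	}
	return 0;
}

/* Replay one ordering on a fresh root model; real use: drop_ids(gid, uid, 1, setgid, setuid). */
int run_model(gid_t gid, uid_t uid, int gid_first)
{
	model_euid = 0; model_egid = 0;
	return drop_ids(gid, uid, gid_first, model_setgid, model_setuid);
}
```

Replaying the old order (uid first) against the model reproduces the "failed to set gid" failure from the commit message, while the fixed order succeeds.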