path: root/package/system/procd
Commit message | Author | Age | Files | Lines
* procd: remove duplicate configuration menu | Daniel Golle | 2020-08-13 | 1 | -2/+0
  Fixes: 962e73c1a4 ("procd: add selinux variant")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: add selinux variant | Paul Spooren | 2020-08-13 | 1 | -7/+31
  This commit adds a `selinux` variant to `procd` allowing to load an SELinux policy at boot.
  Signed-off-by: Paul Spooren <mail@aparcar.org>
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: add SELinux support | Thomas Petazzoni | 2020-08-10 | 1 | -5/+6
  This commit adds a patch to procd to support loading the SELinux policy early at boot time, and adjusts the procd package to use this SELinux support when libselinux is enabled.
  The procd patch has been submitted separately [1]: obviously the intent is to have it merged in the procd Git repository rather than have it in OpenWrt itself.
  [1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025791.html
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  [rebase, add commit message]
  Signed-off-by: W. Michael Petullo <mike@flyn.org>
  [split commit into openwrt.git and procd.git]
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-08-06 | 1 | -3/+3
  47a9f0d service: add method to query available container features
  afbaba9 initd: attempt to mount cgroup2
  ead60fe jail: use pidns semantics also for timens
  759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
  83053b6 instance: add instances into unified cgroup hierarchy
  16159bb jail: parse OCI cgroups resources
  282ff0c jail: only free cgroups if they were allocated
  ab55357 jail: fix freeing cgroups avl
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* Revert "procd: update to git HEAD" | Daniel Golle | 2020-08-06 | 1 | -3/+3
  This reverts commit e0e607f0d000e62c6af8d822d7c3f57c2a582136.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-08-06 | 1 | -3/+3
  47a9f0d service: add method to query available container features
  afbaba9 initd: attempt to mount cgroup2
  ead60fe jail: use pidns semantics also for timens
  759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
  83053b6 instance: add instances into unified cgroup hierarchy
  16159bb jail: parse OCI cgroups resources
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-30 | 1 | -3/+3
  28be011 instance: make sure values are not inherited from previous runs
  2ae5cbc uxc: remove debugging left-over
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-29 | 1 | -3/+3
  c3ca99f jail: serialize hook execution
  8ff8970 jail: add some remaining OCI features
  9d5fa0a uxc: behave more like a compliant OCI run-time
  1274033 uxc: fix create operation
  2d811a4 jail: add 'kill' method to container.%s object
  08133b8 uxc: use new container.%s kill ubus API
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail: fix build on glibc and uclibc | Daniel Golle | 2020-07-25 | 1 | -3/+3
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-25 | 1 | -3/+3
  48777de rcS: cast format string to int64_t
  a4df90f jail: fix wrong format for 32-bit
  c482c5d jail: add support for referencing existing namespaces
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to git HEAD once again | Daniel Golle | 2020-07-20 | 1 | -3/+3
  Further complete OCI container support in ujail:
  f5f305e jail: move /tmp/resolv.conf.d to /dev/resolv.conf.d
  6f078ae jail: add support for defining devices
  686cf7a jail: actually apply filesystem-specific mount options
  f91009a jail: refactor default mounts into new structure
  66ae2d9 jail: re-implement /proc/sys/net read-write in netns hack
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-19 | 1 | -3/+3
  9eddf0f jail: fix hooks
  1b1286b jail: parse and apply OCI sysctl values
  c049047 jail: implement OCI user additionalGIDs
  0e1920c jail: read and apply umask from OCI if defined
  1c46cc3 jail: parse and apply POSIX rlimits
  76adac5 jail: /proc/$pid/oom_score_adj to OCI defined oomScoreAdj
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to git HEAD | Daniel Golle | 2020-07-17 | 1 | -4/+4
  8d5208f jail: fix false return in case of nofail mount
  b41f76b procd: fix compile if procd-ujail is not selected
  86a5105 jail: fs: fix build on uClibc-ng
  bfce7d1 jail: fix some more mount options
  268126a jail: add support for maskedPaths and readonlyPaths
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: allow optional watchdog instance parameter | Daniel Bailey | 2020-07-14 | 1 | -2/+2
  Optional instance watchdog timeout and watchdog mode can be set by adding:
  procd_set_param $mode $timeout
  $mode is an integer [0-1] representing instance watchdog mode of operation:
  0 = disabled
  1 = passive mode, client must periodically poke watchdog via ubus
  $timeout is an integer representing how often, in seconds, the watchdog must be poked.
  Signed-off-by: Daniel Bailey <danielb@meshplusplus.com>
* procd: update to git HEAD | Daniel Golle | 2020-07-14 | 1 | -3/+3
  639df57 uxc: fix build with uClibc-ng
  b2230e4 procd: add service instance watchdog
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-13 | 1 | -3/+3
  aed7fb3 procd: fix compilation with uClibc-ng
  9d0f831 jail: fix segfault with len(uidmap/gidmap) > 1
  42a6217 jail: consider PATH for argv in OCI container
  83f4b72 jail: actually chdir into OCI defined CWD
  fc9f614 jail: parse and run OCI hooks
  02eec92 jail: memory allocation fixes
  71e75f4 jail: refactor mount support to cover OCI spec
  b586e7d jail: don't make mount source read-only
  dacab12 uxc: fix 'stop' command
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: fix yet another build issue, this time with capabilities | Daniel Golle | 2020-07-11 | 1 | -3/+3
  3034eaf jail: use linux/capability.h instead of sys/capability.h
  Fixes: b6e440a0f5 ("procd: update to git HEAD")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: fix another seccomp-related build issue | Daniel Golle | 2020-07-11 | 1 | -3/+3
  3473671 ujail: add dependency on syscall-names-h
  Fixes: b6e440a0f5 ("procd: update to git HEAD")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail: fix build on platforms without seccomp support | Daniel Golle | 2020-07-11 | 1 | -3/+3
  Fixes: b6e440a0f5 ("procd: update to git HEAD")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-07-10 | 2 | -3/+41
  ea7a790 jail: add support for running OCI bundle
  bb4a446 uxc: add container management CLI tool
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEAD | Daniel Golle | 2020-05-28 | 1 | -3/+3
  b84a329 jail: use sane termios settings for console pts
  b9b39e2 jail: handle containers separately
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail: fix segfault and add console feature | Daniel Golle | 2020-05-15 | 2 | -3/+17
  2e73848 jail: SIGSEGV must not be forwarded to the child process
  7e150f6 jail: unnamed jails can not have netns (fix segfault)
  1ab539b jail: add option to provide /dev/console to containers
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: replace backticks by $(...) | Adrian Schmutzler | 2020-05-13 | 2 | -3/+3
  This replaces deprecated backticks by more versatile $(...) syntax.
  Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* procd: extend requirejail attribute handling | Daniel Golle | 2020-04-25 | 1 | -3/+3
  e2ed964 jail: don't fail unless requirejail is set
  17e7ae7 jail: don't load libpreload-seccomp.so if it doesn't exist
  Fixes openwrt/packages#11913
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: fix jail when running on glibc | Daniel Golle | 2020-04-19 | 1 | -3/+3
  d200b70 jail: include /etc/nsswitch.conf in jail for glibc.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail fixes and improvements | Daniel Golle | 2020-04-14 | 1 | -3/+3
  32c717e jail: only mess with rootfs if CLONE_NEWNS was set
  b275a62 instance: harmonize instance API
  511fd97 jail: make /proc more secure
  4953b7c jail: mount /sys read-only
  a4d6442 jail: replace /etc/resolv.conf with symlink in extroot+overlay
  a4cc165 jail: always mount /dev as additional tmpfs
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to latest HEAD | Daniel Golle | 2020-04-09 | 2 | -4/+7
  2188d81 jail: add support for launching extroot containers
  6f3dbd2 jail: add support for userns and cgroupsns
  28a06e5 jail: add support for (ram-)overlayfs
  Add handling for extroot, overlaydir and tmpoverlaysize as well as jail flags for userns and cgroupsns to OpenWrt's shell script to allow their use in init scripts.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to latest git HEAD | Daniel Golle | 2020-03-13 | 1 | -4/+4
  77a6782 jail: mount-bind /etc/resolv.conf for non-netns jails
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: actually wire-up netns support | Daniel Golle | 2020-03-12 | 2 | -1/+2
  When support for network namespaces was added to procd, adding the corresponding jail flag in procd.sh was omitted. Add it now.
  Fixes: 97a03a4760 ("procd: update to latest git HEAD")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: seccomp: fix resource leak | Kevin Darbyshire-Bryant | 2020-02-11 | 1 | -3/+3
  Bump to latest commit:
  c30b23e seccomp: fix resource leak
  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* procd: update to latest git HEAD | Hans Dedecker | 2020-02-09 | 1 | -2/+2
  Fixes c0c988e179a75d33c82ed0621d954fc0ac2c0c14
  bcb8655 instance: add 'requirejail' attribute
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: support 'requirejail' attribute | Kevin Darbyshire-Bryant | 2020-02-04 | 2 | -2/+3
  Bump procd package to reduce log spam related to missing jail binaries in a non-jail capable system.
  bcb8655 instance: add 'requirejail' attribute
  An additional jail attribute 'requirejail' can now be used to indicate mandatory use of a jailed environment and hence prevent process startup in the event that the jail subsystem is unavailable.
  Procd will now only log errors if jail is unavailable and 1) is a mandatory requirement or 2) a procd debug level of at least 2 is in use.
  Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* procd: update to version 2020-01-24 | Petr Štetiar | 2020-01-24 | 1 | -3/+3
  00aafc4f439e procd: show process's exit code
  856b5f8be046 state: fix reboot causing shutdown inside LXC container
  b44417c20c7f instance: provide error feedback if ujail binary is missing
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* procd: update to latest git HEAD | Daniel Golle | 2020-01-21 | 1 | -4/+4
  58c12f7 jail: add basic support for network namespaces
  ba69639 jail: create resolv.conf symlink for netns jails
  81b88b1 jail: more strict mount options for /tmp/resolv.conf.d/
  Add new 'netns' flag for procd_add_jail to make ujail setup a new network namespace for the jailed service.
  See previous netifd commit for example configuration for netns jailed service.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: activate PIE ASLR by default | Petr Štetiar | 2020-01-14 | 1 | -0/+1
  This activates PIE ASLR support by default when the regular option is selected.
  Size increase on x86/64:
  procd Installed-Size: 44931 -> 47362
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* procd: update to version 2020-01-04 | Petr Štetiar | 2020-01-05 | 1 | -3/+3
  a5af33ce9a16 instance: strdup string attributes
  d2e8bf6ef7cf system: watchdog_set: fix misleading indentation
  9814807bd71c system: sysupgrade: fix possibly misleading error
  c7a2db3c1eb6 system: sysupgrade: rework firmware validation
  ea45c4a0f07c system: fix failing image validation due to EINTR
  4fde95506243 cmake: fix lookup of external libraries
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* procd: fix running jailed non-root process | Daniel Golle | 2019-12-30 | 1 | -4/+4
  Setting user and group for a jailed process caused the jail not to come up. Fix this by passing user and group to ujail and change user only once the jail has been setup. This allows jailing services which refuse to run as root user.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to latest git HEAD | Hans Dedecker | 2019-11-26 | 1 | -3/+3
  3aa051b system: sysupgrade: close input side of pipe before reading
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: start additional consoles during hotplugging | Michael Heimpold | 2019-11-09 | 2 | -1/+5
  Now that 'start-console' procd command has reached the main repo, we can add a rule to start consoles on serial devices which are created when USB gadget driver reports creation with hotplugging.
  Signed-off-by: Michael Heimpold <mhei@heimpold.de>
* procd: Update to version 2019-11-02 | Hauke Mehrtens | 2019-11-03 | 1 | -3/+3
  f47622e instance: Warn about unexpected number of parameters
  564ecdf instance: ujail: Fix allocated size for no_new_privs parameter
  7fb2e1d procd: simplify code in procd_inittab_run
  4a127c3 procd: replace exit(-1) with exit(EXIT_FAILURE)
  bc0a73e procd: add upgraded binary to .gitignore
  ba4c4db procd: add start-console support
  3e39fe5 procd: shift arguments for askfirst only once
  5d62829 procd: skip respawn in case device disappeared
  d27949f procd: guard fork_worker calls
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* procd: update to latest git HEAD | Hans Dedecker | 2019-10-22 | 1 | -3/+3
  258aa04 procd: Add cached and available to memory table
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: allow usage of * as procd_running() instance parameter | Alin Nastac | 2019-10-18 | 2 | -4/+4
  service_running() implementation in /etc/rc.common use it. It is preferable to use wildcard than assuming the instance name is the default one.
  jsonfilter returns all matches when wildcards are used, hence the -l 1 argument used to limit output to only one value.
  Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
* procd: update to the latest git HEAD | Hauke Mehrtens | 2019-09-21 | 1 | -3/+3
  8e9fb51 procd: Switch to nanosleep
  c844ace system: Fix possible integer overflows
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* procd: fix invalid JSON filter expression in procd_running() | Jo-Philipp Wich | 2019-09-19 | 2 | -2/+2
  Since service and instance names may contain characters which are not allowed in JSON path labels, such as dashes or spaces, change the filter expression to array square bracket notation to properly match these cases as well.
  Fixes: 2c3dd70741 ("procd: add procd_running() helper for checking running state")
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* procd: update to the latest git HEAD | Rafał Miłecki | 2019-09-18 | 1 | -3/+3
  62dc8c0 system: sysupgrade: send reply on error
  2710c65 system: refuse sysupgrade with backup if it's unsupported
  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* base-files,procd: add generic service status | Luiz Angelo Daros de Luca | 2019-09-15 | 1 | -0/+25
  Adds a default status action for init.d scripts.
  procd "service status" will return:
  0) for loaded services (even if disabled by conf or dead)
  3) for inactive services
  4) when filtering a non-existing instance
  Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
  [rebased, cleaned up]
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* procd: update to the latest git HEAD | Rafał Miłecki | 2019-09-11 | 1 | -3/+3
  b8238df sysupgrade: support "backup" attribute
  This update requires "sysupgrade" method callers to pass "backup" attribute if $UPGRADE_BACKUP is used in the project.
  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* procd: update to the latest git HEAD | Rafał Miłecki | 2019-09-05 | 1 | -3/+3
  0f3c136 sysupgrade: set UPGRADE_BACKUP env variable
  0bcbbbf system: fix uninitialized variables in firmware validation code
  This update includes a fix for uninitialized variable usage.
  Fixes: 7290963d0992 ("procd: update to the latest git HEAD")
  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* procd: update to the latest git HEAD | Rafał Miłecki | 2019-09-04 | 1 | -3/+3
  34ac88c system: reject sysupgrade of invalid firmware images by default
  f55c235 system: reject sysupgrade of broken firmware images
  e990e21 system: add "validate_firmware_image" ubus method
  This update changes "sysupgrade" ubus method API. It's now required to pass "force" attribute whenever invalid firmware is meant to be installed.
  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* procd: fix compile issue with glibc (FS#2469) | Hans Dedecker | 2019-08-28 | 1 | -3/+3
  0430252 sysupgrade: add missing _GNU_SOURCE define (FS#2469)
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>