aboutsummaryrefslogtreecommitdiffstats
path: root/package/system/procd
Commit message (Collapse)AuthorAgeFilesLines
* procd: add hotplug-call dispatcher ubus objectsDaniel Golle2021-02-081-3/+3
| | | | | | Add per-subsystem ubus objects exposing hotplug-call. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2021-02-021-4/+4
| | | | | | | | | | 0aee1c3 hotplug.c: set nl_pid to zero d6dda31 procd: fix compiler warning 92c8e8f jail: remove duplicate check for hook file permissions 0a74c06 jail: only output BPF instr. table header if debugging fd18379 jail: cgroups: fix uninitialized variabl Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-12-121-3/+3
| | | | | | | 111416d jail: remove unreachable code 7f12c89 treewide: replace local mkdir_p implementations Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: also depend on jshnSven Roederer2020-12-051-2/+2
| | | | | | fixes "file no found" error on stripped down images, caused by prod.sh:43. Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* procd: output warning if user 'ubus' doesn't existDaniel Golle2020-12-041-3/+3
| | | | | | 6acc48c early: fall-back to run ubus as root if user can't be found Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-11-301-3/+3
| | | | | | | | f3c3563 jail: improve seccomp BPF generator f67a66f jail: always call cgroups_free() 4625350 jail: seccomp: improve code readability Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-11-271-3/+3
| | | | | | | | | | | | | | | | 3019f50 jail: leak less memory 7e01453 jail: fix segfault on missing name and refactor 5abee8f jail: fix and simplify userns uid/gid maps from OCI 4ba72ec jail: relax /etc/resolv.conf creation db5ef86 jail: don't use NULL arguments for mount syscall 19ac9df jail: don't fail if can't mount-bind /etc/resolv.conf acf36f2 jail: seteuid before clone(CLONE_NEWUSER) e40828f jail: fix typo in usage output b87984b jail: don't attempt to mount /sys with noatime b275b11 jail: enter existing cgroups namespace if given 31e0a46 jail: properly initialize timens_fd Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-11-231-3/+3
| | | | | | | d4d78db uxc: also delete procd runtime state on 'delete' e935c0c jail: add 'debug' extern variable to preload_seccomp Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-11-221-3/+3
| | | | | | | | | 04a2edd uxc: make force-delete kill container process be6da62 seccomp: silence 'unknown syscall' warnings b22e625 jail: cgroup hack: rewrite cgroup -> cgroup2 df7fa7b uxc: fix incomplete commit Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: drop legacy seccomp support, switch to OCI parsersDaniel Golle2020-11-171-3/+3
| | | | | | | | d8f36f5 seccomp: specifying architectures is optional d352e6e seccomp: switch to new OCI compliant parser c110405 trace: switch to OCI seccomp JSON output Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to git HEADDaniel Golle2020-11-071-3/+3
| | | | | | b0de894 jail: fix capabilities Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to git HEADDaniel Golle2020-11-051-3/+3
| | | | | | | | | | | | 2f381fe jail: guard boolean blobmsg attributes 602b8fa jail: add option for pidfile bba6de7 jail: handle mount propagation flags 6963d50 jail: relax seccomp unknown syscall handling e1fcfdc jail: add support for absolute root path in OCI spec 257f29b jail: don't fail if maskedPath cannot be found 75f2374 uxc: mimic runc cmdline by using getopt_long Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: ujail fixesDaniel Golle2020-10-251-3/+3
| | | | | | | ec461ff jail: mount more stuff read-only 33b799b ujail: elf: work around GCC bug on MIPS64 Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail: clean up capability handling and non-root ubusdDaniel Golle2020-10-211-3/+3
| | | | | | | | | | | | | | | Unify capability handling to only use OCI spec parsers even for ujail slim containers which previously supposedly used their own format. 80c9516 cgroups: restrict allowed keys in 'unified' section 5ade567 cgroups: memory controller fixes 3121467 early: run ubusd non-root as user ubus, group ubus 12a5b97 jail: adapt to new ubus socket path 788d144 instance: actually wire up capabilities filename ebc5a7f jail: nuke old capabilities code in favour of reusing OCI code 6c5233a jail: capabilities: apply in two phases Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: remove duplicate confguration menuDaniel Golle2020-08-131-2/+0
| | | | | Fixes: 962e73c1a4 ("procd: add selinux variant") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: add selinux variantPaul Spooren2020-08-131-7/+31
| | | | | | | | This commit adds a `selinux` variant to `procd` allowing to load an SELinux policy at boot. Signed-off-by: Paul Spooren <mail@aparcar.org> Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: add SELinux supportThomas Petazzoni2020-08-101-5/+6
| | | | | | | | | | | | | | | | | | This commit adds a patch to procd to support loading the SELinux policy early at boot time, and adjusts the procd package to use this SELinux support when libselinux is enabled. The procd patch has been submitted separately [1]: obviously the intent is to have it merged in the procd Git repository rather than have it in OpenWrt itself. [1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025791.html Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> [rebase, add commit message] Signed-off-by: W. Michael Petullo <mike@flyn.org> [split commit into openwrt.git and procd.git] Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-08-061-3/+3
| | | | | | | | | | | | | 47a9f0d service: add method to query available container features afbaba9 initd: attempt to mount cgroup2 ead60fe jail: use pidns semantics also for timens 759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits 83053b6 instance: add instances into unified cgroup hierarchy 16159bb jail: parse OCI cgroups resources 282ff0c jail: only free cgroups if they were allocated ab55357 jail: fix freeing cgroups avl Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* Revert "procd: update to git HEAD"Daniel Golle2020-08-061-3/+3
| | | | | | This reverts commit e0e607f0d000e62c6af8d822d7c3f57c2a582136. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-08-061-3/+3
| | | | | | | | | | | 47a9f0d service: add method to query available container features afbaba9 initd: attempt to mount cgroup2 ead60fe jail: use pidns semantics also for timens 759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits 83053b6 instance: add instances into unified cgroup hierarchy 16159bb jail: parse OCI cgroups resources Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-07-301-3/+3
| | | | | | | 28be011 instance: make sure values are not inherited from previous runs 2ae5cbc uxc: remove debugging left-over Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-07-291-3/+3
| | | | | | | | | | | c3ca99f jail: serialize hook execution 8ff8970 jail: add some remaining OCI features 9d5fa0a uxc: behave more like a compliant OCI run-time 1274033 uxc: fix create operation 2d811a4 jail: add 'kill' method to container.%s object 08133b8 uxc: use new container.%s kill ubus API Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail: fix build on glibc and uclibcDaniel Golle2020-07-251-3/+3
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-07-251-3/+3
| | | | | | | | 48777de rcS: cast format string to int64_t a4df90f jail: fix wrong format for 32-bit c482c5d jail: add support for referencing existing namespaces Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to git HEAD once againDaniel Golle2020-07-201-3/+3
| | | | | | | | | | | Further complete OCI container support in ujail: f5f305e jail: move /tmp/resolv.conf.d to /dev/resolv.conf.d 6f078ae jail: add support for defining devices 686cf7a jail: actually apply filesystem-specific mount options f91009a jail: refactor default mounts into new structure 66ae2d9 jail: re-implement /proc/sys/net read-write in netns hack Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-07-191-3/+3
| | | | | | | | | | | 9eddf0f jail: fix hooks 1b1286b jail: parse and apply OCI sysctl values c049047 jail: implement OCI user additionalGIDs 0e1920c jail: read and apply umask from OCI if defined 1c46cc3 jail: parse and apply POSIX rlimits 76adac5 jail: /proc/$pid/oom_score_adj to OCI defined oomScoreAdj Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to git HEADDaniel Golle2020-07-171-4/+4
| | | | | | | | | | 8d5208f jail: fix false return in case of nofail mount b41f76b procd: fix compile if procd-ujail is not selected 86a5105 jail: fs: fix build on uClibc-ng bfce7d1 jail: fix some more mount options 268126a jail: add support for maskedPaths and readonlyPaths Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: allow optional watchdog instance parameterDaniel Bailey2020-07-141-2/+2
| | | | | | | | | | | | | | Optional instance watchdog timeout and watchdog mode can be set by adding: procd_set_param $mode $timeout $mode is an integer [0-1] representing instance watchdog mode of operation: 0 = disabled 1 = passive mode, client must periodically poke watchdog via ubus $timeout is an integer representing how often, in seconds, the watchdog must be poked. Signed-off-by: Daniel Bailey <danielb@meshplusplus.com>
* procd: update to git HEADDaniel Golle2020-07-141-3/+3
| | | | | | | 639df57 uxc: fix build with uClibc-ng b2230e4 procd: add service instance watchdog Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-07-131-3/+3
| | | | | | | | | | | | | | aed7fb3 procd: fix compilation with uClibc-ng 9d0f831 jail: fix segfault with len(uidmap/gidmap) > 1 42a6217 jail: consider PATH for argv in OCI container 83f4b72 jail: actually chdir into OCI defined CWD fc9f614 jail: parse and run OCI hooks 02eec92 jail: memory allocation fixes 71e75f4 jail: refactor mount support to cover OCI spec b586e7d jail: don't make mount source read-only dacab12 uxc: fix 'stop' command Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: fix yet another build issue, this time with capabilitiesDaniel Golle2020-07-111-3/+3
| | | | | | | 3034eaf jail: use linux/capability.h instead of sys/capability.h Fixes: b6e440a0f5 ("procd: update to git HEAD") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: fix another seccomp-related build issueDaniel Golle2020-07-111-3/+3
| | | | | | | 3473671 ujail: add dependency on syscall-names-h Fixes: b6e440a0f5 ("procd: update to git HEAD") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail: fix build on platforms without seccomp supportDaniel Golle2020-07-111-3/+3
| | | | | Fixes: b6e440a0f5 ("procd: update to git HEAD") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-07-102-3/+41
| | | | | | | ea7a790 jail: add support for running OCI bundle bb4a446 uxc: add container management CLI tool Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to git HEADDaniel Golle2020-05-281-3/+3
| | | | | | | b84a329 jail: use sane termios settings for console pts b9b39e2 jail: handle containers seperately Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail: fix segfault and add console featureDaniel Golle2020-05-152-3/+17
| | | | | | | | 2e73848 jail: SIGSEGV must not be forwarded to the child process 7e150f6 jail: unnamed jails can not have netns (fix segfault) 1ab539b jail: add option to provide /dev/console to containers Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: replace backticks by $(...)Adrian Schmutzler2020-05-132-3/+3
| | | | | | This replaces deprecated backticks by more versatile $(...) syntax. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* procd: extend requirejail attribute handlingDaniel Golle2020-04-251-3/+3
| | | | | | | | e2ed964 jail: don't fail unless requirejail is set 17e7ae7 jail: don't load libpreload-seccomp.so if it doesn't exist Fixes openwrt/packages#11913 Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: fix jail when running on glibcDaniel Golle2020-04-191-3/+3
| | | | | | d200b70 jail: include /etc/nsswitch.conf in jail for glibc. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: jail fixes and improvementsDaniel Golle2020-04-141-3/+3
| | | | | | | | | | | 32c717e jail: only mess with rootfs if CLONE_NEWNS was set b275a62 instance: harmonize instance API 511fd97 jail: make /proc more secure 4953b7c jail: mount /sys read-only a4d6442 jail: replace /etc/resolv.conf with symlink in extroot+overlay a4cc165 jail: always mount /dev as additional tmpfs Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: bump to latest HEADDaniel Golle2020-04-092-4/+7
| | | | | | | | | | | | 2188d81 jail: add support for launching extroot containers 6f3dbd2 jail: add support for userns and cgroupsns 28a06e5 jail: add support for (ram-)overlayfs Add handling for extroot, overlaydir and tmpoverlaysize as well as jail flags for userns and cgroupsns to OpenWrt's shell script to allow their use in init scripts. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: update to latest git HEADDaniel Golle2020-03-131-4/+4
| | | | | | 77a6782 jail: mount-bind /etc/resolv.conf for non-netns jails Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: actually wire-up netns supportDaniel Golle2020-03-122-1/+2
| | | | | | | | When support for network namespaces was added to procd, adding the corresponding jail flag in procd.sh was ommitted. Add it now. Fixes: 97a03a4760 ("procd: update to latest git HEAD") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: seccomp: fix resource leakKevin Darbyshire-Bryant2020-02-111-3/+3
| | | | | | | | Bump to latest commit: c30b23e seccomp: fix resource leak Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* procd: update to latest git HEADHans Dedecker2020-02-091-2/+2
| | | | | | | | Fixes c0c988e179a75d33c82ed0621d954fc0ac2c0c14 bcb8655 instance: add 'requirejail' attribute Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: support 'requirejail' attributeKevin Darbyshire-Bryant2020-02-042-2/+3
| | | | | | | | | | | | | | | | Bump procd package to reduce log spam related to missing jail binaries in a non-jail capable system. bcb8655 instance: add 'requirejail' attribute An additional jail attribute 'requirejail' can now be used to indicate mandatory use of a jailed environment and hence prevent process startup in the event that the jail subsystem is unavailable. Procd will now only log errors if jail is unavailable and 1) is a mandatory requirement or 2) a procd debug level of at least 2 is in use. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* procd: update to version 2020-01-24Petr Štetiar2020-01-241-3/+3
| | | | | | | | 00aafc4f439e procd: show process's exit code 856b5f8be046 state: fix reboot causing shutdown inside LXC container b44417c20c7f instance: provide error feedback if ujail binary is missing Signed-off-by: Petr Štetiar <ynezz@true.cz>
* procd: update to latest git HEADDaniel Golle2020-01-211-4/+4
| | | | | | | | | | | | | 58c12f7 jail: add basic support for network namespaces ba69639 jail: create resolv.conf symlink for netns jails 81b88b1 jail: more strict mount options for /tmp/resolv.conf.d/ Add new 'netns' flag for procd_add_jail to make ujail setup a new network namespace for the jailed service. See previous netifd commit for example configuration for netns jailed service. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* procd: activate PIE ASLR by defaultPetr Štetiar2020-01-141-0/+1
| | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. Size increase on x86/64: procd Installed-Size: 44931 -> 47362 Signed-off-by: Petr Štetiar <ynezz@true.cz>
* procd: update to version 2020-01-04Petr Štetiar2020-01-051-3/+3
| | | | | | | | | | | a5af33ce9a16 instance: strdup string attributes d2e8bf6ef7cf system: watchdog_set: fix misleading indentation 9814807bd71c system: sysupgrade: fix possibly misleading error c7a2db3c1eb6 system: sysupgrade: rework firmware validation ea45c4a0f07c system: fix failing image validation due to EINTR 4fde95506243 cmake: fix lookup of external libraries Signed-off-by: Petr Štetiar <ynezz@true.cz>