Daniel Golle [Fri, 3 Jan 2020 10:29:17 +0000 (12:29 +0200)]
jail: create resolv.conf symlink for netns jails
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Daniel Golle [Wed, 4 Dec 2019 13:06:06 +0000 (14:06 +0100)]
jail: add basic support for network namespaces
Add new 'netns' flag for procd_add_jail to make ujail setup a new
network namespace for the jailed service.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Daniel Golle [Sun, 19 Jan 2020 07:42:37 +0000 (09:42 +0200)]
instance: Fix instance_config_move_strdup() function
instance_config_move_strdup() previously returned too early in case of
a value being previously unassigned.
Fixes: 153820c ("instance: fix pidfile and seccomp attributes double free")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Petr Štetiar [Fri, 10 Jan 2020 21:56:31 +0000 (22:56 +0100)]
instance: fix typo in error message
Fixes `removed` to proper `remove` in "Failed to removed pidfile".
Fixes: b12bb150ed38 ("procd: service: Support writing pidfiles")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Fri, 17 Jan 2020 17:22:37 +0000 (18:22 +0100)]
instance: fix pidfile and seccomp attributes double free
Commit a5af33ce9a16 ("instance: strdup string attributes") has
introduced duplication of various string attributes in order to fix
use-after-free, but missed handling of `pidfile` and `seccomp` attribute
cases in instance_config_move() where the new value of `pidfile` or
`seccomp` is being copied/assigned. Source of these values is then
free()d in subsequent call to instance_free() and then again for 2nd
time during the service stop command handling, leading to double free
crash:
#0 unmap_chunk at src/malloc/malloc.c:515
#1 free at src/malloc/malloc.c:526
#2 instance_free (in=0xd5e300) at instance.c:1100
#3 instance_delete (in=0xd5e300) at instance.c:559
#4 instance_stop (in=0xd5e300, halt=true) at instance.c:611
While at it, add missing handling of jail.name and jail.hostname
attributes as well.
Ref: FS#2723
Fixes: a5af33ce9a16 ("instance: strdup string attributes")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Daniel Golle [Sat, 4 Jan 2020 14:16:12 +0000 (16:16 +0200)]
instance: strdup string attributes
Previously string attributes were set to pointers returned by
blobmsg_get_string() which caused use-after-free problems.
Use strdup() to have copies of all stored strings and free them
during cleanup.
Reviewed-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
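The ownership problem behind the three `instance:` commits above (use-after-free, the later double free, and the early return for unassigned values), as an added example that is not procd code. The struct, the function names and the sample paths are hypothetical; only the pattern (alias a pointer versus strdup() a private copy) comes from the commit messages.

```c
/* Added example (not procd source): who owns a string attribute after a config move. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the string attributes of a service instance. */
struct inst_cfg {
    char *pidfile;
    char *seccomp;
};

/* "Before": the destination takes the source's pointers, so both structs
 * now believe they own the same allocation and both will free() it. */
static void cfg_move_alias(struct inst_cfg *dst, const struct inst_cfg *src)
{
    dst->pidfile = src->pidfile;
    dst->seccomp = src->seccomp;
}

/* "After": the destination gets its own copy. The copy is made first so a
 * failed strdup() leaves *dst untouched. free(NULL) is a no-op, so a
 * previously unassigned *dst needs no early return. */
static int move_strdup(char **dst, const char *src)
{
    char *copy = NULL;

    if (src && !(copy = strdup(src)))
        return -1;
    free(*dst);
    *dst = copy;
    return 0;
}

static int cfg_move_strdup(struct inst_cfg *dst, const struct inst_cfg *src)
{
    if (move_strdup(&dst->pidfile, src->pidfile) < 0)
        return -1;
    return move_strdup(&dst->seccomp, src->seccomp);
}

static void cfg_free(struct inst_cfg *c)
{
    free(c->pidfile);
    free(c->seccomp);
    c->pidfile = c->seccomp = NULL;
}

/* Number of attributes whose storage is shared between a and b. Every
 * shared attribute is one double free waiting for the second cfg_free(). */
static int cfg_shared(const struct inst_cfg *a, const struct inst_cfg *b)
{
    return (a->pidfile && a->pidfile == b->pidfile) +
           (a->seccomp && a->seccomp == b->seccomp);
}

/* Full lifecycle with copies: move, free the source, keep using the
 * destination, free the destination. Returns 1 when every step held. */
static int lifecycle_with_copies(void)
{
    /* Constructed sample values. */
    static const char pid[] = "/var/run/demo.pid";
    static const char sec[] = "/etc/seccomp/demo.json";
    struct inst_cfg cur = { NULL, NULL };   /* attributes not yet assigned */
    struct inst_cfg next = { strdup(pid), strdup(sec) };
    int ok = 0;

    if (next.pidfile && next.seccomp && cfg_move_strdup(&cur, &next) == 0) {
        ok = cfg_shared(&cur, &next) == 0;
        cfg_free(&next);                    /* source goes away first */
        ok = ok && strcmp(cur.pidfile, pid) == 0 &&
             strcmp(cur.seccomp, sec) == 0; /* copies are still valid */
    }
    cfg_free(&next);
    cfg_free(&cur);                         /* each allocation freed once */
    return ok;
}

int main(void)
{
    printf("lifecycle with copies ok: %d\n", lifecycle_with_copies());
    return 0;
}
```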
Petr Štetiar [Sun, 5 Jan 2020 10:48:35 +0000 (11:48 +0100)]
system: watchdog_set: fix misleading indentation
Fixes error reported by clang version 10.0.0-+20200102091410:
system.c:367:4: error: misleading indentation; statement is not part of the previous 'if' [-Werror,-Wmisleading-indentation]
watchdog_timeout(timeout);
^
system.c:365:3: note: previous statement is here
if (timeout <= frequency)
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Fri, 3 Jan 2020 00:26:50 +0000 (01:26 +0100)]
system: sysupgrade: fix possibly misleading error
Fix possibly misleading error "Firmware image is broken and cannot be
installed" which could be produced by JSON without expected validation
variables, where "Validation script provided invalid input" error message
makes more sense.
Cc: Rafał Miłecki <rafal@milecki.pl>
Tested-by: Kuan-Yi Li <kyli@abysm.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Mon, 30 Dec 2019 21:34:50 +0000 (22:34 +0100)]
system: sysupgrade: rework firmware validation
Fixes following deficiencies:
* unhandled read() errors
* everything bundled in one long function, which is hard to follow and
reason about
* JSON parser errors are being ignored, anything else than
json_tokener_continue is fatal error
* JSON parser errors are being output to stderr, thus invisible via SSH
* validate_firmware_image_call can fail at a lot of places, but we just
get one generic "Firmware image couldn't be validated" so it's hard
to debug
Cc: Rafał Miłecki <rafal@milecki.pl>
Tested-by: Kuan-Yi Li <kyli@abysm.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Sun, 29 Dec 2019 20:25:33 +0000 (21:25 +0100)]
system: fix failing image validation due to EINTR
It was quite common to see following error during sysupgrade on serial
console:
Failed to parse JSON: 4
This is happening due to the fact, that validate_firmware_image_call
fork()s then waits in blocking read() for the input from the child
process, but child finishes its tasks and exits, thus emitting SIGCHLD
signal which then leads to the interruption of the blocking read() in
the parent process with EINTR error.
It seems like the recent fixes in the libubox library, particularly in
the jshn sub-component (which empowers json_dump used in the shell
script executed by the child process) made the execution somehow faster,
thus exposing this racy behaviour in the validate_firmware_image_call at
least on RPi-4 (Cortex-A72) target.
So this patch fixes this issue by checking the read() return value and
retrying the read() if interrupted due to the EINTR error.
Ref: http://lists.infradead.org/pipermail/openwrt-devel/2020-January/020994.html
Fixes: e990e215e8a3 ("system: add "validate_firmware_image" ubus method")
Cc: Rafał Miłecki <rafal@milecki.pl>
Tested-by: Kuan-Yi Li <kyli@abysm.org>
Tested-by: Petr Novák <petrn@me.com>
Reported-by: Petr Novák <petrn@me.com>
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
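The EINTR race described in the commit above, as an added example that is not procd code. All names and the sample JSON are constructed, and the SIGCHLD handler is installed without SA_RESTART on the assumption that this matches how the parent's event loop handles the signal; a short-lived sibling child is used to make the interrupt land reliably while the parent is blocked in read().

```c
/* Added example (not procd source): retry read() when SIGCHLD interrupts it. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Constructed sample of what a validation helper might print. */
static const char SAMPLE_JSON[] = "{\"valid\": true, \"forceable\": true}";

static void on_sigchld(int sig) { (void)sig; }  /* only needs to exist */

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Read until EOF or until buf is full. A read() cut short by a signal
 * returns -1 with errno == EINTR; that is not a failure, so retry it. */
static ssize_t read_all_retry(int fd, char *buf, size_t cap, int *eintr_count)
{
    size_t off = 0;

    while (off < cap) {
        ssize_t n = read(fd, buf + off, cap - off);

        if (n < 0) {
            if (errno == EINTR) {
                (*eintr_count)++;
                continue;
            }
            return -1;              /* real I/O error */
        }
        if (n == 0)                 /* EOF: every write end is closed */
            break;
        off += (size_t)n;
    }
    return (ssize_t)off;
}

static void reap(pid_t pid)
{
    while (waitpid(pid, NULL, 0) < 0 && errno == EINTR)
        ;
}

/* Parent forks a writer that emits JSON late and a helper that exits early,
 * so SIGCHLD arrives while read() is still waiting for the first byte.
 * Returns the number of bytes read into out (NUL-terminated), or -1. */
static ssize_t validate_call_demo(char *out, size_t cap, int *eintr_count)
{
    struct sigaction sa, old;
    int fds[2];
    pid_t helper, writer;
    ssize_t n = -1;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_sigchld;     /* sa_flags == 0, so no SA_RESTART */
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGCHLD, &sa, &old) < 0)
        return -1;
    if (pipe(fds) < 0) {
        sigaction(SIGCHLD, &old, NULL);
        return -1;
    }

    helper = fork();
    if (helper == 0) {
        close(fds[0]);
        close(fds[1]);
        sleep_ms(150);
        _exit(0);                   /* parent receives SIGCHLD here */
    }
    writer = fork();
    if (writer == 0) {
        close(fds[0]);
        sleep_ms(600);
        if (write(fds[1], SAMPLE_JSON, strlen(SAMPLE_JSON)) < 0)
            _exit(1);
        _exit(0);
    }

    close(fds[1]);                  /* or the parent never sees EOF */
    if (helper > 0 && writer > 0 && cap > 0) {
        n = read_all_retry(fds[0], out, cap - 1, eintr_count);
        if (n >= 0)
            out[n] = '\0';
    }
    close(fds[0]);
    if (helper > 0)
        reap(helper);
    if (writer > 0)
        reap(writer);
    sigaction(SIGCHLD, &old, NULL);
    return n;
}

int main(void)
{
    char buf[128];
    int eintr = 0;
    ssize_t n = validate_call_demo(buf, sizeof(buf), &eintr);

    printf("read %zd bytes after %d EINTR retries: %s\n",
           n, eintr, n >= 0 ? buf : "(error)");
    return n < 0;
}
```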
Petr Štetiar [Sun, 29 Dec 2019 14:56:43 +0000 (15:56 +0100)]
cmake: fix lookup of external libraries
In order to make it compile properly in more environments.
Tested-by: Petr Novák <petrn@me.com>
Tested-by: Kuan-Yi Li <kyli@abysm.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Daniel Golle [Mon, 30 Dec 2019 18:22:45 +0000 (20:22 +0200)]
jail: remove accidentally added lines
The previous commit accidentally added unrelated lines which broke
build. Remove them.
Fixes: 2c5c19 ("jail: set user and group inside jail")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Daniel Golle [Sun, 29 Dec 2019 14:23:34 +0000 (16:23 +0200)]
jail: set user and group inside jail
This allows jailed services to run as users other than root, simply
because some services refuse to be run as UID 0.
Previously, setting the process UID and GID before launching the
jail wrapper prevented the jail from starting.
Rather than setting them in procd/service.c, pass user and group
parameters to ujail and set them inside ujail just before executing the
service.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Dustin Lundquist [Mon, 28 Oct 2019 16:52:06 +0000 (16:52 +0000)]
system: sysupgrade: close input side of pipe before reading
When /usr/libexec/validate_firmware_image is not present on the system
procd will hang indefinitely on the read() since the input side of the
pipe is still open.
Also fix pipe file descriptor leak when fork() fails.
Signed-off-by: Dustin Lundquist <d.lundquist@temperednetworks.com>
Acked-by: Rafał Miłecki <rafal@milecki.pl>
Hauke Mehrtens [Fri, 1 Nov 2019 16:16:39 +0000 (17:16 +0100)]
instance: Warn about unexpected number of parameters
Warn when the number of allocated parameters for the jail argv does not
match the number of used parameters. This normally leads to a buffer
overflow.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Fri, 1 Nov 2019 16:16:38 +0000 (17:16 +0100)]
instance: ujail: Fix allocated size for no_new_privs parameter
When the no_new_privs parameter is given, the size of the array which
contains the argv pointers is not increased in instance_jail_parse()
which causes a buffer overflow. Fix this by requesting one more entry in
instance_jail_parse() for the allocation.
Fixes: dfd5816bcbef ("instance, ujail: wire no_new_privs (-c) option")
Cc: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Michael Heimpold [Tue, 1 Jan 2019 23:44:53 +0000 (00:44 +0100)]
procd: simplify code in procd_inittab_run
This is a trial to make it more obvious what the historically
grown code is actually doing.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Michael Heimpold [Tue, 1 Jan 2019 23:44:59 +0000 (00:44 +0100)]
procd: replace exit(-1) with exit(EXIT_FAILURE)
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Michael Heimpold [Tue, 1 Jan 2019 23:44:58 +0000 (00:44 +0100)]
procd: add upgraded binary to .gitignore
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Michael Heimpold [Tue, 1 Jan 2019 23:44:57 +0000 (00:44 +0100)]
procd: add start-console support
This adds a hotplug function to (re-)start inittab entries with askfirst or respawn.
At the moment the devices used with these actions must be present during boot
otherwise such lines are skipped.
However, this prevents having inittab entries with consoles for e.g. USB gadget
devices which only appear after kernel module loading and after configuring them
with configfs.
While it was possible to only scan the inittab for the desired item to start,
I assume the inittab to be short and re-running the whole list will be negligible.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Michael Heimpold [Tue, 1 Jan 2019 23:44:56 +0000 (00:44 +0100)]
procd: shift arguments for askfirst only once
In case we want to process an inittab item multiple times (e.g. in case
of hotplugging) we must not shift the arguments for askfirst multiple
times. So check whether we already did it.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Michael Heimpold [Tue, 1 Jan 2019 23:44:55 +0000 (00:44 +0100)]
procd: skip respawn in case device disappeared
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Michael Heimpold [Tue, 1 Jan 2019 23:44:54 +0000 (00:44 +0100)]
procd: guard fork_worker calls
Usually respawn(), askfirst(), askconsole() and rcrespawn() are run only
one time to start a worker child for the given inittab entry.
In case we want to allow calling these functions several times, we need
to ensure that we do not start multiple workers at the same time for the
same inittab item.
For this, we can re-use the remembered pid of the worker child,
however, we need to reset this pid to allow a new instance in case the
previous child exited.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Zachary Cook [Tue, 8 Oct 2019 05:02:50 +0000 (01:02 -0400)]
procd: Add cached and available to memory table
Provides a better measure of actual system memory usage for Luci/users.
"cached" will be used to add a new progress bar, "available" is the
kernel's estimate of memory that is actually useable, and is more
accurate than (memory.free + memory.buffered) that Luci currently uses
to calculate available memory.
Signed-off-by: Zachary Cook <zachcook1991@gmail.com>
Rosen Penev [Sun, 1 Sep 2019 20:26:43 +0000 (13:26 -0700)]
procd: Switch to nanosleep
usleep has been deprecated by POSIX.1-2001 and removed in POSIX.1-2008.
Fixes compilation when libc does not include usleep (optional with
uClibc-ng).
nanosleep also has the advantage of being more accurate.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Hauke Mehrtens [Fri, 13 Sep 2019 20:04:03 +0000 (22:04 +0200)]
system: Fix possible integer overflows
This multiplication was done on 32 bit integers before, explicitly cast
them to 64 bit values before to make sure the multiplication is done on
64 bit numbers.
Coverity: #1412417, #1412410, #1412409, #1412411, #1412424, #1412407
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Rafał Miłecki [Wed, 11 Sep 2019 09:21:59 +0000 (11:21 +0200)]
system: sysupgrade: send reply on error
This provides some meaningful info on why sysupgrade has failed.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Rafał Miłecki [Wed, 11 Sep 2019 08:34:41 +0000 (10:34 +0200)]
system: refuse sysupgrade with backup if it's unsupported
Don't allow it if validation methods marked firmware as not supporting a
backup.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Wed, 11 Sep 2019 06:58:15 +0000 (08:58 +0200)]
sysupgrade: support "backup" attribute
This new attribute allows passing path of the backup archive. It
provides much more flexibility than hardcoding /tmp/sysupgrade.tgz. It
may help avoiding some cp/mv for user-provided backup archive.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Thu, 5 Sep 2019 07:20:13 +0000 (09:20 +0200)]
sysupgrade: set UPGRADE_BACKUP env variable
It points to the backup file to use during sysupgrade process. Right now
it's hardcoded to the /tmp/sysupgrade.tgz. Once all cleanups are in
place "sysupgrade" ubus method should be extended to allow passing any
custom path.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Thu, 5 Sep 2019 21:07:21 +0000 (23:07 +0200)]
system: fix uninitialized variables in firmware validation code
This fixes:
system.c: In function 'validate_firmware_image':
system.c:403:6: error: 'fd' may be used uninitialized in this function [-Werror=maybe-uninitialized]
if (fd >= 0) {
^
system.c:446:4: error: 'jsobj' may be used uninitialized in this function [-Werror=maybe-uninitialized]
blobmsg_add_object(&b, jsobj);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: e990e215e8a3 ("system: add "validate_firmware_image" ubus method")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Wed, 4 Sep 2019 09:06:52 +0000 (11:06 +0200)]
system: reject sysupgrade of invalid firmware images by default
This validation step can be bypassed by passing "force" argument. This
is very similar to the /sbin/sysupgrade behavior and --force.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Fri, 30 Aug 2019 15:46:07 +0000 (17:46 +0200)]
system: reject sysupgrade of broken firmware images
This uses recently added "validate_firmware_image" to validate passed
firmware. If it happens to be invalid and marked as impossible to force
then sysupgrade simply exits with an error.
This change is needed to avoid bricking devices with some totally broken
images.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Fri, 30 Aug 2019 07:28:34 +0000 (09:28 +0200)]
system: add "validate_firmware_image" ubus method
This new method allows validating firmware image (stored on a device)
using ubus. It uses new executable helper that provides detailed info
about firmware image.
The point of this method is to allow user interfaces provide various
info before starting actual upgrade process.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rosen Penev [Mon, 26 Aug 2019 22:22:15 +0000 (15:22 -0700)]
sysupgrade: add missing _GNU_SOURCE define (FS#2469)
Fixes compilation problems:
error: implicit declaration of function 'asprintf'; did you mean 'vsprintf'?
[-Werror=implicit-function-declaration]
57 | if (asprintf(&name, "%s%s", prefix, blobmsg_name(option)) <= 0)
| ^~~~~~~~
| vsprintf
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Rafał Miłecki [Fri, 16 Aug 2019 14:14:27 +0000 (16:14 +0200)]
system: support passing "options" to the "sysupgrade" ubus method
Object passed as "options" gets translated into environment variables
UPGRADE_OPT_*. E.g.
"options": { "foo": 5 }
will result in setting UPGRADE_OPT_FOO=5.
This allows stage2 sysupgrade to get options explicitly. So far it was
guessing what to do by checking for existence of some files (e.g.
sysupgrade.tgz).
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Paul Spooren [Mon, 5 Aug 2019 16:07:45 +0000 (18:07 +0200)]
state: fix shutdown when running in a container (FS#2425)
Applies patch from @mikma [0] to fix Docker shutdown. Added detection to
state.c if running in a container or not.
Tested with a x86/64 Docker image.
Fixes FS#2425
CC: Mikael Magnusson <mikma@users.sourceforge.net>
CC: Petr Štetiar <ynezz@true.cz>
[0]: https://github.com/mikma/lxd-openwrt/blob/master/patches/procd-master/0003-docker-fix-problem-stopping-container.patch
Signed-off-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [coding style alignment]
Justinas Grauslis [Mon, 8 Jul 2019 08:01:09 +0000 (11:01 +0300)]
procd: check strchr() result before using it
Subtracting some address from NULL does not necessarily
result in a negative value. It's lower level dependent.
In our case (IPQ4019 + Yocto + meta-openwrt) subtracting
token address from NULL strchr() return value results in
large positive number which causes out-of-boundary memory
access and eventually a segfault.
Signed-off-by: Justinas Grauslis <justinas@8devices.com>
Petr Štetiar [Thu, 30 May 2019 05:53:26 +0000 (07:53 +0200)]
container: fix .dockerenv stat check
applied check wasn't evaluating the existence of the file properly.
Fixes: 7f0f6b2a73f8 ("procd: add docker support")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar [Fri, 24 May 2019 11:04:41 +0000 (13:04 +0200)]
hotplug: improve error message during group ownership change
procd currently outputs following error messages:
procd: cannot set group dialout for /dev/ttyw8
procd: cannot set group dialout for /dev/ttyq1
procd: cannot set group dialout for /dev/ttywf
from which it's not clear where the problem is, if it's either getgrnam
or chown failing and why it's failing so this patch adds name of failed
function and its errno.
Ref: https://github.com/openwrt/openwrt/pull/1773#issuecomment-495555284
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Paul Spooren [Mon, 27 May 2019 09:33:29 +0000 (11:33 +0200)]
procd: add docker support
detects if running in a docker container, which then requires special
treatment of mounts. OpenWrt within Docker is useful for CI testing.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Hans Dedecker [Thu, 9 May 2019 16:01:46 +0000 (18:01 +0200)]
container: include stdbool.h
Fixes following compile issue :
container.h:18:15: error: unknown type name 'bool'
static inline bool is_container() {
^~~~
make[5]: *** [CMakeFiles/init.dir/build.make:154: CMakeFiles/init.dir/initd/zram.c.o] Error 1
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Paul Spooren [Sun, 5 May 2019 16:31:41 +0000 (18:31 +0200)]
procd: detect lxc container and behave accordingly
meaning to not mount some specific parts which cause trouble.
The patch is based on previous work of @mikma to combine OpenWrt with
lxd[0]. This patch however adds a detection copied from *virt-what* to
check /proc/1/environment for the string "container".
Thanks to @dangowrt for the cleanup.
[0]: https://github.com/containercraft/openwrt-lxd/blob/master/patches/procd-openwrt-18.06/001_lxd_no_mounts.patch
Signed-off-by: Paul Spooren <mail@aparcar.org>
Hans Dedecker [Tue, 30 Apr 2019 19:49:26 +0000 (21:49 +0200)]
instance: dump user and group as well
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Michael Heimpold [Thu, 11 Apr 2019 19:01:07 +0000 (21:01 +0200)]
service: allow setting a dedicated group id
Sometimes it is desirable to run a process with a specific group id
instead of the default one which is derived from passwd entry.
However, we still want to initialize supplementary group ids
(including the default one), thus we have to store the specific
one in a dedicated structure element.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Michael Heimpold [Thu, 11 Apr 2019 19:01:06 +0000 (21:01 +0200)]
instance: add support for customizable syslog facilities
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Paul Spooren [Fri, 26 Apr 2019 15:32:45 +0000 (17:32 +0200)]
procd: add SIGPWR as signal
to use procd in LXC containers they have to support SIGPWR to shutdown.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Yashavanth Chowrikoppalu [Wed, 17 Apr 2019 13:21:18 +0000 (15:21 +0200)]
procd: copy the respawn property of new instance
On updating an existing instance, the respawn property is reset
in instance_stop(). Subsequent instance_update() call does not copy
the respawn property from new instance in instance_config_move(). As
a result, the respawning does not happen, if the process is killed
externally.
Signed-off-by: Yashavanth Chowrikoppalu <Yashavanth.hsn@gmail.com>
Kristian Evensen [Sat, 6 Apr 2019 12:28:30 +0000 (14:28 +0200)]
procd: instance: Support deleting stopped instances
procd currently does not support deleting a stopped instance. The reason
is that we return in instance_stop(), if pending is set to false. This
patch adds a new function, instance_delete(), which does the necessary
clean-up of an instance. instance_delete() is called before we return in
instance_stop(), as well as when a process that should not be restarted
has exited in instance_exit().
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Wojciech Dubowik [Fri, 8 Mar 2019 08:36:12 +0000 (09:36 +0100)]
procd: trace: Define syscall registers for powerpc platform
According to manpage the syscall nr is stored in r0
and return value in r3 for powerpc. Define it so we
can use seccomp and utrace on powerpc.
Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@neratec.com>
Hauke Mehrtens [Wed, 19 Dec 2018 09:51:57 +0000 (10:51 +0100)]
hotplug.c: Make sure hotplug buffer is NULL terminated
Sets the final byte explicitly to NULL because we later do string
operations on this buffer.
Fixes Coverity issue 1430926 String not null terminated
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hans Dedecker [Fri, 23 Nov 2018 11:02:45 +0000 (12:02 +0100)]
early: set /tmp permissions explicitly
In case ramfs is used as tmpfs it creates /tmp with permissions 755
which are the default permissions.
Therefore when mounting tmp set permissions explicitly to 1777
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: John Crispin <john@phrozen.org>
Hans Dedecker [Sun, 4 Nov 2018 10:14:31 +0000 (11:14 +0100)]
watchdog: improve setting watchdog timeout and frequency
Due to the watchdog file descriptor check in both watchdog_timeout and
watchdog_frequency it's impossible to set the timeout/frequency via ubus
in case the watchdog was stopped.
Fix this by removing the watchdog file descriptor check in both functions
and by caching locally the set watchdog driver timeout value. The latter
will be used to set the watchdog driver timeout value in case the
watchdog is active or when the watchdog is started.
In addition when parsing the watchdog ubus call check if timeout
attribute is set so the correct value is used when doing the frequency
sanity check.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Chris Blake [Fri, 14 Sep 2018 01:37:45 +0000 (20:37 -0500)]
procd: Add cpu string to board detection
This patch is in relation to
https://github.com/openwrt/openwrt/pull/1307 to help fix architecture
detection in LuCI which was added in
https://github.com/openwrt/luci/commit/b8f32b6da7accc672c5887e894a861de3f806cf5
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Michal Sojka [Mon, 30 Jul 2018 07:32:19 +0000 (09:32 +0200)]
Allow disabling seccomp or changing the whitelist
Without this change, once a service is started with seccomp, it is
impossible to restart it without seccomp or change the whitelist file
name. This commit fixes that. Disabling seccomp is as easy as
commenting out the "procd_set_param seccomp" line in init.d script.
Signed-off-by: Michal Sojka <michal.sojka@cvut.cz>
Michal Sojka [Mon, 30 Jul 2018 07:31:09 +0000 (09:31 +0200)]
trace: Use properly sized type for PTRACE_GETEVENTMSG
Without this, on 64-bit systems, ptrace call corrupts memory because
it stores 64bit value to 32bit pid_t variable.
Signed-off-by: Michal Sojka <michal.sojka@cvut.cz>
John Crispin [Tue, 13 Feb 2018 15:33:48 +0000 (16:33 +0100)]
procd: fix ustream deadlock when there are 0 bytes or no newlines
Signed-off-by: John Crispin <john@phrozen.org>
Felix Fietkau [Thu, 5 Jul 2018 09:13:31 +0000 (11:13 +0200)]
procd: increase watchdog fd_buf storage size to fix gcc8 build error
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Yousong Zhou [Sun, 11 Feb 2018 09:19:11 +0000 (17:19 +0800)]
service: initialize supplementary group ids
We currently only call setgid() with user's primary group id for service
instance processes. In the case of a user belonging to multiple groups,
it's natural to also explicitly initialize their supplementary group ids
Fixes FS#988
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Yousong Zhou [Sun, 11 Feb 2018 09:17:08 +0000 (17:17 +0800)]
service: add func for string config change check
To also prepare for following commits introducing more string value
change detection
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Rosen Penev [Tue, 23 Jan 2018 20:30:52 +0000 (12:30 -0800)]
procd: get rid of putenv usage.
setenv is preferred according to POSIX. Also allows statically allocated strings.
Saves 200 bytes when stripped. 432 without.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Hans Dedecker [Mon, 22 Jan 2018 17:51:23 +0000 (18:51 +0100)]
trace: check asprintf() return value
Check asprintf() return value; fixes ignoring return value warnings:
warning: ignoring return value of 'asprintf', declared with attribute
warn_unused_result [-Wunused-result]
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Hans Dedecker [Mon, 22 Jan 2018 17:51:22 +0000 (18:51 +0100)]
trace: add missing limits.h include
Fixes compile issue when using glibc as INT_MAX is reported as
undeclared.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Karl Vogel [Wed, 17 Jan 2018 11:13:15 +0000 (12:13 +0100)]
procd: add timing to start/stop logging
Shows how long an initd task took, for example:
procd: stop /etc/init.d/dropbear running - took 0.088824s
procd: Update service dnsmasq
procd: Update instance dnsmasq::dnsmasq
procd: running /etc/init.d/dnsmasq running
procd: start /etc/init.d/dnsmasq running
procd: stop /etc/init.d/dnsmasq running - took 0.092586s
v2: rename variables, correct time unit
v3: use CLOCK_MONOTONIC_RAW to prevent issues with NTP and adjtime
Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
Rosen Penev [Mon, 25 Dec 2017 22:14:46 +0000 (14:14 -0800)]
procd: Add %m to several functions that return errno.
Might help with debugging. No size impact.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Rosen Penev [Mon, 25 Dec 2017 22:14:45 +0000 (14:14 -0800)]
procd: Remove redundant errno variable in several printf functions.
%m, aka strerror(errno) is already used. No need to repeat it. Saves 280 bytes.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Rosen Penev [Mon, 25 Dec 2017 22:14:44 +0000 (14:14 -0800)]
procd: Replace strerror(errno) with %m.
Saves 1496 bytes from compiled size under glibc. No functional difference.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Rosen Penev [Mon, 25 Dec 2017 22:52:20 +0000 (14:52 -0800)]
procd: Fix minor null pointer dereference.
Null pointer check was placed after assigning values to c.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Nathan Hintz [Fri, 29 Dec 2017 04:48:26 +0000 (04:48 +0000)]
procd: initd: fix path allocation in early_insmod
Noticed that /tmp was not being created on /dev/zram0. This was on
ixp4xx (nslu2) using GCC 6.3 and musl.
The allocation should be using the length of the passed string
(module path), not the size of the pointer to the string.
Signed-off-by: Nathan Hintz <nlhintz@hotmail.com>
Rosen Penev [Tue, 7 Nov 2017 20:05:12 +0000 (12:05 -0800)]
procd: Remove unnecessary memset calls.
Changes allocation to calloc and {} as needed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Pierre Lebleu [Fri, 10 Nov 2017 10:04:47 +0000 (11:04 +0100)]
service: add data within the service itself
It gives the ability to create firewall data within the
service itself.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
Pierre Lebleu [Fri, 10 Nov 2017 09:59:35 +0000 (10:59 +0100)]
service: fix calls to blobmsg_parse()
We should use blobmsg_data() rather than blob_data() and
blobmsg_data_len() rather than blob_len().
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
John Crispin [Mon, 6 Nov 2017 07:39:09 +0000 (08:39 +0100)]
procd: lower the logging threshold
Signed-off-by: John Crispin <john@phrozen.org>
Michal Sojka [Fri, 3 Nov 2017 21:31:41 +0000 (22:31 +0100)]
service: Start services normally when seccomp is disabled
When service init file declares seccomp support (procd_set_param seccomp),
but procd is compiled without seccomp support, the service should be
started normally, because seccomp-trace and utrace are not available.
Older procd versions decided about whether to start a service in
seccomp sandbox or not based on existence of seccomp whitelist in the
filesystem. This was recently removed (c8faedc "Do not disable seccomp
when configuration is not found", 2017-09-12) because it could be easy
for attackers to disable seccomp support. This change is a follow-up
to the mentioned commit. With it, procd decides about whether to use
seccomp sandbox based only on compile-time configuration.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Tested-by: Hans Dedecker <dedeckeh@gmail.com>
John Crispin [Thu, 26 Oct 2017 07:39:52 +0000 (09:39 +0200)]
procd: add missing new lines inside debug code
Signed-off-by: John Crispin <john@phrozen.org>
Pierre Lebleu [Wed, 25 Oct 2017 15:43:16 +0000 (17:43 +0200)]
service: fix service_handle_event array
The array concerning the "config.change" is __VALIDATE_MAX length,
not __DATA_MAX length.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
pme.lebleu@gmail.com [Wed, 4 Oct 2017 11:14:16 +0000 (13:14 +0200)]
service: fix SERVICE_ATTR_NAME usage in service_handle_set
The SERVICE_SET_NAME belongs to enum SERVICE_SET_XXXX, not SERVICE_ATTR_NAME.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
Karl Palsson [Mon, 25 Sep 2017 12:28:16 +0000 (12:28 +0000)]
instance: properly compare and reload respawn config
respawn configuration variables were not checked for changes, and were
not copied to new instances.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Michal Sojka [Wed, 27 Sep 2017 08:59:54 +0000 (10:59 +0200)]
utrace: Start the tracee only after uloop initialization
Without this, early ptrace stops can be missed because they can happen
before the call to uloop_init().
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:49 +0000 (13:12 +0200)]
utrace: Switch all logging to ulog
This unifies all log messages produced by utrace and removes
duplicated functionality.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Sun, 24 Sep 2017 14:38:21 +0000 (16:38 +0200)]
utrace: Support non-contiguous syscall numbers
ARM architecture does not have its system call numbers contiguous. So
far, utrace ignored the non-contiguous system calls, but it makes it
difficult to set up seccomp whitelists. This patch adds support for
these extra out-of-range syscalls.
It extends the generated file syscall_names.h to include a few
functions. Now, for ARM this file looks like:
    #include <asm/unistd.h>
    static const char *__syscall_names[] = {
        [280] = "waitid",
        [148] = "fdatasync",
        ...
        [252] = "epoll_wait",
        [74] = "sethostname",
    };
    static inline const char *syscall_name(unsigned i) {
        if (i < ARRAY_SIZE(__syscall_names))
            return __syscall_names[i];
        switch (i) {
        case 0x0f0001: return "breakpoint";
        case 0x0f0003: return "usr26";
        case 0x0f0004: return "usr32";
        case 0x0f0005: return "set_tls";
        case 0x0f0002: return "cacheflush";
        default: return (void*)0;
        }
    }
    static inline int syscall_index(unsigned i) {
        if (i < ARRAY_SIZE(__syscall_names))
            return i;
        switch (i) {
        case 0x0f0001: return ARRAY_SIZE(__syscall_names) + 0;
        case 0x0f0003: return ARRAY_SIZE(__syscall_names) + 1;
        case 0x0f0004: return ARRAY_SIZE(__syscall_names) + 2;
        case 0x0f0005: return ARRAY_SIZE(__syscall_names) + 3;
        case 0x0f0002: return ARRAY_SIZE(__syscall_names) + 4;
        default: return -1;
        }
    }
    static inline int syscall_index_to_number(unsigned i) {
        if (i < ARRAY_SIZE(__syscall_names))
            return i;
        switch (i) {
        case ARRAY_SIZE(__syscall_names) + 0: return 0x0f0001;
        case ARRAY_SIZE(__syscall_names) + 1: return 0x0f0003;
        case ARRAY_SIZE(__syscall_names) + 2: return 0x0f0004;
        case ARRAY_SIZE(__syscall_names) + 3: return 0x0f0005;
        case ARRAY_SIZE(__syscall_names) + 4: return 0x0f0002;
        default: return -1;
        }
    }
    #define SYSCALL_COUNT (ARRAY_SIZE(__syscall_names) + 5)
For x86, which does not have extra syscalls, the file looks this way:
    #include <asm/unistd.h>
    static const char *__syscall_names[] = {
        [247] = "waitid",
        [75] = "fdatasync",
        ...
        [232] = "epoll_wait",
        [170] = "sethostname",
    };
    static inline const char *syscall_name(unsigned i) {
        if (i < ARRAY_SIZE(__syscall_names))
            return __syscall_names[i];
        switch (i) {
        default: return (void*)0;
        }
    }
    static inline int syscall_index(unsigned i) {
        if (i < ARRAY_SIZE(__syscall_names))
            return i;
        switch (i) {
        default: return -1;
        }
    }
    static inline int syscall_index_to_number(unsigned i) {
        if (i < ARRAY_SIZE(__syscall_names))
            return i;
        switch (i) {
        default: return -1;
        }
    }
    #define SYSCALL_COUNT (ARRAY_SIZE(__syscall_names) + 0)
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:47 +0000 (13:12 +0200)]
utrace: Forward SIGTERM to the traced process
When a service is started with "/etc/init.d/<service> trace" or when
it has seccomp enabled (i.e. runs under seccomp-trace), stopping the
service with "/etc/init.d/<service> stop" stops only the tracer. The
service itself continues executing. This patch ensures that the service
is terminated as well.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:46 +0000 (13:12 +0200)]
utrace: Report ptrace errors
Michal Sojka [Tue, 12 Sep 2017 11:12:45 +0000 (13:12 +0200)]
seccomp: Improve error message
Print "SECCOMP_FILE not specified" instead of "failed to load (null)".
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:44 +0000 (13:12 +0200)]
preload-seccomp: Use proper log level for error messages
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:43 +0000 (13:12 +0200)]
Start seccomp-enabled services via seccomp-trace
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Sun, 24 Sep 2017 22:56:33 +0000 (00:56 +0200)]
seccomp: Log seccomp violations with utrace
Older kernel versions shipped by LEDE/OpenWrt contained the patch
target/linux/generic/patches-3.18/999-seccomp_log.patch that logged
seccomp violations. For some reason, newer kernels do not have this
patch. Without this kind of logging, it is very hard to set up a seccomp
whitelist properly, so this commit modifies utrace to serve as a
logger for seccomp violations.
With this patch, when utrace is executed via seccomp-trace symlink, it
does not trace normal syscalls but only seccomp violations and logs
them to syslog. For example:
    seccomp-trace: uci[3955] tried to call non-whitelisted syscall: ftruncate64 (see /etc/seccomp/myservice.json)
Compared to the kernel-based logging, this approach gives users more
information - which json whitelist needs to be extended. This is
especially useful for services, which fork many diverse children such
as shell scripts.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
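A parser for the violation message quoted in the commit above, so that missing syscalls can be collected per whitelist file. This is an added example, not code from procd; the struct, the function names and all sample lines except the first are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One parsed violation (struct layout is this example's own). */
struct violation {
    char prog[64];
    int pid;
    char syscall[64];
    char policy[256];
};

/* Parse one syslog message in the format quoted in the commit message.
 * Returns 1 and fills *v on a match, 0 for any other line. */
static int parse_violation(const char *line, struct violation *v)
{
    const char *p = strstr(line, "seccomp-trace: ");
    int end = 0;
    if (!p)
        return 0;
    /* %n is only reached if the closing ')' matched, so end > 0 proves
     * that the whole message, not just a prefix, had the expected shape. */
    int n = sscanf(p, "seccomp-trace: %63[^[][%d] tried to call "
                      "non-whitelisted syscall: %63s (see %255[^)])%n",
                   v->prog, &v->pid, v->syscall, v->policy, &end);
    return n == 4 && end > 0;
}

/* Constructed sample log: entry 0 is the page's example, the rest are made up. */
static const char *const sample_log[] = {
    "seccomp-trace: uci[3955] tried to call non-whitelisted syscall: "
        "ftruncate64 (see /etc/seccomp/myservice.json)",
    "kernel: br-lan: port 1 entered forwarding state",
    "seccomp-trace: sh[4001] tried to call non-whitelisted syscall: "
        "utimensat (see /etc/seccomp/myservice.json)",
    "seccomp-trace: sh[4002] tried to call non-whitelisted syscall: "
        "utimensat (see /etc/seccomp/other.json)",
};

/* Count violations in lines[] that point at the given whitelist file. */
static size_t violations_for(const char *const *lines, size_t n,
                             const char *policy)
{
    struct violation v;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (parse_violation(lines[i], &v) && !strcmp(v.policy, policy))
            hits++;
    return hits;
}
```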
Michal Sojka [Tue, 12 Sep 2017 11:12:41 +0000 (13:12 +0200)]
utrace: Use PTHREAD_SEIZE instead of PTHREAD_TRACEME
This makes it easier to handle initial ptrace-stops (after
fork/clone/...), because we don't need to distinguish whether SIGSTOP
is from user or from ptrace. Also execve() does not deliver an extra
SIGTRAP, which we would have to handle.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:40 +0000 (13:12 +0200)]
utrace: Deliver signals to traced processes
Without this change, traced processes do not receive any signal,
because all the signals are "eaten" by the tracer.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:39 +0000 (13:12 +0200)]
utrace: Support tracing multi-threaded processes and vfork
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:38 +0000 (13:12 +0200)]
utrace: Trace processes across forks
Without this change, utrace can trace only a single process. When the
process forks, syscalls of its children do not appear in utrace
output. This is a problem, because seccomp filters are inherited by
children and therefore filters generated by utrace may lack legitimate
syscalls.
This commit enables utrace to trace processes across forks. The
functionality can be demonstrated by the following examples:
    utrace /bin/touch /tmp/xxx
produces:
    {
      "whitelist": [
        "rt_sigaction",
        "rt_sigreturn",
        "exit",
        "getuid",
        "exit_group",
        "utimensat"
      ],
      "policy": 1
    }
The command:
    utrace /bin/sh -c 'touch /tmp/xxx'
without this commit produces:
    {
      "whitelist": [
        "stat",
        "rt_sigaction",
        "rt_sigprocmask",
        "rt_sigreturn",
        "getpid",
        "fork",
        "exit",
        "wait4",
        "uname",
        "getcwd",
        "getuid",
        "getppid",
        "exit_group"
      ],
      "policy": 1
    }
but with this commit, the output is the following:
    {
      "whitelist": [
        "read",
        "open",
        "close",
        "stat",
        "fstat",
        "mmap",
        "mprotect",
        "rt_sigaction",
        "rt_sigprocmask",
        "rt_sigreturn",
        "getpid",
        "fork",
        "execve",
        "exit",
        "wait4",
        "uname",
        "fcntl",
        "getcwd",
        "getuid",
        "getppid",
        "arch_prctl",
        "gettid",
        "set_tid_address",
        "exit_group",
        "utimensat"
      ],
      "policy": 1
    }
Note that in addition to the utimensat syscall from touch, this output
contains more syscalls than what is in the union of the single-process sh
and touch traces. The reason is that single-process traces do not
include syscalls from the dynamic linker (due to the preload trick), but the
trace of forked processes includes the dynamic linker syscalls. This
is unavoidable, because the dynamic linker of the forked processes will be
subject to the seccomp filters of the parent process.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
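The comparison made in the note above, carried through on the three whitelists from this commit message. This is an added example, not part of utrace; the array and function names are this example's own, and the syscall lists are copied from the outputs shown.

```c
#include <stddef.h>
#include <string.h>

/* Whitelists copied from the three utrace outputs in the commit message. */
static const char *const touch_only[] = { "rt_sigaction", "rt_sigreturn",
    "exit", "getuid", "exit_group", "utimensat", NULL };
static const char *const sh_single[] = { "stat", "rt_sigaction",
    "rt_sigprocmask", "rt_sigreturn", "getpid", "fork", "exit", "wait4",
    "uname", "getcwd", "getuid", "getppid", "exit_group", NULL };
static const char *const sh_forks[] = { "read", "open", "close", "stat",
    "fstat", "mmap", "mprotect", "rt_sigaction", "rt_sigprocmask",
    "rt_sigreturn", "getpid", "fork", "execve", "exit", "wait4", "uname",
    "fcntl", "getcwd", "getuid", "getppid", "arch_prctl", "gettid",
    "set_tid_address", "exit_group", "utimensat", NULL };

/* 1 if the NULL-terminated list contains name. */
static int has(const char *const *set, const char *name)
{
    for (; *set; set++)
        if (!strcmp(*set, name))
            return 1;
    return 0;
}

/* Store in out[] the entries of full that appear in neither a nor b, in
 * the order they occur in full; returns how many were stored (<= cap).
 * With a = sh_single and b = touch_only this yields the syscalls that only
 * show up when the child is traced too (dynamic linker and execve). With
 * a = b = sh_single it yields what a filter generated from the
 * single-process trace would deny to the forked child. */
static size_t extra_syscalls(const char *const *full, const char *const *a,
                             const char *const *b, const char **out,
                             size_t cap)
{
    size_t n = 0;

    for (; *full; full++)
        if (!has(a, *full) && !has(b, *full) && n < cap)
            out[n++] = *full;
    return n;
}
```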
Michal Sojka [Tue, 12 Sep 2017 11:12:37 +0000 (13:12 +0200)]
utrace: Sort syscalls by number of invocations
seccomp and service jailing announce email [1] mentioned that "utrace
tool will sort the syscalls by the number of invocations". The code
did not do that until this commit.
[1] https://lists.openwrt.org/pipermail/openwrt-devel/2015-March/032197.html
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:36 +0000 (13:12 +0200)]
Update trace attribute
When a service is started for the first time without trace
attribute (e.g. during boot), then it was impossible to restart it in
tracing mode (/etc/init.d/service trace). This is fixed here.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:35 +0000 (13:12 +0200)]
Do not disable seccomp when configuration is not found
Previously, when the seccomp configuration file for a service was not
found, the service was started without seccomp. I consider this
a potential attack vector.
With this change, procd starts the service as if the configuration
existed but the service fails in libpreload-seccomp.so, because the
configuration cannot be loaded. This is announced in the syslog.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:34 +0000 (13:12 +0200)]
utrace: Fix off-by-one errors
This fixes two errors:
1) memcpy() copies envc elements starting from index 1, so the number
of elements in target array should be envc + 1. But only envc was
allocated.
2) If original environment envp is empty, i.e. it contains only a NULL
element, the while loop misses it.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
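The two sizing rules named in the commit above, shown on a helper that prepends one entry to an environment array. This is an added example and not utrace's code; the function name `env_with_extra` and the sample strings in the test are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not utrace's function): return a new NULL-terminated
 * environment whose slot 0 is `extra` and whose remaining slots are the
 * entries of `envp`. The caller frees the array, not the strings.
 * *slots receives the number of array elements allocated. */
static char **env_with_extra(char *const envp[], char *extra, size_t *slots)
{
    size_t envc = 0;

    /* Count every slot including the terminating NULL. A do/while is
     * used so that an empty environment, which is just { NULL }, still
     * yields envc == 1 and its terminator gets copied. */
    do {
        envc++;
    } while (envp[envc - 1] != NULL);

    /* envc pointers are copied to indexes 1..envc and index 0 holds
     * `extra`, so the target needs envc + 1 elements. Allocating only
     * envc would let memcpy() write one pointer past the end. */
    char **out = calloc(envc + 1, sizeof(*out));
    if (!out)
        return NULL;

    out[0] = extra;
    memcpy(&out[1], envp, envc * sizeof(*out));
    if (slots)
        *slots = envc + 1;
    return out;
}
```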
Michal Sojka [Tue, 12 Sep 2017 11:12:33 +0000 (13:12 +0200)]
utrace: Fix environment initialization
We want to copy the existing environment instead of the new one to
itself. Other bugs in this code are fixed in the next commit.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
John Crispin [Tue, 22 Aug 2017 14:43:54 +0000 (16:43 +0200)]
procd: send ubus notify when a config file has changed
Signed-off-by: John Crispin <john@phrozen.org>
Hans Dedecker [Tue, 8 Aug 2017 07:49:26 +0000 (09:49 +0200)]
watchdog: fix inline watchdog_get_magicclose function prototype
Fix procd compilation issue which occurs when DISABLE_INIT is set as the
inline watchdog_get_magicclose function prototype was wrong.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Michal Sojka [Thu, 6 Jul 2017 20:25:16 +0000 (22:25 +0200)]
procd: Do not leak pipe file descriptors to children
Without this change, a process started by procd can have access to
stdout/err of processes started by procd before.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
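One way to keep a supervisor's log pipes out of later children is the close-on-exec flag, shown here beside the leaky form. This is an added example under that assumption, not procd's code; the commit message does not say how the fix was made, and all function names are hypothetical.

```c
#include <fcntl.h>
#include <unistd.h>

/* 1 if fd is open and would stay open in a program started with exec*(). */
static int survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);

    return flags != -1 && !(flags & FD_CLOEXEC);
}

/* Leaky form: both ends of the pipe are inherited by every process the
 * supervisor forks and execs afterwards. */
static int log_pipe_leaky(int fds[2])
{
    return pipe(fds);
}

/* Hardened form: mark both ends close-on-exec right after creation. */
static int log_pipe_cloexec(int fds[2])
{
    if (pipe(fds) < 0)
        return -1;
    for (int i = 0; i < 2; i++) {
        int fl = fcntl(fds[i], F_GETFD);

        if (fl == -1 || fcntl(fds[i], F_SETFD, fl | FD_CLOEXEC) == -1) {
            close(fds[0]);
            close(fds[1]);
            return -1;
        }
    }
    return 0;
}

/* What the child that owns the pipe does between fork() and exec():
 * dup2() clears FD_CLOEXEC on the new descriptor, so the owner keeps its
 * stdout/stderr while the original pipe descriptors are closed by exec. */
static int attach_output(int pipe_wr, int target_fd)
{
    return dup2(pipe_wr, target_fd);
}
```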
Matthias Schiffer [Thu, 20 Jul 2017 19:35:14 +0000 (21:35 +0200)]
system: return ubus error when sysupgrade_exec_upgraded() has failed
When sysupgrade_exec_upgraded() is successful, it will replace procd with
upgraded, so it won't ever return (making the ubus call hang forever, which
is fine as stage2 will kill all processes anyways).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>