11 months ago jail: handle containers separately
Daniel Golle [Wed, 20 May 2020 14:26:08 +0000 (15:26 +0100)]
jail: handle containers separately

To make the API more clean and running containers less of a hidden
feature offer new object ubus 'containers' to handle container
operations similar to how services are handled.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
11 months ago jail: use sane termios settings for console pts
Daniel Golle [Wed, 20 May 2020 13:57:21 +0000 (14:57 +0100)]
jail: use sane termios settings for console pts

The previously used expression (inspired by LXC) didn't actually make
a lot of sense. Replace it with something inspired by a more recent
version of LXC...

Reported-by: Oldřich Jedlička <oldium.pro@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
12 months ago jail: add option to provide /dev/console to containers
Daniel Golle [Sun, 12 Apr 2020 21:35:25 +0000 (22:35 +0100)]
jail: add option to provide /dev/console to containers

Create UNIX/98 PTY, pass master fd to procd and setup mount-bind of
slave PTS device on /dev/console inside jail.
Allow attaching to an instance's console by using the newly introduced
ujail-console command (no multiplexing for now).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
12 months ago jail: unnamed jails can not have netns (fix segfault)
Leonardo Mörlein [Fri, 8 May 2020 00:58:25 +0000 (02:58 +0200)]
jail: unnamed jails can not have netns (fix segfault)

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
12 months ago jail: SIGSEGV must not be forwarded to the child process
Leonardo Mörlein [Fri, 8 May 2020 00:58:24 +0000 (02:58 +0200)]
jail: SIGSEGV must not be forwarded to the child process

A segfault in ujail caused ujail to hang with no chance to abort.
Raising the debug level revealed that SIGSEGV was delivered to
the child process instead of handled directly by ujail. The
corresponding debug message was triggered infinitely again and

forwarding signal 11 to the jailed process
forwarding signal 11 to the jailed process
forwarding signal 11 to the jailed process
forwarding signal 11 to the jailed process
forwarding signal 11 to the jailed process
forwarding signal 11 to the jailed process
forwarding signal 11 to the jailed process

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
12 months ago jail: don't load libpreload-seccomp.so if it doesn't exist
Daniel Golle [Sat, 25 Apr 2020 09:24:35 +0000 (10:24 +0100)]
jail: don't load libpreload-seccomp.so if it doesn't exist

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
12 months ago jail: don't fail unless requirejail is set
Daniel Golle [Sat, 25 Apr 2020 08:48:46 +0000 (09:48 +0100)]
jail: don't fail unless requirejail is set

Pass requirejail attribute to ujail and only fail to start a service
which has seccomp policy defined on a system which doesn't have
procd-seccomp installed in case requirejail is set.

Fixes: bcb8655 ("instance: add 'requirejail' attribute")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
12 months ago jail: include /etc/nsswitch.conf in jail for glibc.
Daniel Golle [Sun, 19 Apr 2020 22:06:51 +0000 (23:06 +0100)]
jail: include /etc/nsswitch.conf in jail for glibc.

/etc/nsswitch.conf is needed to resolve usernames and groups from
/etc/passwd and /etc/groups, name resolution and a bunch of other
things when using glibc.
Mount /etc/nsswitch.conf in jail when building against glibc.

Reported-by: Tobias Waldvogel <tobias.waldvogel@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
13 months ago jail: always mount /dev as additional tmpfs
Daniel Golle [Tue, 14 Apr 2020 14:46:03 +0000 (15:46 +0100)]
jail: always mount /dev as additional tmpfs

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
13 months ago jail: replace /etc/resolv.conf with symlink in extroot+overlay
Daniel Golle [Mon, 13 Apr 2020 01:03:53 +0000 (02:03 +0100)]
jail: replace /etc/resolv.conf with symlink in extroot+overlay

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
13 months ago jail: mount /sys read-only
Daniel Golle [Sun, 12 Apr 2020 20:39:05 +0000 (21:39 +0100)]
jail: mount /sys read-only

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
13 months ago jail: make /proc more secure
Daniel Golle [Sun, 12 Apr 2020 20:12:20 +0000 (21:12 +0100)]
jail: make /proc more secure

Make sure /proc/sys is read-only while keeping read-write access to
/proc/sys/net if spawning a new network namespace.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
13 months ago instance: harmonize instance API
Daniel Golle [Sun, 12 Apr 2020 18:31:36 +0000 (19:31 +0100)]
instance: harmonize instance API

Move attributes in generated output to match their place in the
expected input.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
13 months ago jail: only mess with rootfs if CLONE_NEWNS was set
Daniel Golle [Sun, 12 Apr 2020 14:51:49 +0000 (15:51 +0100)]
jail: only mess with rootfs if CLONE_NEWNS was set

Avoid messing up rootfs of the parent/only mount namespace for the
unusual case of a jailed process which does use namespaces, but
doesn't make use of mount namespaces.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
13 months ago jail: add support for (ram-)overlayfs
Daniel Golle [Fri, 20 Mar 2020 18:21:43 +0000 (18:21 +0000)]
jail: add support for (ram-)overlayfs

Add support for running service with a read/write filesystem overlay.
This can either be a user-defined directory for persistency or reside
on a tmpfs with fixed size in the RAM.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
13 months ago jail: add support for userns and cgroupsns
Daniel Golle [Fri, 20 Mar 2020 18:20:51 +0000 (18:20 +0000)]
jail: add support for userns and cgroupsns

Add options to have jailed process inside new user namespace and
cgroups namespace.
Currently only the root user inside the container is mapped.
Also, mounting /proc currently still fails in the new user namespace
with permission denied for unknown reasons.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
13 months ago jail: add support for launching extroot containers
Daniel Golle [Fri, 20 Mar 2020 18:19:53 +0000 (18:19 +0000)]
jail: add support for launching extroot containers

Add option to ujail to use an existing rootfs when launching a
containerized service. Later on this option will also be used to
launch full-system containers.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
14 months ago jail: mount-bind /etc/resolv.conf for non-netns jails
Daniel Golle [Thu, 12 Mar 2020 21:54:19 +0000 (22:54 +0100)]
jail: mount-bind /etc/resolv.conf for non-netns jails

Many applications won't work without name resolution and expect
/etc/resolv.conf in place. While this is already handled for
netns-jails, simply mount-bind /etc/resolv.conf for non-netns-jails.

Signed-off-by: Daniel Golle <daniel@makrotoia.org>
15 months ago seccomp: fix resource leak
Kevin Darbyshire-Bryant [Tue, 11 Feb 2020 09:07:00 +0000 (09:07 +0000)]
seccomp: fix resource leak

Fix coverity reported resource leaks:

CID 1446217:    (RESOURCE_LEAK)
   Variable "filter" going out of scope leaks the storage it points to.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
15 months ago instance: add 'requirejail' attribute
Kevin Darbyshire-Bryant [Thu, 30 Jan 2020 17:35:06 +0000 (17:35 +0000)]
instance: add 'requirejail' attribute

Since commit b44417c instance: provide error feedback if ujail binary is
missing, worrying log spam of the form "unable to find /sbin/jail ..."
may be encountered.

On systems not configured with jail capabilities the lack of jail binary
is not an error, whilst on systems with jail capabilities the warning
will be issued and the process is started outside of a jail.

This commit adds a new procd jail parameter 'mustjail' which if set
issues an error and does NOT start the process outside of a jailed

The original 'unable to find jail binary' warning is output in DEBUG
mode, thus processes started in a 'may jail' but non-jail capable
environment do not spam the log.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
15 months ago procd: show process's exit code
Ondřej Votava [Thu, 23 Jan 2020 14:31:31 +0000 (15:31 +0100)]
procd: show process's exit code

Adds feature to show exit code of processes launched by procd.
The exit code is shown for finished process when ubus's
service list method is called.

The exit code value is computed according to waitpid(2)
and http://tldp.org/LDP/abs/html/exitcodes.html

Signed-off-by: Ondřej Votava <ondrej.votava@cvut.cz>
15 months ago state: fix reboot causing shutdown inside LXC container
Petr Štetiar [Wed, 15 Jan 2020 19:28:38 +0000 (20:28 +0100)]
state: fix reboot causing shutdown inside LXC container

Executing `reboot` command in OpenWrt system running inside LXC container
results in a shutdown of the container instead of rebooting the

This appears to have been caused by commit 832369078d81 ("state: fix
shutdown when running in a container (FS#2425)"), which exits the pid
einz instead of the reboot().

While at it, refactor the halting code into separate function to shorten
the switch/case block and make it clearer, decrease the indentation
level by reversing the container if condition, replace magic 0 with
EXIT_SUCCESS constant in exit() and make it wait 1s for reboot message
delivery in both container/host cases as well.

Ref: FS#2666
Cc: Paul Spooren <mail@aparcar.org>
Fixes: 832369078d81 ("state: fix shutdown when running in a container (FS#2425)")
Tested-by: Baptiste Jonglez <lede@bitsofnetworks.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
15 months ago instance: provide error feedback if ujail binary is missing
Petr Štetiar [Fri, 17 Jan 2020 15:21:51 +0000 (16:21 +0100)]
instance: provide error feedback if ujail binary is missing

Otherwise it's quite hard to track such issues.  While at it, be DRY and
use UJAIL_BIN_PATH constant for ujail binary.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
15 months ago jail: more strict mount options for /tmp/resolv.conf.d/
Daniel Golle [Fri, 3 Jan 2020 13:54:57 +0000 (15:54 +0200)]
jail: more strict mount options for /tmp/resolv.conf.d/

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
15 months ago jail: create resolv.conf symlink for netns jails
Daniel Golle [Fri, 3 Jan 2020 10:29:17 +0000 (12:29 +0200)]
jail: create resolv.conf symlink for netns jails

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
15 months ago jail: add basic support for network namespaces
Daniel Golle [Wed, 4 Dec 2019 13:06:06 +0000 (14:06 +0100)]
jail: add basic support for network namespaces

Add new 'netns' flag for procd_add_jail to make ujail setup a new
network namespace for the jailed service.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
15 months ago instance: Fix instance_config_move_strdup() function
Daniel Golle [Sun, 19 Jan 2020 07:42:37 +0000 (09:42 +0200)]
instance: Fix instance_config_move_strdup() function

instance_config_move_strdup() previously returned too early in case of
a value being previously unassigned.

Fixes: 153820c ("instance: fix pidfile and seccomp attributes double free")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
15 months ago instance: fix typo in error message
Petr Štetiar [Fri, 10 Jan 2020 21:56:31 +0000 (22:56 +0100)]
instance: fix typo in error message

Fixes `removed` to proper `remove` in "Failed to removed pidfile".

Fixes: b12bb150ed38 ("procd: service: Support writing pidfiles")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
15 months ago instance: fix pidfile and seccomp attributes double free
Petr Štetiar [Fri, 17 Jan 2020 17:22:37 +0000 (18:22 +0100)]
instance: fix pidfile and seccomp attributes double free

Commit a5af33ce9a16 ("instance: strdup string attributes") has
introduced duplication of various string attributes in order to fix
use-after-free, but missed handling of `pidfile` and `seccomp` attribute
cases in instance_config_move() where the new value of `pidfile` or
`seccomp` is being copied/assigned. Source of this values is then
free()d in subsequent call to instance_free() and then again for 2nd
time during the service stop command handling, leading to double free

 #0  unmap_chunk at src/malloc/malloc.c:515
 #1  free at src/malloc/malloc.c:526
 #2  instance_free (in=0xd5e300) at instance.c:1100
 #3  instance_delete (in=0xd5e300) at instance.c:559
 #4  instance_stop (in=0xd5e300, halt=true) at instance.c:611

While at it, add missing handling of jail.name and jail.hostname
attributes as well.

Ref: FS#2723
Fixes: a5af33ce9a16 ("instance: strdup string attributes")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
16 months ago instance: strdup string attributes
Daniel Golle [Sat, 4 Jan 2020 14:16:12 +0000 (16:16 +0200)]
instance: strdup string attributes

Previously string attributes were set to pointers returned by
blobmsg_get_string() which caused use-after-free problems.
Use strdup() to have copies of all stored strings and free them
during cleanup.

Reviewed-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
16 months ago system: watchdog_set: fix misleading indentation
Petr Štetiar [Sun, 5 Jan 2020 10:48:35 +0000 (11:48 +0100)]
system: watchdog_set: fix misleading indentation

Fixes error reported by clang version 10.0.0-+20200102091410:

 system.c:367:4: error: misleading indentation; statement is not part of the previous 'if' [-Werror,-Wmisleading-indentation]
 system.c:365:3: note: previous statement is here
                 if (timeout <= frequency)

Signed-off-by: Petr Štetiar <ynezz@true.cz>
16 months ago system: sysupgrade: fix possibly misleading error
Petr Štetiar [Fri, 3 Jan 2020 00:26:50 +0000 (01:26 +0100)]
system: sysupgrade: fix possibly misleading error

Fix possibly misleading error "Firmware image is broken and cannot be
installed" which could be produced by JSON without expected validation
variables, where "Validation script provided invalid input" error message
makes more sense.

Cc: Rafał Miłecki <rafal@milecki.pl>
Tested-by: Kuan-Yi Li <kyli@abysm.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
16 months ago system: sysupgrade: rework firmware validation
Petr Štetiar [Mon, 30 Dec 2019 21:34:50 +0000 (22:34 +0100)]
system: sysupgrade: rework firmware validation

Fixes following deficiencies:

 * unhandled read() errors
 * everything bundled in one long function, which is hard to follow and
   reason about
 * JSON parser errors are being ignored, anything else than
   json_tokener_continue is fatal error
 * JSON parser errors are being output to stderr, thus invisible via SSH
 * validate_firmware_image_call can fail at a lot of places, but we just
   get one generic "Firmware image couldn't be validated" so it's hard
   to debug

Cc: Rafał Miłecki <rafal@milecki.pl>
Tested-by: Kuan-Yi Li <kyli@abysm.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
16 months ago system: fix failing image validation due to EINTR
Petr Štetiar [Sun, 29 Dec 2019 20:25:33 +0000 (21:25 +0100)]
system: fix failing image validation due to EINTR

It was quite common to see following error during sysupgrade on serial

 Failed to parse JSON: 4

This is happening due to the fact, that validate_firmware_image_call
fork()s then waits in blocking read() for the input from the child
process, but child finishes its tasks and exits, thus emitting SIGCHLD
signal which then leads to the interruption of the blocking read() in
the parent process with EINTR error.

It seems like the recent fixes in the libubox library, particularly in
the jshn sub-component (which empowers json_dump used in the shell
script executed by the child process) made the execution somehow faster,
thus exposing this racy behaviour in the validate_firmware_image_call at
least on RPi-4 (Cortex-A72) target.

So this patch fixes this issue by checking the read() return value and
retrying the read() if interrupted due to the EINTR error.

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2020-January/020994.html
Fixes: e990e215e8a3 ("system: add "validate_firmware_image" ubus method")
Cc: Rafał Miłecki <rafal@milecki.pl>
Tested-by: Kuan-Yi Li <kyli@abysm.org>
Tested-by: Petr Novák <petrn@me.com>
Reported-by: Petr Novák <petrn@me.com>
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
16 months ago cmake: fix lookup of external libraries
Petr Štetiar [Sun, 29 Dec 2019 14:56:43 +0000 (15:56 +0100)]
cmake: fix lookup of external libraries

In order to make it compile properly in more environments.

Tested-by: Petr Novák <petrn@me.com>
Tested-by: Kuan-Yi Li <kyli@abysm.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
16 months ago jail: remove accidentally added lines
Daniel Golle [Mon, 30 Dec 2019 18:22:45 +0000 (20:22 +0200)]
jail: remove accidentally added lines

The previous commit accidentally added unrelated lines which broke
build. Remove them.

Fixes: 2c5c19 ("jail: set user and group inside jail")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
16 months ago jail: set user and group inside jail
Daniel Golle [Sun, 29 Dec 2019 14:23:34 +0000 (16:23 +0200)]
jail: set user and group inside jail

This allows jailed services to run as users other than root, simply
because some services refuse to be run as UID 0.
Previously, setting the process UID and GID before launching the
jail wrapper prevented the jail from starting.
Rather than setting them in procd/service.c, pass user and group
parameters to ujail and set them inside ujail just before executing the

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
18 months ago system: sysupgrade: close input side of pipe before reading
Dustin Lundquist [Mon, 28 Oct 2019 16:52:06 +0000 (16:52 +0000)]
system: sysupgrade: close input side of pipe before reading

When /usr/libexec/validate_firmware_image is not present on the system
procd will hang indefinitely on the read() since the input side of the
pipe is still open.

Also fix pipe file descriptor leak when fork() fails.

Signed-off-by: Dustin Lundquist <d.lundquist@temperednetworks.com>
Acked-by: Rafał Miłecki <rafal@milecki.pl>
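
The two sysupgrade fixes described in the log entries above (retrying read() when SIGCHLD interrupts it with EINTR, and closing the parent's copy of the pipe's write end before reading) fit in one parent/child sketch. This is an added example, not procd's code: `read_all_retry`, `collect_child_output` and the sample JSON are hypothetical names and constructed data.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the JSON a validation helper would print. */
static const char SAMPLE_JSON[] = "{ \"valid\": true }";

/* Empty handler: its only purpose is to make SIGCHLD interrupt syscalls. */
static void on_sigchld(int sig) { (void)sig; }

/* Read until EOF or until buf is full; a read() cut short by a signal
 * (EINTR) is retried instead of being reported as a failure. */
ssize_t read_all_retry(int fd, char *buf, size_t len)
{
	size_t off = 0;

	while (off < len) {
		ssize_t n = read(fd, buf + off, len - off);

		if (n < 0) {
			if (errno == EINTR)
				continue;	/* interrupted, no data lost: try again */
			return -1;		/* genuine I/O error */
		}
		if (n == 0)
			break;			/* EOF: every write end is closed */
		off += (size_t)n;
	}
	return (ssize_t)off;
}

/* Fork a child that writes SAMPLE_JSON to a pipe and exits; collect its
 * output in the parent as a NUL-terminated string. Returns bytes read or -1. */
ssize_t collect_child_output(char *out, size_t outlen)
{
	struct sigaction sa, old;
	int fds[2];
	pid_t pid;
	ssize_t n;

	if (outlen == 0 || pipe(fds) < 0)
		return -1;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_sigchld;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = 0;	/* no SA_RESTART: a blocking read() can see EINTR */
	if (sigaction(SIGCHLD, &sa, &old) < 0) {
		close(fds[0]);
		close(fds[1]);
		return -1;
	}

	pid = fork();
	if (pid < 0) {
		/* fork() failed: release both pipe descriptors, do not leak them */
		close(fds[0]);
		close(fds[1]);
		sigaction(SIGCHLD, &old, NULL);
		return -1;
	}
	if (pid == 0) {
		ssize_t w;

		close(fds[0]);
		w = write(fds[1], SAMPLE_JSON, sizeof(SAMPLE_JSON) - 1);
		_exit(w == (ssize_t)(sizeof(SAMPLE_JSON) - 1) ? 0 : 1);
	}

	/* Close the parent's write end first. While it stays open, read()
	 * never returns 0 and the parent blocks forever if the child writes
	 * nothing (for example because the helper could not be executed). */
	close(fds[1]);

	n = read_all_retry(fds[0], out, outlen - 1);
	close(fds[0]);

	while (waitpid(pid, NULL, 0) < 0 && errno == EINTR)
		;	/* reaping the child can be interrupted as well */
	sigaction(SIGCHLD, &old, NULL);

	if (n >= 0)
		out[n] = '\0';
	return n;
}

int main(void)
{
	char buf[128];
	ssize_t n = collect_child_output(buf, sizeof(buf));

	if (n < 0) {
		perror("collect_child_output");
		return 1;
	}
	printf("read %zd bytes: %s\n", n, buf);
	return 0;
}
```

Whether a given run actually hits EINTR depends on scheduling, which is the racy behaviour the EINTR entry describes; the loop returns the full child output either way.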
18 months ago instance: Warn about unexpected number of parameters
Hauke Mehrtens [Fri, 1 Nov 2019 16:16:39 +0000 (17:16 +0100)]
instance: Warn about unexpected number of parameters

Warn when the number of allocated parameters for the jail argv does not
match the number of used parameters. This normally leads to a buffer

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
18 months ago instance: ujail: Fix allocated size for no_new_privs parameter
Hauke Mehrtens [Fri, 1 Nov 2019 16:16:38 +0000 (17:16 +0100)]
instance: ujail: Fix allocated size for no_new_privs parameter

When the no_new_privs parameter is given, the size of the array which
contains the argv pointers is not increased in instance_jail_parse()
which causes a buffer overflow. Fix this by requesting one more entry in
instance_jail_parse() for the allocation.

Fixes: dfd5816bcbef ("instance, ujail: wire no_new_privs (-c) option")
Cc: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
18 months ago procd: simplify code in procd_inittab_run
Michael Heimpold [Tue, 1 Jan 2019 23:44:53 +0000 (00:44 +0100)]
procd: simplify code in procd_inittab_run

This is a trial to make it more obvious what the historically
grown code is actually doing.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
18 months ago procd: replace exit(-1) with exit(EXIT_FAILURE)
Michael Heimpold [Tue, 1 Jan 2019 23:44:59 +0000 (00:44 +0100)]
procd: replace exit(-1) with exit(EXIT_FAILURE)

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
18 months ago procd: add upgraded binary to .gitignore
Michael Heimpold [Tue, 1 Jan 2019 23:44:58 +0000 (00:44 +0100)]
procd: add upgraded binary to .gitignore

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
18 months ago procd: add start-console support
Michael Heimpold [Tue, 1 Jan 2019 23:44:57 +0000 (00:44 +0100)]
procd: add start-console support

This adds a hotplug function to (re-)start inittab entries with askfirst or respawn.

At the moment the devices used with these actions must be present during boot
otherwise such lines are skipped.

However, this prevents having inittab entries with consoles for e.g. USB gadget
devices which only appear after kernel module loading and after configuring them
with configfs.

While it was possible to only scan the inittab for the desired item to start,
I assume the inittab to be short and re-running the whole list will be negligible.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
18 months ago procd: shift arguments for askfirst only once
Michael Heimpold [Tue, 1 Jan 2019 23:44:56 +0000 (00:44 +0100)]
procd: shift arguments for askfirst only once

In case we want to process an inittab item multiple times (e.g. in case
of hotplugging) we must not shift the arguments for askfirst multiple
times. So check whether we already did it.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
18 months ago procd: skip respawn in case device disappeared
Michael Heimpold [Tue, 1 Jan 2019 23:44:55 +0000 (00:44 +0100)]
procd: skip respawn in case device disappeared

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
18 months ago procd: guard fork_worker calls
Michael Heimpold [Tue, 1 Jan 2019 23:44:54 +0000 (00:44 +0100)]
procd: guard fork_worker calls

Usually respawn(), askfirst(), askconsole() and rcrespawn() are run only
one time to start a worker child for the given inittab entry.

In case we want to allow calling these functions several times, we need
to ensure that we do not start multiple workers at the same time for the
same inittab item.

For this, we can re-use the remembered pid of the worker child,
however, we need to reset this pid to allow a new instance in case the
previous child exited.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
18 months ago procd: Add cached and available to memory table
Zachary Cook [Tue, 8 Oct 2019 05:02:50 +0000 (01:02 -0400)]
procd: Add cached and available to memory table

Provides a better measure of actual system memory usage for Luci/users.
"cached" will be used to add a new progress bar, "available" is the
kernel's estimate of memory that is actually useable, and is more
accurate than (memory.free + memory.buffered) that Luci currently uses
to calculate available memory.

Signed-off-by: Zachary Cook <zachcook1991@gmail.com>
19 months ago procd: Switch to nanosleep
Rosen Penev [Sun, 1 Sep 2019 20:26:43 +0000 (13:26 -0700)]
procd: Switch to nanosleep

usleep has been deprecated by POSIX.1-2001 and removed in POSIX.1-2008.
Fixes compilation when libc does not include usleep (optional with

nanosleep also has the advantage of being more accurate.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
19 months ago system: Fix possible integer overflows
Hauke Mehrtens [Fri, 13 Sep 2019 20:04:03 +0000 (22:04 +0200)]
system: Fix possible integer overflows

This multiplication was done on 32 bit integers before, explicitly cast
them to 64 bit values before to make sure the multiplication is done on
64 bit numbers.

Coverity: #1412417, #1412410, #1412409, #1412411, #1412424, #1412407
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
19 months ago system: sysupgrade: send reply on error
Rafał Miłecki [Wed, 11 Sep 2019 09:21:59 +0000 (11:21 +0200)]
system: sysupgrade: send reply on error

This provides some meaningful info on why sysupgrade has failed.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Jo-Philipp Wich <jo@mein.io>
19 months ago system: refuse sysupgrade with backup if it's unsupported
Rafał Miłecki [Wed, 11 Sep 2019 08:34:41 +0000 (10:34 +0200)]
system: refuse sysupgrade with backup if it's unsupported

Don't allow it if validation methods marked firmware as not supporting a

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
20 months ago sysupgrade: support "backup" attribute
Rafał Miłecki [Wed, 11 Sep 2019 06:58:15 +0000 (08:58 +0200)]
sysupgrade: support "backup" attribute

This new attribute allows passing path of the backup archive. It
provides much more flexibility than hardcoding /tmp/sysupgrade.tgz. It
may help avoiding some cp/mv for user-provided backup archive.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
20 months ago sysupgrade: set UPGRADE_BACKUP env variable
Rafał Miłecki [Thu, 5 Sep 2019 07:20:13 +0000 (09:20 +0200)]
sysupgrade: set UPGRADE_BACKUP env variable

It points to the backup file to use during sysupgrade process. Right now
it's hardcoded to the /tmp/sysupgrade.tgz. Once all cleanups are in
place "sysupgrade" ubus method should be extended to allow passing any
custom path.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
20 months ago system: fix uninitialized variables in firmware validation code
Rafał Miłecki [Thu, 5 Sep 2019 21:07:21 +0000 (23:07 +0200)]
system: fix uninitialized variables in firmware validation code

This fixes:
system.c: In function 'validate_firmware_image':
system.c:403:6: error: 'fd' may be used uninitialized in this function [-Werror=maybe-uninitialized]
   if (fd >= 0) {
system.c:446:4: error: 'jsobj' may be used uninitialized in this function [-Werror=maybe-uninitialized]
    blobmsg_add_object(&b, jsobj);

Fixes: e990e215e8a3 ("system: add "validate_firmware_image" ubus method")

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
20 months ago system: reject sysupgrade of invalid firmware images by default
Rafał Miłecki [Wed, 4 Sep 2019 09:06:52 +0000 (11:06 +0200)]
system: reject sysupgrade of invalid firmware images by default

This validation step can be bypassed by passing "force" argument. This
is very similar to the /sbin/sysupgrade behavior and --force.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
20 months ago system: reject sysupgrade of broken firmware images
Rafał Miłecki [Fri, 30 Aug 2019 15:46:07 +0000 (17:46 +0200)]
system: reject sysupgrade of broken firmware images

This uses recently added "validate_firmware_image" to validate passed
firmware. If it happens to be invalid and marked as impossible to force
then sysupgrade simply exits with an error.

This change is needed to avoid bricking devices with some totally broken

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
20 months ago system: add "validate_firmware_image" ubus method
Rafał Miłecki [Fri, 30 Aug 2019 07:28:34 +0000 (09:28 +0200)]
system: add "validate_firmware_image" ubus method

This new method allows validating firmware image (stored on a device)
using ubus. It uses new executable helper that provides detailed info
about firmware image.

The point of this method is to allow user interfaces provide various
info before starting actual upgrade process.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
20 months ago sysupgrade: add missing _GNU_SOURCE define (FS#2469)
Rosen Penev [Mon, 26 Aug 2019 22:22:15 +0000 (15:22 -0700)]
sysupgrade: add missing _GNU_SOURCE define (FS#2469)

Fixes compilation problems:

error: implicit declaration of function 'asprintf'; did you mean 'vsprintf'?
   57 |   if (asprintf(&name, "%s%s", prefix, blobmsg_name(option)) <= 0)
      |       ^~~~~~~~
      |       vsprintf

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
20 months ago system: support passing "options" to the "sysupgrade" ubus method
Rafał Miłecki [Fri, 16 Aug 2019 14:14:27 +0000 (16:14 +0200)]
system: support passing "options" to the "sysupgrade" ubus method

Object passed as "options" gets translated into environment variables
"options": { "foo": 5 }
will result in setting UPGRADE_OPT_FOO=5.

This allows stage2 sysupgrade to get options explicitly. So far it was
guessing what to do by checking for existence of some files (e.g.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
21 months ago state: fix shutdown when running in a container (FS#2425)
Paul Spooren [Mon, 5 Aug 2019 16:07:45 +0000 (18:07 +0200)]
state: fix shutdown when running in a container (FS#2425)

Applies patch from @mikma [0] to fix Docker shutdown. Added detection to
state.c if running in a container or not.

Tested with a x86/64 Docker image.

Fixes FS#2425

CC: Mikael Magnusson <mikma@users.sourceforge.net>
CC: Petr Štetiar <ynezz@true.cz>
[0]: https://github.com/mikma/lxd-openwrt/blob/master/patches/procd-master/0003-docker-fix-problem-stopping-container.patch

Signed-off-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [coding style alignment]
22 months ago procd: check strchr() result before using it
Justinas Grauslis [Mon, 8 Jul 2019 08:01:09 +0000 (11:01 +0300)]
procd: check strchr() result before using it

Subtracting some address from NULL does not necessarily
result in a negative value. It's lower level dependent.

In our case (IPQ4019 + Yocto + meta-openwrt) subtracting
token address from NULL strchr() return value results in
large positive number which causes out-of-boundary memory
access and eventually a segfault.

Signed-off-by: Justinas Grauslis <justinas@8devices.com>
23 months ago container: fix .dockerenv stat check
Petr Štetiar [Thu, 30 May 2019 05:53:26 +0000 (07:53 +0200)]
container: fix .dockerenv stat check

applied check wasn't evaluating the existence of the file properly.

Fixes: 7f0f6b2a73f8 ("procd: add docker support")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
23 months ago hotplug: improve error message during group ownership change
Petr Štetiar [Fri, 24 May 2019 11:04:41 +0000 (13:04 +0200)]
hotplug: improve error message during group ownership change

procd currently outputs following error messages:

 procd: cannot set group dialout for /dev/ttyw8
 procd: cannot set group dialout for /dev/ttyq1
 procd: cannot set group dialout for /dev/ttywf

from which it's not clear where the problem is, if it's either getgrnam
or chown failing and why it's failing so this patch adds name of failed
function and its errno.

Ref: https://github.com/openwrt/openwrt/pull/1773#issuecomment-495555284
Signed-off-by: Petr Štetiar <ynezz@true.cz>
23 months ago procd: add docker support
Paul Spooren [Mon, 27 May 2019 09:33:29 +0000 (11:33 +0200)]
procd: add docker support

detects if running in a docker container, which then requires special
treatment of mounts. OpenWrt within Docker is useful for CI testing.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2 years ago container: include stdbool.h
Hans Dedecker [Thu, 9 May 2019 16:01:46 +0000 (18:01 +0200)]
container: include stdbool.h

Fixes following compile issue :

container.h:18:15: error: unknown type name 'bool'
 static inline bool is_container() {
make[5]: *** [CMakeFiles/init.dir/build.make:154: CMakeFiles/init.dir/initd/zram.c.o] Error 1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2 years ago procd: detect lxc container and behave accordingly
Paul Spooren [Sun, 5 May 2019 16:31:41 +0000 (18:31 +0200)]
procd: detect lxc container and behave accordingly

meaning to not mount some specific parts which cause trouble.

The patch is based on previous work of @mikma to combine OpenWrt with
lxd[0]. This patch however adds a detection copied from *virt-what* to
check /proc/1/environment for the string "container".

Thanks to @dangowrt for the cleanup.

[0]: https://github.com/containercraft/openwrt-lxd/blob/master/patches/procd-openwrt-18.06/001_lxd_no_mounts.patch

Signed-off-by: Paul Spooren <mail@aparcar.org>
2 years ago instance: dump user and group as well
Hans Dedecker [Tue, 30 Apr 2019 19:49:26 +0000 (21:49 +0200)]
instance: dump user and group as well

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2 years ago service: allow setting a dedicated group id
Michael Heimpold [Thu, 11 Apr 2019 19:01:07 +0000 (21:01 +0200)]
service: allow setting a dedicated group id

Sometimes it is desirable to run a process with a specific group id
instead of the default one which is derived from passwd entry.

However, we still want to initialize supplementary group ids
(including the default one), thus we have to store the specific
one in a dedicated structure element.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2 years ago instance: add support for customizable syslog facilities
Michael Heimpold [Thu, 11 Apr 2019 19:01:06 +0000 (21:01 +0200)]
instance: add support for customizable syslog facilities

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2 years ago procd: add SIGPWR as signal
Paul Spooren [Fri, 26 Apr 2019 15:32:45 +0000 (17:32 +0200)]
procd: add SIGPWR as signal

to use procd in LXC containers they have to support SIGPWR to shutdown.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2 years ago procd: copy the respawn property of new instance
Yashavanth Chowrikoppalu [Wed, 17 Apr 2019 13:21:18 +0000 (15:21 +0200)]
procd: copy the respawn property of new instance

On updating an existing instance, the respawn property is reset
in instance_stop(). Subsequent instance_update() call does not copy
the respawn property from new instance in instance_config_move(). As
a result, the respawning does not happen, if the process is killed

Signed-off-by: Yashavanth Chowrikoppalu <Yashavanth.hsn@gmail.com>
2 years ago procd: instance: Support deleting stopped instances
Kristian Evensen [Sat, 6 Apr 2019 12:28:30 +0000 (14:28 +0200)]
procd: instance: Support deleting stopped instances

procd currently does not support deleting a stopped instance. The reason
is that we return in instance_stop(), if pending is set to false. This
patch adds a new function, instance_delete(), which does the necessary
clean-up of an instance. instance_delete() is called before we return in
instance_stop(), as well as when a process that should not be restarted
has exited in instance_exit().

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
2 years ago procd: trace: Define syscall registers for powerpc platform
Wojciech Dubowik [Fri, 8 Mar 2019 08:36:12 +0000 (09:36 +0100)]
procd: trace: Define syscall registers for powerpc platform

According to manpage the syscall nr is stored in r0
and return value in r3 for powerpc. Define it so we
can use seccomp and utrace on powerpc.

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@neratec.com>
2 years ago hotplug.c: Make sure hotplug buffer is NULL terminated
Hauke Mehrtens [Wed, 19 Dec 2018 09:51:57 +0000 (10:51 +0100)]
hotplug.c: Make sure hotplug buffer is NULL terminated

Sets the final byte explicitly to NULL because we later do string
operations on this buffer.

Fixes Coverity issue 1430926 String not null terminated

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
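
A sketch of the pattern this commit message describes, added here as an illustration and not taken from procd's hotplug.c: the receive helper holds back one byte and writes the terminator itself, so the strlen() walk over NUL-separated KEY=VALUE records stays inside the buffer. The function names, the buffer size and the sample message are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed uevent-style sample; it is sent without its final NUL. */
static const char sample[] =
	"add@/devices/x\0ACTION=add\0SUBSYSTEM=net\0INTERFACE=eth0";

/* Receive one message into buf and always terminate it. Reading at most
 * size - 1 bytes keeps buf[n] inside the buffer. */
static ssize_t recv_terminated(int fd, char *buf, size_t size)
{
	if (size == 0)
		return -1;
	ssize_t n = recv(fd, buf, size - 1, 0);
	if (n >= 0)
		buf[n] = '\0';
	return n;
}

/* Walk the NUL-separated records and return the value stored under key, or
 * NULL. Requires buf[len] == '\0', otherwise strlen() could run off the end. */
static const char *uevent_get(const char *buf, size_t len, const char *key)
{
	size_t klen = strlen(key);
	for (size_t i = 0; i < len; i += strlen(buf + i) + 1)
		if (!strncmp(buf + i, key, klen) && buf[i + klen] == '=')
			return buf + i + klen + 1;
	return NULL;
}

/* Send the sample over a local datagram socket pair and look up one key. */
static const char *demo_lookup(const char *key)
{
	static char buf[256]; /* assumed size, not procd's */
	int sv[2];
	ssize_t n = -1;
	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
		return NULL;
	if (send(sv[1], sample, sizeof(sample) - 1, 0) == (ssize_t)(sizeof(sample) - 1))
		n = recv_terminated(sv[0], buf, sizeof(buf));
	close(sv[0]);
	close(sv[1]);
	return n < 0 ? NULL : uevent_get(buf, (size_t)n, key);
}

int main(void)
{
	const char *v = demo_lookup("INTERFACE");
	printf("INTERFACE=%s\n", v ? v : "(none)");
	return 0;
}
```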
2 years ago early: set /tmp permissions explicitly
Hans Dedecker [Fri, 23 Nov 2018 11:02:45 +0000 (12:02 +0100)]
early: set /tmp permissions explicitly

In case ramfs is used as tmpfs it creates /tmp with permissions 755
which are the default permissions.
Therefore when mounting tmp set permissions explicitly to 1777

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: John Crispin <john@phrozen.org>
2 years ago watchdog: improve setting watchdog timeout and frequency
Hans Dedecker [Sun, 4 Nov 2018 10:14:31 +0000 (11:14 +0100)]
watchdog: improve setting watchdog timeout and frequency

Due to the watchdog file descriptor check in both watchdog_timeout and
watchdog_frequency it's impossible to set the timeout/frequency via ubus
in case the watchdog was stopped.
Fix this by removing the watchdog file descriptor check in both functions
and by caching locally the set watchdog driver timeout value. The latter
will be used to set the watchdog driver timeout value in case the
watchdog is active or when the watchdog is started.
In addition when parsing the watchdog ubus call check if timeout
attribute is set so the correct value is used when doing the frequency
sanity check.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2 years ago procd: Add cpu string to board detection
Chris Blake [Fri, 14 Sep 2018 01:37:45 +0000 (20:37 -0500)]
procd: Add cpu string to board detection

This patch is in relation to
https://github.com/openwrt/openwrt/pull/1307 to help fix architecture
detection in LuCI which was added in

Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
2 years ago Allow disabling seccomp or changing the whitelist
Michal Sojka [Mon, 30 Jul 2018 07:32:19 +0000 (09:32 +0200)]
Allow disabling seccomp or changing the whitelist

Without this change, once a service is started with seccomp, it is
impossible to restart it without seccomp or change the whitelist file
name. This commit fixes that. Disabling seccomp is as easy as
commenting out the "procd_set_param seccomp" line in init.d script.

Signed-off-by: Michal Sojka <michal.sojka@cvut.cz>
2 years ago trace: Use properly sized type for PTRACE_GETEVENTMSG
Michal Sojka [Mon, 30 Jul 2018 07:31:09 +0000 (09:31 +0200)]
trace: Use properly sized type for PTRACE_GETEVENTMSG

Without this, on 64-bit systems, ptrace call corrupts memory because
it stores 64bit value to 32bit pid_t variable.

Signed-off-by: Michal Sojka <michal.sojka@cvut.cz>
2 years ago procd: fix ustream deadlock when there are 0 bytes or no newlines
John Crispin [Tue, 13 Feb 2018 15:33:48 +0000 (16:33 +0100)]
procd: fix ustream deadlock when there are 0 bytes or no newlines

Signed-off-by: John Crispin <john@phrozen.org>
2 years ago procd: increase watchdog fd_buf storage size to fix gcc8 build error
Felix Fietkau [Thu, 5 Jul 2018 09:13:31 +0000 (11:13 +0200)]
procd: increase watchdog fd_buf storage size to fix gcc8 build error

Signed-off-by: Felix Fietkau <nbd@nbd.name>
3 years ago service: initialize supplementary group ids
Yousong Zhou [Sun, 11 Feb 2018 09:19:11 +0000 (17:19 +0800)]
service: initialize supplementary group ids

We currently only call setgid() with user's primary group id for service
instance processes.  In the case of a user belonging to multiple groups,
it's natural to also explicitly initialize their supplementary group ids

Fixes FS#988

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
3 years ago service: add func for string config change check
Yousong Zhou [Sun, 11 Feb 2018 09:17:08 +0000 (17:17 +0800)]
service: add func for string config change check

To also prepare for following commits introducing more string value
change detection

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
3 years ago procd: get rid of putenv usage.
Rosen Penev [Tue, 23 Jan 2018 20:30:52 +0000 (12:30 -0800)]
procd: get rid of putenv usage.

setenv is preferred according to POSIX. Also allows statically allocated strings.

Saves 200 bytes when stripped. 432 without.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago trace: check asprintf() return value
Hans Dedecker [Mon, 22 Jan 2018 17:51:23 +0000 (18:51 +0100)]
trace: check asprintf() return value

Check asprintf() return value; fixes ignoring return value warnings:

warning: ignoring return value of 'asprintf', declared with attribute
warn_unused_result [-Wunused-result]

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
3 years ago trace: add missing limits.h include
Hans Dedecker [Mon, 22 Jan 2018 17:51:22 +0000 (18:51 +0100)]
trace: add missing limits.h include

Fixes compile issue when using glibc as INT_MAX is reported as

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
3 years ago procd: add timing to start/stop logging
Karl Vogel [Wed, 17 Jan 2018 11:13:15 +0000 (12:13 +0100)]
procd: add timing to start/stop logging

Shows how long an initd task took, for example:

 procd: stop /etc/init.d/dropbear running - took 0.088824s
 procd: Update service dnsmasq
 procd: Update instance dnsmasq::dnsmasq
 procd: running /etc/init.d/dnsmasq running
 procd: start /etc/init.d/dnsmasq running
 procd: stop /etc/init.d/dnsmasq running - took 0.092586s

 v2: rename variables, correct time unit
 v3: use CLOCK_MONOTONIC_RAW to prevent issues with NTP and adjtime

Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
3 years ago procd: Add %m to several functions that return errno.
Rosen Penev [Mon, 25 Dec 2017 22:14:46 +0000 (14:14 -0800)]
procd: Add %m to several functions that return errno.

Might help with debugging. No size impact.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago procd: Remove redundant errno variable in several printf functions.
Rosen Penev [Mon, 25 Dec 2017 22:14:45 +0000 (14:14 -0800)]
procd: Remove redundant errno variable in several printf functions.

%m, aka strerror(errno) is already used. No need to repeat it. Saves 280 bytes.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago procd: Replace strerror(errno) with %m.
Rosen Penev [Mon, 25 Dec 2017 22:14:44 +0000 (14:14 -0800)]
procd: Replace strerror(errno) with %m.

Saves 1496 bytes from compiled size under glibc. No functional difference.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago procd: Fix minor null pointer dereference.
Rosen Penev [Mon, 25 Dec 2017 22:52:20 +0000 (14:52 -0800)]
procd: Fix minor null pointer dereference.

Null pointer check was placed after assigning values to c.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago procd: initd: fix path allocation in early_insmod
Nathan Hintz [Fri, 29 Dec 2017 04:48:26 +0000 (04:48 +0000)]
procd: initd: fix path allocation in early_insmod

Noticed that /tmp was not being created on /dev/zram0.  This was on
ixp4xx (nslu2) using GCC 6.3 and musl.

The allocation should be using the length of the passed string
(module path), not the size of the pointer to the string.

Signed-off-by: Nathan Hintz <nlhintz@hotmail.com>
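
The sizing mistake this commit message describes, shown as an added example that is not procd's early_insmod code: a buffer sized with sizeof on the pointer holds only 4 or 8 bytes, while the module path needs strlen() + 1. The helper names and the module path are assumptions constructed for the example, and the copy is bounded with snprintf() so the undersized buffer shows up as truncation rather than an out-of-bounds write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrong sizing: sizeof on a pointer gives the pointer width (4 or 8 bytes),
 * whatever the string behind it contains. */
static size_t cap_from_pointer(const char *path)
{
	return sizeof(path);
}

/* Right sizing: characters in the string plus the terminating NUL. */
static size_t cap_from_length(const char *path)
{
	return strlen(path) + 1;
}

/* Copy path into a fresh buffer of cap bytes. snprintf() bounds the write, so
 * an undersized cap is reported as truncation; an unbounded copy into the
 * same buffer would write past the end of the allocation instead. */
static char *copy_path(const char *path, size_t cap, int *truncated)
{
	char *p = malloc(cap);
	if (!p)
		return NULL;
	int need = snprintf(p, cap, "%s", path);
	*truncated = need < 0 || (size_t)need >= cap;
	return p;
}

int main(void)
{
	const char *mod = "/lib/modules/4.14.0/zram.ko"; /* constructed path */
	int t = 0;
	char *bad = copy_path(mod, cap_from_pointer(mod), &t);
	printf("sizeof(pointer): \"%s\" truncated=%d\n", bad ? bad : "", t);
	char *good = copy_path(mod, cap_from_length(mod), &t);
	printf("strlen() + 1:    \"%s\" truncated=%d\n", good ? good : "", t);
	free(bad);
	free(good);
	return 0;
}
```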
3 years ago procd: Remove unnecessary memset calls.
Rosen Penev [Tue, 7 Nov 2017 20:05:12 +0000 (12:05 -0800)]
procd: Remove unnecessary memset calls.

Changes allocation to calloc and {} as needed.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years ago service: add data within the service itself
Pierre Lebleu [Fri, 10 Nov 2017 10:04:47 +0000 (11:04 +0100)]
service: add data within the service itself

It gives the ability to create firewall data within the
service itself.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
3 years ago service: fix calls to blobmsg_parse()
Pierre Lebleu [Fri, 10 Nov 2017 09:59:35 +0000 (10:59 +0100)]
service: fix calls to blobmsg_parse()

We should use blobmsg_data() rather than blob_data() and
blobmsg_data_len() rather than blob_len().

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
3 years ago procd: lower the logging threshold
John Crispin [Mon, 6 Nov 2017 07:39:09 +0000 (08:39 +0100)]
procd: lower the logging threshold

Signed-off-by: John Crispin <john@phrozen.org>
3 years ago service: Start services normally when seccomp is disabled
Michal Sojka [Fri, 3 Nov 2017 21:31:41 +0000 (22:31 +0100)]
service: Start services normally when seccomp is disabled

When service init file declares seccomp support (procd_set_param seccomp),
but procd is compiled without seccomp support, the service should be
started normally, because seccomp-trace and utrace are not available.

Older procd versions decided about whether to start a service in
seccomp sandbox or not based on existence of seccomp whitelist in the
filesystem. This was recently removed (c8faedc "Do not disable seccomp
when configuration is not found", 2017-09-12) because it could be easy
for attackers to disable seccomp support. This change is a follow-up
to the mentioned commit. With it, procd decides about whether to use
seccomp sandbox based only on compile-time configuration.

Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Tested-by: Hans Dedecker <dedeckeh@gmail.com>
3 years ago procd: add missing new lines inside debug code
John Crispin [Thu, 26 Oct 2017 07:39:52 +0000 (09:39 +0200)]
procd: add missing new lines inside debug code

Signed-off-by: John Crispin <john@phrozen.org>
3 years ago service: fix service_handle_event array
Pierre Lebleu [Wed, 25 Oct 2017 15:43:16 +0000 (17:43 +0200)]
service: fix service_handle_event array

The array concerning the "config.change" is __VALIDATE_MAX length,
not __DATA_MAX length.

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>