project/procd.git
3 years agoservice: make sure string read is null terminated
Daniel Golle [Sun, 15 Aug 2021 11:34:05 +0000 (12:34 +0100)]
service: make sure string read is null terminated

Coverity CID: 1490007 String not null terminated
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agosystem: fix issues reported by Coverity
Daniel Golle [Sun, 15 Aug 2021 10:52:20 +0000 (11:52 +0100)]
system: fix issues reported by Coverity

Coverity CID: 1490346 Buffer not null terminated
Coverity CID: 1490345 Dereference null return value

Fixes: 9f233f5 ("system: make rootfs type accessible through board call")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoujail-console: add missing error handling discovered by coverity
Daniel Golle [Fri, 13 Aug 2021 18:14:12 +0000 (19:14 +0100)]
ujail-console: add missing error handling discovered by coverity

Coverity CID: 1490106
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: fix several issues discovered by Coverity
Daniel Golle [Fri, 13 Aug 2021 18:30:34 +0000 (19:30 +0100)]
jail: fix several issues discovered by Coverity

Coverity CID: 1430874 Untrusted pointer read
Coverity CID: 1490028 Resource leak
Coverity CID: 1490029 Resource leak
Coverity CID: 1490057 Uninitialized scalar variable
Coverity CID: 1490069 Resource leak
Coverity CID: 1490074 Resource leak

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agohotplug-dispatch: yet another rare memory leak disovered by Coverity
Daniel Golle [Fri, 13 Aug 2021 18:04:08 +0000 (19:04 +0100)]
hotplug-dispatch: yet another rare memory leak disovered by Coverity

Free newly allocated hotplug context in case of premature return.

Coverity CID: 1490077
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agosystem: make rootfs type accessible through board call
Daniel Golle [Fri, 13 Aug 2021 01:23:03 +0000 (02:23 +0100)]
system: make rootfs type accessible through board call

Knowing the type of the root filesystem can be useful, e.g. for the
attended sysupgrade clients.
As the previously introduced 'initramfs' flag is covered the the new
'rootfs_type' being 'initramfs', remove the old flag which should have
any users yet.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agohotplug-dispatch: fix rare memory leaks in error paths
Daniel Golle [Wed, 4 Aug 2021 20:13:32 +0000 (21:13 +0100)]
hotplug-dispatch: fix rare memory leaks in error paths

Fix remaining memory leaks in error paths.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: cgroups-bpf: fix compile with musl 1.2
Daniel Golle [Wed, 4 Aug 2021 19:55:21 +0000 (20:55 +0100)]
jail: cgroups-bpf: fix compile with musl 1.2

musl 1.2 no longer ships with <sys/cdefs.h>. Use it only on
glibc, musl provides __WORDSIZE macro in <sys/regs.h>.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: don't ignore return value of write()
Daniel Golle [Wed, 4 Aug 2021 15:35:29 +0000 (16:35 +0100)]
jail: don't ignore return value of write()

Check return value of write() call when writing to sysctl.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: cgroups: replace wrongly used assert()
Daniel Golle [Wed, 4 Aug 2021 15:33:11 +0000 (16:33 +0100)]
jail: cgroups: replace wrongly used assert()

In most cases, what we should do is exit(ENOMEM). In some cases like
when checking for filehandlers, handle errors appropriately.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agohotplug-dispatch: replace wrongly used assert()
Daniel Golle [Wed, 4 Aug 2021 15:27:04 +0000 (16:27 +0100)]
hotplug-dispatch: replace wrongly used assert()

Use proper error handling instead.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: always handle asprintf() return value
Daniel Golle [Wed, 4 Aug 2021 14:55:14 +0000 (15:55 +0100)]
uxc: always handle asprintf() return value

Error out in case asprintf() returns -1.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agohotplug-dispatch: don't ignore asprintf() return value
Daniel Golle [Wed, 4 Aug 2021 14:53:07 +0000 (15:53 +0100)]
hotplug-dispatch: don't ignore asprintf() return value

Properly handle asprintf() return value and error out on -1.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: ignore return value when creating default /dev symlinks
Daniel Golle [Wed, 4 Aug 2021 14:04:59 +0000 (15:04 +0100)]
jail: ignore return value when creating default /dev symlinks

Just to silence compiler warning, as failure to create these symlinks
doesn't indicate an error in all cases, e.g. in case mount is already
defined in place of the symlink.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: don't ignore return value of seteuid()
Daniel Golle [Wed, 4 Aug 2021 14:03:45 +0000 (15:03 +0100)]
jail: don't ignore return value of seteuid()

Error out in case seteuid() fails.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: cgroups-bpf: don't use sys/reg.h when building with glibc
Daniel Golle [Wed, 4 Aug 2021 13:20:12 +0000 (14:20 +0100)]
jail: cgroups-bpf: don't use sys/reg.h when building with glibc

To access __WORDSIZE with glibc sys/cdefs.h is included now.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agowatchdog: Add an info message if the watchdog reset the system
Martin Blumenstingl [Sun, 18 Jul 2021 21:51:12 +0000 (23:51 +0200)]
watchdog: Add an info message if the watchdog reset the system

The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Investigating why a device has rebooted can be difficult, especially if
there's no output (for example during a kernel crash) on the serial
console. Some watchdog drivers can tell us if the watchdog has caused
the system to reboot. The corresponding WDIOF_CARDRESET flag is
documented as: "Card previously reset the CPU".

Add an info message if the watchdog supports the WDIOF_CARDRESET flag
and if the boot status indicates that the watchdog has previously reset
the system.

Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
3 years agouxc: resolve volume UUIDs by name of UCI fstab section
Daniel Golle [Sat, 24 Jul 2021 22:51:37 +0000 (23:51 +0100)]
uxc: resolve volume UUIDs by name of UCI fstab section

Allow identifying volumes which are required for a container to start
by their UCI section name in /etc/config/fstab, which is also where
'uvol' puts the volume name.
Using filesystem UUID instead is still possible as well.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: don't restart containers when mount shows up
Daniel Golle [Sat, 24 Jul 2021 00:28:10 +0000 (01:28 +0100)]
uxc: don't restart containers when mount shows up

procd triggers 'uxc boot' every time a new mount shows up which results
in containers to be restarted which had already been run and may have
ended reguarly, crashed or deliberately stopped.
As the intention of 'uxc boot' is to start containers which were still
waiting for volumes to become ready, really do only that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: refactor directory handling for rootfs and overlaydir
Daniel Golle [Sun, 18 Jul 2021 01:10:29 +0000 (02:10 +0100)]
jail: refactor directory handling for rootfs and overlaydir

Resolve symlinks and check if directories exist before clone() call,
it's more clean and allows for more code reuse.
This partially reverts commits 0114c6fc8b ("jail: open() extroot folder
before mounting") as well as 05459054fb ("jail: make use of realpath()
for rootfs and overlaydir") and replaces them with a more generic
solution.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: make use of realpath() for rootfs and overlaydir
Daniel Golle [Sat, 17 Jul 2021 13:06:38 +0000 (14:06 +0100)]
jail: make use of realpath() for rootfs and overlaydir

Use realpath() to resolve rootfs and read/write-overlay as they are
potentially (and likely, as we are going to use blockd with autofs)
symlinks.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: check for required blockd mounts
Daniel Golle [Wed, 14 Jul 2021 22:23:40 +0000 (23:23 +0100)]
uxc: check for required blockd mounts

When calling `uxc boot` it can happen that some required storage
volumes are not yet mounted. Make sure mountpoints exist for all
required volumes before starting a container using `uxc boot`.
(uxc' init-script will take care of calling `uxc boot` every time
a new block mount is added)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: open() extroot folder before mounting
Daniel Golle [Thu, 15 Jul 2021 01:49:23 +0000 (02:49 +0100)]
jail: open() extroot folder before mounting

Use open() to trigger autofs mount and check extroot folder exists
before mount-binding it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: allow rootfs to be a symbolic link
Daniel Golle [Wed, 14 Jul 2021 16:47:22 +0000 (17:47 +0100)]
jail: allow rootfs to be a symbolic link

Follow symbolic link to rootfs so we can use autofs symlinks in /mnt
to reference volumes in config.json.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: increase max additional env records to 64
Daniel Golle [Tue, 13 Jul 2021 00:08:20 +0000 (01:08 +0100)]
jail: increase max additional env records to 64

In the Docker world, people pass a lot of things using env variables
it turns out. Increase to 64 for now as a hot fix, will have to be
created dynamically in future to support unlimited number of env
variables.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: do not hack /etc/resolv.conf on container rootfs
Daniel Golle [Mon, 12 Jul 2021 23:59:32 +0000 (00:59 +0100)]
jail: do not hack /etc/resolv.conf on container rootfs

While useful for slim containers, this violates OCI spec and breaks
containers like pihole.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: implement support for rootfs overlay in containers
Daniel Golle [Mon, 12 Jul 2021 20:22:04 +0000 (21:22 +0100)]
uxc: implement support for rootfs overlay in containers

ujail already supports having a (temporary) overlayfs on top of a
containers rootfs. This is very useful for "dirty" containers which
assume / is writable.
Support this in uxc at the time a container is created and keep the
settings on subsequent re-creates (or reboots).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: add support for cgroup devices as in OCI run-time spec
Daniel Golle [Fri, 28 May 2021 16:17:35 +0000 (18:17 +0200)]
jail: add support for cgroup devices as in OCI run-time spec

Implement eBPF generator to emulate cgroup-v1 devices.{allow,deny}
as we got only cgroup-v2 available while the spec was written having
cgroups-v1 in mind.
Instead of literally emulating the legacy behavior, do like other
runtimes do as well when running on cgroup-v2: simply translate each
device rule into a bunch of eBPF instructions and then execute them
in reverse order, prepended by some default rules covering /dev/null,
/dev/random, /dev/tty, ...

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: Use /dev/console for serial console if exists
Gaurav Pathak [Wed, 5 May 2021 11:32:45 +0000 (17:02 +0530)]
procd: Use /dev/console for serial console if exists

inittab.c: Use "/dev/console" if it is present, before trying
"/sys/class/tty/console/active" in case if console kernel command
line is not provided during boot and to allow container environment
to use it as login PTY console.

Signed-off-by: Gaurav Pathak <gaurav.pathak@pantacor.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: Adding support to detect Pantavisor Container Platform
Gaurav Pathak [Sun, 21 Mar 2021 13:14:33 +0000 (18:44 +0530)]
procd: Adding support to detect Pantavisor Container Platform

Modified container.h to detect the pantavisor container platform,
as it runs a custom modified version of LXC. container.h is modified
to check if procd is running in a pantavisor container environment by
detecting the presence of pantavisor directory under /.

Signed-off-by: Gaurav Pathak <gaurav.pathak@pantacor.com>
3 years agotrace: fix build on aarch64
Daniel Golle [Fri, 19 Mar 2021 22:22:44 +0000 (22:22 +0000)]
trace: fix build on aarch64

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail/seccomp: add support for aarch64
Daniel Golle [Thu, 28 Jan 2021 20:10:46 +0000 (20:10 +0000)]
jail/seccomp: add support for aarch64

Add support for Aarch64 in utrace and ujail.
Sort and unify architecture-specific definitions in headers.
Use new PTRACE_GET_SYSCALL_INFO call (available since Linux 5.3), for
now only for aarch64, but this may potentially unify things and get
rid of some #ifdef'ery for other platforms as well.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoinittab: detect active console from kernel if no console= specified
Mathew McBride [Fri, 5 Mar 2021 00:54:15 +0000 (00:54 +0000)]
inittab: detect active console from kernel if no console= specified

The default serial console can be set in the device tree
using the linux,stdout-path parameter (or equivalent from ACPI).

This is important for universal booting (EFI/EBBR) on ARM platforms
where the default console can be different (e.g ttyS0 vs ttyAMA0).

Signed-off-by: Mathew McBride <matt@traverse.com.au>
3 years agoutils: fix C style in header file
Daniel Golle [Sun, 7 Mar 2021 23:45:33 +0000 (23:45 +0000)]
utils: fix C style in header file

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: fix compilation with newer musl
Rosen Penev [Tue, 2 Mar 2021 00:05:46 +0000 (16:05 -0800)]
procd: fix compilation with newer musl

An open bracket was missing.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years agosystem: expose if system was booted from initramfs
Daniel Golle [Mon, 15 Feb 2021 07:06:42 +0000 (07:06 +0000)]
system: expose if system was booted from initramfs

It can be good for UI to show to the user that the system was booted
from initramfs ie. no writable permanent storage is available.
I imagine LuCI only serving applications which are explicitely marked
as being shown even in initramfs mode, ie. nothing but status,
network->interfaces, network->wireless, system->upgrade,
system->backup, system->backuprestore tabs.
Also sysupgrade could take into account we are running on initramfs
and perform offline backup/restore of whatever is in the flash.
In that way OpenWrt-generated initramfs-images can serve as recovery
OS on devices with dual-boot in a meaningful way.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agocosmetics: provide compatible system info on Aarch64
Daniel Golle [Sat, 13 Feb 2021 20:56:27 +0000 (20:56 +0000)]
cosmetics: provide compatible system info on Aarch64

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: add hotplug-call dispatcher
Daniel Golle [Mon, 21 Dec 2020 21:51:01 +0000 (21:51 +0000)]
procd: add hotplug-call dispatcher

Add hotplug-call dispatcher ubus objects for each subsystem.
This will allow more services to run non-root and without
excessive permissions while still being able to trigger
(asynchronous) hotplug events.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: cgroups: fix uninitialized variable
Daniel Golle [Thu, 28 Jan 2021 23:46:16 +0000 (23:46 +0000)]
jail: cgroups: fix uninitialized variable

Make sure 'limit' is initialized to -1 (==max) when translating
cgroups-1 memory controller spec to cgroups-2.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: only output BPF instr. table header if debugging
Daniel Golle [Mon, 4 Jan 2021 21:52:33 +0000 (21:52 +0000)]
jail: only output BPF instr. table header if debugging

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: remove duplicate check for hook file permissions
Daniel Golle [Mon, 28 Dec 2020 16:22:38 +0000 (16:22 +0000)]
jail: remove duplicate check for hook file permissions

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: fix compiler warning
John Crispin [Tue, 26 Jan 2021 10:19:10 +0000 (11:19 +0100)]
procd: fix compiler warning

[ 37%] Building C object CMakeFiles/procd.dir/state.c.o
/projects/procd/state.c: In function ‘state_enter’:
/projects/procd/state.c:147:4: error: ignoring return value of ‘chown’, declared with attribute warn_unused_result [-Werror=unused-result]
  147 |    chown(p->pw_dir, p->pw_uid, p->pw_gid);
      |    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[2]: *** [CMakeFiles/procd.dir/build.make:89: CMakeFiles/procd.dir/state.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:241: CMakeFiles/procd.dir/all] Error 2
make: *** [Makefile:130: all] Error 2

Signed-off-by: John Crispin <john@phrozen.org>
3 years agohotplug.c: set nl_pid to zero
Stefan Eichenberger [Sun, 24 Jan 2021 22:58:50 +0000 (23:58 +0100)]
hotplug.c: set nl_pid to zero

With the current solution where nl_pid is set through getpid we run into
problems when running procd in a different PID namespace (e.g.
container). The PID number inside the active PID namespace will be set
which doesn't match the global PID. Therefore, procd will never receive
any netlink messages.

By setting nl_pid to zero the kernel will assign the global PID
automatically and fixes the issue.

Signed-off-by: Stefan Eichenberger <eichest@gmail.com>
Acked-by: John Crispin <john@phrozen.org>
3 years agotreewide: replace local mkdir_p implementations
Daniel Golle [Sat, 12 Dec 2020 22:59:54 +0000 (22:59 +0000)]
treewide: replace local mkdir_p implementations

Replace local implementations of mkdir_p in favour of using the
more robust implementation now added to libubox.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: remove unreachable code
Daniel Golle [Wed, 9 Dec 2020 11:10:32 +0000 (11:10 +0000)]
jail: remove unreachable code

Replace unreachable error handling code in function setns_open with
a more appropriate assertion.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoearly: fall-back to run ubus as root if user can't be found
Daniel Golle [Fri, 4 Dec 2020 09:51:34 +0000 (09:51 +0000)]
early: fall-back to run ubus as root if user can't be found

Users have been reporting problems in case the ubus user is missing in
/etc/passwd. Run ubus as root in that case and display warning.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: improve seccomp log output
Daniel Golle [Tue, 1 Dec 2020 22:45:15 +0000 (22:45 +0000)]
jail: improve seccomp log output

Pass loglevel to preloaded seccomp handler, output generated program
along with unresolved syscalls if debugging output is requested.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: seccomp: improve code readability
Daniel Golle [Mon, 30 Nov 2020 00:44:53 +0000 (00:44 +0000)]
jail: seccomp: improve code readability

Break overly long line, add some comments.
No functional changes.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: always call cgroups_free()
Daniel Golle [Sun, 29 Nov 2020 23:21:04 +0000 (23:21 +0000)]
jail: always call cgroups_free()

In commit 3019f50 ("jail: leak less memory") memory handling in cgroups
related code was refactored. That allows to call cgroups_free()
unconditionally and remove the child-branch of in free_opts().

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: improve seccomp BPF generator
Daniel Golle [Sun, 29 Nov 2020 19:12:17 +0000 (19:12 +0000)]
jail: improve seccomp BPF generator

Restructure and add code to process rules based on syscall arguments as
defined in OCI run-tine spec. Generated BPF code became more efficient
as now only one BPF instruction for each syscall is required.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: properly initialize timens_fd
Daniel Golle [Thu, 26 Nov 2020 16:34:38 +0000 (16:34 +0000)]
jail: properly initialize timens_fd

So we are safe for the future.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: enter existing cgroups namespace if given
Daniel Golle [Thu, 26 Nov 2020 16:24:47 +0000 (16:24 +0000)]
jail: enter existing cgroups namespace if given

Call to enter an existing cgroups namespace was missing. Add it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: don't attempt to mount /sys with noatime
Daniel Golle [Thu, 26 Nov 2020 04:49:35 +0000 (04:49 +0000)]
jail: don't attempt to mount /sys with noatime

Because that won't work. Use relatime instead.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: fix typo in usage output
Daniel Golle [Thu, 26 Nov 2020 03:29:45 +0000 (03:29 +0000)]
jail: fix typo in usage output

'-j' is wrong, it should be '-i' (for _i_mmediately).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: seteuid before clone(CLONE_NEWUSER)
Daniel Golle [Thu, 26 Nov 2020 01:44:50 +0000 (01:44 +0000)]
jail: seteuid before clone(CLONE_NEWUSER)

Resolve the userid in parent namespace mapped to the root user of the
new user namespace. Before clone(), seteuid() to that user in the parent
namespace.
Use SECBIT_NO_SETUID_FIXUP so the parent process can later on switch
back using seteuid(0).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: don't fail if can't mount-bind /etc/resolv.conf
Daniel Golle [Thu, 26 Nov 2020 01:01:14 +0000 (01:01 +0000)]
jail: don't fail if can't mount-bind /etc/resolv.conf

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: don't use NULL arguments for mount syscall
Daniel Golle [Thu, 26 Nov 2020 00:55:20 +0000 (00:55 +0000)]
jail: don't use NULL arguments for mount syscall

Make valgrind more happy

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: relax /etc/resolv.conf creation
Daniel Golle [Thu, 26 Nov 2020 00:26:43 +0000 (00:26 +0000)]
jail: relax /etc/resolv.conf creation

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: fix and simplify userns uid/gid maps from OCI
Daniel Golle [Wed, 25 Nov 2020 23:25:58 +0000 (23:25 +0000)]
jail: fix and simplify userns uid/gid maps from OCI

Pre-calculate allocation length more simple and make sure maps are
properly generated.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: fix segfault on missing name and refactor
Daniel Golle [Wed, 25 Nov 2020 20:00:10 +0000 (20:00 +0000)]
jail: fix segfault on missing name and refactor

Move check for named jail up to main() function, and also add that
condition in case an OCI container is loaded as that would segfault
in case no name was given.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: leak less memory
Daniel Golle [Tue, 24 Nov 2020 21:03:12 +0000 (21:03 +0000)]
jail: leak less memory

Always free everything before exiting, clean up dynamic structures,
add missing free() calls in various places, ...

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: add 'debug' extern variable to preload_seccomp
Daniel Golle [Sun, 22 Nov 2020 22:50:22 +0000 (22:50 +0000)]
jail: add 'debug' extern variable to preload_seccomp

ujail's seccomp ld-preload support broke recently with
Error relocating /lib/libpreload-seccomp.so: debug: symbol not found
Fix that by adding a debug variable to seccomp.c.

Fixes: be6da62 ("seccomp: silence 'unknown syscall' warnings")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agouxc: also delete procd runtime state on 'delete'
Daniel Golle [Sun, 22 Nov 2020 04:23:29 +0000 (04:23 +0000)]
uxc: also delete procd runtime state on 'delete'

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agouxc: fix incomplete commit
Daniel Golle [Sun, 22 Nov 2020 03:16:31 +0000 (03:16 +0000)]
uxc: fix incomplete commit

Fixes: 04a2edd ("uxc: make force-delete kill container process")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: cgroup hack: rewrite cgroup -> cgroup2
Daniel Golle [Wed, 28 Oct 2020 13:06:07 +0000 (13:06 +0000)]
jail: cgroup hack: rewrite cgroup -> cgroup2

"I'm sure you said cgroup2"

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agoseccomp: silence 'unknown syscall' warnings
Daniel Golle [Fri, 20 Nov 2020 23:56:13 +0000 (23:56 +0000)]
seccomp: silence 'unknown syscall' warnings

Output them as debugging messages instead.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agouxc: make force-delete kill container process
Daniel Golle [Thu, 19 Nov 2020 17:12:54 +0000 (17:12 +0000)]
uxc: make force-delete kill container process

Don't allow to delete running containers unless '--force' is
specified. If '--force' is specified, send KILL signal to container
process before deleting it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agotrace: switch to OCI seccomp JSON output
Daniel Golle [Sun, 15 Nov 2020 23:58:44 +0000 (23:58 +0000)]
trace: switch to OCI seccomp JSON output

Generate JSON as specified on OCI runtime spec for seccomp syscall
filter instead of our previous OpenWrt-specific format.

[1]: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agoseccomp: switch to new OCI compliant parser
Daniel Golle [Sun, 15 Nov 2020 23:22:13 +0000 (23:22 +0000)]
seccomp: switch to new OCI compliant parser

Drop the old OpenWrt-specific seccomp rule parser in favour of reusing
the OCI compliant variant.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agoseccomp: specifying architectures is optional
Daniel Golle [Sun, 15 Nov 2020 23:45:38 +0000 (23:45 +0000)]
seccomp: specifying architectures is optional

Specifying the architecture used for system calls is optional in OCI
spec. Make it optional in the parser.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: fix capabilities
Daniel Golle [Fri, 6 Nov 2020 18:42:25 +0000 (18:42 +0000)]
jail: fix capabilities

Allocate enough stack space for capget()/capset() which requires
2*sizeof(struct __user_cap_data_struct), each containing 32-bit fields,
where the 2nd struct contains the bits for high (>32) capabilities.
Failing to do that not only leads to those high capabilities being
inaccessible but also overwrote the stack resulting in ujail hanging
infinitely instead of returning from applyOCIcapabilities().
Also adapt debugging output to 64-bit format.
Apart from that, don't set SECBIT_NO_SETUID_FIXUP when not actually
modifying capabilities explicitely, as that would result in ALL
capabilities retained in the subsequent setuid() call instead of
having them all dropped.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agouxc: mimic runc cmdline by using getopt_long
Daniel Golle [Tue, 27 Oct 2020 16:34:06 +0000 (16:34 +0000)]
uxc: mimic runc cmdline by using getopt_long

Imitate runc (or crun) cmdline parameters. This allows using uxc as
runtime with podman.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: don't fail if maskedPath cannot be found
Daniel Golle [Wed, 28 Oct 2020 13:01:52 +0000 (13:01 +0000)]
jail: don't fail if maskedPath cannot be found

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: add support for absolute root path in OCI spec
Daniel Golle [Wed, 28 Oct 2020 11:59:10 +0000 (11:59 +0000)]
jail: add support for absolute root path in OCI spec

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: relax seccomp unknown syscall handling
Daniel Golle [Wed, 28 Oct 2020 01:39:34 +0000 (01:39 +0000)]
jail: relax seccomp unknown syscall handling

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: handle mount propagation flags
Daniel Golle [Wed, 28 Oct 2020 00:30:03 +0000 (00:30 +0000)]
jail: handle mount propagation flags

Add support for propagation mount options (private, slave, shared,
unbindable, rprivate, rslave, rshared, runbindable).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: add option for pidfile
Daniel Golle [Wed, 28 Oct 2020 00:09:51 +0000 (00:09 +0000)]
jail: add option for pidfile

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: guard boolean blobmsg attributes
Daniel Golle [Tue, 27 Oct 2020 22:15:09 +0000 (22:15 +0000)]
jail: guard boolean blobmsg attributes

ujail tried to parse boolean values in config.json even if they were
not present which lead to segfaults.
Check if booleans are actually present before trying to parse them.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agoujail: elf: work around GCC bug on MIPS64
Daniel Golle [Thu, 22 Oct 2020 21:59:14 +0000 (22:59 +0100)]
ujail: elf: work around GCC bug on MIPS64

Work-around gcc bug which leads to segfault parsing ELF on MIPS64.
The codepath added in this commit gets triggered when parsing
/lib/ld-musl-mips64-sf.so.1 (a symlink to /lib/libc.so) on MIPS64
(built with gcc-8.4.0 and musl 1.1.24) in qemu-system-mips64 on the
malta/be64 target.
Include work-around outputting an error message, but preventing
segfault when building for MIPS64.

Tested-by: Roman Kuzmitskii <damex.pp@icloud.com>
[tested on edgerouter 4 and edgerouter lite]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: mount more stuff read-only
Daniel Golle [Thu, 22 Oct 2020 01:44:14 +0000 (02:44 +0100)]
jail: mount more stuff read-only

Mount /etc/resolv.conf, /etc/passwd, /etc/group and /etc/nsswitch.conf
read-only in ujail slim-containers.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: capabilities: apply in two phases
Daniel Golle [Mon, 19 Oct 2020 18:30:13 +0000 (19:30 +0100)]
jail: capabilities: apply in two phases

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: nuke old capabilities code in favour of reusing OCI code
Daniel Golle [Mon, 19 Oct 2020 16:15:11 +0000 (17:15 +0100)]
jail: nuke old capabilities code in favour of reusing OCI code

Previsously capabilities could be defined for slim-containers using
our own JSON format, only allowing to modify capabilities in the
bouding set. As apparently that was never used by even a single
package, drop that old parser and logic in favour of reusing the now
existing OCI capability handling functions.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agoinstance: actually wire up capabilities filename
Daniel Golle [Mon, 19 Oct 2020 16:50:19 +0000 (17:50 +0100)]
instance: actually wire up capabilities filename

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: adapt to new ubus socket path
Daniel Golle [Mon, 19 Oct 2020 16:00:26 +0000 (17:00 +0100)]
jail: adapt to new ubus socket path

The previous commit
3121467 ("early: run ubusd non-root as user ubus, group ubus")
changed the path of the ubus socket from /var/run/ubus.sock to
/var/run/ubus/ubus.sock. Adapt jail to also mount-bind that new
path for jails which include ubus access (eg. dnsmasq).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agoearly: run ubusd non-root as user ubus, group ubus
Daniel Golle [Mon, 19 Oct 2020 12:43:23 +0000 (13:43 +0100)]
early: run ubusd non-root as user ubus, group ubus

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agocgroups: memory controller fixes
Daniel Golle [Thu, 13 Aug 2020 00:54:21 +0000 (01:54 +0100)]
cgroups: memory controller fixes

OCI 'swap' value encodes memory+swap, make the best out of that.
Ignore 'kernel' and 'kernelTCP' values rather than returning with
error as kernel memory is accounted in the existing limits in cgroup2.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agocgroups: restrict allowed keys in 'unified' section
Daniel Golle [Thu, 13 Aug 2020 00:22:11 +0000 (01:22 +0100)]
cgroups: restrict allowed keys in 'unified' section

Prevent specifying directories by banning the use of '/' characters
and disallow some internal cgroup.* files as suggested in [1].

[1]: https://github.com/opencontainers/runtime-spec/pull/1040

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agoinitd/init: add minimal SELinux policy loading support
Thomas Petazzoni [Mon, 10 Aug 2020 01:15:20 +0000 (15:15 -1000)]
initd/init: add minimal SELinux policy loading support

In order to support SELinux in OpenWrt, this commit introduces minimal
support for loading the SELinux policy in the init code. The logic is
very much inspired from what Busybox is doing: call
selinux_init_load_policy() from libselinux, and then re-execute init
so that it runs with the SELinux policy in place and enforced.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
[fix spelling of OpenWrt]
Signed-off-by: Paul Spooren <mail@aparcar.org>
4 years agojail: fix freeing cgroups avl
Daniel Golle [Thu, 6 Aug 2020 14:34:27 +0000 (15:34 +0100)]
jail: fix freeing cgroups avl

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: only free cgroups if they were allocated
Daniel Golle [Thu, 6 Aug 2020 14:34:27 +0000 (15:34 +0100)]
jail: only free cgroups if they were allocated

Fixes segfault on shutdown with slim containers.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: parse OCI cgroups resources
Daniel Golle [Wed, 5 Aug 2020 17:37:53 +0000 (18:37 +0100)]
jail: parse OCI cgroups resources

Start pure cgroup2 implementation with emulation of (some) cgroup1
properties.
Initially support converting cpu, memory, blockIO, pids to unified in
addition to directly specifying unified attributes as suggested in
https://github.com/opencontainers/runtime-spec/pull/1040

Support for converting devices and network into BPF programs is
planned.

Now that containers have their representation in the unified cgroup
hierarchy, make sure using cgroup namespaces also produces meaningful
results.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agoinstance: add instances into unified cgroup hierarchy
Daniel Golle [Wed, 5 Aug 2020 13:36:44 +0000 (14:36 +0100)]
instance: add instances into unified cgroup hierarchy

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
Daniel Golle [Tue, 4 Aug 2020 00:55:40 +0000 (01:55 +0100)]
jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: use pidns semantics also for timens
Daniel Golle [Sun, 2 Aug 2020 18:25:29 +0000 (19:25 +0100)]
jail: use pidns semantics also for timens

Just like pidns, timens is also only applied to children forked after
the setns() call, so use the same semantics here as well when joining
an existing time namespace.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agoinitd: attempt to mount cgroup2
Daniel Golle [Wed, 29 Jul 2020 13:26:51 +0000 (14:26 +0100)]
initd: attempt to mount cgroup2

Prepare for using cgroup2 in procd and ujail.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agoservice: add method to query available container features
Daniel Golle [Wed, 29 Jul 2020 12:49:38 +0000 (13:49 +0100)]
service: add method to query available container features

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agouxc: remove debugging left-over
Daniel Golle [Thu, 30 Jul 2020 11:58:42 +0000 (12:58 +0100)]
uxc: remove debugging left-over

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agoinstance: make sure values are not inherited from previous runs
Daniel Golle [Wed, 29 Jul 2020 21:17:05 +0000 (22:17 +0100)]
instance: make sure values are not inherited from previous runs

Code to update and move instance attributes has been neglected when
new instance and jail options were added.
Add the ones which were missing.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agouxc: use new container.%s kill ubus API
Daniel Golle [Tue, 28 Jul 2020 23:41:32 +0000 (00:41 +0100)]
uxc: use new container.%s kill ubus API

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4 years agojail: add 'kill' method to container.%s object
Daniel Golle [Tue, 28 Jul 2020 23:36:19 +0000 (00:36 +0100)]
jail: add 'kill' method to container.%s object

Using the the current container signal method to send a signal to the
jailed process works fine, as signals are being forwarded by the
ujail parent process. However, in case of KILL (==9) signal, both,
parent and jailed process are killed immediately which results in the
'poststop' OCI hook being skipped.
Add new 'kill' method to ujail's container object to allow sending
signals to the jailed process directly instead of having to send
signals to the parent.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>