Nathan Hintz [Fri, 29 Dec 2017 04:48:26 +0000 (04:48 +0000)]
procd: initd: fix path allocation in early_insmod
Noticed that /tmp was not being created on /dev/zram0. This was on
ixp4xx (nslu2) using GCC 6.3 and musl.
The allocation should be using the length of the passed string
(module path), not the size of the pointer to the string.
Signed-off-by: Nathan Hintz <nlhintz@hotmail.com>
Rosen Penev [Tue, 7 Nov 2017 20:05:12 +0000 (12:05 -0800)]
procd: Remove unnecessary memset calls.
Changes allocation to calloc and {} as needed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Pierre Lebleu [Fri, 10 Nov 2017 10:04:47 +0000 (11:04 +0100)]
service: add data within the service itself
It gives the ability to create firewall data within the
service itself.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
Pierre Lebleu [Fri, 10 Nov 2017 09:59:35 +0000 (10:59 +0100)]
service: fix calls to blobmsg_parse()
We should use blobmsg_data() rather than blob_data() and
blobmsg_data_len() rather than blob_len().
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
John Crispin [Mon, 6 Nov 2017 07:39:09 +0000 (08:39 +0100)]
procd: lower the logging threshold
Signed-off-by: John Crispin <john@phrozen.org>
Michal Sojka [Fri, 3 Nov 2017 21:31:41 +0000 (22:31 +0100)]
service: Start services normally when seccomp is disabled
When service init file declares seccomp support (procd_set_param seccomp),
but procd is compiled without seccomp support, the service should be
started normally, because seccomp-trace and utrace are not available.
Older procd versions decided about whether to start a service in
seccomp sandbox or not based on existence of seccomp whitelist in the
filesystem. This was recently removed (
c8faedc "Do not disable seccomp
when configuration is not found", 2017-09-12) because it could be easy
for attackers to disable seccomp support. This changes is a follow-up
to the mentioned commit. With it, procd decides about whether to use
seccomp sandbox based only on compile-time configuration.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Tested-by: Hans Dedecker <dedeckeh@gmail.com>
John Crispin [Thu, 26 Oct 2017 07:39:52 +0000 (09:39 +0200)]
procd: add missing new lines inside debug code
Signed-off-by: John Crispin <john@phrozen.org>
Pierre Lebleu [Wed, 25 Oct 2017 15:43:16 +0000 (17:43 +0200)]
service: fix service_handle_event array
The array concerning the "config.change" is __VALIDATE_MAX length,
not __DATA_MAX length.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
pme.lebleu@gmail.com [Wed, 4 Oct 2017 11:14:16 +0000 (13:14 +0200)]
service: fix SERVICE_ATTR_NAME usage in service_handle_set
The SERVICE_SET_NAME belongs to enum SERVICE_SET_XXXX, not SERVICE_ATTR_NAME.
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
Karl Palsson [Mon, 25 Sep 2017 12:28:16 +0000 (12:28 +0000)]
instance: properly compare and reload respawn config
respawn configuration variables were not checked for changes, and were
not copied to new instances.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Michal Sojka [Wed, 27 Sep 2017 08:59:54 +0000 (10:59 +0200)]
utrace: Start the tracee only after uloop initialization
Without this, early ptrace stops can be missed because they can happen
before the call to uloop_init().
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:49 +0000 (13:12 +0200)]
utrace: Switch all logging to ulog
This unifies all logs messages produced by utrace and removes
duplicated functionality.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Sun, 24 Sep 2017 14:38:21 +0000 (16:38 +0200)]
utrace: Support non-contiguous syscall numbers
ARM architecture does not have its system call numbers contiguous. So
far, utrace ignored the non-contiguous system calls, but it makes it
difficult to setup seccomp whitelists. This patch adds support for
these extra out-of-range syscalls.
It extends the generated file syscall_names.h to include a few
functions. Now, for ARM this file looks like:
#include <asm/unistd.h>
static const char *__syscall_names[] = {
[280] = "waitid",
[148] = "fdatasync",
...
[252] = "epoll_wait",
[74] = "sethostname",
};
static inline const char *syscall_name(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return __syscall_names[i];
switch (i) {
case 0x0f0001: return "breakpoint";
case 0x0f0003: return "usr26";
case 0x0f0004: return "usr32";
case 0x0f0005: return "set_tls";
case 0x0f0002: return "cacheflush";
default: return (void*)0;
}
}
static inline int syscall_index(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return i;
switch (i) {
case 0x0f0001: return ARRAY_SIZE(__syscall_names) + 0;
case 0x0f0003: return ARRAY_SIZE(__syscall_names) + 1;
case 0x0f0004: return ARRAY_SIZE(__syscall_names) + 2;
case 0x0f0005: return ARRAY_SIZE(__syscall_names) + 3;
case 0x0f0002: return ARRAY_SIZE(__syscall_names) + 4;
default: return -1;
}
}
static inline int syscall_index_to_number(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return i;
switch (i) {
case ARRAY_SIZE(__syscall_names) + 0: return 0x0f0001;
case ARRAY_SIZE(__syscall_names) + 1: return 0x0f0003;
case ARRAY_SIZE(__syscall_names) + 2: return 0x0f0004;
case ARRAY_SIZE(__syscall_names) + 3: return 0x0f0005;
case ARRAY_SIZE(__syscall_names) + 4: return 0x0f0002;
default: return -1;
}
}
#define SYSCALL_COUNT (ARRAY_SIZE(__syscall_names) + 5)
For x86, which does not have extra syscalls, the file looks this way:
#include <asm/unistd.h>
static const char *__syscall_names[] = {
[247] = "waitid",
[75] = "fdatasync",
...
[232] = "epoll_wait",
[170] = "sethostname",
};
static inline const char *syscall_name(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return __syscall_names[i];
switch (i) {
default: return (void*)0;
}
}
static inline int syscall_index(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return i;
switch (i) {
default: return -1;
}
}
static inline int syscall_index_to_number(unsigned i) {
if (i < ARRAY_SIZE(__syscall_names))
return i;
switch (i) {
default: return -1;
}
}
#define SYSCALL_COUNT (ARRAY_SIZE(__syscall_names) + 0)
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:47 +0000 (13:12 +0200)]
utrace: Forward SIGTERM to the traced process
When a service is started with "/etc/init.d/<service> trace" or when
it has seccomp enabled (i.e. runs under seccomp-trace), stopping the
service with "/etc/init.d/<service> stop" stops only the tracer. The
service itself continue executing. This patch ensures that the service
is terminated as well.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:46 +0000 (13:12 +0200)]
utrace: Report ptrace errors
Michal Sojka [Tue, 12 Sep 2017 11:12:45 +0000 (13:12 +0200)]
seccomp: Improve error message
Print "SECCOMP_FILE not specified" instead of "failed to load (null)".
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:44 +0000 (13:12 +0200)]
preload-seccomp: Use proper log level for error messages
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:43 +0000 (13:12 +0200)]
Start seccomp-enabled services via seccomp-trace
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Sun, 24 Sep 2017 22:56:33 +0000 (00:56 +0200)]
seccomp: Log seccomp violations with utrace
Older kernel version shipped by LEDE/OpenWrt contained patch
target/linux/generic/patches-3.18/999-seccomp_log.patch that logged
seccomp violations. For some reason, newer kernels do not have this
patch. Without this kind of logging, it is very hard to setup seccomp
whitelist properly, so this commit modifies utrace to serve as a
logger for seccomp violations.
With this patch, when utrace is executed via seccomp-trace symlink, it
does not trace normal syscalls but only seccomp violations and logs
them to syslog. For example:
seccomp-trace: uci[3955] tried to call non-whitelisted syscall: ftruncate64 (see /etc/seccomp/myservice.json)
Compared to the kernel-based logging, this approach gives users more
information - which json whitelist needs to be extended. This is
especially useful for services, which fork many diverse children such
as shell scripts.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:41 +0000 (13:12 +0200)]
utrace: Use PTHREAD_SEIZE instead of PTHREAD_TRACEME
This makes it easier to handle initial ptrace-stops (after
fork/clone/...), because we don't need to distinguish whether SIGSTOP
is from user or from ptrace. Also execve() does not deliver an extra
SIGTRAP, which we would have to handle.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:40 +0000 (13:12 +0200)]
utrace: Deliver signals to traced processes
Without this change, traced processes do not receive any signal,
because all the signals are "eaten" by the tracer.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:39 +0000 (13:12 +0200)]
utrace: Support tracing multi-threaded processes and vfork
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:38 +0000 (13:12 +0200)]
utrace: Trace processes across forks
Without this change, utrace can trace only a single process. When the
process forks, syscalls of its children do not appear in utrace
output. This is a problem, because seccomp filters are inherited by
children and therefore filters generated by utrace may lack legitimate
syscalls.
This commit enables utrace to trace processes across forks. The
functionality can be demonstrated by the following examples:
utrace /bin/touch /tmp/xxx
produces:
{
"whitelist": [
"rt_sigaction",
"rt_sigreturn",
"exit",
"getuid",
"exit_group",
"utimensat"
],
"policy": 1
}
The command:
utrace /bin/sh -c 'touch /tmp/xxx'
without this commit produces:
{
"whitelist": [
"stat",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"getpid",
"fork",
"exit",
"wait4",
"uname",
"getcwd",
"getuid",
"getppid",
"exit_group"
],
"policy": 1
}
but with this commit, the output is the following:
{
"whitelist": [
"read",
"open",
"close",
"stat",
"fstat",
"mmap",
"mprotect",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"getpid",
"fork",
"execve",
"exit",
"wait4",
"uname",
"fcntl",
"getcwd",
"getuid",
"getppid",
"arch_prctl",
"gettid",
"set_tid_address",
"exit_group",
"utimensat"
],
"policy": 1
}
Note that in addition to utimensat syscall from touch, this output
contains more syscalls than what is in the union of single-process sh
and touch traces. The reason is that single-process traces do not
include syscalls from dynamic linker (due to preload trick), but the
trace of forked processes includes the dynamic linker syscalls. This
is unavoidable, because dynamic linker of the forked processes will be
subject to seccomp filters of the parent process.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:37 +0000 (13:12 +0200)]
utrace: Sort syscalls by number of invocations
seccomp and service jailing announce email [1] mentioned that "utrace
tool will sort the syscalls by the number of invocations". The code
did not do that until this commit.
[1] https://lists.openwrt.org/pipermail/openwrt-devel/2015-March/032197.html
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:36 +0000 (13:12 +0200)]
Update trace attribute
When a service is started for the first time without trace
attribute (e.g. during boot), then it was impossible to restart it in
tracing mode (/etc/init.d/service trace). This is fixed here.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:35 +0000 (13:12 +0200)]
Do not disable seccomp when configuration is not found
Previously, when seccomp configuration file for a service was not
found, the service was started without seccomp. I consider this
potential attack vector.
With this change, procd starts the service as if the configuration
existed but the service fails in libpreload-seccomp.so, because the
configuration cannot be loaded. This is announced in the syslog.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:34 +0000 (13:12 +0200)]
utrace: Fix off-by-one errors
This fixes two errors:
1) memcpy() copies envc elements starting from index 1, so the number
of elements in target array should be envc + 1. But only envc was
allocated.
2) If original environment envp is empty, i.e. it contains only a NULL
element, the while loop misses it.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Tue, 12 Sep 2017 11:12:33 +0000 (13:12 +0200)]
utrace: Fix environment initialization
We want to copy the existing environment instead of the new one to
itself. Other bugs in this code are fixed in the next commit.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
John Crispin [Tue, 22 Aug 2017 14:43:54 +0000 (16:43 +0200)]
procd: send ubus notify when a config file has changed
Signed-off-by: John Crispin <john@phrozen.org>
Hans Dedecker [Tue, 8 Aug 2017 07:49:26 +0000 (09:49 +0200)]
watchdog: fix inline watchdog_get_magicclose function prototype
Fix procd compilation issue which occurs when DISABLE_INIT is set as the
inline watchdog_get_magicclose function prototype was wrong.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Michal Sojka [Thu, 6 Jul 2017 20:25:16 +0000 (22:25 +0200)]
procd: Do not leak pipe file descriptors to children
Without this change, a process started by procd can have access to
stdout/err of processes started by procd before.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Matthias Schiffer [Thu, 20 Jul 2017 19:35:14 +0000 (21:35 +0200)]
system: return ubus error when sysupgrade_exec_upgraded() has failed
When sysupgrade_exec_upgraded() is successful, it will replace procd with
upgraded, so it won't ever return (making the ubus call hang forever, which
is fine as stage2 will kill all processes anyways).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Florian Fainelli [Sat, 15 Jul 2017 17:59:51 +0000 (10:59 -0700)]
upgraded: Check chroot() return value
Check the chroot() return value, fixes unused return value warnings/errors:
procd-2017-06-22-
e5e99c46/upgraded/upgraded.c:78:8: error: ignoring return
value of 'chroot', declared with attribute warn_unused_result
[-Werror=unused-result] chroot(".");
Fixes: 056d8ddda8d5 ("upgraded: link dynamically, chroot during exec")
Reviewed-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Florian Fainelli [Sat, 15 Jul 2017 17:51:20 +0000 (10:51 -0700)]
init: Check chroot return value in sysupgrade_exec_upgraded()
chroot() can fail and its return value should be checked against, in that case
do an exit() since this is a fatal condition that we cannot recover from.
Fixes: 63789e51ed91 ("init: add support for sysupgrades triggered from preinit")
Reviewed-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Matthias Schiffer [Thu, 13 Jul 2017 11:18:00 +0000 (13:18 +0200)]
upgraded: improve error handling
* exit with code 1 instead of unusual -1 in the parent process
* exit using _exit() when child exec fails
* fix fork/exec error messages
* only uloop_run() after successful child fork (uloop_end() before
uloop_run() doesn't have any effect, so uloop_run() would hang forever)
* minor code cleanup
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Wed, 12 Jul 2017 22:04:49 +0000 (00:04 +0200)]
upgraded: register stage2 process in uloop as intended
Make the process callback effective, so an exit of state2 will trigger a
reboot.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Hans Dedecker [Mon, 19 Jun 2017 09:14:27 +0000 (11:14 +0200)]
watchdog: add support for starting/stopping kernel watchdog
Extend the ubus watchdog cmd with the parameter magicclose; when set and
in case the stopped parameter is enabled the kernel watchdog will be stopped
by first sending the magic character 'V' followed by a close of the watchdog
fd. In case stopped is set to disabled the watchdog fd will be created again.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: John Crispin <john@phrozen.org>
Daniel Golle [Sun, 18 Jun 2017 22:53:00 +0000 (00:53 +0200)]
system: introduce new attribute board_name
Instead of modifying the already defined 'model' attribute rather
introduce a new attribute board_name to return either
/tmp/sysinfo/board_name or /proc/device-tree/compatible.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Hans Dedecker [Fri, 16 Jun 2017 14:09:01 +0000 (16:09 +0200)]
preinit: define _GNU_SOURCE
In uClibc getdelim is only defined if _GNU_SOURCE is defined; fix
compilation issue by defining _GNU_SOURCE
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Florian Fainelli [Wed, 31 May 2017 21:00:34 +0000 (14:00 -0700)]
upgraded: cmake: Find and include uloop.h
Add a CMake FIND_PATH and INCLUDE_DIRECTORIES searching for
libubox/uloop.h. Some external toolchains which do not include standard
locations would fail to find the header otherwise.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Alexander Couzens [Sun, 11 Jun 2017 09:52:47 +0000 (11:52 +0200)]
hotplug: fix a memory leak in handle_button_complete()
Found-by: Coverity Scan #1412460
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Alexander Couzens [Sun, 11 Jun 2017 09:49:00 +0000 (11:49 +0200)]
service/service_stopped(): fix a use-after-free
Found-by: Coverity Scan #1412548
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Daniel Golle [Thu, 8 Jun 2017 20:21:27 +0000 (22:21 +0200)]
system: return legacy board name
The system board call returns the verbose model string instead of the
board name. Unfortunately we have not yet estabkushed clear convention
regarding device-tree 'compatible' or 'model' property and sysupgrade
image name (same accounts for scraping /proc/cpuinfo on legacy
targets). This is odd as the idea was to return information needed to
identify the right sysupgrade image. On most targets we got a large
shell-script which translates either /proc/cpuinfo or the 'model'
property back into the board name used here. Hence
/tmp/sysinfo/board_name should be returned instead of
/tmp/sysinfo/model for the board ubus call as well.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Matthias Schiffer [Tue, 30 May 2017 05:23:57 +0000 (07:23 +0200)]
upgraded: define __GNU_SOURCE
It is required on non-musl libcs for O_DIRECTORY.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Mon, 29 May 2017 21:39:53 +0000 (23:39 +0200)]
rcS: add missing fcntl.h include
Fixes: d42b21ed9305 "procd/rcS: Use /dev/null as stdin"
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sun, 23 Apr 2017 22:40:27 +0000 (00:40 +0200)]
init: add support for sysupgrades triggered from preinit
This will allow to add support for sysupgrades via upgraded from failsafe
mode.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sun, 23 Apr 2017 17:06:12 +0000 (19:06 +0200)]
Remove code that has become unnecessary after sysupgrade changes
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sun, 23 Apr 2017 17:04:25 +0000 (19:04 +0200)]
upgraded: add support for passing a "command" argument to stage2
This allows us to make use of upgraded in "snapshot convert" as well.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Sun, 23 Apr 2017 00:28:13 +0000 (02:28 +0200)]
upgraded: link dynamically, chroot during exec
The chroot ensures we don't reference anything on the rootfs and is
reverted after the upgraded exec. While we're at it, also improve error
handling a bit.
This change also required changes to sysupgrade, as the dynamically linked
version is expected at a different location, and libraries need to be made
available.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Matthias Schiffer [Fri, 21 Apr 2017 18:06:59 +0000 (20:06 +0200)]
system: always support staged sysupgrade
In preparation for switching all targets to the staged sysupgrade
mechanism, upgraded is always built, and the "nandupgrade" ubus method is
renamed to "sysupgrade".
To make the migration easier, support for the old name "nandupgrade" and
the "upgrade" method that will become unused with the staged sysupgrade is
retained for now.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Michal Sojka [Sun, 30 Apr 2017 07:51:20 +0000 (09:51 +0200)]
procd/rcS: Use /dev/null as stdin
This change ensures that /etc/init.d/* scripts are started with
/dev/null as stdin. This is useful in cases where an init.d script
reads (e.g. by mistake) from stdin, which a user can perceive as if
some characters typed into shell on serial console are "eaten" by
something else (i.e. by the init.d script running on background). This
is very annoying, because each character needs to be pressed several
times before it appears on the screen.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
John Crispin [Wed, 5 Apr 2017 06:58:22 +0000 (08:58 +0200)]
service/instance: add an auto start option
this allows us to register services with procd but not auto start them. An
additional ubus call is required to start the service.
Signed-off-by: John Crispin <john@phrozen.org>
Michal Sojka [Sat, 11 Mar 2017 00:48:16 +0000 (01:48 +0100)]
procd: Log initscript output prefixed with script name
It helps with debugging of initscript problems.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Sun, 12 Mar 2017 01:11:39 +0000 (02:11 +0100)]
procd: Don't use syslog before its initialization
When procd starts a rcS script, it captures its stdout and stderr and
logs them via syslog(). The problem with that is that the rest of
procd code uses ulog rather than syslog() directly and ulog_open()
doesn't call openlog() immediately, but only after something is logged
with ulog(). This lazy calling of openlog() can result in the
following unwanted behavior:
1) When rcS's stdout/err is logged via syslog(), the log identifier is
not set yet (due to openlog() not called) and so the log message
lacks information about source.
2) procd can also log stdout/err from services. When a message from a
service needs to be logged, ulog_open() is called to change the log
identifier to match the service name/PID. After logging the service
messages, ulog_open() is called again the change the identifier
back to "procd". The lazy call to openlog() means that the messages
logged directly with syslog() will be logged with the
identification of the previously logged service and not of the rcS
script that produced the message.
Both problems are fixed by replacing direct call to syslog() with
ULOG_NOTE, which automatically calls openlog() if needed.
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Michal Sojka [Sat, 11 Mar 2017 00:48:14 +0000 (01:48 +0100)]
procd: Add missing \n in debug message
Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
Alin Năstac [Mon, 27 Feb 2017 09:08:34 +0000 (10:08 +0100)]
procd: service gets deleted when its last instance is freed
This fixes the following regression introduced in commit
961dc692aff7457f874bce61f8e766514edcf794:
1) reboot using the following configuration
root@OpenWrt:~# uci show system.ntp
system.ntp=timeserver
system.ntp.enable_server='0'
system.ntp.use_dhcp='1'
system.ntp.dhcp_interface='wan'
root@OpenWrt:~# uci show network.wan
network.wan=interface
network.wan.proto='dhcp'
network.wan.ifname='eth4'
network.wan.reqopts='1 3 6 15 33 42 51 121 249'
2) if obtained DHCP lease has an option 42 sysntpd service will have an
instance
3) run "ifup wan"
4) although the same DHCP lease was obtained, sysntpd would be stopped
Because sysntpd service is deleted when last instance is freed, its triggers
will also be released. Without these triggers in place, sysntpd will not be
reloaded when a new DHCP lease containing option 42 will be received.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Nathan Hintz [Mon, 20 Feb 2017 20:39:11 +0000 (20:39 +0000)]
procd: update modprobe path
Commit
81aeba9b7f619ee1af1a64f355ae8001fa147d03 in LEDE source.git moved
modprobe to the "/sbin" directory. Update procd with the new path.
Signed-off-by: Nathan Hintz <nlhintz@hotmail.com>
Jurgen Van Ham [Fri, 10 Feb 2017 06:55:23 +0000 (07:55 +0100)]
procd: add cancel_timeout on rc scripts when a runtime_timeout is specified
Enable procd to restrict the execution time of a rc scripts during shutdown, even
when a script ignores the SIGTERM signal by insisting after 10s with a SIGKILL.
Signed-off-by: Jurgen Van Ham <juvanham.tc@gmail.com>
Alin Năstac [Thu, 9 Feb 2017 10:02:53 +0000 (11:02 +0100)]
procd: stop service using SIGKILL if SIGTERM failed to do so
SIGKILL is sent if instance process is still running after
<term_timeout> seconds after SIGTERM has been sent. To prevent
another daemon process being launched before old process dies,
the instance is kept until SIGCHLD confirms that service has
been stopped.
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Felix Fietkau [Sat, 11 Feb 2017 14:43:36 +0000 (15:43 +0100)]
add missing includes
Including sys/sysmacros.h is now necessary for makedev() on glibc 2.25.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
John Crispin [Wed, 8 Feb 2017 11:02:10 +0000 (12:02 +0100)]
ujail: fix signal forwarding
Signed-off-by: John Crispin <john@phrozen.org>
Matthias Schiffer [Thu, 26 Jan 2017 11:56:24 +0000 (12:56 +0100)]
init: fix /tmp permissions on zram
mkfs.ext4 will create the filesystem with 755, we need to chmod to 1777
explicitly.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Etienne CHAMPETIER [Fri, 30 Dec 2016 02:08:58 +0000 (18:08 -0800)]
ujail: add basic /dev files
This adds
/dev/full
/dev/null
/dev/urandom
/dev/zero
in every jail (not having them only allow subtle bugs)
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Jo-Philipp Wich [Tue, 13 Dec 2016 16:27:13 +0000 (17:27 +0100)]
service: add reload_signal property
Introduce a new optional property "reload_signal" which - if set - instructs
procd to not terminate and restart supervised processes upon changes, but to
send them a kill() signal instead.
This is useful for services which fully support native config reload upon
receipt of a signal.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 13 Dec 2016 15:26:03 +0000 (16:26 +0100)]
hotplug: fix uninitialized variable
Commit
e999ab7 (hotplug: Check chown return value) introduced a new variable
"ret" which is not explicitely initialized, leading to the following compile
error:
hotplug.c:155:18: error: 'ret' may be used uninitialized in this function [-Werror=maybe-uninitialized]
if (!g || ret < 0)
^
cc1: all warnings being treated as errors
Explicitely initialize it to zero to avoid that problem.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 13 Dec 2016 15:21:29 +0000 (16:21 +0100)]
service: add service.signal ubus call
Add a service.signal call to allow sending kill() signals to a service.
The default signal sent to services is SIGHUP and may be overridden by a
numerical signal value using the signal parameter.
The optional instance argument allows restricting the signal delivery to one
specific instance. If omitted, the signal is sent to all instances.
Acked-by: John Crispin <john@phrozen.org>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Felix Fietkau [Mon, 5 Dec 2016 17:16:47 +0000 (18:16 +0100)]
trace: use the cloned environment pointer
Fixes an issue where it would overwrite the first environment variable
with the preload one
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Rosen Penev [Sun, 4 Dec 2016 04:39:42 +0000 (20:39 -0800)]
procd: Fix memory leaks found by cppcheck
Signed-off by: Rosen Penev <rosenp@gmail.com>
Florian Fainelli [Sat, 3 Dec 2016 17:32:21 +0000 (09:32 -0800)]
hotplug: Check chown return value
Fixes:
plug/hotplug.c:152:10: error: ignoring return value of 'chown', declared with attribute warn_unused_result [-Werror=unused-result]
chown(blobmsg_get_string(tb[0]), 0, g->gr_gid);
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Felix Fietkau [Fri, 2 Dec 2016 12:52:57 +0000 (13:52 +0100)]
ujail: send SIGKILL to jail process if SIGTERM fails
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Wed, 19 Oct 2016 12:09:10 +0000 (14:09 +0200)]
service: do not restart instances if data changes
Drop in->data from instance_config_changed() checks.
So far, procd_open_data is always used in places for passing data to
other services, not for triggering restarts on specific changes.
With this change it is possible to use this behavior more explicitly
while avoiding unnecessary restarts
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Wed, 19 Oct 2016 12:08:03 +0000 (14:08 +0200)]
service: make instance_update() void and unconditionally replace config on update
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Wed, 19 Oct 2016 11:54:51 +0000 (13:54 +0200)]
service: add support for instances without command
This can be useful for maintaining active procd data for use in other
services, even when no helper process is active.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Zefir Kurtisi [Thu, 13 Oct 2016 15:40:38 +0000 (17:40 +0200)]
procd: fix build when DEBUG is set
There is a collision between the DEBUG set in the CMake file as
flag and the macro defined in log.h, resulting in build error:
In file included from ./procd/initd/init.h:19:0,
from ./procd/initd/init.c:33:
./procd/initd/../log.h:20:0: error: "DEBUG" redefined [-Werror]
#define DEBUG(level, fmt, ...) do { \
^
<command-line>:0:0: note: this is the location of the previous definition
cc1: all warnings being treated as errors
This patch fixes the issue by renaming the build flag to
UDEV_DEBUG (since it is only used in udevtrigger).
Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Zefir Kurtisi [Thu, 13 Oct 2016 14:50:56 +0000 (16:50 +0200)]
procd: fire events at instance respawn and failure
In addition to the existing 'start' and 'stop',
this commit adds 'respawn' and 'fail' events
to allow system monitors to detect and handle
unstable processes.
Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
John Crispin [Tue, 27 Sep 2016 16:09:52 +0000 (18:09 +0200)]
add late variant of respawn and askconsole
Signed-off-by: John Crispin <john@phrozen.org>
John Crispin [Tue, 27 Sep 2016 15:19:55 +0000 (17:19 +0200)]
fixes a copy paste error in the service ubus binding
Signed-off-by: John Crispin <john@phrozen.org>
Hans Dedecker [Fri, 12 Aug 2016 08:27:54 +0000 (10:27 +0200)]
procd: uClibc O_PATH backwards compatibility fixes
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Felix Fietkau [Fri, 29 Jul 2016 11:52:38 +0000 (13:52 +0200)]
trigger: rework timeout handling and command queueing
Instead of queueing the full json_script, only queue actual script calls
issued by it. This fixes a long standing issue where trigger events were
dropped, triggered by the following scenario:
- Set up a trigger with timeout and condition check in the script.
- Fire an event that matches the condition.
- Fire another event that does not match the condition.
This series of events will fire the delay timer of the trigger, but the
second event will replace the trigger event data. When the timer
expires, the json_script is run, but no script call is issued
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Fri, 29 Jul 2016 10:03:50 +0000 (12:03 +0200)]
trigger: replace trigger_init() with static runqueue initialization
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Fri, 29 Jul 2016 09:55:01 +0000 (11:55 +0200)]
trigger: remove unnecessary runqueue empty callback
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Fri, 29 Jul 2016 09:04:30 +0000 (11:04 +0200)]
trigger: reduce indentation level in trigger_event()
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Jurgen Van Ham [Fri, 15 Jul 2016 10:34:52 +0000 (12:34 +0200)]
procd: remove instance_removepid call from instance_stop
It is already called from instance_exit when the instance is stopped
Signed-off-by: Jurgen Van Ham <juvanham.tc@gmail.com>
Rafał Miłecki [Wed, 6 Jul 2016 11:55:48 +0000 (13:55 +0200)]
system: add reboot method to system ubus object
Sometimes, for various reasons, user may want to reboot a device. This
is a common task and it makes sense to support it with something common
like a procd.
Right now both: LuCI and LuCI2 implement this feature on their own with
luci-rpc-luci2-system reboot and luci-rpc-sys reboot. This leads to code
duplication and situation may become even worse with more software
controlling system with ubus.
Othen than that procd already has support for rebooting so one may
consider this ubus method even cleaner.
Once we get this patch in place we may consider switching LuCI and LuCI2
to this new method.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Rafał Miłecki [Tue, 5 Jul 2016 13:40:56 +0000 (15:40 +0200)]
system: fix localtime value in ubus info method output
Function mktime respects current time zone and calling it results in
converting time back to the UTC. It means we were never returning a
time for local zone but GMT one.
The easiest solution is to use tm_gmtoff from struct tm. Unfortunately
this isn't part of POSIX but it seems to be the best idea anyway.
Alternative (worse?) solutions:
1) Use timegm that is nonstandard GNU extension
2) Work with TZ env (getenv & (un)setenv) that is not thread-safe
3) Use timegm (next to localtime) and implement function comparing two
struct tm. This is what glibc does internally (tm_diff) when compiled
without HAVE_TM_GMTOFF.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Jurgen Van Ham [Tue, 5 Jul 2016 07:57:18 +0000 (09:57 +0200)]
procd: remove pidfile after unexpected termination without respawn
When procd detects a daemon halts and it is not configured to
be respawned, the pidfile has to be removed.
Signed-off-by: Jurgen Van Ham <juvanham.tc@gmail.com>
Florian Fainelli [Fri, 1 Jul 2016 23:05:52 +0000 (16:05 -0700)]
cmake: Find libubox/uloop.h
Add a CMake FIND_PATH and INCLUDE_DIRECTORIES searching for
libubox/uloop.h. Some external toolchains which do not include standard
locations would fail to find the header otherwise.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
John Crispin [Thu, 16 Jun 2016 09:49:04 +0000 (11:49 +0200)]
hotplug: makedev should be able to set the group of a device node
Signed-off-by: John Crispin <john@phrozen.org>
Etienne CHAMPETIER [Thu, 16 Jun 2016 08:09:15 +0000 (08:09 +0000)]
make /var/{run, lock, state} not world writable (0755)
since commit
be950c5e56b86509e1e237931d0ac8203372be82 (09/03/2013)
/var/{run,lock,state} are world writable (0777) which is a security issue
before that they were created by /etc/init.d/boot with normal
permissions (0755), so revert to that state
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Etienne CHAMPETIER [Wed, 1 Jun 2016 20:54:06 +0000 (20:54 +0000)]
jail: don't always CLONE_NEWUTS
no -h => no CLONE_NEWUTS
-h "" => CLONE_NEWUTS
-h "newjailhostname" => CLONE_NEWUTS + sethostname
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Etienne CHAMPETIER [Sun, 29 May 2016 23:39:17 +0000 (23:39 +0000)]
jail: ensure mounts are not MS_SHARED to avoid pivot_root() failure
By default mounts are MS_PRIVATE (kernel default) but systemd
decided to make it MS_SHARED by default since v188
https://github.com/systemd/systemd/commit/
b3ac5f8cb98757416d8660023d6564a7c411f0a0
This patch fixes ujail on systemd distro (useful for development at least).
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Etienne CHAMPETIER [Sun, 29 May 2016 23:39:16 +0000 (23:39 +0000)]
jail: improve some logs
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Etienne CHAMPETIER [Sun, 29 May 2016 23:39:15 +0000 (23:39 +0000)]
jail: don't include capabilities config (-C) inside the jail
Removing capabilities from the capability bounding set doesn't change
the capability effective set, so we can "drop capabilities" before we
build the jail fs, so we don't need to include the capabilities config
file into the jail.
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Etienne CHAMPETIER [Sun, 29 May 2016 23:39:14 +0000 (23:39 +0000)]
jail: call build_envp() just before execve()
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Etienne CHAMPETIER [Sun, 29 May 2016 23:39:13 +0000 (23:39 +0000)]
jail: regroup add_path_and_deps() calls
we are already calling add_path_and_deps() while parsing -r/-w options,
so move the 2 remaining calls into main()
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Etienne CHAMPETIER [Sun, 29 May 2016 23:39:12 +0000 (23:39 +0000)]
jail: call chdir(/) after pivot_root()
pivot_root(2) man page recommend calling chdir(/), so do it
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Alexey Brodkin [Mon, 23 May 2016 17:57:28 +0000 (20:57 +0300)]
_GNU_SOURCE should be defined for building vs uClibc
In uClibc-ng O_PATH and O_DIRECTORY are only defined if _GNU_SOURCE is
defined.
So explicitly define _GNU_SOURCE in sources that use O_PATH and
O_DIRECTORY.
Without that extra definition that's what happens when building procd.
utils/utils.c:
------------------------->8----------------------
.../openwrt/build_dir/target-arc_arc700_uClibc-1.0.14/procd-2016-05-19/utils/utils.c:
In function 'patch_fd':
.../openwrt/build_dir/target-arc_arc700_uClibc-1.0.14/procd-2016-05-19/utils/utils.c:168:22:
error: 'O_PATH' undeclared (first use in this function)
dfd = open("/dev", O_PATH|O_DIRECTORY);
^
.../openwrt/build_dir/target-arc_arc700_uClibc-1.0.14/procd-2016-05-19/utils/utils.c:168:22:
note: each undeclared identifier is reported only once for each function
it appears in
.../openwrt/build_dir/target-arc_arc700_uClibc-1.0.14/procd-2016-05-19/utils/utils.c:168:29:
error: 'O_DIRECTORY' undeclared (first use in this function)
dfd = open("/dev", O_PATH|O_DIRECTORY);
^
CMakeFiles/init.dir/build.make:182: recipe for target
'CMakeFiles/init.dir/utils/utils.c.o' failed
------------------------->8----------------------
inittab.c:
------------------------->8----------------------
.../openwrt/build_dir/target-arc_arc700_uClibc-1.0.14/procd-2016-05-19/inittab.c:
In function 'dev_exist':
.../openwrt/build_dir/target-arc_arc700_uClibc-1.0.14/procd-2016-05-19/inittab.c:72:21:
error: 'O_PATH' undeclared (first use in this function)
dfd = open("/dev", O_PATH|O_DIRECTORY);
^
.../git/openwrt/build_dir/target-arc_arc700_uClibc-1.0.14/procd-2016-05-19/inittab.c:72:21:
note: each undeclared identifier is reported only once for each function
it appears in
.../git/openwrt/build_dir/target-arc_arc700_uClibc-1.0.14/procd-2016-05-19/inittab.c:72:28:
error: 'O_DIRECTORY' undeclared (first use in this function)
dfd = open("/dev", O_PATH|O_DIRECTORY);
^
CMakeFiles/procd.dir/build.make:134: recipe for target
'CMakeFiles/procd.dir/inittab.c.o' failed
make[6]: *** [CMakeFiles/procd.dir/inittab.c.o] Error 1
------------------------->8----------------------
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Waldemar Brodkorb <wbx@openadk.org>
Cc: John Crispin <john@phrozen.org>
Cc: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 17 May 2016 15:42:11 +0000 (17:42 +0200)]
utils: use O_PATH when opening /dev
Use the O_PATH and O_DIRECTORY flags when opening the "/dev" path for the
subsequent openat() call to ensure that it is indeed a directory.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 17 May 2016 15:42:10 +0000 (17:42 +0200)]
inittab: use more robust dev_exist() implementation
Rework the dev_exist() function to use openat() in order to resolve the device
file relative to the "/dev" directory. Drop the now unused dev_open() function.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Tue, 17 May 2016 15:00:47 +0000 (17:00 +0200)]
initd: fix descriptor leak
Close the descriptor to /tmp/.preinit returned by creat() in order to avoid
an fd leak in the init process.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>