project/procd.git
2 years agoprocd: clean up /dev/pts mounts
Rui Salvaterra [Sun, 9 Jan 2022 23:27:28 +0000 (23:27 +0000)]
procd: clean up /dev/pts mounts

The default mode is already 600, no need to specify it. Access times are also
irrelevant.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2 years agoprocd: mount /dev with noexec
Rui Salvaterra [Sun, 9 Jan 2022 23:27:27 +0000 (23:27 +0000)]
procd: mount /dev with noexec

/dev is writable. Allowing execution inside it makes it a possible attack
vector. Kees Cook recently sent a kernel patch [1] in order to mount /dev as
noexec and nosuid for systems which rely on CONFIG_DEVTMPFS_MOUNT=y to
create/populate /dev, which isn't our case (it's procd's responsibility).

Add noexec to the /dev mount flags, since we already use nosuid (and keep the
coldplug flags symmetric, while at it). This carries the risk of breaking very
old, pre-KMS graphics drivers [2], but it shouldn't be a problem for systems
built in the last ~15 years. The vast majority of our targets doesn't have a
GPU, anyway. :)

[1] https://lore.kernel.org/all/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64/
[2] https://lore.kernel.org/all/CAPXgP12e5LpN6XVxaXOHhH=u8XXN==2reTaJDCoCk4tP4QduDQ@mail.gmail.com/

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2 years agoprocd: jail/cgroups: correctly enable "rdma" when requested
Roman Azarenko [Tue, 11 Jan 2022 15:45:51 +0000 (16:45 +0100)]
procd: jail/cgroups: correctly enable "rdma" when requested

Fixes a copy-paste error, where "pids" cgroup was enabled instead of "rdma".

Signed-off-by: Roman Azarenko <roman.azarenko@iopsys.eu>
2 years agouxc: fix two minor issues reported by Coverity
Daniel Golle [Sun, 26 Dec 2021 12:06:38 +0000 (12:06 +0000)]
uxc: fix two minor issues reported by Coverity

Fixes CID 1496022 (UNINIT) and CID 1496023 (RESOURCE_LEAK).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2 years agouxc: usage message cosmetics
Daniel Golle [Mon, 20 Dec 2021 02:28:07 +0000 (02:28 +0000)]
uxc: usage message cosmetics

Fix tabs in usage message.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2 years agoremove ujail-console
Daniel Golle [Mon, 20 Dec 2021 01:44:41 +0000 (01:44 +0000)]
remove ujail-console

ujail-console is now integrated in uxc.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2 years agouxc: integrate console into uxc
Daniel Golle [Sun, 19 Dec 2021 22:38:16 +0000 (22:38 +0000)]
uxc: integrate console into uxc

Prepare to get rid of ujail-console by integrating console features
into uxc.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2 years agouxc: consider uvol and etc location for configurations
Daniel Golle [Sun, 19 Dec 2021 19:56:14 +0000 (19:56 +0000)]
uxc: consider uvol and etc location for configurations

Rather than switching to consider only uvol location for configuration
files once that path is existing, consider both locations.
Plus some small style fixes here and there while at it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2 years agojail: make sure jailed process is terminated
Daniel Golle [Fri, 10 Dec 2021 13:48:59 +0000 (13:48 +0000)]
jail: make sure jailed process is terminated

Don't ever send SIGKILL to ujail, as that will kill ujail but not the
jailed process.
Instead, let ujail send SIGKILL in case of SIGTERM not succeeding after
the term_timeout which procd now passes down to ujail.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: service_stop_all: also kill inittab actions
Daniel Golle [Tue, 16 Nov 2021 03:06:36 +0000 (03:06 +0000)]
procd: service_stop_all: also kill inittab actions

Also send SIGKILL to all actions spawned by inittab.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: add full service shutdown prior to sysupgrade
John Crispin [Fri, 12 Nov 2021 18:59:29 +0000 (19:59 +0100)]
procd: add full service shutdown prior to sysupgrade

Currently OpenWrt will use the kill loop in stage2 to stop tasks. This can
fail as seen with wpa_supplicant not properly shutting down with certain
mesh configurations. Trigger the existing service_stop() code path for all
services just before exec'ing to upgraded.

Signed-off-by: John Crispin <john@phrozen.org>
[make use of *_safe function now introduced for that purpose, also stop
container instances]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoservice: move jail parsing to end of instance parser
Daniel Golle [Sat, 20 Nov 2021 16:13:23 +0000 (16:13 +0000)]
service: move jail parsing to end of instance parser

Generating parameters for ujail assumes that other instance attributes
such as 'env' have already been populated.
Move parsing jail to end of the instance parser to make that assumption
hold true.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agosystem: add diskfree infos to ubus
Florian Eckert [Wed, 17 Nov 2021 10:41:17 +0000 (11:41 +0100)]
system: add diskfree infos to ubus

This change adds the missing information about how much space is available
on the root directory and in the temp directory. I took this
implementation from the luci2 repository and adapted it for the procd
service.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
3 years agojail: allow passing environment variable to procd jailed process
Daniel Golle [Thu, 11 Nov 2021 11:53:58 +0000 (11:53 +0000)]
jail: allow passing environment variable to procd jailed process

Introduce new option '-e' to ujail which can be stated multiple times
to import environment variables to the jailed process environment.
Use that option to import selected environment variables defined for
a jailed service instance to its environment.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agotrigger: use uloop_timeout_remaining64
Stijn Tintel [Thu, 4 Nov 2021 10:37:10 +0000 (12:37 +0200)]
trigger: use uloop_timeout_remaining64

The uloop_timeout_remaining function is being deprecated.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
3 years agojail: elf: Remove MIPS 64 warning
Hauke Mehrtens [Mon, 1 Nov 2021 13:52:55 +0000 (14:52 +0100)]
jail: elf: Remove MIPS 64 warning

Revert commit 33b799b ("ujail: elf: work around GCC bug on MIPS64")

The procd jails are working fine on MIPS64 too now.

I saw this error message when add_path_and_deps() was called which calls
elf_load_deps() again under some conditions. This is happening because
gcc_mips64_bug_work_around is stored in the data segment.

We have a call trace like this:
elf_load_deps()
  gcc_mips64_bug_work_around = 1;
  call add_path_and_deps()
    call elf_load_deps()
      gcc_mips64_bug_work_around = 1;
      error if gcc_mips64_bug_work_around =! 1
      gcc_mips64_bug_work_around = 0;
      return;
    return;
  error if gcc_mips64_bug_work_around =! 1
  return;

I got the same error messages on MIPS 32 BE, when I removed the compile
check.

This was tested in qemu on MIPS 64 BE and MIPS64 LE.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agojail: elf: Use 64 bit variables for elf offsets
Hauke Mehrtens [Mon, 1 Nov 2021 13:52:54 +0000 (14:52 +0100)]
jail: elf: Use 64 bit variables for elf offsets

The members p_offset, p_filesz and p_vaddr of the structure Elf64_Phdr
are all uint64_t. This structure is used for 64 bit applications.

Without this change we would convert the 64 bit values into 32 bit
values and an overflow could happen in this conversion.

On MIPS 64 BE the variable load_vaddr has the value 0x120000000 which
sets the 32th bit which will overflow when converted to a 32 bit value.

On 32 bit systems Elf32_Phdr is used with uint32_t, converting this to
64 bit values too should not cause problems as this is not in the hot
path.

Without this fix I am getting error messages like this at bootup on MIPS 64 BE:
[   16.622602] do_page_fault(): sending SIGSEGV to ujail for invalid read access from 00000100f37251e3
[   16.622907] epc = 000000aaab4ed0e0 in ujail[aaab4e0000+18000]
[   16.623237] ra  = 000000aaab4ed694 in ujail[aaab4e0000+18000]

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agojail: Fix build with glibc
Hauke Mehrtens [Fri, 22 Oct 2021 20:53:32 +0000 (22:53 +0200)]
jail: Fix build with glibc

Add missing include for open(). This fixes the build with glibc.

Fixes: 82dd39024f63 ("jail: make use of per-container netifd via ubus")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3 years agouxc: add missing 'break' statement
Daniel Golle [Sun, 17 Oct 2021 16:22:56 +0000 (17:22 +0100)]
uxc: add missing 'break' statement

Without the break statement the next element in the iteration will
overwrite the found attributes.
Stop iterating once entry has been found, so matching attributes will
be used.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: netifd: check target netns fd before using it
Daniel Golle [Sun, 17 Oct 2021 08:34:55 +0000 (09:34 +0100)]
jail: netifd: check target netns fd before using it

Make sure filehandler is non-negative before using it.

Coverity CID: 1492888 Negative returns
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: netifd: fix error handling issue reported by coverity
Daniel Golle [Sat, 16 Oct 2021 23:29:08 +0000 (00:29 +0100)]
jail: netifd: fix error handling issue reported by coverity

Check asprintf return value instead of checking for NULL-pointer.

Coverity CID: 1492158 Unchecked return value
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: netifd: code cosmetics
Daniel Golle [Sat, 16 Oct 2021 23:24:29 +0000 (00:24 +0100)]
jail: netifd: code cosmetics

Make code more readable by renaming ambigous variable name 'ctx' to
'host_ubus_ctx' (global) or 'uci_ctx' (local in gen_jail_uci_network).
Rename 'netifd_ubus_ctx' to 'jail_ubus_ctx' to make the jail vs. host
roles more obvious.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: make use of per-container netifd via ubus
Daniel Golle [Tue, 12 Oct 2021 00:30:38 +0000 (01:30 +0100)]
jail: make use of per-container netifd via ubus

Make ujail expose 'network_reload' function on ubus so we can
reconfigure network interfaces inside containers.
Automatically call that function on network config changes by
subscribing to ubus 'service' object and waiting for 'config.change'
events concerning the network configuration.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: netifd: generate netifd uci config and mount it
Daniel Golle [Mon, 11 Oct 2021 22:04:38 +0000 (23:04 +0100)]
jail: netifd: generate netifd uci config and mount it

Generate /etc/config/network by filtering the host config for
uci sections which are marked for that specific jail.
Feed that configuration to the per-container netifd instance.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: fs: add support for asymmetric mount bind
Daniel Golle [Tue, 5 Oct 2021 20:23:37 +0000 (21:23 +0100)]
jail: fs: add support for asymmetric mount bind

Allow mounting absolute path on host to defined mountpoint inside
container using ':' character in argument of '-r' and '-w' parameters.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: don't free the stack
Daniel Golle [Tue, 12 Oct 2021 22:59:10 +0000 (23:59 +0100)]
uxc: don't free the stack

It's generally a bad idea to free variables which are stored on stack.
Better don't do that ;)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: fix segfault caused by use-after-free
Daniel Golle [Mon, 4 Oct 2021 00:31:39 +0000 (01:31 +0100)]
uxc: fix segfault caused by use-after-free

Don't free blob_buf which was sent via ubus.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: start ubus and netifd instances for container with netns
Daniel Golle [Wed, 8 Sep 2021 01:00:50 +0000 (02:00 +0100)]
jail: start ubus and netifd instances for container with netns

Start per-container instances of ubusd and netifd for containers with
private network namespace. This netifd instance will be used in future
to configure networking inside the container.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoRevert "jail: do not hack /etc/resolv.conf on container rootfs"
Daniel Golle [Wed, 8 Sep 2021 00:39:18 +0000 (01:39 +0100)]
Revert "jail: do not hack /etc/resolv.conf on container rootfs"

This reverts commit b0a8ea1c3fa844d1006764fae3f0d8382351313b.

3 years agoinstance: allow jailed service to join namespace(s)
Daniel Golle [Sat, 4 Sep 2021 21:32:36 +0000 (22:32 +0100)]
instance: allow jailed service to join namespace(s)

Parse new jail attribute 'setns'.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: prepare for adding process to existing namespace
Daniel Golle [Sat, 4 Sep 2021 20:42:43 +0000 (21:42 +0100)]
jail: prepare for adding process to existing namespace

Introduce '-j' option to ujail which allows joining namespaces of
(a) existing process(es). Usage:
ujail -j <pid>:<nstype>[,<nstype>[,...]]

In order to join namespaces of different processes the '-j' option can
be used multiple times.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: add JSON output option for 'list' command
Daniel Golle [Mon, 13 Sep 2021 10:51:12 +0000 (11:51 +0100)]
uxc: add JSON output option for 'list' command

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: fix container deletion
Daniel Golle [Wed, 15 Sep 2021 20:29:23 +0000 (21:29 +0100)]
procd: fix container deletion

Deleting a container could lead to an attempt NULL-pointer dereference
crashing procd and triggering a reboot of the system.
Properly handle service deletion to avoid that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agotrace: don't leak file descriptor in error path
Daniel Golle [Sun, 5 Sep 2021 13:22:33 +0000 (14:22 +0100)]
trace: don't leak file descriptor in error path

Coverity CID: 1491022 Resource leak
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoinitd: fix off-by-one error in mkdev.c
Nick Hainke [Tue, 31 Aug 2021 09:09:19 +0000 (11:09 +0200)]
initd: fix off-by-one error in mkdev.c

Substract 1 from bufsize so len can not be out of bounds. Same
hanling as in "udevtrigger.c" in "sysfs_resolve_link".

Replaces: 8eb1d783
Coverity CID: 1330087 Readlink used insecurely

Signed-off-by: Nick Hainke <vincent@systemli.org>
3 years agoRevert "initd: fix off-by-one error in mkdev.c"
Nick Hainke [Tue, 31 Aug 2021 09:09:18 +0000 (11:09 +0200)]
Revert "initd: fix off-by-one error in mkdev.c"

This reverts commit 8eb1d783cca6e0d501dd3a2f94262ffc36ae6482.

This line reads a symbolic link into the string buffer "buf".
len = readlink(buf2, buf, sizeof(buf));
The commit replaced now
buf[len] = 0;
with
buf[sizeof(buf) - 1] = '\0';

However, that does not work since readlink does not null-terminate
the string written into "buf" and  "buf[len] = 0" was used for that.

What happens if the buffer is to small?
"If the buf argument is not large enough to contain the link content,
the first bufsize bytes shall be placed in buf."
(Source: https://pubs.opengroup.org/onlinepubs/009695399/functions/readlink.htm)

Signed-off-by: Nick Hainke <vincent@systemli.org>
3 years agotrace: preload: avoid NULL-dereference here as well
Daniel Golle [Mon, 30 Aug 2021 23:44:29 +0000 (00:44 +0100)]
trace: preload: avoid NULL-dereference here as well

Fix potential NULL-pointer derefence in trace/preload.c similar to how
it was fixed in jail/preload.c by commit b824a89
("jail: preload: avoid NULL-dereference in case things go wrong").

Coverity CID: 1446096 Dereference after null check
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: actually check calloc return value
Daniel Golle [Mon, 30 Aug 2021 23:39:12 +0000 (00:39 +0100)]
jail: actually check calloc return value

Instead of checking the return value of calloc(), the check intended
for that would rather check if the pointer passed as an argument.
As that doesn't make much sense, rather actually check calloc()
return value.

Coverity CID: 1490071 Dereference before null check
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoutils: don't ignore open() return value
Daniel Golle [Mon, 30 Aug 2021 23:35:53 +0000 (00:35 +0100)]
utils: don't ignore open() return value

In case active console cannot be opened, return NULL early instead
of trying to read from errornous file descriptor.

Coverity CID: 1490087 Argument cannot be negative
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoinitd: fix off-by-one error in mkdev.c
Daniel Golle [Mon, 30 Aug 2021 21:20:30 +0000 (22:20 +0100)]
initd: fix off-by-one error in mkdev.c

Actually make sure buffer is 0-terminated intead of writing the 0-byte
out of bounds.

Coverity CID: 1330087 Readlink used insecurely
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agotrace: fix potential use-after-free occurence
Nick Hainke [Mon, 30 Aug 2021 20:37:10 +0000 (22:37 +0200)]
trace: fix potential use-after-free occurence

char* tmp is used in the fprintf function altough it is already freed.

Fixes: e5b38fd1 ("trace: free memory allocated by blobmsg_format_json_indent()")
Signed-off-by: Nick Hainke <vincent@systemli.org>
3 years agotrace: free memory allocated by blobmsg_format_json_indent()
Daniel Golle [Mon, 30 Aug 2021 19:20:49 +0000 (20:20 +0100)]
trace: free memory allocated by blobmsg_format_json_indent()

Only one out of two occurances have been addressed previously.
Close the other one now.

Coverity CID: 1446205
Fixes: 51f1cd23 ("trace: free string returned by blobmsg_format_json_indent()")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: move mountpoint of persistent config to /var/run/uxc
Daniel Golle [Mon, 30 Aug 2021 19:03:23 +0000 (20:03 +0100)]
uxc: move mountpoint of persistent config to /var/run/uxc

Using /var/state/uxc turns out to be not the smartest thing to do, use
/var/run/uxc instead.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: protect against strcat buffer overflows
Daniel Golle [Mon, 23 Aug 2021 17:34:32 +0000 (18:34 +0100)]
jail: protect against strcat buffer overflows

Coverity CID: 1490012 Copy into fixed size buffer

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: preload: avoid NULL-dereference in case things go wrong
Daniel Golle [Mon, 23 Aug 2021 17:15:20 +0000 (18:15 +0100)]
jail: preload: avoid NULL-dereference in case things go wrong

Coverity CID: 1446096 Dereference after null check
Coverity CID: 1446070 Dereference after null check

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agotrace: handle open() return value and make sure string is terminated
Daniel Golle [Mon, 23 Aug 2021 17:11:08 +0000 (18:11 +0100)]
trace: handle open() return value and make sure string is terminated

Coverity CID: 1446154 Argument cannot be negative

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agotrace: free string returned by blobmsg_format_json_indent()
Daniel Golle [Mon, 23 Aug 2021 17:07:19 +0000 (18:07 +0100)]
trace: free string returned by blobmsg_format_json_indent()

Coverity CID: 1446205 Resource leak

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: free string returned by blobmsg_format_json_indent()
Daniel Golle [Mon, 23 Aug 2021 17:04:55 +0000 (18:04 +0100)]
uxc: free string returned by blobmsg_format_json_indent()

Coverity ID: 1490068 Resource leak

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoutils: make sure read() string is 0 terminated
Daniel Golle [Mon, 23 Aug 2021 17:01:28 +0000 (18:01 +0100)]
utils: make sure read() string is 0 terminated

Coverity CID: 1490062 String not null terminated

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: use portable sizeof(void *)
Daniel Golle [Mon, 23 Aug 2021 16:49:31 +0000 (17:49 +0100)]
jail: use portable sizeof(void *)

Coverity CID: 1490010 Sizeof not portable

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: check return value when opening console
Daniel Golle [Mon, 23 Aug 2021 16:47:23 +0000 (17:47 +0100)]
jail: check return value when opening console

Coverity CID: 1490048 Argument cannot be negative

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: return to hook callback instead of just calling it
Daniel Golle [Mon, 23 Aug 2021 16:41:57 +0000 (17:41 +0100)]
jail: return to hook callback instead of just calling it

Avoid stack pollution and potentially worse things.

Coverity CID: 1490056 Dereference after null check

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: devices: create parent folder when creating devices
Daniel Golle [Mon, 23 Aug 2021 14:22:31 +0000 (15:22 +0100)]
jail: devices: create parent folder when creating devices

Some device nodes live in subdirectories like /dev/dri.
Create those folders when populating /dev.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc.c: fix coverity resource leak warning
Kevin Darbyshire-Bryant [Sun, 22 Aug 2021 08:46:03 +0000 (09:46 +0100)]
uxc.c: fix coverity resource leak warning

707 blob_buf_free(&req);
708
   CID 1490412:    (RESOURCE_LEAK)
   Handle variable "f" going out of scope leaks the handle.
709 return 0;

Add a close before we return

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
3 years agouxc: support config in uvol
Daniel Golle [Sun, 15 Aug 2021 13:06:39 +0000 (14:06 +0100)]
uxc: support config in uvol

In case '/var/state/uxc' exists and is a directory (or symlink pointing
to a directory), use that instead of '/etc/uxc'.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: fix help output
Daniel Golle [Sun, 15 Aug 2021 11:56:34 +0000 (12:56 +0100)]
uxc: fix help output

CLI option 'mounts' is wrongly called 'volumes' in help output.
Fix that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: fix a bunch of issues discovered by Coverity
Daniel Golle [Sun, 15 Aug 2021 11:41:34 +0000 (12:41 +0100)]
uxc: fix a bunch of issues discovered by Coverity

Coverity CID: 1490024 Resource leak
Coverity CID: 1490032 Resource leak
Coverity CID: 1490039 Resource leak
Coverity CID: 1490051 Resource leak
Coverity CID: 1490055 Resource leak
Coverity CID: 1490061 Resource leak
Coverity CID: 1490068 Resource leak
Coverity CID: 1490104 Resource leak

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoservice: make sure string read is null terminated
Daniel Golle [Sun, 15 Aug 2021 11:34:05 +0000 (12:34 +0100)]
service: make sure string read is null terminated

Coverity CID: 1490007 String not null terminated
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agosystem: fix issues reported by Coverity
Daniel Golle [Sun, 15 Aug 2021 10:52:20 +0000 (11:52 +0100)]
system: fix issues reported by Coverity

Coverity CID: 1490346 Buffer not null terminated
Coverity CID: 1490345 Dereference null return value

Fixes: 9f233f5 ("system: make rootfs type accessible through board call")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoujail-console: add missing error handling discovered by coverity
Daniel Golle [Fri, 13 Aug 2021 18:14:12 +0000 (19:14 +0100)]
ujail-console: add missing error handling discovered by coverity

Coverity CID: 1490106
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: fix several issues discovered by Coverity
Daniel Golle [Fri, 13 Aug 2021 18:30:34 +0000 (19:30 +0100)]
jail: fix several issues discovered by Coverity

Coverity CID: 1430874 Untrusted pointer read
Coverity CID: 1490028 Resource leak
Coverity CID: 1490029 Resource leak
Coverity CID: 1490057 Uninitialized scalar variable
Coverity CID: 1490069 Resource leak
Coverity CID: 1490074 Resource leak

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agohotplug-dispatch: yet another rare memory leak disovered by Coverity
Daniel Golle [Fri, 13 Aug 2021 18:04:08 +0000 (19:04 +0100)]
hotplug-dispatch: yet another rare memory leak disovered by Coverity

Free newly allocated hotplug context in case of premature return.

Coverity CID: 1490077
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agosystem: make rootfs type accessible through board call
Daniel Golle [Fri, 13 Aug 2021 01:23:03 +0000 (02:23 +0100)]
system: make rootfs type accessible through board call

Knowing the type of the root filesystem can be useful, e.g. for the
attended sysupgrade clients.
As the previously introduced 'initramfs' flag is covered the the new
'rootfs_type' being 'initramfs', remove the old flag which should have
any users yet.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agohotplug-dispatch: fix rare memory leaks in error paths
Daniel Golle [Wed, 4 Aug 2021 20:13:32 +0000 (21:13 +0100)]
hotplug-dispatch: fix rare memory leaks in error paths

Fix remaining memory leaks in error paths.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: cgroups-bpf: fix compile with musl 1.2
Daniel Golle [Wed, 4 Aug 2021 19:55:21 +0000 (20:55 +0100)]
jail: cgroups-bpf: fix compile with musl 1.2

musl 1.2 no longer ships with <sys/cdefs.h>. Use it only on
glibc, musl provides __WORDSIZE macro in <sys/regs.h>.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: don't ignore return value of write()
Daniel Golle [Wed, 4 Aug 2021 15:35:29 +0000 (16:35 +0100)]
jail: don't ignore return value of write()

Check return value of write() call when writing to sysctl.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: cgroups: replace wrongly used assert()
Daniel Golle [Wed, 4 Aug 2021 15:33:11 +0000 (16:33 +0100)]
jail: cgroups: replace wrongly used assert()

In most cases, what we should do is exit(ENOMEM). In some cases like
when checking for filehandlers, handle errors appropriately.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agohotplug-dispatch: replace wrongly used assert()
Daniel Golle [Wed, 4 Aug 2021 15:27:04 +0000 (16:27 +0100)]
hotplug-dispatch: replace wrongly used assert()

Use proper error handling instead.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: always handle asprintf() return value
Daniel Golle [Wed, 4 Aug 2021 14:55:14 +0000 (15:55 +0100)]
uxc: always handle asprintf() return value

Error out in case asprintf() returns -1.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agohotplug-dispatch: don't ignore asprintf() return value
Daniel Golle [Wed, 4 Aug 2021 14:53:07 +0000 (15:53 +0100)]
hotplug-dispatch: don't ignore asprintf() return value

Properly handle asprintf() return value and error out on -1.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: ignore return value when creating default /dev symlinks
Daniel Golle [Wed, 4 Aug 2021 14:04:59 +0000 (15:04 +0100)]
jail: ignore return value when creating default /dev symlinks

Just to silence compiler warning, as failure to create these symlinks
doesn't indicate an error in all cases, e.g. in case mount is already
defined in place of the symlink.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: don't ignore return value of seteuid()
Daniel Golle [Wed, 4 Aug 2021 14:03:45 +0000 (15:03 +0100)]
jail: don't ignore return value of seteuid()

Error out in case seteuid() fails.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: cgroups-bpf: don't use sys/reg.h when building with glibc
Daniel Golle [Wed, 4 Aug 2021 13:20:12 +0000 (14:20 +0100)]
jail: cgroups-bpf: don't use sys/reg.h when building with glibc

To access __WORDSIZE with glibc sys/cdefs.h is included now.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agowatchdog: Add an info message if the watchdog reset the system
Martin Blumenstingl [Sun, 18 Jul 2021 21:51:12 +0000 (23:51 +0200)]
watchdog: Add an info message if the watchdog reset the system

The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Investigating why a device has rebooted can be difficult, especially if
there's no output (for example during a kernel crash) on the serial
console. Some watchdog drivers can tell us if the watchdog has caused
the system to reboot. The corresponding WDIOF_CARDRESET flag is
documented as: "Card previously reset the CPU".

Add an info message if the watchdog supports the WDIOF_CARDRESET flag
and if the boot status indicates that the watchdog has previously reset
the system.

Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
3 years agouxc: resolve volume UUIDs by name of UCI fstab section
Daniel Golle [Sat, 24 Jul 2021 22:51:37 +0000 (23:51 +0100)]
uxc: resolve volume UUIDs by name of UCI fstab section

Allow identifying volumes which are required for a container to start
by their UCI section name in /etc/config/fstab, which is also where
'uvol' puts the volume name.
Using filesystem UUID instead is still possible as well.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: don't restart containers when mount shows up
Daniel Golle [Sat, 24 Jul 2021 00:28:10 +0000 (01:28 +0100)]
uxc: don't restart containers when mount shows up

procd triggers 'uxc boot' every time a new mount shows up which results
in containers to be restarted which had already been run and may have
ended reguarly, crashed or deliberately stopped.
As the intention of 'uxc boot' is to start containers which were still
waiting for volumes to become ready, really do only that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: refactor directory handling for rootfs and overlaydir
Daniel Golle [Sun, 18 Jul 2021 01:10:29 +0000 (02:10 +0100)]
jail: refactor directory handling for rootfs and overlaydir

Resolve symlinks and check if directories exist before clone() call,
it's more clean and allows for more code reuse.
This partially reverts commits 0114c6fc8b ("jail: open() extroot folder
before mounting") as well as 05459054fb ("jail: make use of realpath()
for rootfs and overlaydir") and replaces them with a more generic
solution.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: make use of realpath() for rootfs and overlaydir
Daniel Golle [Sat, 17 Jul 2021 13:06:38 +0000 (14:06 +0100)]
jail: make use of realpath() for rootfs and overlaydir

Use realpath() to resolve rootfs and read/write-overlay as they are
potentially (and likely, as we are going to use blockd with autofs)
symlinks.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: check for required blockd mounts
Daniel Golle [Wed, 14 Jul 2021 22:23:40 +0000 (23:23 +0100)]
uxc: check for required blockd mounts

When calling `uxc boot` it can happen that some required storage
volumes are not yet mounted. Make sure mountpoints exist for all
required volumes before starting a container using `uxc boot`.
(uxc' init-script will take care of calling `uxc boot` every time
a new block mount is added)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: open() extroot folder before mounting
Daniel Golle [Thu, 15 Jul 2021 01:49:23 +0000 (02:49 +0100)]
jail: open() extroot folder before mounting

Use open() to trigger autofs mount and check extroot folder exists
before mount-binding it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: allow rootfs to be a symbolic link
Daniel Golle [Wed, 14 Jul 2021 16:47:22 +0000 (17:47 +0100)]
jail: allow rootfs to be a symbolic link

Follow symbolic link to rootfs so we can use autofs symlinks in /mnt
to reference volumes in config.json.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: increase max additional env records to 64
Daniel Golle [Tue, 13 Jul 2021 00:08:20 +0000 (01:08 +0100)]
jail: increase max additional env records to 64

In the Docker world, people pass a lot of things using env variables
it turns out. Increase to 64 for now as a hot fix, will have to be
created dynamically in future to support unlimited number of env
variables.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: do not hack /etc/resolv.conf on container rootfs
Daniel Golle [Mon, 12 Jul 2021 23:59:32 +0000 (00:59 +0100)]
jail: do not hack /etc/resolv.conf on container rootfs

While useful for slim containers, this violates OCI spec and breaks
containers like pihole.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agouxc: implement support for rootfs overlay in containers
Daniel Golle [Mon, 12 Jul 2021 20:22:04 +0000 (21:22 +0100)]
uxc: implement support for rootfs overlay in containers

ujail already supports having a (temporary) overlayfs on top of a
containers rootfs. This is very useful for "dirty" containers which
assume / is writable.
Support this in uxc at the time a container is created and keep the
settings on subsequent re-creates (or reboots).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: add support for cgroup devices as in OCI run-time spec
Daniel Golle [Fri, 28 May 2021 16:17:35 +0000 (18:17 +0200)]
jail: add support for cgroup devices as in OCI run-time spec

Implement eBPF generator to emulate cgroup-v1 devices.{allow,deny}
as we got only cgroup-v2 available while the spec was written having
cgroups-v1 in mind.
Instead of literally emulating the legacy behavior, do like other
runtimes do as well when running on cgroup-v2: simply translate each
device rule into a bunch of eBPF instructions and then execute them
in reverse order, prepended by some default rules covering /dev/null,
/dev/random, /dev/tty, ...

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: Use /dev/console for serial console if exists
Gaurav Pathak [Wed, 5 May 2021 11:32:45 +0000 (17:02 +0530)]
procd: Use /dev/console for serial console if exists

inittab.c: Use "/dev/console" if it is present, before trying
"/sys/class/tty/console/active" in case if console kernel command
line is not provided during boot and to allow container environment
to use it as login PTY console.

Signed-off-by: Gaurav Pathak <gaurav.pathak@pantacor.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: Adding support to detect Pantavisor Container Platform
Gaurav Pathak [Sun, 21 Mar 2021 13:14:33 +0000 (18:44 +0530)]
procd: Adding support to detect Pantavisor Container Platform

Modified container.h to detect the pantavisor container platform,
as it runs a custom modified version of LXC. container.h is modified
to check if procd is running in a pantavisor container environment by
detecting the presence of pantavisor directory under /.

Signed-off-by: Gaurav Pathak <gaurav.pathak@pantacor.com>
3 years agotrace: fix build on aarch64
Daniel Golle [Fri, 19 Mar 2021 22:22:44 +0000 (22:22 +0000)]
trace: fix build on aarch64

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail/seccomp: add support for aarch64
Daniel Golle [Thu, 28 Jan 2021 20:10:46 +0000 (20:10 +0000)]
jail/seccomp: add support for aarch64

Add support for Aarch64 in utrace and ujail.
Sort and unify architecture-specific definitions in headers.
Use new PTRACE_GET_SYSCALL_INFO call (available since Linux 5.3), for
now only for aarch64, but this may potentially unify things and get
rid of some #ifdef'ery for other platforms as well.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoinittab: detect active console from kernel if no console= specified
Mathew McBride [Fri, 5 Mar 2021 00:54:15 +0000 (00:54 +0000)]
inittab: detect active console from kernel if no console= specified

The default serial console can be set in the device tree
using the linux,stdout-path parameter (or equivalent from ACPI).

This is important for universal booting (EFI/EBBR) on ARM platforms
where the default console can be different (e.g ttyS0 vs ttyAMA0).

Signed-off-by: Mathew McBride <matt@traverse.com.au>
3 years agoutils: fix C style in header file
Daniel Golle [Sun, 7 Mar 2021 23:45:33 +0000 (23:45 +0000)]
utils: fix C style in header file

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: fix compilation with newer musl
Rosen Penev [Tue, 2 Mar 2021 00:05:46 +0000 (16:05 -0800)]
procd: fix compilation with newer musl

An open bracket was missing.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
3 years agosystem: expose if system was booted from initramfs
Daniel Golle [Mon, 15 Feb 2021 07:06:42 +0000 (07:06 +0000)]
system: expose if system was booted from initramfs

It can be good for UI to show to the user that the system was booted
from initramfs ie. no writable permanent storage is available.
I imagine LuCI only serving applications which are explicitely marked
as being shown even in initramfs mode, ie. nothing but status,
network->interfaces, network->wireless, system->upgrade,
system->backup, system->backuprestore tabs.
Also sysupgrade could take into account we are running on initramfs
and perform offline backup/restore of whatever is in the flash.
In that way OpenWrt-generated initramfs-images can serve as recovery
OS on devices with dual-boot in a meaningful way.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agocosmetics: provide compatible system info on Aarch64
Daniel Golle [Sat, 13 Feb 2021 20:56:27 +0000 (20:56 +0000)]
cosmetics: provide compatible system info on Aarch64

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: add hotplug-call dispatcher
Daniel Golle [Mon, 21 Dec 2020 21:51:01 +0000 (21:51 +0000)]
procd: add hotplug-call dispatcher

Add hotplug-call dispatcher ubus objects for each subsystem.
This will allow more services to run non-root and without
excessive permissions while still being able to trigger
(asynchronous) hotplug events.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: cgroups: fix uninitialized variable
Daniel Golle [Thu, 28 Jan 2021 23:46:16 +0000 (23:46 +0000)]
jail: cgroups: fix uninitialized variable

Make sure 'limit' is initialized to -1 (==max) when translating
cgroups-1 memory controller spec to cgroups-2.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: only output BPF instr. table header if debugging
Daniel Golle [Mon, 4 Jan 2021 21:52:33 +0000 (21:52 +0000)]
jail: only output BPF instr. table header if debugging

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agojail: remove duplicate check for hook file permissions
Daniel Golle [Mon, 28 Dec 2020 16:22:38 +0000 (16:22 +0000)]
jail: remove duplicate check for hook file permissions

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
3 years agoprocd: fix compiler warning
John Crispin [Tue, 26 Jan 2021 10:19:10 +0000 (11:19 +0100)]
procd: fix compiler warning

[ 37%] Building C object CMakeFiles/procd.dir/state.c.o
/projects/procd/state.c: In function ‘state_enter’:
/projects/procd/state.c:147:4: error: ignoring return value of ‘chown’, declared with attribute warn_unused_result [-Werror=unused-result]
  147 |    chown(p->pw_dir, p->pw_uid, p->pw_gid);
      |    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[2]: *** [CMakeFiles/procd.dir/build.make:89: CMakeFiles/procd.dir/state.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:241: CMakeFiles/procd.dir/all] Error 2
make: *** [Makefile:130: all] Error 2

Signed-off-by: John Crispin <john@phrozen.org>
3 years agohotplug.c: set nl_pid to zero
Stefan Eichenberger [Sun, 24 Jan 2021 22:58:50 +0000 (23:58 +0100)]
hotplug.c: set nl_pid to zero

With the current solution where nl_pid is set through getpid we run into
problems when running procd in a different PID namespace (e.g.
container). The PID number inside the active PID namespace will be set
which doesn't match the global PID. Therefore, procd will never receive
any netlink messages.

By setting nl_pid to zero the kernel will assign the global PID
automatically and fixes the issue.

Signed-off-by: Stefan Eichenberger <eichest@gmail.com>
Acked-by: John Crispin <john@phrozen.org>