1266d7c ("Allow forcing components to run as root (PPW-185)", 2024-12-18)
a4aa414 ("baf: introduce the baf.yml file", 2024-12-19)
e1d06fd ("ci: use new gitlab-ci templates", 2024-12-19)
922620d ("baf: fix libcap-ng issues on various filesystems", 2024-12-20)
Signed-off-by: Matthias FRANCK <matthias.franck@softathome.com>
Commit 3dc4681f9b ("Integrating libamxp to master_v2.1.1") added
handling of subprocess capabilities via libcap-ng, which on targets
utilizing ext4 filesystem needs EXT4_FS_SECURITY kernel config symbol
enabled for proper support of extended filesystem attributes via
fsetxattr():
amxp_subproc_start()
`-amxp_subproc_vstart()
`-amxp_subproc_exec_child()
`-amxp_subproc_set_capabilities()
`-capng_apply_caps_fd()
`-fsetxattr()
open("/usr/sbin/unbound", O_RDWR|O_LARGEFILE) = 3
...
fsetxattr(3, "security.capability", "\1\0\0\2\0\0\0\0*$\0\200\0\0\0\0\0\0\0", 20, 0) = -1 EOPNOTSUPP (Not supported)
This failure then leads to missing CAP_NET_BIND_SERVICE capability and thus
unbound can't start:
[1726337363] unbound[30984:0] error: can't bind socket: Permission denied for 0.0.0.0 port 53
[1726337363] unbound[30984:0] error: can't bind socket: Permission denied for :: port 53
[1726337363] unbound[30984:0] fatal error: could not open ports
...
tr181-dns: dns - [i]Started Unbound (1 times) - (start_unbound@modunbound_main.c:455)
tr181-dns: dns - [i]wait for wait:done - (start_unbound@modunbound_main.c:457)
tr181-dns: dns - [x]Unbound stopped! - (unbound_stopped@modunbound_main.c:373)
That was fixed in commit 995891f8ca ("libamxrt: fix libcap-ng issues
on ext4 by enabling EXT4_FS_SECURITY").
Lately it was found out, that on some targets, like RPI the same issue
appeared again. It was found out, that it was due to the fact, that RPI
is using f2fs based rootfs_data overlay, because procd/fstools creates
f2fs based rootfs_data overlays if the available storage space is bigger
then 100MiB, in other cases its going to use ext4 filesystem.
So lets fix it for good for all the targets supported by underlying
OpenWrt system, by selecting the corresponding KERNEL_*_FS_SECURITY
config symbols. Unfortunatelly for f2fs we can't use target's specific
USES_F2FS as its not available, but we could probably use mkf2fs for
that purpose as every target seems to include it, so it should work.
Cc: stable-3.1
Fixes: PCF-1456
References: PCF-1411, PPW-74
Fixes: 3dc4681f9b ("Integrating libamxp to master_v2.1.1")
Signed-off-by: Petr Štetiar <petr.stetiar@prplfoundation.org>
This upstep includes following fixes:
- Issue: PPW-65 - [USP][CDRouter][Random] Some datamodel path are
missing in USP hl-api tests
Signed-off-by: Yüce Kürüm <yuce.kurum@mind.be>
Signed-off-by: Yüce Kürüm <yuce.kurum_ext@softathome.com>
This upstep includes following fixes:
- Issue: PPW-65 - [USP][CDRouter][Random] Some datamodel path are
missing in USP hl-api tests
- Issue: NET-6038 Avoid double USP connections to the same sockets
Signed-off-by: Yüce Kürüm <yuce.kurum@mind.be>
Signed-off-by: Yüce Kürüm <yuce.kurum_ext@softathome.com>
Commit 3dc4681f9b ("Integrating libamxp to master_v2.1.1") added
handling of subprocess capabilities via libcap-ng, which on targets
utilizing ext4 filesystem needs EXT4_FS_SECURITY kernel config symbol
enabled for proper support of extended filesystem attributes via
fsetxattr():
amxp_subproc_start()
`-amxp_subproc_vstart()
`-amxp_subproc_exec_child()
`-amxp_subproc_set_capabilities()
`-capng_apply_caps_fd()
`-fsetxattr()
open("/usr/sbin/unbound", O_RDWR|O_LARGEFILE) = 3
...
fsetxattr(3, "security.capability", "\1\0\0\2\0\0\0\0*$\0\200\0\0\0\0\0\0\0", 20, 0) = -1 EOPNOTSUPP (Not supported)
This failure then leads to missing CAP_NET_BIND_SERVICE capability and thus
unbound can't start:
[1726337363] unbound[30984:0] error: can't bind socket: Permission denied for 0.0.0.0 port 53
[1726337363] unbound[30984:0] error: can't bind socket: Permission denied for :: port 53
[1726337363] unbound[30984:0] fatal error: could not open ports
...
tr181-dns: dns - [i]Started Unbound (1 times) - (start_unbound@modunbound_main.c:455)
tr181-dns: dns - [i]wait for wait:done - (start_unbound@modunbound_main.c:457)
tr181-dns: dns - [x]Unbound stopped! - (unbound_stopped@modunbound_main.c:373)
So lets fix it by selecting KERNEL_EXT4_FS_SECURITY config symbol if
either target uses ext4 filesystem or kmod-fs-ext4 package is selected.
Fixes: PPW-74
References: PCF-1411
Fixes: 3dc4681f9b ("Integrating libamxp to master_v2.1.1")
Signed-off-by: Petr Štetiar <petr.stetiar@prplfoundation.org>
GitOrigin-RevId: 85e0e6f92a8112ba9c3e102fc9f39341f17de3ae
(cherry picked from commit 825c023cd8)
Issue: SOFA-435 amxa resolver go into infinite loop if a invalid path is used
Signed-off-by: sahbot <sahbot@softathome.com>
GitOrigin-RevId: 05f478ed2cedfe60595dcecc78674c2aff59bb2a
(cherry picked from commit 1729efedca)
Issue: HOP-7084 amxp: add amxp_subproc_close_fd(amxp_subproc_t* proc, int fd)
Issue: HOP-7091 amxp: fds from amxp_subproc_open_fd() must not be O_NONBLOCK for the child
GitOrigin-RevId: 8ac6cf2d88f67082fc39240e77e5ff3bb079acdd
Issue: HOP-6957 Calculate remaining time of timers before checking and updating the state
Issue: HOP-6962 Disconnect the amxrt_wait_done callback before handling events [fix]
GitOrigin-RevId: d0f10452d3dbddaf443b5a3f9d68d36709909ead
Issue: HOP-6963 [ba-cli]Crash when removing backend with open connections
Issue: HOP-6964 [ba-cli]It must be possible to set protected mode on all open connections
GitOrigin-RevId: 73b5159ce17af5b092856799bfcea2bb58063f0a
Issue: HOP-6917 [AMX] Add function to get backend name from uri [new]
Issue: HOP-6966 [ba-cli] Unable to get protected object when using Device.
Issue: VZ-3176 Subscriptions on non existing objects must fail
GitOrigin-RevId: 39da11c5f43d1f9564a80f687f6d47d4354fcd95
Issue: HOP-6917 [AMX] Add function to get backend name from uri [new]
Issue: VZ-3176 Subscriptions on non existing objects must fail
GitOrigin-RevId: 222ec514c8075b91433624bbbb7a4f66d6d690e1
Issue: HOP-6953 Key parameters without read-only in definition are write-once and must be reported as read-write in gsdm
GitOrigin-RevId: e00e3755ffc5db706c7c4128f32b62279aa89075
Issue: HOP-6917 [AMX] Add function to get backend name from uri [new]
Issue: VZ-3176 Subscriptions on non existing objects must fail
GitOrigin-RevId: 0c41ac62657a524a5631ad7f200b93b62b0bf467
Issue: HOP-5430 Handle events from the amxs signal manager, if available, before other events [fix]
GitOrigin-RevId: dfefde32c7b8cc5a0826332c9767f261da20c4fd
Issue: HOP-5430 DHCPv6Client/DHCPv6Server in misconfigured state
Issue: HOP-6847 amxp: crash in amxp_signal_read() when suspending/resuming a signal manager
GitOrigin-RevId: 90725b60fc31b44a2e1d38ee374e4c1e70b17bfb
Issue: HOP-6760 segfault in libamxc amxc_string_to_upper and to_lower APIs providing an amxc string with a null buffer [fix]
GitOrigin-RevId: 55cd14ddbcdf898874eafd537025b648f2e17180
Issue: HOP-6620 [tr181-device -D][Memory leak] tr181-device -D is consuming 55MB in 4days
Issue: HOP-6690 Make it possible to set backend load priority
GitOrigin-RevId: 09ff31acd791a3f82c326d8a79269c7a9c88852f
Issue: HOP-6677 Make it possible to generate a full xml using all odl files available in a root-fs
GitOrigin-RevId: c9f412a9094eb7931b85e670ddb3da7c5da69af0
Issue: HOP-6677 Make it possible to generate a full xml using all odl files available in a root-fs
GitOrigin-RevId: c2f763183cdfe0441039bbaba3ffef616022e0fc
Issue: HOP-6677 Make it possible to generate a full xml using all odl files available in a root-fs
GitOrigin-RevId: 3c488df76867d770e39ef91d2501f94e9709109c
Issue: HOP-6677 Make it possible to generate a full xml using all odl files available in a root-fs
GitOrigin-RevId: 0a592fbc585557d61df1d7c770bfa77a2348cf5d
Issue: HOP-6677 Make it possible to generate a full xml using all odl files available in a root-fs
GitOrigin-RevId: 6fad07b7a740493a11b456e9b45759a87a28b484
Issue: PCF-1158 libamxrt: boot logs are flooded with Include file not found "extensions/" messages
GitOrigin-RevId: 4c31354c2a4dfc29b6646de0ed3ad6d3d3530ec2
Issue: HOP-6608 - amxd_dm_invoke_action_impl missing test before the callback call (fn) [fix]
GitOrigin-RevId: 5556a87e70a0b3454a64409ad22728914363e582
Issue: HOP-6553 [amxd] amxd_trans_set_param with NULL value makes the amxd_trans_apply failIgnore null variants
GitOrigin-RevId: 5dce778cf4dbee7b649680099034f78f2743750d
Issue: HOP-6102 Add `+=` syntax for appending lists in config sections [new]
Issue: HOP-6487 The amxo parser struct contains unused fields and should be removed
GitOrigin-RevId: 8748a5747c945772f385426ad636d0d0e110a5a0
Issue: HOP-6376 Allow multiple registrations for the same bus context [change]
Issue: NET-5732 [AMX] Config variable not reset when backends are freed [fix]
GitOrigin-RevId: 02d076e21ebe7990997d84a041c96db6e5e76763
Issue: NET-5635 Fix nested list parsed as not-nested list [fix]
Issue: NET-5639 fix string literal with leading/trailing spaces parsed as without [fix]
GitOrigin-RevId: 8904d8ca7a69ead96e399623d37d55e066d3fa6f
@@ -10,11 +10,23 @@ menu "Select libamxrt build options"
config SAH_LIB_AMXRT
bool "Build libamxrt"
default y
select KERNEL_EXT4_FS_SECURITY if USES_EXT4 || PACKAGE_kmod-fs-ext4
select KERNEL_JFFS2_FS_SECURITY if USES_JFFS2 || USES_JFFS2_NAND
select KERNEL_UBIFS_FS_SECURITY if USES_UBIFS
select KERNEL_F2FS_FS_SECURITY if PACKAGE_mkf2fs
config SAH_AMXRT_RWDATAPATH
string "Persistent storage location"
default "/etc/config"
config FORCE_RUNNING_AS_ROOT
bool "INSECURE: This options forces ambiorix components to run as the root user, even if they request to run as a different user"
default y
config REMOVE_CAPS_ODLS
bool "INSECURE: This option removes all the capability ODLs (*_caps.odl) from /etc/amx and subdirectories during first boot. This will also force all components to run as root"
PKG_MAINTAINER:=Soft At Home <support.opensource@softathome.com>
PKG_LICENSE:=BSD-2-Clause-Patent
PKG_LICENSE_FILES:=LICENSE
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
