QEMU x86/64 ubus issues [Was: Re: [PATCH 0/2] enable procd security features by default]

Petr Štetiar ynezz at true.cz
Tue Nov 10 01:43:24 EST 2020


Daniel Golle <daniel at makrotopia.org> [2020-11-07 14:17:12]:

Hi,

> A while ago we have added some useful kernel features to !SMALL_FLASH
> devices[1]. To make more use of that by default in a way which will
> make exploiting potential vulnerabilities in OpenWrt's services much
> harder, it'd be great to also have procd-ujail as well as procd-seccomp
> installed by default, adding about 38kB to squashfs rootfs.

thanks a lot for your work on these features!

> As it was reverted after it (actually something else) had broken the
> build, I've extensively tested ujail on x86/64, ath79/generic,
> ramips/mt7621, malta/mips64be and armvirt/64.

I've started QEMU x86/64 (4 cores, 512MB RAM) with LAN/WAN interfaces
yesterday in the afternoon and found it in an unusable state this morning,
without network and constantly OOMing.

 root at OpenWrt:/# uptime
  05:33:32 up 15:22,  load average: 0.00, 0.00, 0.00

 root at OpenWrt:/# logread
 ^CFailed to connect to ubus

 root at OpenWrt:/# cat /proc/$(pgrep ubusd)/syscall
 44 0x8 0x7fffa9faff58 0x4c 0x0 0x0 0x0 0x7fffa9fafea0 0x7f8fd7b7273a

 (44 is sendto)

The OOMing is probably happening due to the 8h DHCP lease time on the WAN
interface and the following processes stuck on ubus access:

 root at OpenWrt:/# ps w | grep -c "ubus call network.interface notify_proto"
 587

 root at OpenWrt:/# ps w | grep -c "fw3 -q network wan6"
 358

 root at OpenWrt:/# ps w | grep -c "/lib/netifd/dhcpv6.script eth1 rebound"
 640

BTW it is not related to your changes which made ubusd run under the ubus user
(it was happening with ubusd running as root also), but it is certainly caused by
the ujail/seccomp stuff, as I don't experience these issues without those
features.

My current config:

CONFIG_TARGET_x86=y
CONFIG_TARGET_x86_64=y
CONFIG_TARGET_x86_64_DEVICE_generic=y
CONFIG_DEVEL=y
CONFIG_DEBUG=y
CONFIG_FEED_luci=y
CONFIG_FEED_packages=y
CONFIG_GRUB_TIMEOUT="1"
CONFIG_JSON_OVERVIEW_IMAGE_INFO=y
CONFIG_KERNEL_PERF_EVENTS=y
CONFIG_PACKAGE_MAC80211_DEBUGFS=y
CONFIG_PACKAGE_MAC80211_MESH=y
CONFIG_PACKAGE_block-mount=y
CONFIG_PACKAGE_hostapd-common=y
CONFIG_PACKAGE_ip-tiny=y
CONFIG_PACKAGE_ipset=y
CONFIG_PACKAGE_ipset-dns=y
CONFIG_PACKAGE_iw=y
CONFIG_PACKAGE_kmod-cfg80211=y
CONFIG_PACKAGE_kmod-ipt-ipset=y
CONFIG_PACKAGE_kmod-mac80211=y
CONFIG_PACKAGE_kmod-nfnetlink=y
CONFIG_PACKAGE_kmod-udptunnel4=y
CONFIG_PACKAGE_kmod-udptunnel6=y
CONFIG_PACKAGE_kmod-wireguard=y
CONFIG_PACKAGE_libbfd=y
CONFIG_PACKAGE_libbz2=y
CONFIG_PACKAGE_libctf=y
CONFIG_PACKAGE_libdw=y
CONFIG_PACKAGE_libelf=y
CONFIG_PACKAGE_libgmp=y
CONFIG_PACKAGE_libipset=y
CONFIG_PACKAGE_libiwinfo=y
CONFIG_PACKAGE_liblua=y
CONFIG_PACKAGE_libmnl=y
CONFIG_PACKAGE_libnettle=y
CONFIG_PACKAGE_libopcodes=y
CONFIG_PACKAGE_libunwind=y
CONFIG_PACKAGE_objdump=y
CONFIG_PACKAGE_perf=y
CONFIG_PACKAGE_procd-seccomp=y
CONFIG_PACKAGE_rpcd=y
CONFIG_PACKAGE_rpcd-mod-file=y
CONFIG_PACKAGE_rpcd-mod-iwinfo=y
CONFIG_PACKAGE_rpcd-mod-luci=y
CONFIG_PACKAGE_rpcd-mod-rpcsys=y
CONFIG_PACKAGE_trace-cmd=y
CONFIG_PACKAGE_trace-cmd-extra=y
CONFIG_PACKAGE_uhttpd=y
CONFIG_PACKAGE_uhttpd-mod-lua=y
CONFIG_PACKAGE_uhttpd-mod-ubus=y
CONFIG_PACKAGE_wireguard=y
CONFIG_PACKAGE_wireguard-tools=y
CONFIG_PACKAGE_wireless-regdb=y
CONFIG_PACKAGE_zlib=y
CONFIG_SRC_TREE_OVERRIDE=y
# CONFIG_TARGET_IMAGES_GZIP is not set
CONFIG_TARGET_INITRAMFS_COMPRESSION_LZMA=y
CONFIG_TARGET_ROOTFS_INITRAMFS=y
CONFIG_uhttpd_lua=y

Cheers,

Petr
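The diagnosis in the mail above rests on two observations: the syscall ubusd is blocked in (read from /proc/$(pgrep ubusd)/syscall) and the pile-up of clients waiting on ubus (counted with ps | grep -c). The following is an added example, not code from the mail or from OpenWrt, that does the same decoding and counting offline: it parses /proc/<pid>/syscall lines (format: syscall number, six arguments, stack pointer, program counter), maps the number through a small x86_64 table (assumption: the guest is x86_64, as in the report), flags a process as stuck when two samples taken seconds apart show the same call at the same sp/pc, and tallies stuck ubus callers in constructed ps output. The syscall line is the one from the mail; the ps lines are constructed.

```python
"""Decode /proc/<pid>/syscall samples and count processes stuck on ubus.

Added example (not from the mail or OpenWrt). Assumes an x86_64 kernel for
the syscall-number table; the ps lines below are constructed sample data.
"""
from collections import Counter

# Subset of the x86_64 syscall table covering the calls a task usually blocks in.
X86_64_SYSCALLS = {
    0: "read", 1: "write", 7: "poll", 23: "select", 44: "sendto",
    45: "recvfrom", 46: "sendmsg", 47: "recvmsg", 61: "wait4",
    202: "futex", 230: "clock_nanosleep", 232: "epoll_wait",
    270: "pselect6", 271: "ppoll", 281: "epoll_pwait",
}

# The line from the mail: ubusd blocked in syscall 44 (sendto) on fd 8.
UBUSD_SAMPLE = "44 0x8 0x7fffa9faff58 0x4c 0x0 0x0 0x0 0x7fffa9fafea0 0x7f8fd7b7273a"

# Constructed ps output, shaped like busybox `ps w` on OpenWrt.
PS_SAMPLE = [
    " 1234 root      1212 S    ubus call network.interface notify_proto",
    " 1240 root      1212 S    ubus call network.interface notify_proto",
    " 1251 root      1456 S    /lib/netifd/dhcpv6.script eth1 rebound",
    " 1260 root      2004 S    fw3 -q network wan6",
    " 1270 ubus      1100 S    ubusd",
]

STUCK_PATTERNS = (
    "ubus call network.interface notify_proto",
    "fw3 -q network wan6",
    "/lib/netifd/dhcpv6.script eth1 rebound",
)


def parse_proc_syscall(line):
    """Parse one /proc/<pid>/syscall line.

    Blocked in a syscall: "<nr> <arg0> .. <arg5> <sp> <pc>".
    Blocked outside a syscall: "-1 <sp> <pc>".  On CPU: "running".
    Returns None for the running case, otherwise a dict.
    """
    fields = line.split()
    if not fields or fields[0] == "running":
        return None
    nr = int(fields[0])
    if nr < 0:
        return {"nr": nr, "name": "(not in syscall)", "args": (),
                "sp": fields[1], "pc": fields[2]}
    if len(fields) != 9:
        raise ValueError("unexpected /proc/<pid>/syscall layout: %r" % line)
    return {
        "nr": nr,
        "name": X86_64_SYSCALLS.get(nr, "syscall_%d" % nr),
        "args": tuple(int(a, 16) for a in fields[1:7]),
        "sp": fields[7],
        "pc": fields[8],
    }


def looks_stuck(sample_a, sample_b):
    """Two samples taken seconds apart with the same syscall, sp and pc mean
    the task never returned to userspace in between, i.e. it is wedged."""
    if sample_a is None or sample_b is None:
        return False
    key = lambda s: (s["nr"], s["sp"], s["pc"])
    return key(sample_a) == key(sample_b)


def count_stuck_callers(ps_lines, patterns):
    """Tally ps entries containing each pattern, the way the mail's
    `ps w | grep -c ...` commands do, over all patterns in one pass."""
    counts = Counter()
    for line in ps_lines:
        for pat in patterns:
            if pat in line:
                counts[pat] += 1
    return dict(counts)


if __name__ == "__main__":
    first = parse_proc_syscall(UBUSD_SAMPLE)
    second = parse_proc_syscall(UBUSD_SAMPLE)   # pretend this was read 5s later
    print("ubusd blocked in %s(fd=%d, len=%d), stuck=%s"
          % (first["name"], first["args"][0], first["args"][2],
             looks_stuck(first, second)))
    for pat, n in count_stuck_callers(PS_SAMPLE, STUCK_PATTERNS).items():
        print("%4d  %s" % (n, pat))
```

Decoded, the mail's line is sendto(8, buf, 76, 0, NULL, 0): a server process sitting in a blocking send on its socket, which on a unix socket means the peer's receive buffer is full and nobody is draining it. Sampling /proc/<pid>/syscall twice, rather than once, separates a task that is merely passing through a syscall from one that is wedged in it.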
