**** BEGIN LOGGING AT Thu Jan 28 03:00:03 2021
Jan 28 03:07:50 <girth> grift: must be pee-pee-id shy, the pressure was all mine :P
Jan 28 04:24:34 <mangix_> oh ffs
Jan 28 04:24:38 <mangix_> i see what happened
Jan 28 04:24:47 <mangix_> docker changed the IP address for quassel
Jan 28 04:30:07 <mangix> cool. back on here. how to see how to set a static IP...
Jan 28 04:30:14 <mangix> *now
Jan 28 07:35:51 <grift> re-opened my router again for today: http://defensec:skit123@openwrt.defensec.nl:7681 please help find bugs and loose ends in the sandbox. yesterday no-one was able to affect operations in any way but i am pretty that people smart enough can find way's and i would like to learn from that to improve it
Jan 28 07:47:19 <jacekowski> grift: so what is that?
Jan 28 07:48:00 <grift> its intergrity protection for openwrt systems
Jan 28 07:48:31 <grift> a sandbox that leverages the selinux mandatory access control in openwrt
Jan 28 07:48:31 <jacekowski> what are you using for web terminal, it doesn't look like shell in a box
Jan 28 07:48:51 <grift> ttyd/tmux
Jan 28 07:49:55 <grift> i am connected to internet through this router, the goal is to affect operations. ie either kick me off the internet of shut it down or escape the sandbox etc
Jan 28 07:51:59 <jacekowski> well, i can come up with one way, download loads of illegal content
Jan 28 07:52:24 <grift> that wont work, try it
Jan 28 07:53:02 <grift> try udp flood
Jan 28 07:53:21 <jacekowski> well, ddosing it from outside might work
Jan 28 07:53:29 <grift> true obviously
Jan 28 07:53:37 <jacekowski> but that is not really the goal here
Jan 28 07:53:38 <grift> but that is not in the  scope of this test
Jan 28 07:53:52 <grift> the test is to verify whether the access control is strong
Jan 28 07:54:00 <grift> resource control is out of scope
Jan 28 07:55:26 <grift> sudo is useless by the way, youre already root
Jan 28 07:57:23 <jacekowski> what does your selinux policy look like?
Jan 28 07:58:09 <grift> https://git.defensec.nl/?p=selinux-policy.git;a=summary
Jan 28 07:58:14 <grift> its all  there
Jan 28 07:58:51 <grift> and this is also the policy that is available in the openwrt build system
Jan 28 07:59:21 <jacekowski> i've managed to break tmux
Jan 28 07:59:24 <jacekowski> if that counts
Jan 28 07:59:28 <jacekowski> ttyd/tmux
Jan 28 07:59:31 <jacekowski> or whatever that was
Jan 28 07:59:32 <grift> let me restart it
Jan 28 07:59:43 <grift> naw suicide doesnt count
Jan 28 07:59:52 <grift> doent affect operations
Jan 28 08:00:05 <grift> its back up
Jan 28 08:02:04 <grift> you didnt break it either , you just exited the last shell
Jan 28 08:02:20 <grift> ie expected behavior
Jan 28 08:03:58 <jacekowski> openwrt does not have a large attack surface out of the box anyway
Jan 28 08:04:13 <grift> true
Jan 28 08:04:37 <jacekowski> and what looks like a rather restrictive selinux policy reduces it even further
Jan 28 08:04:41 <grift> but its is a vital piece in infrastructure
Jan 28 08:05:51 <grift> its actually not that restrictive policy, this is a demonstration of optional sandbox functionality
Jan 28 08:06:34 <grift> the policy by default is pretty lax and targets an audience that doesnt want selinux to be in their way
Jan 28 08:06:56 <grift> to the extent possible without sacrificing too much
Jan 28 08:17:57 <grift> anyway thanks for trying jacekowski
Jan 28 08:21:46 >KGB-0< https://tests.reproducible-builds.org/openwrt/openwrt_sunxi.html has been updated. (0% images and 98.2% packages reproducible in our current test framework.)
Jan 28 12:35:38 <grift> i wanted to create an init script and couldnt figure out how achieve similar results to https://termbin.com/32e1 with PROCD=1
Jan 28 12:36:31 <grift> why dont we leverage cgroups.procs for example to get some MAINPID like variable in procd so that we dont need pid files?
Jan 28 13:00:36 <karlp> most things don't need pid files.
Jan 28 13:00:49 <karlp> I added it to procd just for use with external monitoring tools.
Jan 28 13:01:44 <grift> true bit ive seen things like "killall $NAME" in stop() and that just doesnt seem to scale.
Jan 28 13:01:44 <karlp> if you're using procd, you don't try and collect pids and then kill them all one by one,
Jan 28 13:02:03 <karlp> you just make an instance for whatever you need and procd will kill it ons top for you
Jan 28 13:02:17 <karlp> kilalll in stop wouldn't really be a "procd" init script, no
Jan 28 13:02:44 <grift> ye the issue with PROCD=1 for me was mainly that there was no way to enable pids.max
Jan 28 13:02:57 <karlp> what is pids.max meant to do?
Jan 28 13:03:11 <grift> limits the number of tasks in the service
Jan 28 13:03:18 <grift> ie fork bomb prevention
Jan 28 13:03:33 <karlp> a very common problem, I'm sure.
Jan 28 13:03:54 <karlp> if you want to add a whole bunch of cgroup stuff, sure, we just keep moving procd closer and closer to systemd of course...
Jan 28 13:04:09 <grift> thats not what i am saying
Jan 28 13:04:14 <karlp> but that's quite different to collecting pid files.
Jan 28 13:04:29 <grift> but if you get a pid variable then we can use that
Jan 28 14:23:11 <grift> karlp but yes i think youre probably right. forget i ever started about it.
Jan 28 14:24:35 <grift> i was just annoying by seeing killall NAME and kill $(cat /var/run/NAME.pid) all over the place
Jan 28 14:25:33 <karlp> your cgroup stuff seems only tangentially related.
Jan 28 14:25:45 <grift> it is only that , yes
Jan 28 14:25:58 <karlp> but yes, init scripts writing pidfiles and using killall are not realy using procd "as well as they could be"
Jan 28 14:26:00 <grift> the stop part is related to the pid issue
Jan 28 14:27:15 <grift> for me its good enough that i have an option to write "old-style" init scripts
Jan 28 14:27:19 <grift> that will do the job for me
Jan 28 16:05:59 <grift> well thats a bit complicated to do as its an nfs share
Jan 28 16:06:04 <grift> wrong chan
Jan 28 17:58:40 <Hauke> jow: you said there is a problem with https and wolfssl in master, where can I find some details about this, I think you told me already some time ago, but I forgot. ;-)
Jan 28 19:10:32 <philipp64> jow: does ipset-dns require anything special to work, or can it easily be made to work with Bind?
Jan 28 22:35:33 <Pepe> Hauke: Are you going to take a look at wireguard in openwrt-19.07 which is not compiled since the latest bump of kernel 4.14?
Jan 28 22:46:40 <Untis20> Hello. I'm trying to port the old rb711 patch to 19.07. I can get it to boot, detect nand and wifi, but I can't get it to detect eth. It fails with the following error: ar71xx: invalid PHY interface mode for GE0
Jan 28 22:53:28 <Untis20> Well. I solved my issue.
Jan 28 22:54:45 <Untis20> But now I have no idea if it was setting AR8327_PORT_SPEED_1000 to AR8327_PORT_SPEED_100 or copying if_mode set from rb711gr100.
Jan 28 23:26:44 <Hauke> Pepe: thanks for the info
Jan 29 01:36:25 <philipp64> what's going on?  "opkg" is telling me a package is installed with "list", but not installed with "files"...  https://paste.centos.org/view/63d83155
Jan 29 01:43:50 <russell--> philipp64: maybe it's a meta package and doesn't have any files?
Jan 29 01:45:35 <philipp64> it definitely contains files...
Jan 29 01:45:50 <philipp64> I think /usr/lib/opkg/status got corrupted...
Jan 29 01:53:46 <philipp64> so I hand edit "status", but when I try to reinstall... https://paste.centos.org/view/20ee770f
Jan 29 01:59:40 <philipp64> is there a way to fake an install by hand?  or to force it?
Jan 29 02:16:52 <philipp64> and what args is the postinst script called with?
Jan 29 02:36:32 <dtaht999> nbd: alive?
**** ENDING LOGGING AT Fri Jan 29 03:02:12 2021