use Linux kernel sources associated with openwrt by default

complains if you try to ../../../

devices/belkin-rt3200/default.nix

@@ -55,11 +55,6 @@
       ];
       config = {
     kernel = {
-      src = pkgs.pkgsBuildBuild.fetchurl {
-        name = "linux.tar.gz";
-        url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-        hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-      };
       extraPatchPhase = ''
           ${pkgs.openwrt.applyPatches.mediatek}
       '';

devices/families/qemu.nix

@@ -5,11 +5,6 @@
   ];
   config = {
     kernel = {
-      src = pkgs.pkgsBuildBuild.fetchurl {
-        name = "linux.tar.gz";
-        url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-        hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-      };
       config = {
         MTD = "y";
         MTD_BLOCK = "y";

devices/gl-ar750/default.nix

@@ -157,12 +157,6 @@
         appendDTB = true;
       };
       kernel = {
-        src = pkgs.pkgsBuildBuild.fetchurl {
-          name = "linux.tar.gz";
-          url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-          hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-        };
-
         # Mainline linux 5.19 doesn't have device-tree support for
         # this device or even for the SoC, so we use the extensive
         # OpenWrt kernel patches

devices/gl-mt300a/default.nix

@@ -114,11 +114,6 @@
      };
 
       kernel = {
-        src = pkgs.fetchurl {
-          name = "linux.tar.gz";
-          url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-          hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-        };
         extraPatchPhase = ''
           ${openwrt.applyPatches.ramips}
           ${openwrt.applyPatches.rt2x00}

devices/gl-mt300n-v2/default.nix

@@ -125,11 +125,6 @@
       };
 
       kernel = {
-        src = pkgs.fetchurl {
-          name = "linux.tar.gz";
-          url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-          hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-        };
         extraPatchPhase = ''
           ${openwrt.applyPatches.ramips}
         '';

devices/tp-archer-ax23/default.nix

@@ -50,11 +50,6 @@
       ];
       config = {
         kernel = {
-          src = pkgs.pkgsBuildBuild.fetchurl {
-            name = "linux.tar.gz";
-            url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-            hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-          };
           extraPatchPhase = ''
             ${pkgs.openwrt.applyPatches.ramips}
           '';

devices/zyxel-nwa50ax/default.nix

@@ -250,14 +250,8 @@
       #  IMAGE/ramboot-factory.bin := append-kernel | pad-to $$(KERNEL_SIZE) | append-ubi
 
       kernel = {
-        src = pkgs.fetchurl {
-          name = "linux.tar.gz";
-          url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
-          hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
-        };
         extraPatchPhase = ''
           ${openwrt.applyPatches.ramips}
-
         '';
         config = {
 

modules/kernel/default.nix

@@ -6,7 +6,7 @@
 { lib, pkgs, config, ...}:
 let
   inherit (lib) mkOption types ;
-  inherit (pkgs) liminix;
+  inherit (pkgs) liminix openwrt;
 
   mergeConditionals = conf : conditions :
     # for each key in conditions, if it is present in conf
@@ -21,8 +21,8 @@ let
 in {
   options = {
     kernel = {
-      src = mkOption { type = types.path; } ;
+      src = mkOption { type = types.path; default = openwrt.kernelSrc; } ;
-      version = mkOption { type = types.str; default = "5.15.137";} ;
+      version = mkOption { type = types.str; default = openwrt.kernelVersion;} ;
       modular = mkOption {
         type = types.bool;
         default = true;

modules/ntp/service.nix

@@ -6,6 +6,7 @@
 }:
 params:
 let
+  name = "ntp"; # bad name, needs to be unique
   inherit (liminix.services) longrun;
   inherit (lib) concatStringsSep mapAttrsToList;
   configFile = p:
@@ -23,11 +24,15 @@ let
     ++ (lib.optional (p.bindaddress != null) "bindaddress ${p.bindaddress}")
     ++ (lib.optional (p.binddevice != null) "binddevice ${p.binddevice}")
     ++ (lib.optional (p.dumpdir != null) "dumpdir ${p.dumpdir}")
+    ++ [
+      "bindcmdaddress /" # disable unix socket
+      "pidfile /run/${name}.pid"
+    ]
     ++ [p.extraConfig];
 
   config = writeText "chrony.conf"
     (concatStringsSep "\n" (configFile params));
 in longrun {
-  name = "ntp"; # bad name, needs to be unique
+  inherit name;
   run = "${chrony}/bin/chronyd -f ${config} -d";
 }

modules/ppp/common.nix

@@ -15,25 +15,26 @@ let
   inherit (builtins) toJSON toString typeOf;
 
   ip-up = writeAshScript "ip-up" {} ''
+    exec >&5 2>&5
     . ${serviceFns} 
-    (in_outputs ${name}
+    in_outputs ${name}
     echo $1 > ifname
     echo $2 > tty
     echo $3 > speed
     echo $4 > address
     echo $5 > peer-address
-     echo $DNS1 > ns1
+    set +o nounset
-     echo $DNS2 > ns2
+    if test -n "''${DNS1}" ;then echo ''${DNS1} > ns1 ; fi
-    )
+    if test -n "''${DNS2}" ;then echo ''${DNS2} > ns2 ; fi
-    echo >/proc/self/fd/10
+    test -e ipv6-address && echo >/proc/self/fd/10
   '';
   ip6-up = writeAshScript "ip6-up" {} ''
+    exec >&5 2>&5
     . ${serviceFns} 
-    (in_outputs ${name}
+    in_outputs ${name}
     echo $4 > ipv6-address
     echo $5 > ipv6-peer-address
-    )
+    test -e ifname && echo >/proc/self/fd/10
-    test -e tty && echo >/proc/self/fd/10
   '';
   literal_or_output =
     let v = o: ({
@@ -72,6 +73,7 @@ let
       chmod 0700 /run/${name}
       in_outputs ${name}
       echo ${escapeShellArgs ppp-options'} | ${output-template}/bin/output-template '{{' '}}' > /run/${name}/ppp-options
+      fdmove -c 5 2 \
       ${command}
     '';
     notification-fd = 10;

overlay.nix

@@ -5,7 +5,7 @@ let
   extraPkgs = import ./pkgs/default.nix {
     inherit (final) lib callPackage;
   };
-  inherit (final) fetchpatch;
+  inherit (final) fetchpatch lib;
   luaHost =
     let
       l = prev.lua5_3.overrideAttrs(o: {
@@ -73,14 +73,15 @@ extraPkgs // {
         });
     in chrony'.override {
       gnutls = null;
-      nss = null;
-      nspr = null;
-      readline = null;
       libedit = null;
       libseccomp = null;
       # should texinfo be in nativeBuildInputs instead of
       # buildInputs?
       texinfo = null;
+    } // lib.optionalAttrs (lib.versionOlder lib.version "24.10") {
+      nss = null;
+      nspr = null;
+      readline = null;
     };
 
   # clevis without luks/tpm

pkgs/anoia/assert.fnl

@@ -3,7 +3,6 @@
 
 ;; e.g. (import-macros { : expect= } :anoia.assert)
 
-
 (fn expect [assertion]
   (let [msg (.. "expectation failed: " (view assertion))]
     `(when (not ,assertion)

pkgs/anoia/fs.fnl

@@ -82,7 +82,6 @@
   (let [p (find-executable "yes" (os.getenv "PATH"))]
     (expect (string.match p "coreutils.+bin/yes$"))))
 
-
 {
  : mktree
  : rmtree

pkgs/anoia/init.fnl

@@ -1,8 +1,4 @@
-;; importing assert.fnl macros here would be circular, so we can't use
+(import-macros { :  define-tests : expect : expect= } :anoia.assert)
-;; the full test functionality
-(macro define-tests [& body]
-  (when _G.RUNNING_TESTS
-    `(do ,(unpack body))))
 
 (fn assoc [tbl k v & more]
   (tset tbl k v)
@@ -32,6 +28,18 @@
 (fn dirname [path]
   (string.match path "(.*)/[^/]-$"))
 
+(fn append-path [dirname filename]
+  (let [base (or (string.match dirname "(.*)/$") dirname)
+        result []]
+    (each [component (string.gmatch filename "([^/]+)")]
+      (if (and (= component "..") (> (# result) 0))
+          (table.remove result)
+          (= component "..")
+          (error "path traversal attempt")
+          true
+          (table.insert result component)))
+    (.. base "/" (table.concat result "/"))))
+
 (fn system [s]
   (match (os.execute s)
     res (do (print (.. "Executed \"" s "\", exit code " (tostring res)))  res)
@@ -59,16 +67,26 @@
              (and present (. a k))))))
 
 (define-tests
- (assert (table= {:a 1 :b 2} {:b 2 :a 1}))
+ (expect (table= {:a 1 :b 2} {:b 2 :a 1}))
- (assert (not (table= {:a 1 :b 2 :k :l}  {:b 2 :a 1})))
+ (expect (not (table= {:a 1 :b 2 :k :l}  {:b 2 :a 1})))
- (assert (not (table= {:a 1 :b 2}  {:b 2 :a 1 :k :l})))
+ (expect (not (table= {:a 1 :b 2}  {:b 2 :a 1 :k :l})))
 
- (assert (table= {:a 1 :b {:l 17}} {:b {:l 17} :a 1}))
+ (expect (table= {:a 1 :b {:l 17}} {:b {:l 17} :a 1}))
- (assert (table= {:a [4 5 6 7] } {:a [4 5 6 7]}))
+ (expect (table= {:a [4 5 6 7] } {:a [4 5 6 7]}))
- (assert (not (table= {:a [4 5 6 7] } {:a [4 5 6 7 8]})))
+ (expect (not (table= {:a [4 5 6 7] } {:a [4 5 6 7 8]})))
- (assert (not (table= {:a [4 5 7 6] } {:a [4 5 6 7 ]})))
+ (expect (not (table= {:a [4 5 7 6] } {:a [4 5 6 7 ]})))
 
- (assert (table= {} {}))
+ (expect (table= {} {}))
+
+ (let [traps (fn [b p]
+               (match (pcall append-path b p)
+                 (true f) (error "didn't trap path traversal")
+                 (false err) (expect (string.match err "path traversal"))))]
+   (expect= (append-path "/tmp" "hello") "/tmp/hello")
+   (expect= (append-path "/tmp/" "hello") "/tmp/hello")
+   (traps "/tmp/" "../hello")
+   (expect= (append-path "/tmp/" "hello/../goodbye") "/tmp/goodbye")
+   (traps "/tmp/" "hello/../../goodbye"))
  )
 
 (fn dig [tree path]
@@ -177,17 +195,17 @@
         b64 (base64 :url)]
 
     (let [a (b64:decode "YWxsIHlvdXIgYmFzZQ==")]
-      (assert (= a "all your base") (view a)))
+      (expect= a "all your base"))
     (let [a (b64:decode "ZmVubmVsIHRoaW5n")]
-      (assert (= a "fennel thing")  a))
+      (expect= a "fennel thing"))
     (let [a (b64:decode "TWFueSBoYW5kcyBtYWtlIGxpZ2h0IHdvcms=")]
-      (assert (= a "Many hands make light work") (view  a)))
+      (expect= a "Many hands make light work"))
     (let [a (b64:encode "hello world")]
-      (assert (= a "aGVsbG8gd29ybGQ=") a))
+      (expect= a "aGVsbG8gd29ybGQ="))
 
     (fn check [plain enc]
-      (let [a (b64:encode plain)] (assert (= a enc) (.. "encode " a)))
+      (let [a (b64:encode plain)] (expect (= a enc) (.. "encode " a)))
-      (let [a (b64:decode enc)] (assert (= a plain) (.. "decode " a))))
+      (let [a (b64:decode enc)] (expect (= a plain) (.. "decode " a))))
 
     (check ""  "")
     (check "f"  "Zg==")
@@ -198,12 +216,10 @@
     (check "foobar"  "Zm9vYmFy")
 
     (let [x (b64:decode "REtOdUtNS05BNEJWLXdfcUhtNU9YV2liOUxkX3RTdVJTQWVUR0dkWldBdVEyaURObDZ2b3pSbEJwMzlzOEltdkhWdmpzZmMiLCJ5IjoiQVlDY1QwOGZrNFZWZ2lZSVIxbkU4UlJGaGZOSGdBUEFzckRITmJtRGNfUGtWZmdDR0xTMTIweU5SNncwdjd5RUY4WDN1OGpvazhkU0pqN0hnWjZCZHAzcSJ9LCJraWQiOiJlalVDaXBCUE9BeDRWQ1dQdUtkVGlYNDNadW5XTDNjSWN6V1h1RVZyTVNFIn0")]
-      (assert (string.match x "}$") x))
+      (expect (string.match x "}$") x))
 
     ))
 
-
-
     ;; doesn't work if the padding is missing
     ;; (let [a (from-base64 "TWFueSBoYW5kcyBtYWtlIGxpZ2h0IHdvcms")]
     ;;   (assert (= a "Many hands make light work") (view  a)))
@@ -212,6 +228,7 @@
 
 
 {
+ : append-path
  : assoc
  : base64
  : base64url

pkgs/openwrt/default.nix

@@ -29,6 +29,17 @@ let
   '';
 in {
   inherit src;
+
+  # The kernel sources typically used with this version of openwrt
+  # You can find this in `include/kernel-5.15` or similar in the
+  # openwrt sources
+  kernelSrc = pkgsBuildBuild.fetchurl {
+    name = "linux.tar.gz";
+    url = "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.137.tar.gz";
+    hash = "sha256-PkdzUKZ0IpBiWe/RS70J76JKnBFzRblWcKlaIFNxnHQ=";
+  };
+  kernelVersion = "5.15.137";
+
   applyPatches.ath79 = doPatch "ath79";
   applyPatches.ramips = doPatch "ramips";
   applyPatches.mediatek = doPatch "mediatek"; # aarch64

pkgs/watch-ssh-keys/watch-ssh-keys.fnl

@@ -1,4 +1,4 @@
-(local { : system : assoc : split : dup : table= : dig } (require :anoia))
+(local { : system : assoc : split : dup : table= : dig : append-path } (require :anoia))
 (local svc (require :anoia.svc))
 (import-macros { :  define-tests : expect : expect= } :anoia.assert)
 
@@ -13,14 +13,14 @@
   (when (not (table= old-tree new-tree))
     (io.stderr:write "new ssh keys\n")
     (each [username pubkeys (pairs new-tree)]
-      (with-open [f (assert (io.open (.. path "/" username) :w))]
+      (with-open [f (assert (io.open (append-path path username) :w))]
         ;;  the keys are "1" "2" "3" etc, so pairs not ipairs
         (each [_ k (pairs pubkeys)]
           (f:write k)
           (f:write "\n")))))
   (each [k v (pairs old-tree)]
     (when (not (. new-tree k))
-      (os.remove (.. path "/" k))))
+      (os.remove (append-path path k))))
   new-tree)
 
 (define-tests

tests/inout/script.expect

@@ -1,12 +1,18 @@
-set timeout 10
+set timeout 40
+fconfigure stdout -buffering  none
 
 set when [lindex $argv 0];
 
+send_user "\n\n\n\n#################################\n running $when"
+
+
 spawn socat -,echo=0,icanon=1 unix-connect:vm/monitor
 set monitor_id $spawn_id
+fconfigure $monitor_id -buffering none
 
 spawn socat unix-connect:vm/console -
 set console_id $spawn_id
+fconfigure $console_id -buffering  none
 
 proc chat {instr outstr} {
     expect {
@@ -19,15 +25,21 @@ proc adddevice { } {
     global monitor_id console_id spawn_id
     set spawn_id $monitor_id
 
+    send_user "\n#### inserting usb device"
+    send "\r\n"
     chat "QEMU" "device_add usb-storage,bus=xhci.0,drive=usbstick\n"
-    chat "(qemu)" "version\r"
 
     set spawn_id $console_id
+
     expect {
       "sda: sda1" { }
-      timeout { exit 1 }
+      timeout {
+          puts stderr "timeout waiting for disk"
+          exit 1
       }
     }
+    send_user "done inserting usb device"       
+}
 
 if { $when eq "early" } {
   adddevice
@@ -35,20 +47,25 @@ if { $when eq "early" } {
 
 expect "BusyBox"
 chat "#" "PS1=RE\\ADY_\\ ; stty -echo \r"
+# script needs klogd output to tell when sda1 appears. Then
+# run s6-rc -b  -a list to wait for booting to finish
 chat "READY_"  "tail -f /run/log/current & \rs6-rc -b  -a list\r"
 
-chat "mount" "\r"
-
 if { $when eq "late" } {
   adddevice
 }
 
-send "\r"
+send_user "\n\n\nwaiting for mount to happen"
-set timeout 20
-
-chat "READY_" "sleep 5; grep /srv /proc/mounts && hostname\r"
 
+set FINISHED 0
+set EXIT "1" 
+while { $FINISHED < 10 } {
+  chat "READY_" "grep /srv /proc/mounts\r\n"
   expect {
-  "inout" { }
+    "backup-disk" { set FINISHED 20; set EXIT 0; }
-  timeout { exit 1 }
+    "READY_" { send_user "waiting ...\n" ; send "\r\n"; sleep 6 }
   }
+  set FINISHED [ expr $FINISHED + 1 ]
+}
+
+exit $EXIT

tests/inout/test.nix

@@ -18,13 +18,17 @@ mkfs.ext2 -L backup-disk ./vm/stick.e2fs
 dd if=/dev/zero of=./vm/stick.img bs=1M count=38
 dd if=./vm/stick.e2fs of=./vm/stick.img bs=512 seek=34 conv=notrunc
 parted -s ./vm/stick.img -- mklabel gpt mkpart backup-disk ext2 34s -0M
+sync
+cp  ./vm/stick.img  ./vm/stick.img.orig
 
 {
 
+
 ${img}/run.sh  --background ./vm --flag -device --flag usb-ehci,id=xhci --flag -drive  --flag if=none,id=usbstick,format=raw,file=$(pwd)/vm/stick.img
 expect ${./script.expect} late
 kill $(cat ./vm/pid)
 
+cp  ./vm/stick.img.orig ./vm/stick.img
 ${img}/run.sh  --background ./vm --flag -device --flag usb-ehci,id=xhci --flag -drive  --flag if=none,id=usbstick,format=raw,file=$(pwd)/vm/stick.img
 expect ${./script.expect} early
 

tests/pppoe/test.nix

@@ -17,6 +17,8 @@ serverstatedir=$(mktemp -d -t routeros-XXXXXX)
 # python scapy drags in matplotlib which doesn't enjoy running in
 # a sandbox with no $HOME, hence this environment variable
 export MPLCONFIGDIR=$(mktemp -d -t routeros-XXXXXX)
+export XDG_CONFIG_HOME=/tmp
+export XDG_CACHE_HOME=/tmp
 
 . ${../test-helpers.sh}