Testing showed that additional syscalls are needed on ARMv7.
Add "getegid32", "geteuid32", "getgid32" and "getrandom" as they are
all innocent.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add fadvise64_64 and fchmod syscalls needed on PowerPC platforms to
seccomp rules of transmission-daemon.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
procd-seccomp switched to OCI-compliant seccomp parser instead of our
(legacy, OpenWrt-specific) format. Convert ruleset to new format.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Transmission should stop early on system shutdown to avoid
for example fstab unmount disks when transmission is writing.
Signed-off-by: Francesco G <gfrancesco@users.noreply.github.com>
add missing 'peer_id_ttl_hours' and remove 'scrape_paused_torrents'
which is not exist in transmission wiki.
Signed-off-by: Richard Yu <yurichard3839@gmail.com>
--log-error in the init script was overriding it.
Added several optimizations to the init script for speed and correctness.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Things were done in the wrong order, leading to config_dir not being
chown'ed and subdirectories not being created in case of download_dir
being inside config_dir.
Fixes: 609109fa9 ("transmission: add seccomp filter and improve jail")
Reported-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Some firewalls mandate a minimum size of 4k for SYN packets, which
transmission does not do by default. Upstream issue here:
https://github.com/transmission/transmission/issues/964
Cleanup:
Fixed license info.
Removed two unnecessary patches.
Ran shell script through shellcheck.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Mainly a bugfix for XSS. Patches have been refreshed.
Added an upstream fix for TLS verification. Now enabled by default.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
It was requested as it can be useful under certain circumstances.
Disabled rpc_whitelist by default. Not only is there a firewall, but it denies access when IP address of the device is changed.
Added group support in UCI. Fixes cases where group does not match the user (nobody:nogroup).
Signed-off-by: Rosen Penev <rosenp@gmail.com>
HTTPS verification is totally broken in Transmission. Unclear why. Disabling as a result.
Safari exposes a JavaScript bug that makes it not load. Fixed.
Portcheck was backported to HTTPS for testing initially. Seems like a good idea.
Makefile was also fixed to use the external libnatpmp. Smaller binary.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
libnatpmp was added as a dependancy to avoid built-in version.
Makefile went through a few adjustments to make it simpler.
CMake support is not happening since Travis is using a broken Ubuntu install.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Ran the transmission init script through shellcheck and fixed errors. Also cleaned up a bit.
Removed ionice support. Will reintroduce if procd adds support.
Removed config_overwrite debugging variable. No need for it.
Enabled TLS verify by default. Added a dependancy to ca-bundle as a result. This is a default in current trunk.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
DNS rebinding protection introduced a new option. Use it to disable it as OpenWrt does not need it.
Adjusted Makefile to use the release instead of a git version. Also cleaned up and added LICENSE entries.
Eliminated useless patches. The syslog one actually doesn't log much. No need to mask the os release anymore either.
Added group entry to init script. Otherwise files end up being owned by user:root which is bogus.
v2: Previous maintainer relied on git version of Transmission for mbedtls support. Backport it to the stable instead.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
DNS rebinding protection introduced a new option. Use it to disable it as OpenWrt does not need it.
Adjusted Makefile to use the release instead of a git version. Also cleaned up and added LICENSE entries.
Eliminated useless patches. The syslog one actually doesn't log much. No need to mask the os release anymore either.
Added group entry to init script. Otherwise files end up being owned by user:root which is bogus.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The init script runs transmission with the foreground parameter for procd to control it. However, if transmission is ran in the foreground, nothing is logged to syslog. Added a patch to remove this restriction.
Also added a sysctl file that removes these warnings:
UDP Failed to set receive buffer: requested 4194304, got 262142 (tr-udp.c:75)
UDP Please add the line "net.core.rmem_max = 4194304" to /etc/sysctl.conf (tr-udp.c:80)
UDP Failed to set send buffer: requested 1048576, got 262142 (tr-udp.c:86)
UDP Please add the line "net.core.wmem_max = 1048576" to /etc/sysctl.conf (tr-udp.c:91)
Signed-off-by: Rosen Penev <rosenp@gmail.com>
That allows to restart transmission when it crashes, to limit
the memory used by it, as well as be jailed in the directories
it is supposed to access.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Daniel Golle
Josef Zila
Rosen Penev
Jan Pavlinec
Francesco G
Richard Yu
Andrii Korzh
Hannu Nyman
Maxim Storchak
Nikos Mavrogiannopoulos