From 1454195bb99177fe45a87c3240f9e472b29fc2fc Mon Sep 17 00:00:00 2001
From: Andre Heider <a.heider@gmail.com>
Date: Sun, 12 Apr 2026 17:36:35 +0200
Subject: [PATCH 1/4] jail: mount ucode related bits into netifd jail

netifd gained ucode support, mount the required pieces to fix the
errors:

daemon.crit netifd: Error loading ucode script:
Syntax error: Unable to resolve path for module 'uci' In line 1, byte 27:
    `import * as uci from "uci";`
    Near here ----------------^
Syntax error: Unable to resolve path for module 'uloop' In line 2, byte 31:
    `import * as uloop from "uloop";`
    Near here --------------------^
Syntax error: Unable to resolve path for module 'ubus' In line 3, byte 32:
    `import * as libubus from "ubus";`
    Near here ---------------------^
Syntax error: Unable to resolve path for module 'fs' In line 4, byte 37:
    `import { access, dirname } from "fs";`
    Near here --------------------------^

Signed-off-by: Andre Heider <a.heider@gmail.com>
---
 jail/netifd.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/jail/netifd.c b/jail/netifd.c
index 10d2e65..9d140d6 100644
--- a/jail/netifd.c
+++ b/jail/netifd.c
@@ -275,7 +275,11 @@ static void run_netifd(struct uloop_timeout *t)
 	blobmsg_add_string(&req, "/usr/bin/killall", "0");
 	blobmsg_add_string(&req, "/usr/bin/logger", "0");
 	blobmsg_add_string(&req, "/usr/bin/jshn", "0");
+	blobmsg_add_string(&req, "/usr/bin/ucode", "0");
+	blobmsg_add_string(&req, "/usr/lib/ucode", "0");
 	blobmsg_add_string(&req, "/usr/share/libubox/jshn.sh", "0");
+	blobmsg_add_string(&req, "/usr/share/schema", "0");
+	blobmsg_add_string(&req, "/usr/share/ucode/wifi", "0");
 	blobmsg_add_string(&req, "/sbin/hotplug-call", "0");
 	blobmsg_add_string(&req, "/sbin/udhcpc", "0");
 	blobmsg_close_table(&req, mount);

From 1b1b53571a2bea9da777d6d8fa14192b34a0874f Mon Sep 17 00:00:00 2001
From: Andre Heider <a.heider@gmail.com>
Date: Sun, 12 Apr 2026 18:37:45 +0200
Subject: [PATCH 2/4] instance: disable console logging

This spams the logs with every in- and outcoming byte.

Signed-off-by: Andre Heider <a.heider@gmail.com>
---
 service/instance.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/service/instance.c b/service/instance.c
index 51d85b0..4c64b35 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -759,7 +759,7 @@ instance_console(struct ustream *s, int bytes)
 		if (!buf)
 			break;
 
-		ulog(LOG_INFO, "out: %s\n", buf);
+		DEBUG(LOG_INFO, "out: %s\n", buf);
 
 		/* test if console client is attached */
 		if (in->console_client.fd.fd > -1)
@@ -781,7 +781,7 @@ instance_console_client(struct ustream *s, int bytes)
 		if (!buf)
 			break;
 
-		ulog(LOG_INFO, "in: %s\n", buf);
+		DEBUG(LOG_INFO, "in: %s\n", buf);
 		ustream_write(&in->console.stream, buf, len, false);
 		ustream_consume(s, len);
 	} while (1);

From 87f9a6ce989f70f4308b2caacb8416a0f28d5df4 Mon Sep 17 00:00:00 2001
From: Andre Heider <a.heider@gmail.com>
Date: Mon, 13 Apr 2026 17:01:08 +0200
Subject: [PATCH 3/4] jail: mount tools used by dhcp.sh in the netifd jail

./dhcp.sh: eval: line 33: md5sum: not found
./dhcp.sh: eval: line 33: cut: not found
./dhcp.sh: eval: line 107: /sbin/uci: not found
/bin/ipcalc.sh: line 5: basename: not found
/bin/ipcalc.sh: line 5: basename: not found

Signed-off-by: Andre Heider <a.heider@gmail.com>
---
 jail/netifd.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/jail/netifd.c b/jail/netifd.c
index 9d140d6..54a18ab 100644
--- a/jail/netifd.c
+++ b/jail/netifd.c
@@ -272,15 +272,18 @@ static void run_netifd(struct uloop_timeout *t)
 	blobmsg_add_string(&req, "/lib/netifd", "0");
 	blobmsg_add_string(&req, "/lib/network", "0");
 	blobmsg_add_string(&req, "/usr/bin/awk", "0");
+	blobmsg_add_string(&req, "/usr/bin/cut", "0");
+	blobmsg_add_string(&req, "/usr/bin/jshn", "0");
 	blobmsg_add_string(&req, "/usr/bin/killall", "0");
 	blobmsg_add_string(&req, "/usr/bin/logger", "0");
-	blobmsg_add_string(&req, "/usr/bin/jshn", "0");
+	blobmsg_add_string(&req, "/usr/bin/md5sum", "0");
 	blobmsg_add_string(&req, "/usr/bin/ucode", "0");
 	blobmsg_add_string(&req, "/usr/lib/ucode", "0");
 	blobmsg_add_string(&req, "/usr/share/libubox/jshn.sh", "0");
 	blobmsg_add_string(&req, "/usr/share/schema", "0");
 	blobmsg_add_string(&req, "/usr/share/ucode/wifi", "0");
 	blobmsg_add_string(&req, "/sbin/hotplug-call", "0");
+	blobmsg_add_string(&req, "/sbin/uci", "0");
 	blobmsg_add_string(&req, "/sbin/udhcpc", "0");
 	blobmsg_close_table(&req, mount);
 

From bd39eda4536ac8a3001419e5a81eb1055b16a3ac Mon Sep 17 00:00:00 2001
From: Andre Heider <a.heider@gmail.com>
Date: Wed, 15 Apr 2026 11:49:34 +0200
Subject: [PATCH 4/4] jail: fix reading the oci device gid value

Fix the typo to properly set the device group in the container namespace.

Signed-off-by: Andre Heider <a.heider@gmail.com>
---
 jail/jail.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jail/jail.c b/jail/jail.c
index 2326ce7..8344a04 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -2043,7 +2043,7 @@ static const struct blobmsg_policy oci_devices_policy[] = {
 	[OCI_DEVICES_MINOR] = { "minor", BLOBMSG_TYPE_INT32 },
 	[OCI_DEVICES_FILEMODE] = { "fileMode", BLOBMSG_TYPE_INT32 },
 	[OCI_DEVICES_UID] = { "uid", BLOBMSG_TYPE_INT32 },
-	[OCI_DEVICES_GID] = { "uid", BLOBMSG_TYPE_INT32 },
+	[OCI_DEVICES_GID] = { "gid", BLOBMSG_TYPE_INT32 },
 };
 
 static mode_t resolve_devtype(char *tstr)