KumiSystems/openwrtv3
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

procd: add jail support

Browse source 
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45010
This commit is contained in:
John Crispin 2015-03-26 10:58:25 +00:00
parent 4cf7929869
commit e85b93d9b8
2 changed files with 84 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
package/system/procd/Makefile
View file

@ -8,14 +8,14 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=procd PKG_NAME:=procd
PKG_VERSION:=2015-03-18 PKG_VERSION:=2015-03-25
PKG_RELEASE=$(PKG_SOURCE_VERSION) PKG_RELEASE=$(PKG_SOURCE_VERSION)
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=git://nbd.name/luci2/procd.git PKG_SOURCE_URL:=git://nbd.name/luci2/procd.git
PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE_VERSION:=0cf744c720c9ed01c2dae25f338d4e96b9db95e3 PKG_SOURCE_VERSION:=29f139217c71c8753643779c800788783bf43c23
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
CMAKE_INSTALL:=1 CMAKE_INSTALL:=1
@ -24,6 +24,8 @@ PKG_LICENSE_FILES:=
PKG_MAINTAINER:=John Crispin <blogic@openwrt.org> PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>
PKG_CONFIG_DEPENDS:=CONFIG_KERNEL_SECCOMP
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk include $(INCLUDE_DIR)/cmake.mk
@ -36,6 +38,14 @@ define Package/procd
TITLE:=OpenWrt system process manager TITLE:=OpenWrt system process manager
endef endef
define Package/procd-jail
SECTION:=base
CATEGORY:=Base system
DEPENDS:=procd +@KERNEL_NAMESPACES +@KERNEL_UTS_NS +@KERNEL_IPC_NS +@KERNEL_PID_NS @mips||mipsel||i386||x86_64
TITLE:=OpenWrt process jail
DEFAULT:=n
endef
define Package/procd-nand define Package/procd-nand
SECTION:=utils SECTION:=utils
CATEGORY:=Utilities CATEGORY:=Utilities
@ -83,16 +93,26 @@ endif
define Package/procd/install define Package/procd/install
$(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions $(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/
$(INSTALL_BIN) ./files/reload_config $(1)/sbin/ $(INSTALL_BIN) ./files/reload_config $(1)/sbin/
$(INSTALL_DATA) ./files/hotplug*.json $(1)/etc/ $(INSTALL_DATA) ./files/hotplug*.json $(1)/etc/
$(INSTALL_DATA) ./files/procd.sh $(1)/lib/functions/ $(INSTALL_DATA) ./files/procd.sh $(1)/lib/functions/
ifeq ($(CONFIG_KERNEL_SECCOMP),y)
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-seccomp.so $(1)/lib
endif
endef
define Package/procd-jail/install
$(INSTALL_DIR) $(1)/sbin $(1)/lib
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{utrace,ujail} $(1)/sbin/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-trace.so $(1)/lib
endef endef
define Package/procd-nand/install define Package/procd-nand/install
$(INSTALL_DIR) $(1)/sbin $(1)/lib/upgrade $(INSTALL_DIR) $(1)/sbin $(1)/lib/upgrade
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/
$(INSTALL_DATA) ./files/nand.sh $(1)/lib/upgrade/ $(INSTALL_DATA) ./files/nand.sh $(1)/lib/upgrade/
endef endef
@ -103,5 +123,6 @@ define Package/procd-nand-firstboot/install
endef endef
$(eval $(call BuildPackage,procd)) $(eval $(call BuildPackage,procd))
$(eval $(call BuildPackage,procd-jail))
$(eval $(call BuildPackage,procd-nand)) $(eval $(call BuildPackage,procd-nand))
$(eval $(call BuildPackage,procd-nand-firstboot)) $(eval $(call BuildPackage,procd-nand-firstboot))

60
package/system/procd/files/procd.sh
View file

@ -112,6 +112,7 @@ _procd_open_instance() {
_PROCD_INSTANCE_SEQ="$(($_PROCD_INSTANCE_SEQ + 1))" _PROCD_INSTANCE_SEQ="$(($_PROCD_INSTANCE_SEQ + 1))"
name="${name:-instance$_PROCD_INSTANCE_SEQ}" name="${name:-instance$_PROCD_INSTANCE_SEQ}"
json_add_object "$name" json_add_object "$name"
[ -n "$TRACE_SYSCALLS" ] && json_add_boolean trace "1"
} }
_procd_open_trigger() { _procd_open_trigger() {
@ -122,6 +123,60 @@ _procd_open_validate() {
json_add_array "validate" json_add_array "validate"
} }
_procd_add_jail() {
json_add_object "jail"
json_add_string name "$1"
json_add_string root "/tmp/.jail/$1"
shift
for a in $@; do
case $a in
log) json_add_boolean "log" "1";;
ubus) json_add_boolean "ubus" "1";;
procfs) json_add_boolean "procfs" "1";;
sysfs) json_add_boolean "sysfs" "1";;
esac
done
json_add_object "mount"
json_close_object
json_close_object
}
_procd_add_jail_mount() {
local _json_no_warning=1
json_select "jail"
[ $? = 0 ] || return
json_select "mount"
[ $? = 0 ] || {
json_select ..
return
}
for a in $@; do
json_add_string "$a" "0"
done
json_select ..
json_select ..
}
_procd_add_jail_mount_rw() {
local _json_no_warning=1
json_select "jail"
[ $? = 0 ] || return
json_select "mount"
[ $? = 0 ] || {
json_select ..
return
}
for a in $@; do
json_add_string "$a" "1"
done
json_select ..
json_select ..
}
_procd_set_param() { _procd_set_param() {
local type="$1"; shift local type="$1"; shift
@ -140,7 +195,7 @@ _procd_set_param() {
nice) nice)
json_add_int "$type" "$1" json_add_int "$type" "$1"
;; ;;
user) user|seccomp)
json_add_string "$type" "$1" json_add_string "$type" "$1"
;; ;;
stdout|stderr) stdout|stderr)
@ -367,6 +422,9 @@ _procd_wrapper \
procd_close_instance \ procd_close_instance \
procd_open_validate \ procd_open_validate \
procd_close_validate \ procd_close_validate \
procd_add_jail \
procd_add_jail_mount \
procd_add_jail_mount_rw \
procd_set_param \ procd_set_param \
procd_append_param \ procd_append_param \
procd_add_validation \ procd_add_validation \