procd: add jail support

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45010
This commit is contained in:
John Crispin 2015-03-26 10:58:25 +00:00
parent 4cf7929869
commit e85b93d9b8
2 changed files with 84 additions and 5 deletions

View file

@ -8,14 +8,14 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=procd
PKG_VERSION:=2015-03-18
PKG_VERSION:=2015-03-25
PKG_RELEASE=$(PKG_SOURCE_VERSION)
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=git://nbd.name/luci2/procd.git
PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE_VERSION:=0cf744c720c9ed01c2dae25f338d4e96b9db95e3
PKG_SOURCE_VERSION:=29f139217c71c8753643779c800788783bf43c23
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
CMAKE_INSTALL:=1
@ -24,6 +24,8 @@ PKG_LICENSE_FILES:=
PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>
PKG_CONFIG_DEPENDS:=CONFIG_KERNEL_SECCOMP
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk
@ -36,6 +38,14 @@ define Package/procd
TITLE:=OpenWrt system process manager
endef
define Package/procd-jail
SECTION:=base
CATEGORY:=Base system
DEPENDS:=procd +@KERNEL_NAMESPACES +@KERNEL_UTS_NS +@KERNEL_IPC_NS +@KERNEL_PID_NS @mips||mipsel||i386||x86_64
TITLE:=OpenWrt process jail
DEFAULT:=n
endef
define Package/procd-nand
SECTION:=utils
CATEGORY:=Utilities
@ -83,16 +93,26 @@ endif
define Package/procd/install
$(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/
$(INSTALL_BIN) ./files/reload_config $(1)/sbin/
$(INSTALL_DATA) ./files/hotplug*.json $(1)/etc/
$(INSTALL_DATA) ./files/procd.sh $(1)/lib/functions/
ifeq ($(CONFIG_KERNEL_SECCOMP),y)
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-seccomp.so $(1)/lib
endif
endef
define Package/procd-jail/install
$(INSTALL_DIR) $(1)/sbin $(1)/lib
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{utrace,ujail} $(1)/sbin/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-trace.so $(1)/lib
endef
define Package/procd-nand/install
$(INSTALL_DIR) $(1)/sbin $(1)/lib/upgrade
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/
$(INSTALL_DATA) ./files/nand.sh $(1)/lib/upgrade/
endef
@ -103,5 +123,6 @@ define Package/procd-nand-firstboot/install
endef
$(eval $(call BuildPackage,procd))
$(eval $(call BuildPackage,procd-jail))
$(eval $(call BuildPackage,procd-nand))
$(eval $(call BuildPackage,procd-nand-firstboot))

View file

@ -112,6 +112,7 @@ _procd_open_instance() {
_PROCD_INSTANCE_SEQ="$(($_PROCD_INSTANCE_SEQ + 1))"
name="${name:-instance$_PROCD_INSTANCE_SEQ}"
json_add_object "$name"
[ -n "$TRACE_SYSCALLS" ] && json_add_boolean trace "1"
}
_procd_open_trigger() {
@ -122,6 +123,60 @@ _procd_open_validate() {
json_add_array "validate"
}
_procd_add_jail() {
json_add_object "jail"
json_add_string name "$1"
json_add_string root "/tmp/.jail/$1"
shift
for a in $@; do
case $a in
log) json_add_boolean "log" "1";;
ubus) json_add_boolean "ubus" "1";;
procfs) json_add_boolean "procfs" "1";;
sysfs) json_add_boolean "sysfs" "1";;
esac
done
json_add_object "mount"
json_close_object
json_close_object
}
_procd_add_jail_mount() {
local _json_no_warning=1
json_select "jail"
[ $? = 0 ] || return
json_select "mount"
[ $? = 0 ] || {
json_select ..
return
}
for a in $@; do
json_add_string "$a" "0"
done
json_select ..
json_select ..
}
_procd_add_jail_mount_rw() {
local _json_no_warning=1
json_select "jail"
[ $? = 0 ] || return
json_select "mount"
[ $? = 0 ] || {
json_select ..
return
}
for a in $@; do
json_add_string "$a" "1"
done
json_select ..
json_select ..
}
_procd_set_param() {
local type="$1"; shift
@ -140,7 +195,7 @@ _procd_set_param() {
nice)
json_add_int "$type" "$1"
;;
user)
user|seccomp)
json_add_string "$type" "$1"
;;
stdout|stderr)
@ -367,6 +422,9 @@ _procd_wrapper \
procd_close_instance \
procd_open_validate \
procd_close_validate \
procd_add_jail \
procd_add_jail_mount \
procd_add_jail_mount_rw \
procd_set_param \
procd_append_param \
procd_add_validation \