procd: add jail support
Signed-off-by: John Crispin <blogic@openwrt.org> SVN-Revision: 45010
parent
4cf7929869
commit
e85b93d9b8
2 changed files with 84 additions and 5 deletions
|
@ -8,14 +8,14 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=procd
|
||||
PKG_VERSION:=2015-03-18
|
||||
PKG_VERSION:=2015-03-25
|
||||
|
||||
PKG_RELEASE=$(PKG_SOURCE_VERSION)
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=git://nbd.name/luci2/procd.git
|
||||
PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
|
||||
PKG_SOURCE_VERSION:=0cf744c720c9ed01c2dae25f338d4e96b9db95e3
|
||||
PKG_SOURCE_VERSION:=29f139217c71c8753643779c800788783bf43c23
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
|
||||
CMAKE_INSTALL:=1
|
||||
|
||||
|
@ -24,6 +24,8 @@ PKG_LICENSE_FILES:=
|
|||
|
||||
PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>
|
||||
|
||||
PKG_CONFIG_DEPENDS:=CONFIG_KERNEL_SECCOMP
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
include $(INCLUDE_DIR)/cmake.mk
|
||||
|
||||
|
@ -36,6 +38,14 @@ define Package/procd
|
|||
TITLE:=OpenWrt system process manager
|
||||
endef
|
||||
|
||||
define Package/procd-jail
|
||||
SECTION:=base
|
||||
CATEGORY:=Base system
|
||||
DEPENDS:=procd +@KERNEL_NAMESPACES +@KERNEL_UTS_NS +@KERNEL_IPC_NS +@KERNEL_PID_NS @mips||mipsel||i386||x86_64
|
||||
TITLE:=OpenWrt process jail
|
||||
DEFAULT:=n
|
||||
endef
|
||||
|
||||
define Package/procd-nand
|
||||
SECTION:=utils
|
||||
CATEGORY:=Utilities
|
||||
|
@ -83,16 +93,26 @@ endif
|
|||
define Package/procd/install
|
||||
$(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions
|
||||
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/
|
||||
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/
|
||||
$(INSTALL_BIN) ./files/reload_config $(1)/sbin/
|
||||
$(INSTALL_DATA) ./files/hotplug*.json $(1)/etc/
|
||||
$(INSTALL_DATA) ./files/procd.sh $(1)/lib/functions/
|
||||
ifeq ($(CONFIG_KERNEL_SECCOMP),y)
|
||||
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-seccomp.so $(1)/lib
|
||||
endif
|
||||
endef
|
||||
|
||||
define Package/procd-jail/install
|
||||
$(INSTALL_DIR) $(1)/sbin $(1)/lib
|
||||
|
||||
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{utrace,ujail} $(1)/sbin/
|
||||
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-trace.so $(1)/lib
|
||||
endef
|
||||
|
||||
define Package/procd-nand/install
|
||||
$(INSTALL_DIR) $(1)/sbin $(1)/lib/upgrade
|
||||
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/
|
||||
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/
|
||||
$(INSTALL_DATA) ./files/nand.sh $(1)/lib/upgrade/
|
||||
endef
|
||||
|
||||
|
@ -103,5 +123,6 @@ define Package/procd-nand-firstboot/install
|
|||
endef
|
||||
|
||||
$(eval $(call BuildPackage,procd))
|
||||
$(eval $(call BuildPackage,procd-jail))
|
||||
$(eval $(call BuildPackage,procd-nand))
|
||||
$(eval $(call BuildPackage,procd-nand-firstboot))
|
||||
|
|
|
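Review bot: `Package/procd-jail` declares no relationship to `CONFIG_KERNEL_SECCOMP`, while the same commit ships `libpreload-seccomp.so` only inside `ifeq ($(CONFIG_KERNEL_SECCOMP),y)` in `Package/procd/install` and accepts a `seccomp` instance parameter in procd.sh. If the jail's syscall filter depends on that preload library — not visible from this Makefile — a jail configured with a seccomp profile on a build without the option would presumably start unfiltered rather than fail closed, which is the wrong default for a sandbox; either add `+@KERNEL_SECCOMP` to the jail's DEPENDS or document the intent, e.g. `# seccomp filtering is optional: libpreload-seccomp.so is only installed when CONFIG_KERNEL_SECCOMP=y`. The `@mips||mipsel||i386||x86_64` restriction on the DEPENDS line also deserves a one-line comment saying why only those targets are supported. As a minor style point, the two `$(INSTALL_DATA) … $(1)/lib` lines omit the trailing slash that every other destination in these install defines carries.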
@ -112,6 +112,7 @@ _procd_open_instance() {
|
|||
_PROCD_INSTANCE_SEQ="$(($_PROCD_INSTANCE_SEQ + 1))"
|
||||
name="${name:-instance$_PROCD_INSTANCE_SEQ}"
|
||||
json_add_object "$name"
|
||||
[ -n "$TRACE_SYSCALLS" ] && json_add_boolean trace "1"
|
||||
}
|
||||
|
||||
_procd_open_trigger() {
|
||||
|
@ -122,6 +123,60 @@ _procd_open_validate() {
|
|||
json_add_array "validate"
|
||||
}
|
||||
|
||||
_procd_add_jail() {
|
||||
json_add_object "jail"
|
||||
json_add_string name "$1"
|
||||
json_add_string root "/tmp/.jail/$1"
|
||||
|
||||
shift
|
||||
|
||||
for a in $@; do
|
||||
case $a in
|
||||
log) json_add_boolean "log" "1";;
|
||||
ubus) json_add_boolean "ubus" "1";;
|
||||
procfs) json_add_boolean "procfs" "1";;
|
||||
sysfs) json_add_boolean "sysfs" "1";;
|
||||
esac
|
||||
done
|
||||
json_add_object "mount"
|
||||
json_close_object
|
||||
json_close_object
|
||||
}
|
||||
|
||||
_procd_add_jail_mount() {
|
||||
local _json_no_warning=1
|
||||
|
||||
json_select "jail"
|
||||
[ $? = 0 ] || return
|
||||
json_select "mount"
|
||||
[ $? = 0 ] || {
|
||||
json_select ..
|
||||
return
|
||||
}
|
||||
for a in $@; do
|
||||
json_add_string "$a" "0"
|
||||
done
|
||||
json_select ..
|
||||
json_select ..
|
||||
}
|
||||
|
||||
_procd_add_jail_mount_rw() {
|
||||
local _json_no_warning=1
|
||||
|
||||
json_select "jail"
|
||||
[ $? = 0 ] || return
|
||||
json_select "mount"
|
||||
[ $? = 0 ] || {
|
||||
json_select ..
|
||||
return
|
||||
}
|
||||
for a in $@; do
|
||||
json_add_string "$a" "1"
|
||||
done
|
||||
json_select ..
|
||||
json_select ..
|
||||
}
|
||||
|
||||
_procd_set_param() {
|
||||
local type="$1"; shift
|
||||
|
||||
|
@ -140,7 +195,7 @@ _procd_set_param() {
|
|||
nice)
|
||||
json_add_int "$type" "$1"
|
||||
;;
|
||||
user)
|
||||
user|seccomp)
|
||||
json_add_string "$type" "$1"
|
||||
;;
|
||||
stdout|stderr)
|
||||
|
@ -367,6 +422,9 @@ _procd_wrapper \
|
|||
procd_close_instance \
|
||||
procd_open_validate \
|
||||
procd_close_validate \
|
||||
procd_add_jail \
|
||||
procd_add_jail_mount \
|
||||
procd_add_jail_mount_rw \
|
||||
procd_set_param \
|
||||
procd_append_param \
|
||||
procd_add_validation \
|
||||
|
|
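Review bot: In `_procd_open_instance` the new `[ -n "$TRACE_SYSCALLS" ] && json_add_boolean trace "1"` is the function's last statement, so the function now returns 1 whenever TRACE_SYSCALLS is unset; the function starts outside the hunk, and any caller that checks the status (or runs under `set -e`) will see a failure. Write it as `[ -z "$TRACE_SYSCALLS" ] || json_add_boolean trace "1"` so the status is 0 in both cases. Separately, `_procd_add_jail` hard-codes the jail root as `/tmp/.jail/$1`, a path under a world-writable directory built from the caller-supplied name; whether ujail creates that directory itself with safe ownership and refuses a pre-existing foreign-owned one is not visible here, so a comment such as `# jail root is under /tmp: ujail must create it and must not trust a pre-existing directory` would record the assumption for the next reader. `_procd_add_jail_mount` and `_procd_add_jail_mount_rw` are identical apart from the "0"/"1" flag and could share one helper that takes the flag as its first argument.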