mdns: add jail and seccomp support

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45012
John Crispin 2015-03-26 10:58:44 +00:00
parent f5e2b62ab7
commit eadb51fa98
4 changed files with 38 additions and 1 deletions


@ -20,6 +20,7 @@ PKG_SOURCE_VERSION:=a5560f88bb2cddeef0ef11a12e7822b9c19a75a5
PKG_MAINTAINER:=John Crispin <blogic@openwrt.org> PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>
PKG_LICENSE:=LGPL-2.1 PKG_LICENSE:=LGPL-2.1
include $(INCLUDE_DIR)/package-seccomp.mk
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk include $(INCLUDE_DIR)/cmake.mk
@ -37,6 +38,7 @@ define Package/mdns/install
$(INSTALL_BIN) $(PKG_BUILD_DIR)/mdns $(1)/usr/sbin/ $(INSTALL_BIN) $(PKG_BUILD_DIR)/mdns $(1)/usr/sbin/
$(INSTALL_BIN) ./files/mdns.init $(1)/etc/init.d/mdns $(INSTALL_BIN) ./files/mdns.init $(1)/etc/init.d/mdns
$(INSTALL_CONF) ./files/mdns.config $(1)/etc/config/mdns $(INSTALL_CONF) ./files/mdns.config $(1)/etc/config/mdns
$(call InstallSeccomp,$(1),./files/mdns.json)
endef endef
$(eval $(call BuildPackage,mdns)) $(eval $(call BuildPackage,mdns))


@ -1,2 +1,3 @@
config mdns config mdns
option jail 1
list network lan list network lan
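Review bot: The new `option jail 1` default carries no explanation of what it enables, and the init script in this commit only applies the jail when the value is exactly `1`, so any other spelling (`yes`, `on`, `true`) silently runs the daemon without the jail. UCI config files accept `#` comments, so a one-line note next to the option would make the contract visible to whoever edits it: `# jail: 1 runs mdns inside a procd jail (see /etc/init.d/mdns); any other value disables it`. If `option jail` is meant to accept the usual boolean spellings, the init script, not this file, is where that should be fixed.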


@ -35,6 +35,7 @@ start_service() {
procd_open_instance procd_open_instance
procd_set_param command "$PROG" procd_set_param command "$PROG"
procd_set_param seccomp /etc/seccomp/mdns.json
procd_set_param respawn procd_set_param respawn
procd_open_trigger procd_open_trigger
procd_add_config_trigger "config.change" "mdns" /etc/init.d/mdns reload procd_add_config_trigger "config.change" "mdns" /etc/init.d/mdns reload
@ -43,10 +44,11 @@ start_service() {
done done
procd_add_raw_trigger "instance.update" 5000 "/bin/ubus" "call" "mdns" "reload" procd_add_raw_trigger "instance.update" 5000 "/bin/ubus" "call" "mdns" "reload"
procd_close_trigger procd_close_trigger
[ "$(uci get mdns.@mdns[-1].jail)" = 1 ] && procd_add_jail mdns ubus log
procd_close_instance procd_close_instance
} }
service_started() { service_started() {
ubus wait_for -t 5 mdns ubus wait_for -t 10 mdns
[ $? = 0 ] && reload_service [ $? = 0 ] && reload_service
} }
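Review bot: The jail gate added in the second hunk, `[ "$(uci get mdns.@mdns[-1].jail)" = 1 ] && procd_add_jail mdns ubus log`, accepts only the literal `1` and, when the option is absent, lets `uci get` print an "entry not found" error to stderr while the daemon starts unjailed with no indication in the log; at minimum this should read `[ "$(uci -q get mdns.@mdns[-1].jail)" = 1 ] && procd_add_jail mdns ubus log`, and if `start_service` already loads the config (the `done` at the top of the hunk suggests a config loop whose start is outside the hunk), `config_get_bool` with a default of 1 would also accept the usual boolean spellings and make jailed the default rather than the exception. The first hunk sets `procd_set_param seccomp /etc/seccomp/mdns.json` unconditionally, while the file is installed through `InstallSeccomp` in the Makefile; whether that helper is a no-op when seccomp is disabled in the build is not visible here, so a `[ -f /etc/seccomp/mdns.json ]` guard, or a comment stating that the file is always installed, would keep the two in step. The `ubus wait_for` timeout change from 5 to 10 in `service_started` is unrelated to the jail and seccomp work named in the title and would be easier to trace with a line in the commit description. `start_service` begins before the first hunk.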


@ -0,0 +1,32 @@
{
"whitelist": [
"read",
"write",
"open",
"close",
"time",
"brk",
"ioctl",
"uname",
"bind",
"connect",
"getsockname",
"recvmsg",
"sendmsg",
"sendto",
"setsockopt",
"socket",
"poll",
"fcntl64",
"epoll_create",
"epoll_ctl",
"epoll_wait",
"rt_sigaction",
"sigreturn",
"rt_sigreturn",
"exit_group",
"exit",
"clock_gettime"
],
"policy": 1
}
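Review bot: The allow-list mixes architecture-specific syscall names — `fcntl64` and `sigreturn` exist only on 32-bit ABIs, while 64-bit targets use `fcntl`, and `poll`/`socket` are multiplexed through `socketcall` or replaced by `ppoll` on some ports — so on targets where the listed name is not the one the libc actually issues, the daemon will hit the default action for an unlisted call; with `"policy": 1` that is presumably a kill rather than a logged violation (the meaning of the policy value is not visible here; confirm against procd's seccomp loader). A filter this tight should be exercised on at least one 32-bit and one 64-bit target before it ships, and the list should be stated as the union of names across supported ABIs (e.g. both `fcntl` and `fcntl64`) so a missing name does not depend on the build architecture. JSON has no comment syntax, so the rationale for the list and the policy value belongs in the Makefile or init script next to where the file is referenced.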