mdns: add jail and seccomp support
Signed-off-by: John Crispin <blogic@openwrt.org> SVN-Revision: 45012
This commit is contained in:
parent
f5e2b62ab7
commit
eadb51fa98
4 changed files with 38 additions and 1 deletions
|
@ -20,6 +20,7 @@ PKG_SOURCE_VERSION:=a5560f88bb2cddeef0ef11a12e7822b9c19a75a5
|
||||||
PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>
|
PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>
|
||||||
PKG_LICENSE:=LGPL-2.1
|
PKG_LICENSE:=LGPL-2.1
|
||||||
|
|
||||||
|
include $(INCLUDE_DIR)/package-seccomp.mk
|
||||||
include $(INCLUDE_DIR)/package.mk
|
include $(INCLUDE_DIR)/package.mk
|
||||||
include $(INCLUDE_DIR)/cmake.mk
|
include $(INCLUDE_DIR)/cmake.mk
|
||||||
|
|
||||||
|
@ -37,6 +38,7 @@ define Package/mdns/install
|
||||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/mdns $(1)/usr/sbin/
|
$(INSTALL_BIN) $(PKG_BUILD_DIR)/mdns $(1)/usr/sbin/
|
||||||
$(INSTALL_BIN) ./files/mdns.init $(1)/etc/init.d/mdns
|
$(INSTALL_BIN) ./files/mdns.init $(1)/etc/init.d/mdns
|
||||||
$(INSTALL_CONF) ./files/mdns.config $(1)/etc/config/mdns
|
$(INSTALL_CONF) ./files/mdns.config $(1)/etc/config/mdns
|
||||||
|
$(call InstallSeccomp,$(1),./files/mdns.json)
|
||||||
endef
|
endef
|
||||||
|
|
||||||
$(eval $(call BuildPackage,mdns))
|
$(eval $(call BuildPackage,mdns))
|
||||||
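Review bot: Neither hunk bumps PKG_RELEASE, although the package now installs an additional file via `$(call InstallSeccomp,$(1),./files/mdns.json)` and ships a changed init script and default config; if a PKG_RELEASE line exists outside these hunks and was left untouched, package managers will not see a new version. The new `include $(INCLUDE_DIR)/package-seccomp.mk` is placed before `package.mk`; that ordering is presumably what package-seccomp.mk requires, but a one-line comment such as `# must precede package.mk: provides InstallSeccomp used in Package/mdns/install` would spare the next reader the lookup. The `define Package/mdns/install` block begins outside the second hunk.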
|
|
|
@ -1,2 +1,3 @@
|
||||||
config mdns
|
config mdns
|
||||||
|
option jail 1
|
||||||
list network lan
|
list network lan
|
||||||
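Review bot: `option jail 1` is undocumented, and the only hint of what it controls is the init script; a comment in the shipped config, `# jail: run mdns inside a procd jail (1 = enabled); seccomp filtering applies regardless of this option`, would tell an operator what switching it off actually changes. Because this default file is only installed on a fresh system, an upgraded device that keeps its existing /etc/config/mdns will have no `jail` option at all — the commit description should say what the init script does in that case.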
|
|
|
@ -35,6 +35,7 @@ start_service() {
|
||||||
|
|
||||||
procd_open_instance
|
procd_open_instance
|
||||||
procd_set_param command "$PROG"
|
procd_set_param command "$PROG"
|
||||||
|
procd_set_param seccomp /etc/seccomp/mdns.json
|
||||||
procd_set_param respawn
|
procd_set_param respawn
|
||||||
procd_open_trigger
|
procd_open_trigger
|
||||||
procd_add_config_trigger "config.change" "mdns" /etc/init.d/mdns reload
|
procd_add_config_trigger "config.change" "mdns" /etc/init.d/mdns reload
|
||||||
|
@ -43,10 +44,11 @@ start_service() {
|
||||||
done
|
done
|
||||||
procd_add_raw_trigger "instance.update" 5000 "/bin/ubus" "call" "mdns" "reload"
|
procd_add_raw_trigger "instance.update" 5000 "/bin/ubus" "call" "mdns" "reload"
|
||||||
procd_close_trigger
|
procd_close_trigger
|
||||||
|
[ "$(uci get mdns.@mdns[-1].jail)" = 1 ] && procd_add_jail mdns ubus log
|
||||||
procd_close_instance
|
procd_close_instance
|
||||||
}
|
}
|
||||||
|
|
||||||
service_started() {
|
service_started() {
|
||||||
ubus wait_for -t 5 mdns
|
ubus wait_for -t 10 mdns
|
||||||
[ $? = 0 ] && reload_service
|
[ $? = 0 ] && reload_service
|
||||||
}
|
}
|
||||||
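Review bot: `uci get mdns.@mdns[-1].jail` at the end of start_service is run without `-q`, so on any config predating this commit (no `jail` option) every start prints `uci: Entry not found` to stderr and the jail is silently skipped, even though the shipped default is `option jail 1`. Replacing the line with `[ "$(uci -q get mdns.@mdns[-1].jail)" != 0 ] && procd_add_jail mdns ubus log` silences the error and makes an absent option mean enabled, which seems to be the intent of the default. `procd_set_param seccomp /etc/seccomp/mdns.json` is set unconditionally while the filter is installed through InstallSeccomp; if that macro is conditional on a build option, as its name suggests, builds without it would reference a missing filter, so guarding the line with `[ -f /etc/seccomp/mdns.json ]` keeps the two in step. start_service begins outside the first hunk, so what precedes `procd_open_instance` is not visible here.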
|
|
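--- /dev/null
+++ b/package/network/services/mdns/files/mdns.json
@@ -0,0 +1,32 @@
+{
+	"whitelist": [
+		"read",
+		"write",
+		"open",
+		"close",
+		"time",
+		"brk",
+		"ioctl",
+		"uname",
+		"bind",
+		"connect",
+		"getsockname",
+		"recvmsg",
+		"sendmsg",
+		"sendto",
+		"setsockopt",
+		"socket",
+		"poll",
+		"fcntl64",
+		"epoll_create",
+		"epoll_ctl",
+		"epoll_wait",
+		"rt_sigaction",
+		"sigreturn",
+		"rt_sigreturn",
+		"exit_group",
+		"exit",
+		"clock_gettime"
+	],
+	"policy": 1
+}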
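Review bot: The whitelist names syscalls that exist only on some 32-bit ABIs (`fcntl64`, `sigreturn`) but not the counterparts other targets or a newer libc issue instead — `fcntl`, `openat` beside `open`, `mmap`/`mmap2` and `munmap` (only `brk` is allowed for memory), `epoll_create1`, `epoll_pwait`, `recvfrom`, `socketcall` on older 32-bit ABIs — so the list presumably reflects the single target it was traced on, and mdns may be killed at its first large allocation or socket call elsewhere. Adding those aliases, or at least recording which target and libc the trace came from, would make the policy portable. JSON has no comment syntax, so the Makefile or the commit description is the place to state how the list was produced and what `"policy": 1` selects, which this page does not show. `open` and `ioctl` are also unconstrained by argument; acceptable for a first filter, but worth noting as the next tightening step.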