From e85b93d9b83fef4f3d6f1bc82be15f97b2cb98bf Mon Sep 17 00:00:00 2001 From: John Crispin Date: Thu, 26 Mar 2015 10:58:25 +0000 Subject: [PATCH] procd: add jail support Signed-off-by: John Crispin SVN-Revision: 45010 --- package/system/procd/Makefile | 29 ++++++++++++-- package/system/procd/files/procd.sh | 60 ++++++++++++++++++++++++++++- 2 files changed, 84 insertions(+), 5 deletions(-) diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile index 701b70320b..40fcdb7061 100644 --- a/package/system/procd/Makefile +++ b/package/system/procd/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=procd -PKG_VERSION:=2015-03-18 +PKG_VERSION:=2015-03-25 PKG_RELEASE=$(PKG_SOURCE_VERSION) PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=git://nbd.name/luci2/procd.git PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) -PKG_SOURCE_VERSION:=0cf744c720c9ed01c2dae25f338d4e96b9db95e3 +PKG_SOURCE_VERSION:=29f139217c71c8753643779c800788783bf43c23 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz CMAKE_INSTALL:=1 @@ -24,6 +24,8 @@ PKG_LICENSE_FILES:= PKG_MAINTAINER:=John Crispin +PKG_CONFIG_DEPENDS:=CONFIG_KERNEL_SECCOMP + include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/cmake.mk @@ -36,6 +38,14 @@ define Package/procd TITLE:=OpenWrt system process manager endef +define Package/procd-jail + SECTION:=base + CATEGORY:=Base system + DEPENDS:=procd +@KERNEL_NAMESPACES +@KERNEL_UTS_NS +@KERNEL_IPC_NS +@KERNEL_PID_NS @mips||mipsel||i386||x86_64 + TITLE:=OpenWrt process jail + DEFAULT:=n +endef + define Package/procd-nand SECTION:=utils CATEGORY:=Utilities @@ -83,16 +93,26 @@ endif define Package/procd/install $(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/ $(INSTALL_BIN) ./files/reload_config $(1)/sbin/ $(INSTALL_DATA) ./files/hotplug*.json $(1)/etc/ $(INSTALL_DATA) ./files/procd.sh $(1)/lib/functions/ +ifeq ($(CONFIG_KERNEL_SECCOMP),y) + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-seccomp.so $(1)/lib +endif +endef + +define Package/procd-jail/install + $(INSTALL_DIR) $(1)/sbin $(1)/lib + + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{utrace,ujail} $(1)/sbin/ + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-trace.so $(1)/lib endef define Package/procd-nand/install $(INSTALL_DIR) $(1)/sbin $(1)/lib/upgrade - $(CP) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/ $(INSTALL_DATA) ./files/nand.sh $(1)/lib/upgrade/ endef @@ -103,5 +123,6 @@ define Package/procd-nand-firstboot/install endef $(eval $(call BuildPackage,procd)) +$(eval $(call BuildPackage,procd-jail)) $(eval $(call BuildPackage,procd-nand)) $(eval $(call BuildPackage,procd-nand-firstboot)) diff --git a/package/system/procd/files/procd.sh b/package/system/procd/files/procd.sh index 78352c0b76..f6c5e97216 100644 --- a/package/system/procd/files/procd.sh +++ b/package/system/procd/files/procd.sh @@ -112,6 +112,7 @@ _procd_open_instance() { _PROCD_INSTANCE_SEQ="$(($_PROCD_INSTANCE_SEQ + 1))" name="${name:-instance$_PROCD_INSTANCE_SEQ}" json_add_object "$name" + [ -n "$TRACE_SYSCALLS" ] && json_add_boolean trace "1" } _procd_open_trigger() { @@ -122,6 +123,60 @@ _procd_open_validate() { json_add_array "validate" } +_procd_add_jail() { + json_add_object "jail" + json_add_string name "$1" + json_add_string root "/tmp/.jail/$1" + + shift + + for a in $@; do + case $a in + log) json_add_boolean "log" "1";; + ubus) json_add_boolean "ubus" "1";; + procfs) json_add_boolean "procfs" "1";; + sysfs) json_add_boolean "sysfs" "1";; + esac + done + json_add_object "mount" + json_close_object + json_close_object +} + +_procd_add_jail_mount() { + local _json_no_warning=1 + + json_select "jail" + [ $? = 0 ] || return + json_select "mount" + [ $? = 0 ] || { + json_select .. + return + } + for a in $@; do + json_add_string "$a" "0" + done + json_select .. + json_select .. +} + +_procd_add_jail_mount_rw() { + local _json_no_warning=1 + + json_select "jail" + [ $? = 0 ] || return + json_select "mount" + [ $? = 0 ] || { + json_select .. + return + } + for a in $@; do + json_add_string "$a" "1" + done + json_select .. + json_select .. +} + _procd_set_param() { local type="$1"; shift @@ -140,7 +195,7 @@ _procd_set_param() { nice) json_add_int "$type" "$1" ;; - user) + user|seccomp) json_add_string "$type" "$1" ;; stdout|stderr) @@ -367,6 +422,9 @@ _procd_wrapper \ procd_close_instance \ procd_open_validate \ procd_close_validate \ + procd_add_jail \ + procd_add_jail_mount \ + procd_add_jail_mount_rw \ procd_set_param \ procd_append_param \ procd_add_validation \ -- 2.25.1