[OpenWrt-Devel] [PATCH] package/utils/busybox: Jail sysntpd
Etienne Champetier
champetier.etienne at gmail.com
Thu Dec 17 03:15:41 EST 2015
adding openwrt-devel
2015-12-17 9:14 GMT+01:00 Etienne Champetier <champetier.etienne at gmail.com>:
> Hi,
>
> 2015-12-16 23:34 GMT+01:00 <openwrt at daniel.thecshore.com>:
>
>> From: Daniel Dickinson <openwrt at daniel.thecshore.com>
>>
>> Note that not all of procfs, sysfs, log and ubus may be required for actual
>> operation; they are just what strace reveals it attempting to access.
>>
>> Signed-off-by: Daniel Dickinson <openwrt at daniel.thecshore.com>
>> ---
>> package/utils/busybox/files/sysntpd | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/package/utils/busybox/files/sysntpd
>> b/package/utils/busybox/files/sysntpd
>> index f73bb83..e61c9fc 100755
>> --- a/package/utils/busybox/files/sysntpd
>> +++ b/package/utils/busybox/files/sysntpd
>> @@ -31,7 +31,11 @@ start_service() {
>> for peer in $server; do
>> procd_append_param command -p $peer
>> done
>> + touch /var/run/ntpd.pid
>> procd_set_param respawn
>> + procd_add_jail sysntpd procfs sysfs log ubus
>> + procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf
>> /tmp/resolv.conf /etc/hosts /etc/TZ
>> + procd_add_jail_mount_rw /var/run/ntpd.pid
>> procd_close_instance
>> }
>>
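Review bot: the commit message says procfs, sysfs, log and ubus are only what strace showed being accessed, not what ntpd is known to need, yet `procd_add_jail sysntpd procfs sysfs log ubus` grants all four; since the jailed process still runs as root (no user namespace is used), exposing /proc and /sys inside the jail is the part that undoes most of the confinement, so please retest with `procfs` and `sysfs` dropped and either remove them or record in the commit message which access required each one. The `touch /var/run/ntpd.pid` deserves a one-line comment saying it exists so that `procd_add_jail_mount_rw /var/run/ntpd.pid` has a path to bind-mount before ntpd writes it; given the separate `_rw` variant, the `procd_add_jail_mount` list is presumably read-only, which makes the pid file the jail's only writable path and is worth stating. Finally, the hunk adds the jail but no `capabilities` or `no_new_privs` parameter, so root in the jail keeps the full capability set.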
>>
> Nice to see people jailing daemons.
> I've added some features to ujail recently, but they lack proper documentation:
> https://dev.openwrt.org/changeset/47862/trunk
>
> Keep in mind that root inside the jail is the same as root outside it (we
> don't use user namespaces for now),
> so sysntpd is still root and has access to /proc and /sys, so it can do
> lots of things.
>
> Can you try to add capability restrictions?
> procd_set_param capabilities <json file>
> for the syntax see
>
> http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0
>
> Maybe you can also add
> procd_set_param no_new_privs 1
> which prevents the process from gaining new privileges (this disables suid ...)
>
> Etienne
>
>
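Putting the two suggestions in the reply above into concrete form, as an added example that is neither part of the patch nor OpenWrt's or procd's own code: a small POSIX shell script that builds the capabilities JSON file consumed by `procd_set_param capabilities <file>` (validating the capability names first) and defines the two extra procd parameters for `start_service()`. The JSON key names, the pair of capabilities chosen for ntpd (CAP_SYS_TIME, CAP_NET_BIND_SERVICE) and the file path /etc/capabilities/ntpd.json are all assumptions, marked as such in the comments; check the key names against the procd commit linked in the reply before relying on them.

```shell
#!/bin/sh
# Added example, not code from the patch, from OpenWrt or from procd.
# Builds the capabilities JSON that "procd_set_param capabilities <file>"
# reads and shows the two procd parameters the reply asks for.
#
# Assumptions: the key names bounding/effective/permitted/inheritable/ambient
# are procd's capability-set names as I recall them (verify against the procd
# commit linked above); CAP_SYS_TIME (set the clock) and CAP_NET_BIND_SERVICE
# (bind UDP/123 with -l) are what busybox ntpd plausibly needs; the file path
# is simply a chosen location.
NTPD_CAPS="CAP_SYS_TIME CAP_NET_BIND_SERVICE"
NTPD_CAPS_FILE="/etc/capabilities/ntpd.json"

# Linux capability names up to CAP_AUDIT_READ (kernel 3.16).  Anything not in
# this list is a typo that must fail here rather than be misread downstream.
KNOWN_CAPS="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE
CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE
CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE
CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG
CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ"

# cap_known NAME: succeed only if NAME is a real capability.
cap_known() {
	local k
	for k in $KNOWN_CAPS; do
		[ "$k" = "$1" ] && return 0
	done
	return 1
}

# caps_json_array "CAP_A CAP_B" -> '"CAP_A", "CAP_B"', refusing unknown names
# so a misspelt capability fails loudly instead of silently granting nothing.
caps_json_array() {
	local out="" c
	for c in $1; do
		cap_known "$c" || { echo "unknown capability: $c" >&2; return 1; }
		out="${out:+$out, }\"$c\""
	done
	printf '%s' "$out"
}

# make_caps_json "CAP_A CAP_B": emit the JSON document.  The same list goes
# into every set: the bounding set is the ceiling that no execve (suid or
# otherwise) can raise again, and the other four make the listed caps usable
# by the daemon itself.  With no_new_privs this leaves root-in-jail exactly
# these capabilities instead of the full set.
make_caps_json() {
	local arr
	arr=$(caps_json_array "$1") || return 1
	printf '{\n'
	printf '\t"%s": [ %s ],\n' bounding "$arr" effective "$arr" \
		permitted "$arr" inheritable "$arr"
	printf '\t"%s": [ %s ]\n' ambient "$arr"
	printf '}\n'
}

# write_ntpd_caps_file PATH: materialise the file the init script points at.
write_ntpd_caps_file() {
	make_caps_json "$NTPD_CAPS" > "$1"
}

# The procd side: call this inside start_service() after the
# procd_add_jail / procd_add_jail_mount* lines and before
# procd_close_instance.  It needs procd's shell functions, so it is
# defined here but deliberately not invoked by this script.
sysntpd_jail_harden() {
	# Confine root-in-jail to the capabilities listed in the file.
	procd_set_param capabilities "$NTPD_CAPS_FILE"
	# No privilege gain across execve: setuid bits on anything ntpd runs
	# from inside the jail (the bind-mounted hotplug script included)
	# no longer raise privileges.
	procd_set_param no_new_privs 1
}
```

Generate the file on the build host and ship it with the package, then call `sysntpd_jail_harden` from `start_service()` between the `procd_add_jail_mount_rw` and `procd_close_instance` lines. The jail by itself still leaves the process as root with a full capability set, as the reply notes; the capability file and `no_new_privs` are what reduce what that root can do.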