[OpenWrt-Devel] [PATCH] package/utils/busybox: Jail sysntpd

Etienne Champetier champetier.etienne at gmail.com
Thu Dec 17 03:27:38 EST 2015


Hi,

2015-12-17 9:20 GMT+01:00 Daniel Dickinson <openwrt at daniel.thecshore.com>:

> Hi,
>
> Speaking of jails, is it possible yet to automagically detect the
> dependencies for multiple binaries (there is a package I've got a pull
> request to add to the packages feed that I haven't jailed because of a
> dependency on another program; if that other program can be included in the
> jail without having to manually figure out library dependencies I'll move
> it as well).
>

Yes, I've recently added that: each file that you add to the jail is now
"parsed"; if it's an ELF, all needed libs (.so) are added; if it's a script
(#!), the interpreter is added.
http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=15ff8b1d09187c11b1331f811cc75b0dd2076827


> I'll do some additional testing etc. with sysntpd to see about narrowing
> its privileges.
>
> Regards,
>
> Daniel
>
> On 17/12/15 03:14 AM, Etienne Champetier wrote:
>
>> Hi,
>>
>> 2015-12-16 23:34 GMT+01:00 <openwrt at daniel.thecshore.com
>> <mailto:openwrt at daniel.thecshore.com>>:
>>
>>     From: Daniel Dickinson <openwrt at daniel.thecshore.com
>>     <mailto:openwrt at daniel.thecshore.com>>
>>
>>     Note that not all of procfs, sysfs, log and ubus may be required for
>>     actual operation; they are just what strace reveals attempting to make
>>     accesses.
>>
>>     Signed-off-by: Daniel Dickinson <openwrt at daniel.thecshore.com
>>     <mailto:openwrt at daniel.thecshore.com>>
>>
>>     ---
>>       package/utils/busybox/files/sysntpd | 4 ++++
>>       1 file changed, 4 insertions(+)
>>
>>     diff --git a/package/utils/busybox/files/sysntpd
>>     b/package/utils/busybox/files/sysntpd
>>     index f73bb83..e61c9fc 100755
>>     --- a/package/utils/busybox/files/sysntpd
>>     +++ b/package/utils/busybox/files/sysntpd
>>     @@ -31,7 +31,11 @@ start_service() {
>>              for peer in $server; do
>>                      procd_append_param command -p $peer
>>              done
>>     +       touch /var/run/ntpd.pid
>>              procd_set_param respawn
>>     +       procd_add_jail sysntpd procfs sysfs log ubus
>>     +       procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf
>>     /tmp/resolv.conf /etc/hosts /etc/TZ
>>     +       procd_add_jail_mount_rw /var/run/ntpd.pid
>>              procd_close_instance
>>       }
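Review bot: `procd_add_jail sysntpd procfs sysfs log ubus` grants all four mounts although the commit message says they are only what strace showed being attempted and may not all be required; with the jailed ntpd still running as root, a visible /proc and /sys leave it most of what the jail is meant to take away, so test the instance with each of the four removed, keep only those ntpd actually fails without, and add `procd_set_param capabilities <json file>` and `procd_set_param no_new_privs 1` alongside the jail. The unconditional `touch /var/run/ntpd.pid` placed before `procd_set_param respawn` also deserves a one-line comment saying the file has to exist for `procd_add_jail_mount_rw /var/run/ntpd.pid` to have something to bind-mount.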
>>
>>
>> Nice to see people jailing daemons.
>> I've added some features to ujail recently but they lack proper documentation
>> https://dev.openwrt.org/changeset/47862/trunk
>>
>> Keep in mind that root inside the jail is the same as root outside it
>> (we don't use user namespaces for now),
>> so sysntpd is still root and has access to /proc and /sys, so it can do
>> lots of things.
>>
>> Can you try to add capabilities restrictions?
>> procd_set_param capabilities <json file>
>> for the syntax see
>>
>> http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0
>>
>> maybe you can also add
>> procd_set_param no_new_privs 1
>> which prevents the process from gaining new privileges (this disables suid ...)
>>
>> Etienne
>>
>>
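As an added example (my own code, not procd's or ujail's), the dependency rule Etienne describes at the top of this mail, implemented in Python: every file destined for the jail is inspected, an ELF contributes its DT_NEEDED libraries (resolved against a hypothetical search path of /lib and /usr/lib, ignoring DT_RPATH/DT_RUNPATH and ld.so.cache), a '#!' script contributes its interpreter, and each file pulled in is inspected in turn. The root filesystem is a constructed in-memory dict, and `build_elf` fabricates minimal ELF32/ELF64 images of either endianness so the parser can be exercised offline. It also shows the limitation Daniel ran into: a script's interpreter is followed, but the programs the script itself executes are not, so they still have to be added by hand.

```python
# Added example, not procd/ujail code: compute the files a ujail-style jail needs,
# following the rule described in the thread (an ELF pulls in its DT_NEEDED
# libraries, a '#!' script pulls in its interpreter, each new file is inspected
# in turn). Assumes a hypothetical library search path and a constructed "root".
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10


def elf_needed(data):
    """DT_NEEDED names of an ELF image (ELF32/ELF64, either endianness);
    [] for a static binary; None if `data` is not an ELF at all."""
    if data[:4] != b"\x7fELF":
        return None
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:  # e_phoff at 32, e_phentsize/e_phnum at 54; Elf64_Phdr: type flags off vaddr paddr filesz
        phoff, (phentsize, phnum) = struct.unpack_from(end + "Q", data, 32)[0], struct.unpack_from(end + "HH", data, 54)
        ph_fmt, dyn_fmt, idx = end + "IIQQQQ", end + "qQ", (0, 2, 3, 5)
    else:  # e_phoff at 28, e_phentsize/e_phnum at 42; Elf32_Phdr: type off vaddr paddr filesz
        phoff, (phentsize, phnum) = struct.unpack_from(end + "I", data, 28)[0], struct.unpack_from(end + "HH", data, 42)
        ph_fmt, dyn_fmt, idx = end + "IIIII", end + "iI", (0, 1, 2, 4)
    loads, dyn = [], None
    for i in range(phnum):
        f = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        p_type, p_off, p_vaddr, p_filesz = (f[j] for j in idx)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    if dyn is None:
        return []  # no PT_DYNAMIC: statically linked, nothing to pull in
    entries = []
    for off in range(dyn[0], dyn[0] + dyn[1], struct.calcsize(dyn_fmt)):
        tag, val = struct.unpack_from(dyn_fmt, data, off)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    tags = dict(entries)
    for vaddr, off, filesz in loads:  # DT_STRTAB is a virtual address: map it via PT_LOAD
        if DT_STRTAB in tags and vaddr <= tags[DT_STRTAB] < vaddr + filesz:
            strtab = data[tags[DT_STRTAB] - vaddr + off:][:tags.get(DT_STRSZ, 0)]
            break
    else:
        raise ValueError("DT_STRTAB missing or not inside a PT_LOAD segment")
    return [strtab[v:strtab.index(b"\0", v)].decode() for t, v in entries if t == DT_NEEDED]


def build_elf(needed, is64=True, big_endian=False, base=0x10000):
    """Constructed test input: a minimal ELF with one PT_LOAD, one PT_DYNAMIC and a string table."""
    end = ">" if big_endian else "<"
    strtab, dyn = b"\0", []
    for name in needed:
        dyn.append((DT_NEEDED, len(strtab)))
        strtab += name.encode() + b"\0"
    ehsize, phentsize, dynent, m = (64, 56, 16, "Q") if is64 else (52, 32, 8, "I")
    dyn_off = ehsize + 2 * phentsize
    str_off = dyn_off + (len(dyn) + 3) * dynent
    dyn = [(DT_STRTAB, base + str_off)] + dyn + [(DT_STRSZ, len(strtab)), (DT_NULL, 0)]
    total, dsize = str_off + len(strtab), len(dyn) * dynent
    hdr = b"\x7fELF" + bytes([2 if is64 else 1, 2 if big_endian else 1, 1]) + b"\0" * 9
    hdr += struct.pack(end + "HHI" + m * 3 + "IHHHHHH", 3, 62 if is64 else 8, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, 2, 64 if is64 else 40, 0, 0)
    if is64:  # Elf64_Phdr: type flags off vaddr paddr filesz memsz align
        ph = struct.pack(end + "IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
        ph += struct.pack(end + "IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off, dsize, dsize, 8)
    else:  # Elf32_Phdr: type off vaddr paddr filesz memsz flags align
        ph = struct.pack(end + "IIIIIIII", PT_LOAD, 0, base, base, total, total, 5, 0x1000)
        ph += struct.pack(end + "IIIIIIII", PT_DYNAMIC, dyn_off, base + dyn_off, base + dyn_off, dsize, dsize, 6, 4)
    return hdr + ph + b"".join(struct.pack(end + m.lower() + m, t, v) for t, v in dyn) + strtab


def jail_closure(files, fs, libdirs=("/lib", "/usr/lib")):
    """(present, missing): paths to mount into the jail, and dependencies unresolved against `fs`."""
    present, missing, todo = set(), set(), list(files)
    while todo:
        path = todo.pop()
        if path in present or path in missing:
            continue
        data = fs.get(path)
        if data is None:
            missing.add(path)
            continue
        present.add(path)
        if data[:2] == b"#!":  # script: only its interpreter is followed, not the commands it runs
            words = data.split(b"\n", 1)[0][2:].split()
            todo += [words[0].decode()] if words else []
            continue
        for lib in elf_needed(data) or []:  # no DT_RPATH/RUNPATH or ld.so.cache lookup here
            hits = [d + "/" + lib for d in libdirs if d + "/" + lib in fs]
            todo.append(hits[0]) if hits else missing.add(lib)
    return present, missing


SAMPLE_FS = {  # constructed stand-in for the router's root filesystem
    "/usr/sbin/ntpd": build_elf(["libc.so.6", "libubus.so"]),
    "/usr/sbin/ntpd-hotplug": b"#!/bin/sh\n# constructed stand-in for the hotplug script\nubus list\n",
    "/bin/sh": build_elf(["libc.so.6"], is64=False, big_endian=True),  # ELF32 big-endian, as on MIPS routers
    "/lib/libc.so.6": build_elf([]),
    "/lib/libubus.so": build_elf(["libubox.so", "libc.so.6"]),  # libubox.so deliberately absent
}

if __name__ == "__main__":
    print(jail_closure(["/usr/sbin/ntpd", "/usr/sbin/ntpd-hotplug"], SAMPLE_FS))
```

Run against the constructed root, the closure for ntpd plus its hotplug script is the two binaries, /bin/sh, /lib/libc.so.6 and /lib/libubus.so, with libubox.so reported as unresolved; the `ubus` command inside the script never appears, which is exactly why a program a script calls still has to be added to the jail explicitly.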
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel