From eadb51fa98d060a0f708fdf3382cc9eabf960952 Mon Sep 17 00:00:00 2001 From: John Crispin Date: Thu, 26 Mar 2015 10:58:44 +0000 Subject: [PATCH] mdns: add jail and seccomp support Signed-off-by: John Crispin SVN-Revision: 45012 --- package/network/services/mdns/Makefile | 2 ++ .../network/services/mdns/files/mdns.config | 1 + package/network/services/mdns/files/mdns.init | 4 ++- package/network/services/mdns/files/mdns.json | 32 +++++++++++++++++++ 4 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 package/network/services/mdns/files/mdns.json diff --git a/package/network/services/mdns/Makefile b/package/network/services/mdns/Makefile index 690f54770a..a731400206 100644 --- a/package/network/services/mdns/Makefile +++ b/package/network/services/mdns/Makefile @@ -20,6 +20,7 @@ PKG_SOURCE_VERSION:=a5560f88bb2cddeef0ef11a12e7822b9c19a75a5 PKG_MAINTAINER:=John Crispin PKG_LICENSE:=LGPL-2.1 +include $(INCLUDE_DIR)/package-seccomp.mk include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/cmake.mk @@ -37,6 +38,7 @@ define Package/mdns/install $(INSTALL_BIN) $(PKG_BUILD_DIR)/mdns $(1)/usr/sbin/ $(INSTALL_BIN) ./files/mdns.init $(1)/etc/init.d/mdns $(INSTALL_CONF) ./files/mdns.config $(1)/etc/config/mdns + $(call InstallSeccomp,$(1),./files/mdns.json) endef $(eval $(call BuildPackage,mdns)) diff --git a/package/network/services/mdns/files/mdns.config b/package/network/services/mdns/files/mdns.config index d64ba6768c..b09eaf5c89 100644 --- a/package/network/services/mdns/files/mdns.config +++ b/package/network/services/mdns/files/mdns.config @@ -1,2 +1,3 @@ config mdns + option jail 1 list network lan diff --git a/package/network/services/mdns/files/mdns.init b/package/network/services/mdns/files/mdns.init index 1bb764ee13..6f781190ff 100644 --- a/package/network/services/mdns/files/mdns.init +++ b/package/network/services/mdns/files/mdns.init @@ -35,6 +35,7 @@ start_service() { procd_open_instance procd_set_param command "$PROG" + procd_set_param seccomp /etc/seccomp/mdns.json procd_set_param respawn procd_open_trigger procd_add_config_trigger "config.change" "mdns" /etc/init.d/mdns reload @@ -43,10 +44,11 @@ start_service() { done procd_add_raw_trigger "instance.update" 5000 "/bin/ubus" "call" "mdns" "reload" procd_close_trigger + [ "$(uci get mdns.@mdns[-1].jail)" = 1 ] && procd_add_jail mdns ubus log procd_close_instance } service_started() { - ubus wait_for -t 5 mdns + ubus wait_for -t 10 mdns [ $? = 0 ] && reload_service } diff --git a/package/network/services/mdns/files/mdns.json b/package/network/services/mdns/files/mdns.json new file mode 100644 index 0000000000..c22ba6f5fb --- /dev/null +++ b/package/network/services/mdns/files/mdns.json @@ -0,0 +1,32 @@ +{ + "whitelist": [ + "read", + "write", + "open", + "close", + "time", + "brk", + "ioctl", + "uname", + "bind", + "connect", + "getsockname", + "recvmsg", + "sendmsg", + "sendto", + "setsockopt", + "socket", + "poll", + "fcntl64", + "epoll_create", + "epoll_ctl", + "epoll_wait", + "rt_sigaction", + "sigreturn", + "rt_sigreturn", + "exit_group", + "exit", + "clock_gettime" + ], + "policy": 1 +}