openwrt-devel, 2015-12-17 9:14 GMT+01:00, Etienne Champetier <champetier.etie...@gmail.com>:
> Hi,
>
> 2015-12-16 23:34 GMT+01:00 <open...@daniel.thecshore.com>:
>
>> From: Daniel Dickinson <open...@daniel.thecshore.com>
>>
>> Note that not all of procfs, sysfs, log and ubus may be required for actual
>> operation; they are just what strace reveals it attempting to access.
>>
>> Signed-off-by: Daniel Dickinson <open...@daniel.thecshore.com>
>> ---
>> package/utils/busybox/files/sysntpd | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/package/utils/busybox/files/sysntpd
>> b/package/utils/busybox/files/sysntpd
>> index f73bb83..e61c9fc 100755
>> --- a/package/utils/busybox/files/sysntpd
>> +++ b/package/utils/busybox/files/sysntpd
>> @@ -31,7 +31,11 @@ start_service() {
>> for peer in $server; do
>> procd_append_param command -p $peer
>> done
>> + touch /var/run/ntpd.pid
>> procd_set_param respawn
>> + procd_add_jail sysntpd procfs sysfs log ubus
>> + procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf
>> /tmp/resolv.conf /etc/hosts /etc/TZ
>> + procd_add_jail_mount_rw /var/run/ntpd.pid
>> procd_close_instance
>> }
>>
>
> Nice to see people jailing daemons.
> I've added some features to ujail recently but they lack proper documentation
> https://dev.openwrt.org/changeset/47862/trunk
>
> Keep in mind that root inside the jail is the same as root outside it (we
> don't use user namespaces for now),
> so sysntpd is still root and has access to /proc and /sys, so it can do
> lots of things
>
> Can you try to add capability restrictions?
> procd_set_param capabilities <json file>
> for the syntax see
> http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0
>
> maybe you can also add
> procd_set_param no_new_privs 1
> which prevents the process from gaining new privileges (this disables suid ...)
>
> Etienne
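Review bot: the jail in this hunk is given procfs, sysfs, log and ubus on the strength of strace output alone, as the commit message itself admits; before merging, confirm which of the four ntpd actually needs and drop the rest, since the process stays root inside the jail (no user namespace) and /proc and /sys mounted in give it back much of what the jail is meant to take away. Two smaller points: a one-line comment above `touch /var/run/ntpd.pid` saying it only exists to give `procd_add_jail_mount_rw /var/run/ntpd.pid` an existing bind target would help the next reader, and the `procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf` line looks wrapped by the mail client, so check the patch applies with it as a single line.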
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
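The capability restriction Etienne proposes, worked out for sysntpd as an added example (this is not code from the thread or from the patch): a capabilities file that the init script would reference with `procd_set_param capabilities /etc/capabilities/ntpd.json`, alongside `procd_set_param no_new_privs 1`. The file path, and the layout of five named capability sets, are assumptions about the procd JSON syntax documented at the commit Etienne links; CAP_SYS_TIME is what ntpd needs to step and slew the clock, and CAP_NET_BIND_SERVICE is needed only when it also serves time on UDP port 123.

```json
{
	"bounding": [
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_TIME"
	],
	"effective": [
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_TIME"
	],
	"permitted": [
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_TIME"
	],
	"inheritable": [
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_TIME"
	]
}
```

With the bounding set cut down to these two, a compromised ntpd that is still uid 0 inside the jail can no longer regain other capabilities, and no_new_privs keeps it from picking any up via a setuid binary; if the instance is a pure client, CAP_NET_BIND_SERVICE can be dropped from all four sets as well.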