Hi,
Speaking of jails, is it possible yet to automagically detect the
dependencies for multiple binaries (there is a package I've got a pull
request to add to the packages feed that I haven't jailed because of a
dependency on another program; if that other program can be included in
the jail without having to manually figure out library dependencies I'll
move it as well)?
I'll do some additional testing etc. with sysntpd to see about narrowing
its privileges.
Regards,
Daniel
On 17/12/15 03:14 AM, Etienne Champetier wrote:
Hi,
2015-12-16 23:34 GMT+01:00 <open...@daniel.thecshore.com>:
From: Daniel Dickinson <open...@daniel.thecshore.com>
Note that not all of procfs sysfs log and ubus may be required for actual
operation, they are just what strace reveals attempting to make accesses.
Signed-off-by: Daniel Dickinson <open...@daniel.thecshore.com>
---
package/utils/busybox/files/sysntpd | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/package/utils/busybox/files/sysntpd
b/package/utils/busybox/files/sysntpd
index f73bb83..e61c9fc 100755
--- a/package/utils/busybox/files/sysntpd
+++ b/package/utils/busybox/files/sysntpd
@@ -31,7 +31,11 @@ start_service() {
for peer in $server; do
procd_append_param command -p $peer
done
+ touch /var/run/ntpd.pid
procd_set_param respawn
+ procd_add_jail sysntpd procfs sysfs log ubus
+ procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf
/tmp/resolv.conf /etc/hosts /etc/TZ
+ procd_add_jail_mount_rw /var/run/ntpd.pid
procd_close_instance
}
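Review bot: the procd_add_jail line grants procfs, sysfs, log and ubus together, on the basis of access attempts seen in strace, which the commit message itself says may not all be needed; retest with each of the four removed in turn and keep only the ones whose absence breaks operation. The hunk also sets no capabilities or no_new_privs parameter on the instance, so nothing in it limits what the jailed process can do with the procfs and sysfs it is given. The touch of /var/run/ntpd.pid would benefit from a one-line comment saying it exists so that procd_add_jail_mount_rw has a file to mount.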
Nice to see people jailing daemons.
I've added some features to ujail recently but it lacks proper documentation
https://dev.openwrt.org/changeset/47862/trunk
Keep in mind that root inside the jail is the same as root outside it
(we don't use user namespace for now),
so sysntpd is still root and has access to /proc and /sys, so it can do
lots of things
Can you try to add capabilities restrictions?
procd_set_param capabilities <json file>
for the syntax see
http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0
maybe you can also add
procd_set_param no_new_privs 1
which prevents the process from gaining new privileges (this disables suid ...)
Etienne
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
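
An added example, not part of the thread or of OpenWrt's code: one way to check whether the capability and no_new_privs restrictions suggested above actually took effect is to audit the daemon's /proc/<pid>/status. The function names, the constructed sample, and the allowed mask (CAP_SYS_TIME plus CAP_NET_BIND_SERVICE) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a /proc/<pid>/status snapshot of a jailed daemon.
# ALLOWED_CAPS is an assumption for an NTP daemon:
# CAP_SYS_TIME (bit 25) | CAP_NET_BIND_SERVICE (bit 10).
ALLOWED_CAPS=$((0x2000400))

# field FILE NAME COLUMN: print that column of the "NAME:" line.
field() { awk -v k="$2:" -v c="$3" '$1 == k { print $c }' "$1"; }

# audit_status FILE: print one finding per line; return the number of findings.
audit_status() {
    n=0
    euid=$(field "$1" Uid 3)          # Uid columns: real, effective, saved, fs
    capeff=$(field "$1" CapEff 2)     # hex bitmask of effective capabilities
    capbnd=$(field "$1" CapBnd 2)     # hex bitmask of the bounding set
    nnp=$(field "$1" NoNewPrivs 2)    # field is absent on kernels before 4.10
    extra=$(( 0x${capeff:-0} & ~ALLOWED_CAPS ))
    if [ "$extra" -ne 0 ]; then
        printf 'euid %s: CapEff has bits outside the allowed set: 0x%x\n' \
            "$euid" "$extra"
        n=$((n + 1))
    fi
    if [ $(( 0x${capbnd:-0} & ~ALLOWED_CAPS )) -ne 0 ]; then
        echo "CapBnd is wider than the allowed set: $capbnd"
        n=$((n + 1))
    fi
    if [ "${nnp:-0}" != 1 ]; then
        echo "NoNewPrivs is not set"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: what root with a full capability set looks like.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Name:   ntpd
Uid:    0       0       0       0
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
NoNewPrivs:     0
EOF
audit_status "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a running system the same function can be pointed at the status file of the ntpd process under /proc instead of the constructed sample.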