Hi,

2015-12-17 9:20 GMT+01:00 Daniel Dickinson <open...@daniel.thecshore.com>:

> Hi,
>
> Speaking of jails, is it possible yet to automagically detect the
> dependencies for multiple binaries yet (there is a package I've got a pull
> request to add to the packages feed that I haven't jailed because of a
> dependency on another program; if that other program can be included in the
> jail without having to manually figure out library dependencies I'll move
> it as well).
>

Yes, I've recently added that: each file that you add to the jail is now
"parsed"; if it's an ELF, all needed libs (.so) are added; if it's a script
(#!), the interpreter is added.
http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=15ff8b1d09187c11b1331f811cc75b0dd2076827

> I'll do some additional testing etc. with sysntpd to see about narrowing
> its privileges.
>
> Regards,
>
> Daniel
>
> On 17/12/15 03:14 AM, Etienne Champetier wrote:
>
>> Hi,
>>
>> 2015-12-16 23:34 GMT+01:00 <open...@daniel.thecshore.com
>> <mailto:open...@daniel.thecshore.com>>:
>>
>> From: Daniel Dickinson <open...@daniel.thecshore.com
>> <mailto:open...@daniel.thecshore.com>>
>>
>> Note that not all of procfs sysfs log and ubus may be required for
>> actual operation, they are just what strace reveals attempting to make
>> accesses.
>>
>> Signed-off-by: Daniel Dickinson <open...@daniel.thecshore.com
>> <mailto:open...@daniel.thecshore.com>>
>>
>> ---
>> package/utils/busybox/files/sysntpd | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/package/utils/busybox/files/sysntpd
>> b/package/utils/busybox/files/sysntpd
>> index f73bb83..e61c9fc 100755
>> --- a/package/utils/busybox/files/sysntpd
>> +++ b/package/utils/busybox/files/sysntpd
>> @@ -31,7 +31,11 @@ start_service() {
>> for peer in $server; do
>> procd_append_param command -p $peer
>> done
>> + touch /var/run/ntpd.pid
>> procd_set_param respawn
>> + procd_add_jail sysntpd procfs sysfs log ubus
>> + procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf
>> /tmp/resolv.conf /etc/hosts /etc/TZ
>> + procd_add_jail_mount_rw /var/run/ntpd.pid
>> procd_close_instance
>> }
>>
>>
>> Nice to see people jailing daemons.
>> I've added some features to ujail recently but they lack proper documentation
>> https://dev.openwrt.org/changeset/47862/trunk
>>
>> Keep in mind that root inside the jail is the same as root outside it
>> (we don't use user namespaces for now),
>> so sysntpd is still root and has access to /proc and /sys, so it can do
>> lots of things
>>
>> Can you try to add capabilities restrictions?
>> procd_set_param capabilities <json file>
>> for the syntax see
>>
>> http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0
>>
>> maybe you can also add
>> procd_set_param no_new_privs 1
>> which prevents the process from gaining new privileges (this disables suid ...)
>>
>> Etienne
>>
>>
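Review bot: `$HOTPLUG_SCRIPT` is passed to `procd_add_jail_mount` in the hunk but is not defined anywhere in it; confirm it is set earlier in the script, otherwise an empty path ends up in the mount list. The jail line `procd_add_jail sysntpd procfs sysfs log ubus` grants everything strace showed being touched, and the commit message itself says not all of it may be required; since root inside the jail keeps access to /proc and /sys (as the reply points out), each of those four should be justified or dropped, and the instance should also get `procd_set_param capabilities <json file>` and `procd_set_param no_new_privs 1` as the reply suggests, otherwise the jail only changes the filesystem view of a process that is still fully privileged root.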
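What the automatic dependency detection in the reply amounts to, as an added example that is not procd's code and not part of the thread: classify each file that goes into the jail by its first bytes, and for an ELF walk the program headers to the PT_DYNAMIC segment and read the DT_NEEDED names out of the dynamic string table, while for a `#!` script take the interpreter path. The minimal ELF built by `build_sample_elf()` is constructed for the example and is not a real binary; the code lists library names only and does not resolve where they live on the target root, and a `#!/usr/bin/env prog` line yields `/usr/bin/env`, so `prog` would need a second lookup.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def _elf_needed(data: bytes) -> list[str]:
    """Return the DT_NEEDED library names of an ELF32/ELF64 image (either endianness)."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"  # type, flags, offset, vaddr, ...
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"  # type, offset, vaddr, ...

    loads, dynamic = [], None
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_vaddr, p_filesz = (
            (ph[0], ph[2], ph[3], ph[5]) if is64 else (ph[0], ph[1], ph[2], ph[4]))
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []                            # statically linked: nothing extra to copy

    def vaddr_to_offset(va: int) -> int:
        # DT_STRTAB is a virtual address; map it back to a file offset via PT_LOAD.
        for vaddr, offset, filesz in loads:
            if vaddr <= va < vaddr + filesz:
                return offset + (va - vaddr)
        raise ValueError("DT_STRTAB lies outside every PT_LOAD segment")

    needed, strtab_va = [], None
    off, stop = dynamic[0], dynamic[0] + dynamic[1]
    step = struct.calcsize(dyn_fmt)
    while off + step <= stop:
        d_tag, d_val = struct.unpack_from(dyn_fmt, data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed.append(d_val)             # offset into .dynstr, resolved below
        elif d_tag == DT_STRTAB:
            strtab_va = d_val
        off += step
    if strtab_va is None:
        raise ValueError("dynamic section has no DT_STRTAB")
    strtab = vaddr_to_offset(strtab_va)
    return [data[strtab + o:data.index(b"\0", strtab + o)].decode() for o in needed]


def _script_interpreter(data: bytes) -> str:
    """First token of the #! line, e.g. /bin/sh (for '#!/usr/bin/env prog' this is env)."""
    tokens = data.split(b"\n", 1)[0][2:].strip().split()
    if not tokens:
        raise ValueError("empty #! line")
    return tokens[0].decode()


def jail_dependencies(data: bytes) -> dict:
    """Classify a file going into the jail and list what else must be copied with it."""
    if data.startswith(ELF_MAGIC):
        return {"kind": "elf", "needed": _elf_needed(data)}
    if data.startswith(b"#!"):
        return {"kind": "script", "needed": [_script_interpreter(data)]}
    return {"kind": "other", "needed": []}   # plain data file: nothing to add


def build_sample_elf() -> bytes:
    """Constructed minimal ELF64 LE image (not runnable) needing libc.so.6 and libm.so.6."""
    strtab = b"\0libc.so.6\0libm.so.6\0"      # "libc.so.6" at offset 1, "libm.so.6" at 11
    strtab_off, dyn_off = 176, 200
    dynamic = (struct.pack("<qQ", DT_STRTAB, strtab_off) + struct.pack("<qQ", DT_NEEDED, 1)
               + struct.pack("<qQ", DT_NEEDED, 11) + struct.pack("<qQ", DT_NULL, 0))
    total = dyn_off + len(dynamic)
    ehdr = (ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0))
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dynamic), len(dynamic), 8)
    body = ehdr + phdrs + strtab
    return body + bytes(dyn_off - len(body)) + dynamic


if __name__ == "__main__":
    print(jail_dependencies(build_sample_elf()))
    print(jail_dependencies(b"#!/bin/sh\necho hi\n"))
```

Pointing `jail_dependencies` at real files (`open(path, "rb").read()`) gives the same DT_NEEDED list `readelf -d` prints, which is a quick way to check that everything a jailed binary loads was actually copied in.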
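The reply's point is that a root process in a ujail stays root, so the jail only narrows anything once a capabilities file and `no_new_privs` are applied. A way to verify from outside that a running daemon really ended up restricted is to read its `/proc/<pid>/status` and decode the `CapBnd`/`CapEff` masks and the `NoNewPrivs` field. This is an added example, not code from the thread or from procd; the two status texts are constructed (a fully privileged root daemon versus one narrowed to two capabilities), and the allow-list of `CAP_NET_BIND_SERVICE` and `CAP_SYS_TIME` is this example's assumption about what an NTP daemon needs (bind UDP 123, set the clock), not something the thread states. `NoNewPrivs` only appears in status on newer kernels; a missing field is reported as not set.

```python
# Linux capability numbers -> names: bit i of CapEff/CapBnd is CAP_NAMES[i].
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# Assumption of this example: what an NTP daemon needs (bind UDP/123, set the clock).
NTPD_ALLOWED = {"CAP_NET_BIND_SERVICE", "CAP_SYS_TIME"}

# Constructed /proc/<pid>/status excerpts: root with every capability, then a narrowed one.
UNJAILED_STATUS = (
    "Name:\tntpd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nNoNewPrivs:\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
)
NARROWED_STATUS = (
    "Name:\tntpd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nNoNewPrivs:\t1\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000002000400\n"
    "CapEff:\t0000000002000400\nCapBnd:\t0000000002000400\n"
)


def parse_status(text: str) -> dict:
    """Split 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(mask_hex: str) -> list[str]:
    """Turn a CapXxx hex mask into capability names, lowest bit first."""
    mask = int(mask_hex, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Bits beyond the table are capabilities newer than this list.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def audit_status(status_text: str, allowed: set) -> dict:
    """Compare a daemon's bounding set and NoNewPrivs against an allow-list."""
    f = parse_status(status_text)
    bounding = decode_caps(f["CapBnd"])
    effective = decode_caps(f["CapEff"])
    findings = []
    extra = sorted(set(bounding) - allowed)
    if extra:
        findings.append("bounding set exceeds allow-list: " + ", ".join(extra))
    if f.get("NoNewPrivs") != "1":
        findings.append("NoNewPrivs is not 1: an exec of a setuid binary could regain privileges")
    return {"uid": f["Uid"].split()[0], "effective": effective,
            "bounding": bounding, "findings": findings}


def audit_pid(pid: int, allowed: set) -> dict:
    """Audit a live process; needs a Linux /proc and permission to read the status file."""
    with open(f"/proc/{pid}/status") as fh:
        return audit_status(fh.read(), allowed)


if __name__ == "__main__":
    for label, text in (("before", UNJAILED_STATUS), ("after", NARROWED_STATUS)):
        result = audit_status(text, NTPD_ALLOWED)
        print(label, "uid", result["uid"], "bounding", result["bounding"])
        for finding in result["findings"]:
            print("  !", finding)
```

On a box, `audit_pid(pid_of_ntpd, NTPD_ALLOWED)` run both before and after adding `procd_set_param capabilities` and `procd_set_param no_new_privs 1` shows whether the change took effect: the bounding set should shrink to the two expected names and the findings list should come back empty.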
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel