Hi all!

A while ago we added some useful kernel features to !SMALL_FLASH devices [1]. To make more use of that by default in a way which will make exploiting potential vulnerabilities in OpenWrt's services much harder, it'd be great to also have procd-ujail as well as procd-seccomp installed by default, adding about 38kB to the squashfs rootfs.

As it was reverted after it (actually something else) had broken the build, I've extensively tested ujail on x86/64, ath79/generic, ramips/mt7621, malta/mips64be and armvirt/64. Previous problems on MIPS64 systems (originating from a very strange compiler bug, but I was able to work around it) are fixed now, thanks to help from Roman Kuzmitskii (@damex).

I must admit that I have no means to do any tests on PPC platforms, and in order to avoid similar unexpected problems, it'd be great if someone with PPC hardware could test-run, simply by installing procd-ujail and procd-seccomp on their system and checking if everything still works as expected after a reboot (if there are problems you would notice dnsmasq and ntpd not coming up, as those would be jailed by default in case /sbin/ujail is found).

Please report back and voice any concerns; it'd be great to have this included in OpenWrt 20.xx (xx == 11?).

[1]: commit fcb41decf6 ("config: enable some useful features on !SMALL_FLASH devices")

Daniel Golle (2):
  target: select procd-ujail if !SMALL_FLASH
  target: select procd-seccomp if kernel support is present

 include/target.mk | 10 ++++++++++
 1 file changed, 10 insertions(+)

-- 
2.29.2
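As an added example (not part of this patch series or of procd), here is a small post-reboot check for the test-run requested above: it reports whether dnsmasq and ntpd are running and whether each was started under ujail. It assumes that a service procd starts jailed has a parent process whose comm is `ujail`; the embedded process listing is constructed so the script runs anywhere, and `live_listing` builds the same listing from /proc on a real box.

```shell
#!/bin/sh
# Added example, not part of the patch series: a post-reboot sanity check for
# the test-run requested above. It takes a "PID PPID COMM" process listing and
# reports, for dnsmasq and ntpd, whether each is running and whether its parent
# process is ujail (assumption: procd-launched jailed services are children of
# a ujail supervisor process).

# Constructed sample listing standing in for a live box (ujail parents both
# services, dropbear runs unjailed). Format: one "PID PPID COMM" per line.
SAMPLE_LISTING='1 0 procd
1200 1 ujail
1201 1200 dnsmasq
1300 1 ujail
1301 1300 ntpd
1400 1 dropbear'

# Build the same listing from /proc on a live OpenWrt system (no ps -o needed,
# so it works with busybox ps). comm is the parenthesised field of
# /proc/PID/stat; ppid is the second field after the closing parenthesis.
live_listing() {
    for s in /proc/[0-9]*/stat; do
        pid=${s#/proc/}; pid=${pid%/stat}
        stat=$(cat "$s" 2>/dev/null) || continue
        comm=${stat#*'('}; comm=${comm%')'*}
        set -- ${stat##*') '}
        printf '%s %s %s\n' "$pid" "$2" "$comm"
    done
}

# service_state LISTING NAME -> prints jailed | unjailed | missing
service_state() {
    listing=$1 name=$2
    pid=$(printf '%s\n' "$listing" | awk -v n="$name" '$3 == n {print $1; exit}')
    [ -n "$pid" ] || { echo missing; return 0; }
    ppid=$(printf '%s\n' "$listing" | awk -v p="$pid" '$1 == p {print $2; exit}')
    parent=$(printf '%s\n' "$listing" | awk -v p="$ppid" '$1 == p {print $3; exit}')
    [ "$parent" = ujail ] && echo jailed || echo unjailed
}

# report LISTING -> one line per service; returns 1 if either service is missing
report() {
    rc=0
    for svc in dnsmasq ntpd; do
        state=$(service_state "$1" "$svc")
        echo "$svc: $state"
        [ "$state" = missing ] && rc=1
    done
    return $rc
}

# Runs against the constructed sample here; on a router use: report "$(live_listing)"
report "$SAMPLE_LISTING"
```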