On Fri, Dec 10, 2021 at 04:03:34PM +0100, e9hack wrote:
>
> Hi,
>
> usually the files for a jailed process must be given via procd_add_jail_mount
> or procd_add_jail_mount_rw. It looks like this isn't necessary for
> hostapd. Why not? I can't find these two parameters in '/etc/init.d/wpad'.

Using namespaces is not mandatory when using other ujail features (i.e. capabilities or seccomp can also be used without namespaces). So hostapd doesn't use mount/filesystem namespaces at this moment but rather only uses ujail to retain some capabilities while being run as user and group 'network' (instead of 'root').

I chose to do it that way because the files needed for hostapd at run-time depend on the configuration (think: TLS certificates or credentials stored in files), which isn't known by the init script and may also change without having to restart the process. Hence limiting filesystem access would always conflict with configurations which are using additional files.

Another example is umdns, which uses ujail only for setting up a seccomp filter and doesn't make use of any other ujail features.

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
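
Added example, not part of the original message or of procd/ujail: since the reply explains that the user/group change, capabilities, seccomp and mount namespaces can each be used independently, this POSIX shell helper reads /proc/<pid>/status and the mount-namespace link to show which of them are actually in effect for a process. The function names are hypothetical, and the sample status excerpts (UIDs, capability masks) are constructed for illustration, not captured from a device.

```shell
#!/bin/sh
# Added example: summarize confinement of a process from /proc data.

# status_field NAME COL: print column COL of the "NAME:" line read on stdin.
status_field() {
    awk -v k="$1:" -v c="$2" '$1 == k { print $c; exit }'
}

# summarize STATUS_TEXT PROC_MNT_NS INIT_MNT_NS
# Prints: user=<root|nonroot> caps=<none|0xMASK> seccomp=<mode> mountns=<shared|private>
summarize() {
    euid=$(printf '%s\n' "$1" | status_field Uid 3)       # effective UID
    capeff=$(printf '%s\n' "$1" | status_field CapEff 2)  # effective capability mask (hex)
    sec=$(printf '%s\n' "$1" | status_field Seccomp 2)    # 0 off, 1 strict, 2 filter

    [ "$euid" = 0 ] && user=root || user=nonroot
    case $capeff in
        *[!0]*) caps=0x$(printf '%s' "$capeff" | sed 's/^0*//') ;;
        *)      caps=none ;;
    esac
    case $sec in
        0) seccomp=off ;; 1) seccomp=strict ;; 2) seccomp=filter ;; *) seccomp=unknown ;;
    esac
    # Same namespace link as PID 1 means no private mount namespace was set up.
    [ "$2" = "$3" ] && mountns=shared || mountns=private
    echo "user=$user caps=$caps seccomp=$seccomp mountns=$mountns"
}

# inspect_pid PID: the same summary for a live process (needs access to /proc/PID/ns).
inspect_pid() {
    summarize "$(cat "/proc/$1/status")" \
        "$(readlink "/proc/$1/ns/mnt")" "$(readlink /proc/1/ns/mnt)"
}

# Constructed excerpt: non-root user, two capabilities kept, no seccomp.
SAMPLE_CAPS_ONLY='Name:   hostapd
Uid:    101 101 101 101
CapEff: 0000000000003000
Seccomp:    0'

# Constructed excerpt: root with a wide capability mask, seccomp filter only.
SAMPLE_SECCOMP_ONLY='Name:   umdns
Uid:    0 0 0 0
CapEff: 000001ffffffffff
Seccomp:    2'

if [ "$#" -gt 0 ]; then inspect_pid "$1"; fi
```

Run it with a PID as its argument on the device, for example the PID reported by pidof for the service in question.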