diff options
| author | John Crispin <john@openwrt.org> | 2015-03-26 10:58:44 +0000 |
|---|---|---|
| committer | John Crispin <john@openwrt.org> | 2015-03-26 10:58:44 +0000 |
| commit | eadb51fa98d060a0f708fdf3382cc9eabf960952 (patch) | |
| tree | 2c0dfed071ca6df2a3604a6d6d5f8dabebb7e1e1 | |
| parent | f5e2b62ab7729c7c21e75d7b60ce3bb99620fa8a (diff) | |
| download | master-31e0f0ae-eadb51fa98d060a0f708fdf3382cc9eabf960952.tar.gz master-31e0f0ae-eadb51fa98d060a0f708fdf3382cc9eabf960952.tar.bz2 master-31e0f0ae-eadb51fa98d060a0f708fdf3382cc9eabf960952.zip | |
mdns: add jail and seccomp support
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 45012
| -rw-r--r-- | package/network/services/mdns/Makefile | 2 | ||||
| -rw-r--r-- | package/network/services/mdns/files/mdns.config | 1 | ||||
| -rw-r--r-- | package/network/services/mdns/files/mdns.init | 4 | ||||
| -rw-r--r-- | package/network/services/mdns/files/mdns.json | 32 |
4 files changed, 38 insertions, 1 deletions
diff --git a/package/network/services/mdns/Makefile b/package/network/services/mdns/Makefile index 690f54770a..a731400206 100644 --- a/package/network/services/mdns/Makefile +++ b/package/network/services/mdns/Makefile @@ -20,6 +20,7 @@ PKG_SOURCE_VERSION:=a5560f88bb2cddeef0ef11a12e7822b9c19a75a5 PKG_MAINTAINER:=John Crispin <blogic@openwrt.org> PKG_LICENSE:=LGPL-2.1 +include $(INCLUDE_DIR)/package-seccomp.mk include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/cmake.mk @@ -37,6 +38,7 @@ define Package/mdns/install $(INSTALL_BIN) $(PKG_BUILD_DIR)/mdns $(1)/usr/sbin/ $(INSTALL_BIN) ./files/mdns.init $(1)/etc/init.d/mdns $(INSTALL_CONF) ./files/mdns.config $(1)/etc/config/mdns + $(call InstallSeccomp,$(1),./files/mdns.json) endef $(eval $(call BuildPackage,mdns)) diff --git a/package/network/services/mdns/files/mdns.config b/package/network/services/mdns/files/mdns.config index d64ba6768c..b09eaf5c89 100644 --- a/package/network/services/mdns/files/mdns.config +++ b/package/network/services/mdns/files/mdns.config @@ -1,2 +1,3 @@ config mdns + option jail 1 list network lan diff --git a/package/network/services/mdns/files/mdns.init b/package/network/services/mdns/files/mdns.init index 1bb764ee13..6f781190ff 100644 --- a/package/network/services/mdns/files/mdns.init +++ b/package/network/services/mdns/files/mdns.init @@ -35,6 +35,7 @@ start_service() { procd_open_instance procd_set_param command "$PROG" + procd_set_param seccomp /etc/seccomp/mdns.json procd_set_param respawn procd_open_trigger procd_add_config_trigger "config.change" "mdns" /etc/init.d/mdns reload @@ -43,10 +44,11 @@ start_service() { done procd_add_raw_trigger "instance.update" 5000 "/bin/ubus" "call" "mdns" "reload" procd_close_trigger + [ "$(uci get mdns.@mdns[-1].jail)" = 1 ] && procd_add_jail mdns ubus log procd_close_instance } service_started() { - ubus wait_for -t 5 mdns + ubus wait_for -t 10 mdns [ $? = 0 ] && reload_service } diff --git a/package/network/services/mdns/files/mdns.json b/package/network/services/mdns/files/mdns.json new file mode 100644 index 0000000000..c22ba6f5fb --- /dev/null +++ b/package/network/services/mdns/files/mdns.json @@ -0,0 +1,32 @@ +{ + "whitelist": [ + "read", + "write", + "open", + "close", + "time", + "brk", + "ioctl", + "uname", + "bind", + "connect", + "getsockname", + "recvmsg", + "sendmsg", + "sendto", + "setsockopt", + "socket", + "poll", + "fcntl64", + "epoll_create", + "epoll_ctl", + "epoll_wait", + "rt_sigaction", + "sigreturn", + "rt_sigreturn", + "exit_group", + "exit", + "clock_gettime" + ], + "policy": 1 +} |