authorJohn Crispin <john@openwrt.org>2015-03-26 10:58:25 +0000
committerJohn Crispin <john@openwrt.org>2015-03-26 10:58:25 +0000
commite85b93d9b83fef4f3d6f1bc82be15f97b2cb98bf (patch)
tree670150b40ff9f8751f6d1e6088950d6d59ce7eab
parent4cf79298697bb34de1df53ea79535cba5d2c1e99 (diff)
procd: add jail support
Signed-off-by: John Crispin <blogic@openwrt.org> SVN-Revision: 45010
-rw-r--r--package/system/procd/Makefile29
-rw-r--r--package/system/procd/files/procd.sh60
2 files changed, 84 insertions, 5 deletions
diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile
index 701b70320b..40fcdb7061 100644
--- a/package/system/procd/Makefile
+++ b/package/system/procd/Makefile
@@ -8,14 +8,14 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=procd
-PKG_VERSION:=2015-03-18
+PKG_VERSION:=2015-03-25
PKG_RELEASE=$(PKG_SOURCE_VERSION)
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=git://nbd.name/luci2/procd.git
PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=0cf744c720c9ed01c2dae25f338d4e96b9db95e3
+PKG_SOURCE_VERSION:=29f139217c71c8753643779c800788783bf43c23
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
CMAKE_INSTALL:=1
@@ -24,6 +24,8 @@ PKG_LICENSE_FILES:=
PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>
+PKG_CONFIG_DEPENDS:=CONFIG_KERNEL_SECCOMP
+
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk
@@ -36,6 +38,14 @@ define Package/procd
TITLE:=OpenWrt system process manager
endef
+define Package/procd-jail
+ SECTION:=base
+ CATEGORY:=Base system
+ DEPENDS:=procd +@KERNEL_NAMESPACES +@KERNEL_UTS_NS +@KERNEL_IPC_NS +@KERNEL_PID_NS @mips||mipsel||i386||x86_64
+ TITLE:=OpenWrt process jail
+ DEFAULT:=n
+endef
+
define Package/procd-nand
SECTION:=utils
CATEGORY:=Utilities
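Review bot: The DEPENDS line of Package/procd-jail restricts the package to mips/mipsel/i386/x86_64 without saying why; a comment such as `# ujail/utrace preload libraries are only built for these targets — TODO confirm` above it would save the next maintainer a dig through the procd sources. The same line forces the namespace kernel options on but not KERNEL_SECCOMP, while libpreload-seccomp.so is installed only under `ifeq ($(CONFIG_KERNEL_SECCOMP),y)` in Package/procd/install further down; if seccomp filtering is meant to be part of a jail, `+@KERNEL_SECCOMP` belongs in this list, otherwise a comment stating that seccomp is optional and controlled by CONFIG_KERNEL_SECCOMP would make the split deliberate. `DEFAULT:=n` is redundant for a package that is not selected by anything, but it does document intent.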
@@ -83,16 +93,26 @@ endif
define Package/procd/install
$(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions
- $(CP) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/
$(INSTALL_BIN) ./files/reload_config $(1)/sbin/
$(INSTALL_DATA) ./files/hotplug*.json $(1)/etc/
$(INSTALL_DATA) ./files/procd.sh $(1)/lib/functions/
+ifeq ($(CONFIG_KERNEL_SECCOMP),y)
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-seccomp.so $(1)/lib
+endif
+endef
+
+define Package/procd-jail/install
+ $(INSTALL_DIR) $(1)/sbin $(1)/lib
+
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{utrace,ujail} $(1)/sbin/
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-trace.so $(1)/lib
endef
define Package/procd-nand/install
$(INSTALL_DIR) $(1)/sbin $(1)/lib/upgrade
- $(CP) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/
$(INSTALL_DATA) ./files/nand.sh $(1)/lib/upgrade/
endef
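Review bot: The two new shared-library install lines end in `$(1)/lib` without the trailing slash that every other destination in these defines carries (`$(1)/sbin/`, `$(1)/lib/functions/`); this applies to the libpreload-seccomp.so line in Package/procd/install and the libpreload-trace.so line in Package/procd-jail/install. The directory is created by the preceding `$(INSTALL_DIR)`, so it works today, but `$(1)/lib/` makes the intent explicit and fails loudly instead of producing a file named `lib` if the INSTALL_DIR line is ever reordered. The stray blank line after `$(INSTALL_DIR) $(1)/sbin $(1)/lib` in Package/procd-jail/install is harmless but inconsistent with the sibling install defines.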
@@ -103,5 +123,6 @@ define Package/procd-nand-firstboot/install
endef
$(eval $(call BuildPackage,procd))
+$(eval $(call BuildPackage,procd-jail))
$(eval $(call BuildPackage,procd-nand))
$(eval $(call BuildPackage,procd-nand-firstboot))
diff --git a/package/system/procd/files/procd.sh b/package/system/procd/files/procd.sh
index 78352c0b76..f6c5e97216 100644
--- a/package/system/procd/files/procd.sh
+++ b/package/system/procd/files/procd.sh
@@ -112,6 +112,7 @@ _procd_open_instance() {
_PROCD_INSTANCE_SEQ="$(($_PROCD_INSTANCE_SEQ + 1))"
name="${name:-instance$_PROCD_INSTANCE_SEQ}"
json_add_object "$name"
+ [ -n "$TRACE_SYSCALLS" ] && json_add_boolean trace "1"
}
_procd_open_trigger() {
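Review bot: The added `[ -n "$TRACE_SYSCALLS" ] && json_add_boolean trace "1"` is the last statement of _procd_open_instance, so whenever TRACE_SYSCALLS is unset the function now returns status 1 where it previously returned the status of json_add_object; any caller that checks the return value (or runs under `set -e`) will see a spurious failure. Writing it as `[ -z "$TRACE_SYSCALLS" ] || json_add_boolean trace "1"` keeps the function's exit status clean in both cases. TRACE_SYSCALLS is presumably taken from the environment of the init script that calls this; a one-line comment naming where it is expected to be set would help, since nothing in the hunk documents it. _procd_open_instance starts outside the hunk.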
@@ -122,6 +123,60 @@ _procd_open_validate() {
json_add_array "validate"
}
+_procd_add_jail() {
+ json_add_object "jail"
+ json_add_string name "$1"
+ json_add_string root "/tmp/.jail/$1"
+
+ shift
+
+ for a in $@; do
+ case $a in
+ log) json_add_boolean "log" "1";;
+ ubus) json_add_boolean "ubus" "1";;
+ procfs) json_add_boolean "procfs" "1";;
+ sysfs) json_add_boolean "sysfs" "1";;
+ esac
+ done
+ json_add_object "mount"
+ json_close_object
+ json_close_object
+}
+
+_procd_add_jail_mount() {
+ local _json_no_warning=1
+
+ json_select "jail"
+ [ $? = 0 ] || return
+ json_select "mount"
+ [ $? = 0 ] || {
+ json_select ..
+ return
+ }
+ for a in $@; do
+ json_add_string "$a" "0"
+ done
+ json_select ..
+ json_select ..
+}
+
+_procd_add_jail_mount_rw() {
+ local _json_no_warning=1
+
+ json_select "jail"
+ [ $? = 0 ] || return
+ json_select "mount"
+ [ $? = 0 ] || {
+ json_select ..
+ return
+ }
+ for a in $@; do
+ json_add_string "$a" "1"
+ done
+ json_select ..
+ json_select ..
+}
+
_procd_set_param() {
local type="$1"; shift
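Review bot: All three new functions iterate with `for a in $@` unquoted, so every jail option and every mount path is subject to pathname expansion before it reaches json_add_string; a mount path containing `*` or `?` would be silently replaced by whatever matches in the current directory. `for a in "$@"` preserves each argument as given. _procd_add_jail_mount and _procd_add_jail_mount_rw are byte-for-byte identical apart from the "0"/"1" flag, and the `[ $? = 0 ] || return` idiom can be folded into the json_select call itself; a shared helper keeps the two public names and removes the duplication, as sketched below. The hard-coded root `/tmp/.jail/$1` is built from the jail name with no sanitising; the name comes from the init script author, so the risk is low, but a comment stating that the name is expected to be a plain identifier (no `/`) would document the assumption.
```shell
# Add one mount entry per path under the open jail's "mount" object, tagged
# with $1 ("0" = read-only, "1" = read-write). Silently does nothing if no
# jail or mount object is open.
_procd_jail_mount_add() {
	local _json_no_warning=1
	local flag="$1"; shift

	json_select "jail" || return
	json_select "mount" || {
		json_select ..
		return
	}
	for a in "$@"; do
		json_add_string "$a" "$flag"
	done
	json_select ..
	json_select ..
}

_procd_add_jail_mount() {
	_procd_jail_mount_add "0" "$@"
}

_procd_add_jail_mount_rw() {
	_procd_jail_mount_add "1" "$@"
}
```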
@@ -140,7 +195,7 @@ _procd_set_param() {
nice)
json_add_int "$type" "$1"
;;
- user)
+ user|seccomp)
json_add_string "$type" "$1"
;;
stdout|stderr)
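Review bot: The new `seccomp` parameter is stored as a plain string like `user`, but nothing in the function says what the string is supposed to hold, whereas the other cases are self-explanatory from their names. A short comment on the case label, e.g. `user|seccomp) # seccomp: filter description handed to procd as-is — TODO confirm expected format`, would tell init-script authors what to pass without having to read procd's C sources. _procd_set_param starts outside the hunk, so the comment could equally go in its header.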
@@ -367,6 +422,9 @@ _procd_wrapper \
procd_close_instance \
procd_open_validate \
procd_close_validate \
+ procd_add_jail \
+ procd_add_jail_mount \
+ procd_add_jail_mount_rw \
procd_set_param \
procd_append_param \
procd_add_validation \