author | Daniel Golle <daniel@makrotopia.org> | 2021-08-01 11:25:41 +0100 |
committer | Daniel Golle <daniel@makrotopia.org> | 2021-08-01 11:35:31 +0100 |
commit | ac4e8aa2f8d98158ea7b749f877269f1f5fa9c5a (patch) | |
tree | dec2ebb2edac132c10e2b42c1848f2e7c75d1b1a | |
parent | 59c63224e11d6c4eca27131a73bf16218e47a271 (diff) | |
download | upstream-ac4e8aa2f8d98158ea7b749f877269f1f5fa9c5a.tar.gz upstream-ac4e8aa2f8d98158ea7b749f877269f1f5fa9c5a.tar.bz2 upstream-ac4e8aa2f8d98158ea7b749f877269f1f5fa9c5a.zip |
dnsmasq: fix more dnsmasq jail issues
* remove superfluous mounts of /dev/null and /dev/urandom
* reset EXTRA_MOUNTS at the beginning of the script
* add mount according to ignore_hosts_dir
* don't add mount for file which is inside a directory already in the
EXTRA_MOUNTS list
Fixes: 59c63224e1 ("dnsmasq: rework jail mounts")
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-rw-r--r-- | package/network/services/dnsmasq/files/dnsmasq.init | 36 |
1 files changed, 26 insertions, 10 deletions
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index 460041d4b9..fe2edcbb56 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -10,6 +10,7 @@ ADD_LOCAL_DOMAIN=1
 ADD_LOCAL_HOSTNAME=1
 ADD_WAN_FQDN=0
 ADD_LOCAL_FQDN=""
+EXTRA_MOUNT=""
 BASECONFIGFILE="/var/etc/dnsmasq.conf"
 BASEHOSTFILE="/tmp/hosts/dhcp"
@@ -187,8 +188,22 @@ append_notinterface() {
 	xappend "--except-interface=$ifname"
 }
+ismounted() {
+	local filename="$1"
+	local dirname
+	for dirname in $EXTRA_MOUNT ; do
+		case "$filename" in
+			"${dirname}/"* | "${dirname}" )
+				return 1
+				;;
+		esac
+	done
+
+	return 0
+}
+
 append_addnhosts() {
-	append EXTRA_MOUNT "$1"
+	ismounted "$1" || append EXTRA_MOUNT "$1"
 	xappend "--addn-hosts=$1"
 }
@@ -927,6 +942,14 @@ dnsmasq_start()
 		config_list_foreach "$cfg" "interface" append_interface
 		config_list_foreach "$cfg" "notinterface" append_notinterface
 	}
+	config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0
+	if [ "$ignore_hosts_dir" = "1" ]; then
+		xappend "--addn-hosts=$HOSTFILE"
+		append EXTRA_MOUNT "$HOSTFILE"
+	else
+		xappend "--addn-hosts=$(dirname $HOSTFILE)"
+		append EXTRA_MOUNT "$(dirname $HOSTFILE)"
+	fi
 	config_list_foreach "$cfg" "addnhosts" append_addnhosts
 	config_list_foreach "$cfg" "bogusnxdomain" append_bogusnxdomain
 	append_parm "$cfg" "leasefile" "--dhcp-leasefile" "/tmp/dhcp.leases"
@@ -1022,12 +1045,6 @@ dnsmasq_start()
 	xappend "--dhcp-broadcast=tag:needs-broadcast"
-	config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0
-	if [ "$ignore_hosts_dir" = "1" ]; then
-		xappend "--addn-hosts=$HOSTFILE"
-	else
-		xappend "--addn-hosts=$(dirname $HOSTFILE)"
-	fi
 	config_get dnsmasqconfdir "$cfg" confdir "/tmp/dnsmasq.d"
 	xappend "--conf-dir=$dnsmasqconfdir"
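Review bot: The exit codes of the new `ismounted()` in the second hunk are inverted relative to its call site: the `case` arm returns 1 when `$filename` is already covered by an entry in `$EXTRA_MOUNT` and the function returns 0 otherwise, yet `append_addnhosts` runs `ismounted "$1" || append EXTRA_MOUNT "$1"`, so a path that is not yet covered (exit 0) is skipped and a path that is already covered (exit 1) is appended, the opposite of what the commit message describes. Swap the two codes so the name reads true on a match, `return 0` in the case arm and `return 1` after the loop, and keep the `||` at the call site. Until that is fixed, addn-hosts files outside the hosts directory are never bind-mounted into the jail, so the jailed dnsmasq cannot read them, while already-covered paths are listed a second time. The loop also word-splits `$EXTRA_MOUNT` on whitespace, which the later `procd_add_jail_mount $EXTRA_MOUNT` already assumes, so paths containing spaces are unsupported either way; the `dnsmasq_start()` edits in the third and fourth hunks sit inside a function whose start and end are outside the hunks.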
@@ -1121,10 +1138,9 @@ dnsmasq_start()
 	procd_set_param respawn
 	procd_add_jail dnsmasq ubus log
-	procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE
-	procd_add_jail_mount $EXTRA_MOUNT $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
+	procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
+	procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
 	procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
-	procd_add_jail_mount /dev/null /dev/urandom
 	procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
 	procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
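Review bot: The removed `procd_add_jail_mount /dev/null /dev/urandom` line is not replaced by anything in the hunk that says where the jailed process gets those nodes from now; as far as I know dnsmasq opens `/dev/urandom` at startup to seed its DNS transaction IDs and source ports, so if the procd jail does not populate `/dev` on its own the instance would presumably fail to start rather than run with predictable IDs, but that dependency is inferred, not visible here. A short comment next to the remaining mount lines would spare the next reader the same question, e.g. `# /dev (null, urandom) is provided by the procd jail itself, no explicit mount needed`. The reordered `procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE` line also relies on `EXTRA_MOUNT` being populated correctly by the `ismounted()` helper added earlier in this commit. `dnsmasq_start()` begins and ends outside the hunk.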