projects / openwrt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0ebc351)
mdns: add jail and seccomp support
authorblogic <blogic@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Thu, 26 Mar 2015 10:58:44 +0000 (10:58 +0000)
committerblogic <blogic@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Thu, 26 Mar 2015 10:58:44 +0000 (10:58 +0000)
Signed-off-by: John Crispin <blogic@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@45012 3c298f89-4303-0410-b956-a3cf2f4a3e73

package/network/services/mdns/Makefile patch | blob | history
package/network/services/mdns/files/mdns.config patch | blob | history
package/network/services/mdns/files/mdns.init patch | blob | history
package/network/services/mdns/files/mdns.json [new file with mode: 0644] patch | blob

diff --git a/package/network/services/mdns/Makefile b/package/network/services/mdns/Makefile
index 690f547..a731400 100644 (file)
--- a/package/network/services/mdns/Makefile
+++ b/package/network/services/mdns/Makefile
@@ -20,6 +20,7 @@ PKG_SOURCE_VERSION:=a5560f88bb2cddeef0ef11a12e7822b9c19a75a5
 PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>
 PKG_LICENSE:=LGPL-2.1
 
+include $(INCLUDE_DIR)/package-seccomp.mk
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
 
@@ -37,6 +38,7 @@ define Package/mdns/install
        $(INSTALL_BIN) $(PKG_BUILD_DIR)/mdns $(1)/usr/sbin/
        $(INSTALL_BIN) ./files/mdns.init $(1)/etc/init.d/mdns
        $(INSTALL_CONF) ./files/mdns.config $(1)/etc/config/mdns
+       $(call InstallSeccomp,$(1),./files/mdns.json)
 endef
 
 $(eval $(call BuildPackage,mdns))
diff --git a/package/network/services/mdns/files/mdns.init b/package/network/services/mdns/files/mdns.init
index 1bb764e..6f78119 100644 (file)
--- a/package/network/services/mdns/files/mdns.init
+++ b/package/network/services/mdns/files/mdns.init
@@ -35,6 +35,7 @@ start_service() {
 
        procd_open_instance
        procd_set_param command "$PROG"
+       procd_set_param seccomp /etc/seccomp/mdns.json
        procd_set_param respawn
        procd_open_trigger
        procd_add_config_trigger "config.change" "mdns" /etc/init.d/mdns reload
@@ -43,10 +44,11 @@ start_service() {
        done
        procd_add_raw_trigger "instance.update" 5000 "/bin/ubus" "call" "mdns" "reload"
        procd_close_trigger
+       [ "$(uci get mdns.@mdns[-1].jail)" = 1 ] && procd_add_jail mdns ubus log
        procd_close_instance
 }
 
 service_started() {
-       ubus wait_for -t 5 mdns
+       ubus wait_for -t 10 mdns
        [ $? = 0 ] && reload_service
 }
diff --git a/package/network/services/mdns/files/mdns.json b/package/network/services/mdns/files/mdns.json
new file mode 100644 (file)
index 0000000..c22ba6f
--- /dev/null
+++ b/package/network/services/mdns/files/mdns.json
@@ -0,0 +1,32 @@
+{
+       "whitelist": [
+               "read",
+               "write",
+               "open",
+               "close",
+               "time",
+               "brk",
+               "ioctl",
+               "uname",
+               "bind",
+               "connect",
+               "getsockname",
+               "recvmsg",
+               "sendmsg",
+               "sendto",
+               "setsockopt",
+               "socket",
+               "poll",
+               "fcntl64",
+               "epoll_create",
+               "epoll_ctl",
+               "epoll_wait",
+               "rt_sigaction",
+               "sigreturn",
+               "rt_sigreturn",
+               "exit_group",
+               "exit",
+               "clock_gettime"
+       ],
+       "policy": 1
+}
OpenWrt main development branch