[openwrt/openwrt] dnsmasq: fix more dnsmasq jail issues

LEDE Commits lede-commits at lists.infradead.org
Mon Aug 2 16:47:07 PDT 2021


dangole pushed a commit to openwrt/openwrt.git, branch openwrt-21.02:
https://git.openwrt.org/6ca34c5c0c8bc394093c7b4da015816d5ebfbe91

commit 6ca34c5c0c8bc394093c7b4da015816d5ebfbe91
Author: Daniel Golle <daniel at makrotopia.org>
AuthorDate: Sun Aug 1 11:25:41 2021 +0100

    dnsmasq: fix more dnsmasq jail issues
    
     * remove superfluous mounts of /dev/null and /dev/urandom
     * reset EXTRA_MOUNTS at the beginning of the script
     * add mount according to ignore_hosts_dir
     * don't add mount for file which is inside a directory already in the
       EXTRA_MOUNTS list
    
    Fixes: 59c63224e1 ("dnsmasq: rework jail mounts")
    Reported-by: Hartmut Birr <e9hack at gmail.com>
    Signed-off-by: Daniel Golle <daniel at makrotopia.org>
    (cherry picked from commit ac4e8aa2f8d98158ea7b749f877269f1f5fa9c5a)
---
 .../network/services/dnsmasq/files/dnsmasq.init    | 36 ++++++++++++++++------
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index 460041d4b9..fe2edcbb56 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -10,6 +10,7 @@ ADD_LOCAL_DOMAIN=1
 ADD_LOCAL_HOSTNAME=1
 ADD_WAN_FQDN=0
 ADD_LOCAL_FQDN=""
+EXTRA_MOUNT=""
 
 BASECONFIGFILE="/var/etc/dnsmasq.conf"
 BASEHOSTFILE="/tmp/hosts/dhcp"
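Review bot: `EXTRA_MOUNT=""` at file scope clears the list only once, when the init script is loaded, while the appends added later in this commit happen inside `dnsmasq_start`. If `dnsmasq_start` runs for more than one configured instance in the same shell (its body is outside this hunk, so this is inferred from the `"$cfg"` argument), each later instance's jail would also receive the paths collected for the earlier ones, which widens what that jail can see. Resetting per instance, with `EXTRA_MOUNT=""` at the top of `dnsmasq_start`, keeps each jail's mount list limited to its own configuration.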
@@ -187,8 +188,22 @@ append_notinterface() {
 	xappend "--except-interface=$ifname"
 }
 
+ismounted() {
+	local filename="$1"
+	local dirname
+	for dirname in $EXTRA_MOUNT ; do
+		case "$filename" in
+			"${dirname}/"* | "${dirname}" )
+				return 1
+				;;
+		esac
+	done
+
+	return 0
+}
+
 append_addnhosts() {
-	append EXTRA_MOUNT "$1"
+	ismounted "$1" || append EXTRA_MOUNT "$1"
 	xappend "--addn-hosts=$1"
 }
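Review bot: `ismounted` returns 1 when the path is already covered by an `EXTRA_MOUNT` entry and 0 when it is not, which is the reverse of what the caller `ismounted "$1" || append EXTRA_MOUNT "$1"` needs. As written, a hosts file that is already covered gets appended again, and a file that is not covered is never added, so dnsmasq inside the jail cannot read it. Swap the two statuses: `return 0` inside the `case` arm and `return 1` after the loop. A one-line comment above the function, such as `# succeeds if $1 is an EXTRA_MOUNT entry or lies below one`, would make the contract explicit. The match is a plain string prefix, so paths are assumed to be already normalized.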
 
@@ -927,6 +942,14 @@ dnsmasq_start()
 		config_list_foreach "$cfg" "interface" append_interface
 		config_list_foreach "$cfg" "notinterface" append_notinterface
 	}
+	config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0
+	if [ "$ignore_hosts_dir" = "1" ]; then
+		xappend "--addn-hosts=$HOSTFILE"
+		append EXTRA_MOUNT "$HOSTFILE"
+	else
+		xappend "--addn-hosts=$(dirname $HOSTFILE)"
+		append EXTRA_MOUNT "$(dirname $HOSTFILE)"
+	fi
 	config_list_foreach "$cfg" "addnhosts" append_addnhosts
 	config_list_foreach "$cfg" "bogusnxdomain" append_bogusnxdomain
 	append_parm "$cfg" "leasefile" "--dhcp-leasefile" "/tmp/dhcp.leases"
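Review bot: The placement of this block ahead of `config_list_foreach "$cfg" "addnhosts" append_addnhosts` matters, because `ismounted` only consults what is already in `EXTRA_MOUNT`, yet nothing in the code says so. A comment such as `# keep before the addnhosts loop: ismounted checks against the hosts dir added here` would stop a later reorder from silently changing the jail mount list. In the `else` branch `$(dirname $HOSTFILE)` is also computed twice with `$HOSTFILE` unquoted; a single `hostsdir="$(dirname "$HOSTFILE")"` used for both calls would be tidier. `dnsmasq_start` starts and ends outside this hunk.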
@@ -1022,12 +1045,6 @@ dnsmasq_start()
 
 	xappend "--dhcp-broadcast=tag:needs-broadcast"
 
-	config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0
-	if [ "$ignore_hosts_dir" = "1" ]; then
-		xappend "--addn-hosts=$HOSTFILE"
-	else
-		xappend "--addn-hosts=$(dirname $HOSTFILE)"
-	fi
 
 	config_get dnsmasqconfdir "$cfg" confdir "/tmp/dnsmasq.d"
 	xappend "--conf-dir=$dnsmasqconfdir"
@@ -1121,10 +1138,9 @@ dnsmasq_start()
 	procd_set_param respawn
 
 	procd_add_jail dnsmasq ubus log
-	procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE
-	procd_add_jail_mount $EXTRA_MOUNT $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
+	procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
+	procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
 	procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
-	procd_add_jail_mount /dev/null /dev/urandom
 	procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
 	procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
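Review bot: Every argument to `procd_add_jail_mount` here is an unquoted expansion, and some of them come from configuration (`$dnsmasqconfdir` is read with `config_get` in the context of the previous hunk, and `$EXTRA_MOUNT` collects `addnhosts` entries). The shell splits and glob-expands those values before procd sees them, so a configured path containing whitespace or `*` would turn into different mount entries than the administrator wrote. Since `EXTRA_MOUNT` is a space-separated list the splitting is presumably intentional, so I would document the constraint rather than quote: `# unquoted on purpose: empty variables drop out and EXTRA_MOUNT is a space-separated list; paths must not contain whitespace or glob characters`. `dnsmasq_start` continues outside this hunk.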
 


