[LEDE-DEV] [PATCH procd 7/7] jail: don't CLONE_NEWUTS if we don't change hostname
Etienne Champetier
champetier.etienne at gmail.com
Mon May 30 02:59:20 PDT 2016
Hi John,
2016-05-30 9:33 GMT+02:00 John Crispin <john at phrozen.org>:
>
>
> Hi Etienne,
>
> why don't we want to do that?
If you modify the hostname of the router you might want to propagate
it into the jail, it depends
Please don't merge this patch, I will improve it a bit:
no -h => no CLONE_NEWUTS
-h => CLONE_NEWUTS
-h <newhostname> => CLONE_NEWUTS + sethostname()
CLONE_NEWUTS is not a security feature,
sethostname() requires CAP_SYS_ADMIN which allows you to escape jail
(mknod + mount for example)
Etienne
>
> John
>
>
> On 30/05/2016 01:39, Etienne CHAMPETIER wrote:
>> Signed-off-by: Etienne CHAMPETIER <champetier.etienne at gmail.com>
>> ---
>> jail/jail.c | 7 ++++---
>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/jail/jail.c b/jail/jail.c
>> index e425254..926e42c 100644
>> --- a/jail/jail.c
>> +++ b/jail/jail.c
>> @@ -386,9 +386,10 @@ int main(int argc, char **argv)
>>
>> uloop_init();
>> if (opts.namespace) {
>> - jail_process.pid = clone(exec_jail,
>> - child_stack + STACK_SIZE,
>> - CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | SIGCHLD, NULL);
>> + int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | SIGCHLD;
>> + if (opts.hostname)
>> + flags |= CLONE_NEWUTS;
>> + jail_process.pid = clone(exec_jail, child_stack + STACK_SIZE, flags, NULL);
>> } else {
>> jail_process.pid = fork();
>> }
>>
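Review bot: the `if (opts.hostname)` condition changes the default for every jail started without a hostname, and neither the commit message (which carries only a Signed-off-by line) nor a comment in the hunk says so. Without CLONE_NEWUTS the child shares the host's UTS namespace, so a jailed process that still holds CAP_SYS_ADMIN could change the host's own hostname with sethostname(). Please state the behaviour change and the reason for it in the commit message, and add a short comment above `flags |= CLONE_NEWUTS;` noting that the namespace is created only when a hostname is requested.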