[OpenWrt-Devel] [PATCH procd 4/9] instance, ujail: wire capabilities (-C) support

Etienne Champetier champetier.etienne at gmail.com
Fri Dec 11 16:46:44 EST 2015


Hi,

2015-12-11 12:00 GMT+01:00 John Crispin <blogic at openwrt.org>:

> Hi,
>
> nice to see caps being added. please explain a bit about the file that
> needs to be created for it to work
>

I'll document that in the future README.
I've put a small example into the commit that introduced capabilities:
http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0
The -C option takes a file with JSON in it, like
{
        "cap.keep": [
                "cap_net_raw"
        ],
        "cap.drop": []
}

The capabilities are lower case in the config.
If there is one or more capabilities in cap.keep, drop all capabilities not
in cap.keep.
Always drop all capabilities in cap.drop.

So in the example we only keep cap_net_raw.

Activating debug (ujail -d) should help (it prints every drop or keep, ...).
You also have the full list of capabilities supported by your kernel;
see man capabilities (
http://man7.org/linux/man-pages/man7/capabilities.7.html)
for more info on each capability.

I just saw that for now I'm mounting the capabilities conf into the jail,
where I could just read it before building the fs jail (one more todo :) )

Etienne
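To make the two rules above concrete, here is an added example (not procd or ujail code) that applies them to a capability bitmask the way a -C consumer would: a non-empty cap.keep acts as a whitelist, and cap.drop is removed afterwards, so a name listed in both ends up dropped. The JSON file is replaced by constructed in-memory name lists, the capability table is a hand-picked subset of capabilities(7) with bit numbers from <linux/capability.h>, and an unknown name is treated as a configuration error rather than silently ignored; all of that is this example's choice, not ujail's documented behaviour.

```c
/* Added example (not procd/ujail code): computes the capability set a
 * ujail -C config would leave, following the two rules from the mail:
 *   - if cap.keep is non-empty, every capability not in cap.keep is dropped;
 *   - every capability in cap.drop is dropped, regardless of cap.keep.
 * The JSON file is replaced by in-memory string arrays (constructed input);
 * a real implementation parses the -C file first. Only a subset of the
 * kernel's capabilities is listed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cap_name { const char *name; int bit; };

/* Subset of capabilities(7), lower case as the config expects.
 * Bit numbers match <linux/capability.h>. */
static const struct cap_name cap_table[] = {
    { "cap_chown",            0 },
    { "cap_dac_override",     1 },
    { "cap_kill",             5 },
    { "cap_setuid",           7 },
    { "cap_net_bind_service", 10 },
    { "cap_net_admin",        12 },
    { "cap_net_raw",          13 },
    { "cap_sys_chroot",       18 },
    { "cap_sys_admin",        21 },
};
#define CAP_TABLE_LEN (sizeof(cap_table) / sizeof(cap_table[0]))

/* Mask with every capability in the table set: stands in for the full
 * set a process holds before ujail starts dropping. */
static uint64_t cap_all(void)
{
    uint64_t m = 0;
    for (size_t i = 0; i < CAP_TABLE_LEN; i++)
        m |= (uint64_t)1 << cap_table[i].bit;
    return m;
}

/* Look up a lower-case name; returns its bit or -1 if unknown. */
static int cap_lookup(const char *name)
{
    for (size_t i = 0; i < CAP_TABLE_LEN; i++)
        if (strcmp(cap_table[i].name, name) == 0)
            return cap_table[i].bit;
    return -1;
}

/* Build a mask from a NULL-terminated list of names. Returns 0 on
 * success, -1 if a name is not a known capability (fail closed: a typo
 * in cap.keep must not silently leave extra privileges behind). */
static int cap_mask_from_list(const char *const *names, uint64_t *out)
{
    uint64_t m = 0;
    for (; *names; names++) {
        int bit = cap_lookup(*names);
        if (bit < 0) {
            fprintf(stderr, "unknown capability in config: %s\n", *names);
            return -1;
        }
        m |= (uint64_t)1 << bit;
    }
    *out = m;
    return 0;
}

/* Apply cap.keep / cap.drop to 'current'; returns the remaining set,
 * or 0 with *err = 1 if either list names an unknown capability. */
static uint64_t cap_apply(uint64_t current, const char *const *keep,
                          const char *const *drop, int *err)
{
    uint64_t keep_mask = 0, drop_mask = 0;

    *err = 0;
    if (cap_mask_from_list(keep, &keep_mask) ||
        cap_mask_from_list(drop, &drop_mask)) {
        *err = 1;
        return 0;
    }
    if (keep_mask)               /* rule 1: non-empty keep list is a whitelist */
        current &= keep_mask;
    current &= ~drop_mask;       /* rule 2: drop always applies */
    return current;
}

int main(void)
{
    /* Constructed equivalent of the JSON in the mail:
     * { "cap.keep": ["cap_net_raw"], "cap.drop": [] } */
    const char *const keep[] = { "cap_net_raw", NULL };
    const char *const drop[] = { NULL };
    int err;
    uint64_t left = cap_apply(cap_all(), keep, drop, &err);

    for (size_t i = 0; i < CAP_TABLE_LEN; i++)
        printf("%-22s %s\n", cap_table[i].name,
               ((left >> cap_table[i].bit) & 1) ? "kept" : "dropped");
    return err;
}
```

Running it prints every table entry as dropped except cap_net_raw. Swapping the lists lets you check the edge cases the mail's two sentences imply: an empty cap.keep leaves everything except cap.drop, and a capability listed in both cap.keep and cap.drop is dropped.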


>
>         John
>
> On 01/12/2015 00:09, Etienne CHAMPETIER wrote:
> > Signed-off-by: Etienne CHAMPETIER <champetier.etienne at gmail.com>
> > ---
> >  service/instance.c | 22 ++++++++++++++++++++++
> >  service/instance.h |  1 +
> >  2 files changed, 23 insertions(+)
> >
> > diff --git a/service/instance.c b/service/instance.c
> > index c478d4b..0f4e711 100644
> > --- a/service/instance.c
> > +++ b/service/instance.c
> > @@ -52,6 +52,7 @@ enum {
> >       INSTANCE_ATTR_JAIL,
> >       INSTANCE_ATTR_TRACE,
> >       INSTANCE_ATTR_SECCOMP,
> > +     INSTANCE_ATTR_CAPABILITIES,
> >       __INSTANCE_ATTR_MAX
> >  };
> >
> > @@ -73,6 +74,7 @@ static const struct blobmsg_policy
> instance_attr[__INSTANCE_ATTR_MAX] = {
> >       [INSTANCE_ATTR_JAIL] = { "jail", BLOBMSG_TYPE_TABLE },
> >       [INSTANCE_ATTR_TRACE] = { "trace", BLOBMSG_TYPE_BOOL },
> >       [INSTANCE_ATTR_SECCOMP] = { "seccomp", BLOBMSG_TYPE_STRING },
> > +     [INSTANCE_ATTR_CAPABILITIES] = { "capabilities",
> BLOBMSG_TYPE_STRING },
> >  };
> >
> >  enum {
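Review bot: The new "capabilities" attribute carries a path to a JSON file, not a list of capability names, and neither this hunk nor the commit message says so; a short comment beside `[INSTANCE_ATTR_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_STRING },` noting that the string is the file handed to ujail -C (the stat() in instance_config_parse depends on that) would spare init-script authors a trip into the ujail source.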
> > @@ -186,6 +188,11 @@ jail_run(struct service_instance *in, char **argv)
> >               argv[argc++] = in->seccomp;
> >       }
> >
> > +     if (in->capabilities) {
> > +             argv[argc++] = "-C";
> > +             argv[argc++] = in->capabilities;
> > +     }
> > +
> >       if (jail->procfs)
> >               argv[argc++] = "-p";
> >
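Review bot: jail_run hands the host-side path straight to ujail as the `-C` argument, so ujail must either read the file before it switches root or have it mounted inside the jail; the reply above says the file is currently mounted into the jail as a stopgap. Nothing here needs to change once ujail reads the config before building the jail filesystem, but a comment recording that ordering assumption would stop someone from "fixing" the mount later and silently breaking -C.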
> > @@ -666,6 +673,9 @@ instance_jail_parse(struct service_instance *in,
> struct blob_attr *attr)
> >       if (in->seccomp)
> >               jail->argc += 2;
> >
> > +     if (in->capabilities)
> > +             jail->argc += 2;
> > +
> >       return 1;
> >  }
> >
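Review bot: The `jail->argc += 2` here is only right because instance_config_parse sets in->capabilities before it calls instance_jail_parse (see the following hunk); if that order ever changes, jail_run emits two more argv entries than this tally accounts for. A one-line comment tying the count to the `-C` pair added in jail_run, as the existing seccomp increment implicitly relies on, would make the coupling visible.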
> > @@ -752,6 +762,15 @@ instance_config_parse(struct service_instance *in)
> >               else
> >                       in->seccomp = seccomp;
> >       }
> > +     if (!in->trace && tb[INSTANCE_ATTR_CAPABILITIES]) {
> > +             char *capabilities =
> blobmsg_get_string(tb[INSTANCE_ATTR_CAPABILITIES]);
> > +             struct stat s;
> > +
> > +             if (stat(capabilities, &s))
> > +                     ERROR("%s: not dropping capabilities as %s is
> missing\n", in->name, capabilities);
> > +             else
> > +                     in->capabilities = capabilities;
> > +     }
> >       if (!in->trace && tb[INSTANCE_ATTR_JAIL])
> >               in->has_jail = instance_jail_parse(in,
> tb[INSTANCE_ATTR_JAIL]);
> >
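Review bot: The stat() branch fails open: when the file is missing the instance still starts with its full capability set and the only trace is an ERROR line. For a privilege-reduction control that is the wrong default; either refuse to start the instance, or at minimum make the message say the service is now running without capability restrictions rather than "not dropping capabilities". Note also that stat() only proves the path exists, not that it is readable or valid JSON, so a garbled file is left for ujail to reject. The seccomp block directly above has the same shape, so whichever behaviour is chosen should be applied to both.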
> > @@ -935,6 +954,9 @@ void instance_dump(struct blob_buf *b, struct
> service_instance *in, int verbose)
> >       if (in->seccomp)
> >               blobmsg_add_string(b, "seccomp", in->seccomp);
> >
> > +     if (in->capabilities)
> > +             blobmsg_add_string(b, "capabilities", in->capabilities);
> > +
> >       if (in->has_jail) {
> >               void *r = blobmsg_open_table(b, "jail");
> >               if (in->jail.name)
> > diff --git a/service/instance.h b/service/instance.h
> > index 5a76841..19f780d 100644
> > --- a/service/instance.h
> > +++ b/service/instance.h
> > @@ -53,6 +53,7 @@ struct service_instance {
> >       bool has_jail;
> >       struct jail jail;
> >       char *seccomp;
> > +     char *capabilities;
> >
> >       uint32_t respawn_timeout;
> >       uint32_t respawn_threshold;
> >
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>