<div dir="ltr">Hi,<br><div class="gmail_extra"><br><div class="gmail_quote">2015-12-11 12:00 GMT+01:00 John Crispin <span dir="ltr"><<a href="mailto:blogic@openwrt.org" target="_blank">blogic@openwrt.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
nice to see cpas being added. please expalin a bit about the file that<br>
needs to be created for it to work<br></blockquote><div><br></div><div>I'll document that in the future README.<br></div><div>i've put a small exemple into the commit that introduced capabilities:<br><a href="http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0">http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0</a><br></div><div>-C option take a file with json in it, like<br>{<br>"cap.keep": [<br>        "cap_net_raw"<br>],<br>"cap.drop": []<br>}<br></div><div><br>The capabilities are lower case in the config<br>If there is one or more capabilities in cap.keep, drop all capabilities not in cap.keep.<br>Always drop all capabilities in cap.drop<br></div><div><br></div><div>so in the exemple we only keep cap_net_raw<br><br></div><div>activating debug (ujail -d) should help (it prints every drop or keep, ...)<br></div><div>you also have the full list of capabilities supported by your kernel<br></div><div>see man capabilites (<a href="http://man7.org/linux/man-pages/man7/capabilities.7.html">http://man7.org/linux/man-pages/man7/capabilities.7.html</a>)<br></div><div>for more infos on each capabilities<br></div><div><br></div><div>i just saw that for now i'm mounting the capabilities conf into the jail,<br></div><div>where i could just read it before building the fs jail (one more todo :) )<br></div><div><br></div><div>Etienne<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
        John<br>
<div><div class="h5"><br>
On 01/12/2015 00:09, Etienne CHAMPETIER wrote:<br>
> Signed-off-by: Etienne CHAMPETIER <<a href="mailto:champetier.etienne@gmail.com">champetier.etienne@gmail.com</a>><br>
> ---<br>
>  service/instance.c | 22 ++++++++++++++++++++++<br>
>  service/instance.h |  1 +<br>
>  2 files changed, 23 insertions(+)<br>
><br>
> diff --git a/service/instance.c b/service/instance.c<br>
> index c478d4b..0f4e711 100644<br>
> --- a/service/instance.c<br>
> +++ b/service/instance.c<br>
> @@ -52,6 +52,7 @@ enum {<br>
>       INSTANCE_ATTR_JAIL,<br>
>       INSTANCE_ATTR_TRACE,<br>
>       INSTANCE_ATTR_SECCOMP,<br>
> +     INSTANCE_ATTR_CAPABILITIES,<br>
>       __INSTANCE_ATTR_MAX<br>
>  };<br>
><br>
> @@ -73,6 +74,7 @@ static const struct blobmsg_policy instance_attr[__INSTANCE_ATTR_MAX] = {<br>
>       [INSTANCE_ATTR_JAIL] = { "jail", BLOBMSG_TYPE_TABLE },<br>
>       [INSTANCE_ATTR_TRACE] = { "trace", BLOBMSG_TYPE_BOOL },<br>
>       [INSTANCE_ATTR_SECCOMP] = { "seccomp", BLOBMSG_TYPE_STRING },<br>
> +     [INSTANCE_ATTR_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_STRING },<br>
>  };<br>
><br>
>  enum {<br>
> @@ -186,6 +188,11 @@ jail_run(struct service_instance *in, char **argv)<br>
>               argv[argc++] = in->seccomp;<br>
>       }<br>
><br>
> +     if (in->capabilities) {<br>
> +             argv[argc++] = "-C";<br>
> +             argv[argc++] = in->capabilities;<br>
> +     }<br>
> +<br>
>       if (jail->procfs)<br>
>               argv[argc++] = "-p";<br>
><br>
> @@ -666,6 +673,9 @@ instance_jail_parse(struct service_instance *in, struct blob_attr *attr)<br>
>       if (in->seccomp)<br>
>               jail->argc += 2;<br>
><br>
> +     if (in->capabilities)<br>
> +             jail->argc += 2;<br>
> +<br>
>       return 1;<br>
>  }<br>
><br>
> @@ -752,6 +762,15 @@ instance_config_parse(struct service_instance *in)<br>
>               else<br>
>                       in->seccomp = seccomp;<br>
>       }<br>
> +     if (!in->trace && tb[INSTANCE_ATTR_CAPABILITIES]) {<br>
> +             char *capabilities = blobmsg_get_string(tb[INSTANCE_ATTR_CAPABILITIES]);<br>
> +             struct stat s;<br>
> +<br>
> +             if (stat(capabilities, &s))<br>
> +                     ERROR("%s: not dropping capabilities as %s is missing\n", in->name, capabilities);<br>
> +             else<br>
> +                     in->capabilities = capabilities;<br>
> +     }<br>
>       if (!in->trace && tb[INSTANCE_ATTR_JAIL])<br>
>               in->has_jail = instance_jail_parse(in, tb[INSTANCE_ATTR_JAIL]);<br>
><br>
> @@ -935,6 +954,9 @@ void instance_dump(struct blob_buf *b, struct service_instance *in, int verbose)<br>
>       if (in->seccomp)<br>
>               blobmsg_add_string(b, "seccomp", in->seccomp);<br>
><br>
> +     if (in->capabilities)<br>
> +             blobmsg_add_string(b, "capabilities", in->capabilities);<br>
> +<br>
>       if (in->has_jail) {<br>
>               void *r = blobmsg_open_table(b, "jail");<br>
>               if (in-><a href="http://jail.name" rel="noreferrer" target="_blank">jail.name</a>)<br>
> diff --git a/service/instance.h b/service/instance.h<br>
> index 5a76841..19f780d 100644<br>
> --- a/service/instance.h<br>
> +++ b/service/instance.h<br>
> @@ -53,6 +53,7 @@ struct service_instance {<br>
>       bool has_jail;<br>
>       struct jail jail;<br>
>       char *seccomp;<br>
> +     char *capabilities;<br>
><br>
>       uint32_t respawn_timeout;<br>
>       uint32_t respawn_threshold;<br>
><br>
</div></div>_______________________________________________<br>
openwrt-devel mailing list<br>
<a href="mailto:openwrt-devel@lists.openwrt.org">openwrt-devel@lists.openwrt.org</a><br>
<a href="https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel" rel="noreferrer" target="_blank">https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel</a><br>
</blockquote></div><br></div></div>