<div dir="ltr">Hi,<br><div><div class="gmail_extra"><br><div class="gmail_quote">2015-12-17 9:20 GMT+01:00 Daniel Dickinson <span dir="ltr"><<a href="mailto:openwrt@daniel.thecshore.com" target="_blank">openwrt@daniel.thecshore.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
Speaking of jails, is it possible yet to automagically detect the dependencies for multiple binaries (there is a package I've got a pull request to add to the packages feed that I haven't jailed because of a dependency on another program; if that other program can be included in the jail without having to manually figure out library dependencies I'll move it as well)?<br></blockquote><div><br></div><div>Yes, I've recently added that: each file that you add to the jail is now "parsed"; if it's an ELF, all needed libs (.so) are added; if it's a script (#!), the interpreter is added.<br></div><div><a href="http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=15ff8b1d09187c11b1331f811cc75b0dd2076827">http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=15ff8b1d09187c11b1331f811cc75b0dd2076827</a><br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
I'll do some additional testing etc. with sysntpd to see about narrowing its privileges.<br>
<br>
Regards,<br>
<br>
Daniel<span class=""><br>
<br>
On 17/12/15 03:14 AM, Etienne Champetier wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">
Hi,<br>
<br>
2015-12-16 23:34 GMT+01:00 <<a href="mailto:openwrt@daniel.thecshore.com" target="_blank">openwrt@daniel.thecshore.com</a><br></span>
<mailto:<a href="mailto:openwrt@daniel.thecshore.com" target="_blank">openwrt@daniel.thecshore.com</a>>>:<br>
<br>
From: Daniel Dickinson <<a href="mailto:openwrt@daniel.thecshore.com" target="_blank">openwrt@daniel.thecshore.com</a><br>
<mailto:<a href="mailto:openwrt@daniel.thecshore.com" target="_blank">openwrt@daniel.thecshore.com</a>>><span class=""><br>
<br>
Note that not all of procfs, sysfs, log and ubus may be required for actual<br>
operation; they are just what strace reveals attempting to make accesses.<br>
<br>
Signed-off-by: Daniel Dickinson <<a href="mailto:openwrt@daniel.thecshore.com" target="_blank">openwrt@daniel.thecshore.com</a><br></span>
<mailto:<a href="mailto:openwrt@daniel.thecshore.com" target="_blank">openwrt@daniel.thecshore.com</a>>><div><div class="h5"><br>
---<br>
package/utils/busybox/files/sysntpd | 4 ++++<br>
1 file changed, 4 insertions(+)<br>
<br>
diff --git a/package/utils/busybox/files/sysntpd<br>
b/package/utils/busybox/files/sysntpd<br>
index f73bb83..e61c9fc 100755<br>
--- a/package/utils/busybox/files/sysntpd<br>
+++ b/package/utils/busybox/files/sysntpd<br>
@@ -31,7 +31,11 @@ start_service() {<br>
for peer in $server; do<br>
procd_append_param command -p $peer<br>
done<br>
+ touch /var/run/ntpd.pid<br>
procd_set_param respawn<br>
+ procd_add_jail sysntpd procfs sysfs log ubus<br>
+ procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf<br>
/tmp/resolv.conf /etc/hosts /etc/TZ<br>
+ procd_add_jail_mount_rw /var/run/ntpd.pid<br>
procd_close_instance<br>
}<br>
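Review bot: the procfs and sysfs entries in `procd_add_jail sysntpd procfs sysfs log ubus` hand the jailed daemon /proc and /sys while the commit message says those were only observed under strace, not confirmed necessary; since root inside the jail is the same as root outside (no user namespaces), each of them should be removed in turn and sysntpd retested, and the jail should be paired with `procd_set_param capabilities` pointing at a JSON file and `procd_set_param no_new_privs 1` so the daemon actually loses privilege rather than only losing a view of the filesystem. The `touch /var/run/ntpd.pid` ahead of `procd_add_jail_mount_rw /var/run/ntpd.pid` is the right order (a bind mount needs an existing target), and keeping it as the single writable path while `/etc/resolv.conf`, `/tmp/resolv.conf`, `/etc/hosts` and `/etc/TZ` go in read-only is consistent as long as ntpd never writes to those.<br>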
<br>
<br>
Nice to see people jailing daemons.<br>
I've added some features to ujail recently but they lack proper documentation<br>
<a href="https://dev.openwrt.org/changeset/47862/trunk" rel="noreferrer" target="_blank">https://dev.openwrt.org/changeset/47862/trunk</a><br>
<br>
Keep in mind that root inside the jail is the same as root outside it<br>
(we don't use user namespaces for now),<br>
so sysntpd is still root and has access to /proc and /sys, so it can do<br>
lots of things.<br>
<br>
Can you try to add capability restrictions?<br>
procd_set_param capabilities <json file><br>
for the syntax see<br>
<a href="http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0" rel="noreferrer" target="_blank">http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0</a><br>
<br>
Maybe you can also add<br>
procd_set_param no_new_privs 1<br>
which prevents the process from gaining new privileges (this disables suid ...)<br>
<br>
Etienne<br>
<br>
</div></div></blockquote>
</blockquote></div><br></div></div></div>
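The two settings Etienne suggests above, `no_new_privs 1` and a capabilities allow-list, correspond to Linux prctl() operations that ujail applies before handing control to the daemon. The program below is an added example, not procd or ujail code, showing what those two knobs do at the kernel level: setting the no_new_privs flag (after which execve() of a setuid binary cannot raise privilege, which is why root-in-jail is still worth constraining) and dropping every capability except an allow-list from the bounding set. It assumes a Linux host; `ntp_allowed_caps` is a hypothetical allow-list standing in for what a procd capabilities JSON file would express, and the JSON syntax itself is not shown since the thread only links to it.

```c
/* Added example (not procd/ujail code): the Linux primitives that
 * "procd_set_param no_new_privs 1" and a capabilities allow-list map onto.
 * Assumes a Linux host. The allow-list below is a hypothetical stand-in
 * for the contents of a procd capabilities JSON file. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Hypothetical allow-list for an NTP client: set the clock, bind port 123. */
static const int ntp_allowed_caps[] = { CAP_SYS_TIME, CAP_NET_BIND_SERVICE };
static const size_t ntp_allowed_count =
    sizeof(ntp_allowed_caps) / sizeof(ntp_allowed_caps[0]);

static int cap_in_list(int cap, const int *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == cap)
            return 1;
    return 0;
}

/* Set the no_new_privs flag for this process (inherited by children, never
 * cleared): execve() of a setuid/setgid or file-capability binary no longer
 * raises privilege. Returns 1 if the kernel reports the flag set afterwards. */
int set_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return 0;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1;
}

/* 1 if cap is still in the bounding set, 0 if it has been dropped, -1 if the
 * running kernel does not know this capability number. */
int bounding_has(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Number of capabilities currently in the bounding set. */
int count_bounding_caps(void)
{
    int n = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        int r = bounding_has(cap);
        if (r < 0)      /* header newer than kernel: stop at first unknown cap */
            break;
        n += r;
    }
    return n;
}

/* Drop every capability not on the allow-list from the bounding set, so it can
 * never be regained across execve(). Needs CAP_SETPCAP in the caller; returns
 * the number dropped, or -errno (-EPERM when unprivileged) on the first failure. */
int restrict_bounding_set(const int *allowed, size_t n_allowed)
{
    int dropped = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (cap_in_list(cap, allowed, n_allowed))
            continue;
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0) {
            dropped++;
        } else if (errno == EINVAL) {
            continue;   /* capability unknown to this kernel: nothing to drop */
        } else {
            return -errno;
        }
    }
    return dropped;
}

int main(void)
{
    printf("bounding caps before: %d\n", count_bounding_caps());
    int r = restrict_bounding_set(ntp_allowed_caps, ntp_allowed_count);
    if (r < 0)
        printf("bounding set unchanged (prctl failed, errno %d; CAP_SETPCAP needed)\n", -r);
    else
        printf("dropped %d caps, %d remain\n", r, count_bounding_caps());
    printf("no_new_privs set: %s\n", set_no_new_privs() ? "yes" : "no");
    return 0;
}
```

Run as an unprivileged user the bounding-set drop fails with EPERM and only no_new_privs takes effect; run as root (as procd does when launching a service) the bounding set shrinks to the allow-list, which is the state a jailed sysntpd would start in. The order matters: the bounding set is pruned first, then no_new_privs is set, and only after that is the daemon exec'd.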