<div dir="ltr">adding openwrt-devel<br><div><div class="gmail_extra"><br><div class="gmail_quote">2015-12-17 9:14 GMT+01:00 Etienne Champetier <span dir="ltr"><<a href="mailto:champetier.etienne@gmail.com" target="_blank">champetier.etienne@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">2015-12-16 23:34 GMT+01:00 <span dir="ltr"><<a href="mailto:openwrt@daniel.thecshore.com" target="_blank">openwrt@daniel.thecshore.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">From: Daniel Dickinson <<a href="mailto:openwrt@daniel.thecshore.com" target="_blank">openwrt@daniel.thecshore.com</a>><br>
<br>
Note that not all of procfs sysfs log and ubus may be required for actual<br>
operation, they are just what strace reveals attempting to make accesses.<br>
<br>
Signed-off-by: Daniel Dickinson <<a href="mailto:openwrt@daniel.thecshore.com" target="_blank">openwrt@daniel.thecshore.com</a>><br>
---<br>
package/utils/busybox/files/sysntpd | 4 ++++<br>
1 file changed, 4 insertions(+)<br>
<br>
diff --git a/package/utils/busybox/files/sysntpd b/package/utils/busybox/files/sysntpd<br>
index f73bb83..e61c9fc 100755<br>
--- a/package/utils/busybox/files/sysntpd<br>
+++ b/package/utils/busybox/files/sysntpd<br>
@@ -31,7 +31,11 @@ start_service() {<br>
for peer in $server; do<br>
procd_append_param command -p $peer<br>
done<br>
+ touch /var/run/ntpd.pid<br>
procd_set_param respawn<br>
+ procd_add_jail sysntpd procfs sysfs log ubus<br>
+ procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf /tmp/resolv.conf /etc/hosts /etc/TZ<br>
+ procd_add_jail_mount_rw /var/run/ntpd.pid<br>
procd_close_instance<br>
}<br>
<span><font color="#888888"><br></font></span></blockquote><div><br></div></span><div>Nice to see people jailing daemon.<br></div><div>I've added some feature to ujail recently but it lack proper documentation<span><br></span><a href="https://dev.openwrt.org/changeset/47862/trunk" target="_blank">https://dev.openwrt.org/changeset/47862/trunk</a><br><br>Keep in mind that root inside the jail is the same as root outside it (we don't use user namespace for now),<br>so sysntpd is still root and has access to /proc and /sys, so he can do lots of things<br></div><div><br>Can you try to add capabilities restrictions ?<br>procd_set_param capabilities <json file><br></div></div>for the syntax see<br><a href="http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0" target="_blank">http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0</a><br><br>maybe you can also add<br><span>procd_set_param no_new_privs 1<br></span></div><div class="gmail_extra"><span>which prevent the process to gain new privileges (this disable suid ...)<span class="HOEnZb"><font color="#888888"><br></font></span></span></div><span class="HOEnZb"><font color="#888888"><div class="gmail_extra"><span><br></span></div><div class="gmail_extra">Etienne<br></div><div class="gmail_extra"><br></div></font></span></div>
</blockquote></div><br></div></div></div>