path: root/jail
2015-10-07  jail: allow to not use namespaces  (Etienne CHAMPETIER)
Building a generic jail can be hard; choosing to drop some capabilities can be easier. This commit permits using namespaces, capabilities and seccomp combined as you like.
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-07  jail: cleanup include  (Etienne CHAMPETIER)
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-07  jail: add capabilities support  (Etienne CHAMPETIER)
If there are one or more capabilities in cap.keep, drop all capabilities not in cap.keep. Always drop all capabilities in cap.drop.
Example JSON syntax:
    {
        "cap.keep": [ "cap_net_raw" ],
        "cap.drop": []
    }
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
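As an added example (not code from procd or from this commit), the cap.keep/cap.drop rule described above resolved into a capability bitmask, with drop_bounding_set() showing one way to apply such a set through prctl(PR_CAPBSET_DROP); the function names, the bitmask representation and the use of the bounding set are assumptions, not ujail's own API.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
/* Linux capability names indexed by their number (cap_chown = 0 ... cap_audit_read = 37). */
static const char *const cap_names[] = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid", "cap_kill",
    "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable", "cap_net_bind_service",
    "cap_net_broadcast", "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace", "cap_sys_pacct",
    "cap_sys_admin", "cap_sys_boot", "cap_sys_nice", "cap_sys_resource", "cap_sys_time",
    "cap_sys_tty_config", "cap_mknod", "cap_lease", "cap_audit_write", "cap_audit_control",
    "cap_setfcap", "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
};
#define NCAPS (sizeof(cap_names) / sizeof(cap_names[0]))

/* Name -> capability number, or -1 for an unknown name (a typo must not silently keep a cap). */
static int cap_number(const char *name)
{
    for (size_t i = 0; i < NCAPS; i++)
        if (strcmp(name, cap_names[i]) == 0) return (int)i;
    return -1;
}

/* The cap.keep / cap.drop rule (hypothetical helper): a non-empty keep list retains only those
 * capabilities, then every drop entry is removed, so a name present in both lists ends up dropped.
 * Returns the retained set as a bitmask (bit n = capability n), or -1 on an unknown name. */
static int64_t resolve_caps(const char *const *keep, size_t nkeep, const char *const *drop, size_t ndrop)
{
    int64_t mask = nkeep ? 0 : (INT64_C(1) << NCAPS) - 1;   /* empty keep list: start from all */
    for (size_t i = 0; i < nkeep; i++) {
        int n = cap_number(keep[i]);
        if (n < 0) return -1;
        mask |= INT64_C(1) << n;
    }
    for (size_t i = 0; i < ndrop; i++) {
        int n = cap_number(drop[i]);
        if (n < 0) return -1;
        mask &= ~(INT64_C(1) << n);
    }
    return mask;
}

/* Remove every capability outside mask from the bounding set, so no later execve (even of a
 * setuid or file-capability binary) can regain it. PR_CAPBSET_DROP needs CAP_SETPCAP, i.e. root. */
static int drop_bounding_set(int64_t mask)
{
    for (size_t i = 0; i < NCAPS; i++)
        if (!(mask & (INT64_C(1) << i)) && prctl(PR_CAPBSET_DROP, i, 0, 0, 0))
            return -errno;   /* -EPERM when called without CAP_SETPCAP */
    return 0;
}
```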
2015-10-03  jail: reworks & cleanups  (Etienne CHAMPETIER)
- use EXIT_SUCCESS/EXIT_FAILURE (not -1)
- parse every option in main, put them in opts struct
- add CLONE_NEWIPC to the clone() call (it's already compiled in openwrt kernel)
- return the exit status of the jailed process, or the num of the signal that killed it
- add missing options to usage()
- add a warning in usage() about ujail security
- debug option can now take an int as parameter (~debug level), with -d2 you now activate "LD_DEBUG=all" for example
- do not depend on libpreload-seccomp.so if -S is not present
- there is now only one ujail process instead of two

jail creation is now as follows:
1) create jail root dir (mkdir)
2) create new namespace (clone) (in the parent wait for the child with uloop)
3) build the jail root fs (mount bind all the libs/bins ...), pivot_root and mount special fs (procfs, sysfs) (build_jail_fs())
4) build envp (LD_PRELOAD the seccomp helper or ...)
5) drop capabilities (next patch)
6) execve the jailed bin
7) remove jail root dir (once child is dead)
there is no need to umount anything because we are already in a namespace

Todo:
- allow signals from the parent to the child

Feature request:
- when we add a file or dir, detect if it's an exec and add its dependencies

Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-03  jail, seccomp: remove useless root check  (Etienne CHAMPETIER)
prctl(PR_SET_NO_NEW_PRIVS, 1) is enough, we don't require CAP_SYS_ADMIN, see
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-10-03  jail, seccomp: fix typo/improve log prefix  (Etienne CHAMPETIER)
(perload-jail -> preload-seccomp)
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-07-24  jail: fix jail root folder permissions  (Etienne CHAMPETIER)
We need a+x rights on the path to the root of the jails so we can use users other than root (like nobody). This partly fixes jailed dnsmasq.
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
2015-05-14  jail: respect byte order when setting AUDIT_ARCH  (Daniel Golle)
AUDIT_ARCH on ARM and MIPS differs depending on the byte order. Thus set AUDIT_ARCH to the respective endian-specific variants.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2015-05-14  jail: add support for ARM architecture  (Daniel Golle)
SECCOMP_FILTER isn't supported on ARM OABI. Thus enable seccomp support in jail only for EABI. thumb might work as well as it apparently implies EABI, but yet doesn't set __ARM_EABI__.
The REG_SYSCALL macro seems to be an unused left-over. However, it's defined for other architectures as well.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2015-03-28  properly handle return codes  (John Crispin)
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-03-27  make it optional to remount the tmpfs as ro  (John Crispin)
Signed-off-by: John Crispin <blogic@openwrt.org>
2015-03-23  add initial version of ujail and utrace  (John Crispin)
Signed-off-by: John Crispin <blogic@openwrt.org>