Age | Commit message (Collapse) | Author |
|
|
|
otherwise LOG_USER/LOG_EMERG is used
Signed-off-by: Ulrich Weber <uw@ocedo.com>
|
|
this completes fafbf7338ec8304f2a0ec0ba76048fba2c01c07e
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
|
|
building a generic jail can be hard,
choosing to drop some capabilities can be easier.
This commit permit to use namespaces, capabilities
and seccomp combined as you like.
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
|
|
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
|
|
If there is one or more capabilities in cap.keep,
drop all capabilities not in cap.keep.
Always drop all capabalities in cap.drop
exemple json syntax:
{
"cap.keep": [
"cap_net_raw"
],
"cap.drop": []
}
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
|
|
-use EXIT_SUCCESS/EXIT_FAILURE (not -1)
-parse every option in main, put them in opts struct
-add CLONE_NEWIPC to the clone() call (it's already compiled in openwrt kernel)
-return the exit status of the jailed process, or the num of the signal that killed it
-add missing options to usage()
-add a warning in usage() about ujail security
-debug option can now take an int as parameter (~debug level),
with -d2 you now activate "LD_DEBUG=all" for exemple
-do not depend on libpreload-seccomp.so if -S is not present
-there is now only one ujail process instead of two
jail creation is now as follow:
1) create jail root dir (mkdir)
2) create new namespace (clone)
(in the parent wait for the child with uloop)
3) build the jail root fs (mount bind all the libs/bins ...),
pivot_root and mount special fs (procfs, sysfs) (build_jail_fs())
4) build envp (LD_PRELOAD the seccomp helper or ...)
5) drop capabilities (next patch)
6) execve the jailed bin
7) remove jail root dir (once child is dead)
there is no need to umount anything because we are already in a namespace
Todo:
-allow signals from the parent to the child
Feature request:
-when we add a file or dir, detect if it's an exec and add it's dependencies
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
|
|
prctl(PR_SET_NO_NEW_PRIVS, 1) is enough, we don't require CAP_SYS_ADMIN
see
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
|
|
(perload-jail -> preload-seccomp)
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
|
|
We need a+x rights on the path to the root of the jails
so we can use users other than root (like nobody)
This partly fixes jailed dnsmasq
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
|
|
AUDIT_ARCH on ARM and MIPS differs depending on the byte order.
Thus set AUDIT_ARCH to the respective endian-specific variants.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
SECCOMP_FILTER isn't supported on ARM OABI.
Thus enable seccomp support in jail only for EABI.
thumb might work as well as it apparently implies EABI, but
yet doesn't set __ARM_EABI__.
The REG_SYSCALL macro seems to be an unused left-over.
However, it's defined for other architectures as well.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
Signed-off-by: John Crispin <blogic@openwrt.org>
|
|
Signed-off-by: John Crispin <blogic@openwrt.org>
|
|
Signed-off-by: John Crispin <blogic@openwrt.org>
|