mdns: add jail and seccomp support

Signed-off-by: John Crispin <blogic@openwrt.org>

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@45012 3c298f89-4303-0410-b956-a3cf2f4a3e73
master
John Crispin 2015-03-26 10:58:44 +00:00
parent 324ca9971e
commit 438c19fc32
4 changed files with 38 additions and 1 deletions


@ -20,6 +20,7 @@ PKG_SOURCE_VERSION:=a5560f88bb2cddeef0ef11a12e7822b9c19a75a5
PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>
PKG_LICENSE:=LGPL-2.1
include $(INCLUDE_DIR)/package-seccomp.mk
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk
@ -37,6 +38,7 @@ define Package/mdns/install
$(INSTALL_BIN) $(PKG_BUILD_DIR)/mdns $(1)/usr/sbin/
$(INSTALL_BIN) ./files/mdns.init $(1)/etc/init.d/mdns
$(INSTALL_CONF) ./files/mdns.config $(1)/etc/config/mdns
$(call InstallSeccomp,$(1),./files/mdns.json)
endef
$(eval $(call BuildPackage,mdns))
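Review bot: The install step and the init script agree on the profile's location only by convention: `$(call InstallSeccomp,$(1),./files/mdns.json)` leaves the destination to the macro, while the init script hard-codes `/etc/seccomp/mdns.json`. The macro comes from `package-seccomp.mk`, which is not shown on this page, so it is worth confirming that it always installs the file. If it can expand to nothing when seccomp is disabled in the build, the service would be started with a profile path that does not exist. A comment above the call, such as `# installed as /etc/seccomp/mdns.json, referenced by files/mdns.init`, would record the coupling.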


@ -1,2 +1,3 @@
config mdns
option jail 1
list network lan


@ -35,6 +35,7 @@ start_service() {
procd_open_instance
procd_set_param command "$PROG"
procd_set_param seccomp /etc/seccomp/mdns.json
procd_set_param respawn
procd_open_trigger
procd_add_config_trigger "config.change" "mdns" /etc/init.d/mdns reload
@ -43,10 +44,11 @@ start_service() {
done
procd_add_raw_trigger "instance.update" 5000 "/bin/ubus" "call" "mdns" "reload"
procd_close_trigger
[ "$(uci get mdns.@mdns[-1].jail)" = 1 ] && procd_add_jail mdns ubus log
procd_close_instance
}
service_started() {
ubus wait_for -t 5 mdns
ubus wait_for -t 10 mdns
[ $? = 0 ] && reload_service
}
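Review bot: The jail check added to `start_service` fails open. `[ "$(uci get mdns.@mdns[-1].jail)" = 1 ]` matches only the literal `1`, so a missing option, a uci error, or a boolean spelled `true` or `on` starts the daemon unjailed with nothing logged. Using `uci -q get` keeps the error text off the console, and a logged message when the jail is skipped would make the unconfined state visible, for example `logger -t mdns "jail disabled by config"` in an else branch. The body of `start_service` begins outside the hunk, so whether the config is already loaded there cannot be seen from here.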


@ -0,0 +1,32 @@
{
"whitelist": [
"read",
"write",
"open",
"close",
"time",
"brk",
"ioctl",
"uname",
"bind",
"connect",
"getsockname",
"recvmsg",
"sendmsg",
"sendto",
"setsockopt",
"socket",
"poll",
"fcntl64",
"epoll_create",
"epoll_ctl",
"epoll_wait",
"rt_sigaction",
"sigreturn",
"rt_sigreturn",
"exit_group",
"exit",
"clock_gettime"
],
"policy": 1
}
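Review bot: The whitelist looks tied to one architecture: `fcntl64` exists only on 32-bit ABIs, and `time` and `sigreturn` are absent on several targets, so on other builds the daemon would likely need names such as `fcntl` that are not listed. The meaning of `"policy": 1` is not visible on this page; if it is an enforcing default action, an unlisted syscall ends the process and the `respawn` parameter in the init script restarts it repeatedly, and if it is permissive the filter confines nothing. JSON cannot carry comments, so the commit message or the package Makefile should state what policy value 1 means and which target and libc the list was traced on. The list also allows `open`, `ioctl`, `socket` and `connect` with no argument restriction, which is worth recording as a known limit of the profile.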