transmission: add seccomp filter and improve jail
authorDaniel Golle <daniel@makrotopia.org>
Fri, 3 Jan 2020 19:37:53 +0000 (21:37 +0200)
committerDaniel Golle <daniel@makrotopia.org>
Sat, 4 Jan 2020 15:09:21 +0000 (17:09 +0200)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
net/transmission/Makefile
net/transmission/files/transmission-daemon.json [new file with mode: 0644]
net/transmission/files/transmission.init

index 06c45f0d71a015ad93fd1346bb8d17b545661045..a2e9c94d839fd4ed6963f406af07fb9b44a64231 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=transmission
 PKG_VERSION:=2.94
-PKG_RELEASE:=8
+PKG_RELEASE:=9
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GITHUB/transmission/transmission-releases/master
@@ -24,6 +24,7 @@ PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 
 include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/package-seccomp.mk
 
 define Package/transmission/template
   SUBMENU:=BitTorrent
@@ -150,6 +151,7 @@ define Package/transmission-daemon-openssl/install
        $(INSTALL_CONF) files/transmission.config $(1)/etc/config/transmission
        $(INSTALL_DIR) $(1)/etc/sysctl.d/
        $(INSTALL_CONF) files/transmission.sysctl $(1)/etc/sysctl.d/20-transmission.conf
+       $(call InstallSeccomp,$(1),./files/transmission-daemon.json)
 endef
 Package/transmission-daemon-mbedtls/install = $(Package/transmission-daemon-openssl/install)
 
diff --git a/net/transmission/files/transmission-daemon.json b/net/transmission/files/transmission-daemon.json
new file mode 100644 (file)
index 0000000..e284886
--- /dev/null
@@ -0,0 +1,74 @@
+{
+       "whitelist": [
+               "accept4",
+               "access",
+               "arm_fadvise64_64",
+               "bind",
+               "brk",
+               "clock_gettime",
+               "clone",
+               "close",
+               "connect",
+               "epoll_create1",
+               "epoll_ctl",
+               "epoll_pwait",
+               "exit",
+               "exit_group",
+               "fadvise64",
+               "fallocate",
+               "fcntl",
+               "fcntl64",
+               "fstat",
+               "fstat64",
+               "fsync",
+               "futex",
+               "getdents64",
+               "getpeername",
+               "getpid",
+               "getsockname",
+               "getsockopt",
+               "ioctl",
+               "listen",
+               "_llseek",
+               "lseek",
+               "madvise",
+               "membarrier",
+               "mkdir",
+               "mmap",
+               "mmap2",
+               "mprotect",
+               "munmap",
+               "nanosleep",
+               "_newselect",
+               "open",
+               "pipe",
+               "pipe2",
+               "poll",
+               "pread64",
+               "prlimit64",
+               "pwrite64",
+               "read",
+               "readlink",
+               "readv",
+               "recvfrom",
+               "rename",
+               "rmdir",
+               "rt_sigaction",
+               "rt_sigprocmask",
+               "rt_sigreturn",
+               "select",
+               "sendto",
+               "setsockopt",
+               "shutdown",
+               "sigreturn",
+               "socket",
+               "stat",
+               "stat64",
+               "umask",
+               "uname",
+               "unlink",
+               "write",
+               "writev"
+       ],
+       "policy": 1
+}
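Review bot: The whitelist carries only the legacy syscall names (open, stat, poll, select, pipe, access, mkdir, unlink, rmdir, rename, readlink) and none of their *at / p* replacements, so on targets built against the asm-generic syscall table (aarch64, riscv64) the daemon's first file open or poll would be a non-whitelisted call, unless procd's loader maps names differently than I expect. Adding `openat`, `newfstatat`, `fstatat64`, `ppoll`, `pselect6`, `faccessat`, `mkdirat`, `unlinkat`, `renameat` and `readlinkat` alongside the existing entries would cover those arches the same way `fcntl64`/`mmap2`/`_llseek` already cover the 32-bit ones. It would also help to state in the commit message what `"policy": 1` selects in procd's seccomp handling (kill vs. trap/log on a denied syscall), since that decides whether a missing entry surfaces as a crash or as a log line, and JSON gives no way to annotate it in the file itself.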
index 1d57db5e629ab42188dfe1fee45f4ff2288e7596..dc20387298edb3e0195aafb2457564ef9f882964 100644 (file)
@@ -48,7 +48,7 @@ transmission() {
        local user
        local group
        local config_overwrite
-       local download_dir config_dir
+       local download_dir config_dir incomplete_dir incomplete_dir_enabled
        local mem_percentage
        local nice
        local web_home
@@ -59,6 +59,8 @@ transmission() {
        config_get user "$cfg" 'user'
        config_get group "$cfg" 'group'
        config_get download_dir "$cfg" 'download_dir' '/var/etc/transmission'
+       config_get incomplete_dir "$cfg" 'incomplete_dir' '/var/etc/transmission'
+       config_get incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0
        config_get mem_percentage "$cfg" 'mem_percentage' '50'
        config_get config_overwrite "$cfg" config_overwrite 1
        config_get nice "$cfg" nice 0
@@ -71,11 +73,27 @@ transmission() {
                USE=$((MEM * mem_percentage * 10))
        fi
 
+       [ -d "$download_dir" ] || {
+               mkdir -p "$download_dir"
+               chmod 0755 "$download_dir"
+               [ -z "$user" ] || chown -R "$user:$group" "$download_dir"
+       }
+
+       [ "$incomplete_dir_enabled" = "0" ] || [ -d "$incomplete_dir" ] || {
+               mkdir -p "$incomplete_dir"
+               chmod 0755 "$incomplete_dir"
+               [ -z "$user" ] || chown -R "$user:$group" "$incomplete_dir"
+       }
+
        config_file="$config_dir/settings.json"
        [ -d "$config_dir" ] || {
                mkdir -p "$config_dir"
                chmod 0755 "$config_dir"
                touch "$config_file"
+               mkdir -p "$config_dir/resume"
+               mkdir -p "$config_dir/torrents"
+               mkdir -p "$config_dir/blocklists"
+               [ -e "$config_dir/stats.json" ] || touch "$config_dir/stats.json"
                [ -z "$user" ] || chown -R "$user:$group" "$config_dir"
        }
 
@@ -120,6 +138,7 @@ transmission() {
        procd_set_param nice "$nice"
        procd_set_param stderr 1
        procd_set_param respawn
+       procd_set_param seccomp "/etc/seccomp/transmission-daemon.json"
 
        if [ -z "$USE" ]; then
                procd_set_param limits core="0 0"
@@ -134,6 +153,10 @@ transmission() {
 
        procd_add_jail transmission log
        procd_add_jail_mount "$config_file"
+       procd_add_jail_mount_rw "$config_dir/resume"
+       procd_add_jail_mount_rw "$config_dir/torrents"
+       procd_add_jail_mount rw "$config_dir/blocklists"
+       procd_add_jail_mount_rw "$config_dir/stats.json"
        procd_add_jail_mount_rw "$download_dir"
        procd_close_instance
 }
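Review bot: The line `procd_add_jail_mount rw "$config_dir/blocklists"` has a space where the neighbouring lines have an underscore, so the blocklists directory is bound read-only through procd_add_jail_mount and a literal relative path `rw` is passed as an extra mount source; it should read `procd_add_jail_mount_rw "$config_dir/blocklists"`. Separately, the new `mkdir -p` lines for resume/torrents/blocklists and the stats.json touch sit inside the `[ -d "$config_dir" ] ||` block, so an installation whose config_dir already exists (any upgrade from PKG_RELEASE 8) never gets them created and the rw mounts added in the last hunk then name paths that do not exist on the host; hoisting those four lines out of the block, with the chown still conditional on `$user`, would cover both fresh and existing installs. The transmission() function starts before the first hunk of this file.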