dnsmasq: fix more dnsmasq jail issues

 * remove superflus mounts of /dev/null and /dev/urandom
 * reset EXTRA_MOUNTS at the beginning of the script
 * add mount according to ignore_hosts_dir
 * don't add mount for file which is inside a directory already in the
   EXTRA_MOUNTS list

Fixes: 59c63224e1 ("dnsmasq: rework jail mounts")
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index 460041d4b9ff85461dd13f7bd212dbb99c937fed..fe2edcbb56d706ab597a9fc117fddef36e9dddf4 100644 (file)
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -10,6 +10,7 @@ ADD_LOCAL_DOMAIN=1
 ADD_LOCAL_HOSTNAME=1
 ADD_WAN_FQDN=0
 ADD_LOCAL_FQDN=""
+EXTRA_MOUNT=""
 
 BASECONFIGFILE="/var/etc/dnsmasq.conf"
 BASEHOSTFILE="/tmp/hosts/dhcp"
@@ -187,8 +188,22 @@ append_notinterface() {
        xappend "--except-interface=$ifname"
 }
 
+ismounted() {
+       local filename="$1"
+       local dirname
+       for dirname in $EXTRA_MOUNT ; do
+               case "$filename" in
+                       "${dirname}/"* | "${dirname}" )
+                               return 1
+                               ;;
+               esac
+       done
+
+       return 0
+}
+
 append_addnhosts() {
-       append EXTRA_MOUNT "$1"
+       ismounted "$1" || append EXTRA_MOUNT "$1"
        xappend "--addn-hosts=$1"
 }
 
@@ -927,6 +942,14 @@ dnsmasq_start()
                config_list_foreach "$cfg" "interface" append_interface
                config_list_foreach "$cfg" "notinterface" append_notinterface
        }
+       config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0
+       if [ "$ignore_hosts_dir" = "1" ]; then
+               xappend "--addn-hosts=$HOSTFILE"
+               append EXTRA_MOUNT "$HOSTFILE"
+       else
+               xappend "--addn-hosts=$(dirname $HOSTFILE)"
+               append EXTRA_MOUNT "$(dirname $HOSTFILE)"
+       fi
        config_list_foreach "$cfg" "addnhosts" append_addnhosts
        config_list_foreach "$cfg" "bogusnxdomain" append_bogusnxdomain
        append_parm "$cfg" "leasefile" "--dhcp-leasefile" "/tmp/dhcp.leases"
@@ -1022,12 +1045,6 @@ dnsmasq_start()
 
        xappend "--dhcp-broadcast=tag:needs-broadcast"
 
-       config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0
-       if [ "$ignore_hosts_dir" = "1" ]; then
-               xappend "--addn-hosts=$HOSTFILE"
-       else
-               xappend "--addn-hosts=$(dirname $HOSTFILE)"
-       fi
 
        config_get dnsmasqconfdir "$cfg" confdir "/tmp/dnsmasq.d"
        xappend "--conf-dir=$dnsmasqconfdir"
@@ -1121,10 +1138,9 @@ dnsmasq_start()
        procd_set_param respawn
 
        procd_add_jail dnsmasq ubus log
-       procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE
-       procd_add_jail_mount $EXTRA_MOUNT $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
+       procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
+       procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
        procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
-       procd_add_jail_mount /dev/null /dev/urandom
        procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
        procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile