procd: add jail support
authorJohn Crispin <john@openwrt.org>
Thu, 26 Mar 2015 10:58:25 +0000 (10:58 +0000)
committerJohn Crispin <john@openwrt.org>
Thu, 26 Mar 2015 10:58:25 +0000 (10:58 +0000)
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 45010

package/system/procd/Makefile
package/system/procd/files/procd.sh

index 701b703..40fcdb7 100644 (file)
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=procd
-PKG_VERSION:=2015-03-18
+PKG_VERSION:=2015-03-25
 
 PKG_RELEASE=$(PKG_SOURCE_VERSION)
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=git://nbd.name/luci2/procd.git
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=0cf744c720c9ed01c2dae25f338d4e96b9db95e3
+PKG_SOURCE_VERSION:=29f139217c71c8753643779c800788783bf43c23
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 CMAKE_INSTALL:=1
 
@@ -24,6 +24,8 @@ PKG_LICENSE_FILES:=
 
 PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>
 
+PKG_CONFIG_DEPENDS:=CONFIG_KERNEL_SECCOMP
+
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
 
@@ -36,6 +38,14 @@ define Package/procd
   TITLE:=OpenWrt system process manager
 endef
 
+define Package/procd-jail
+  SECTION:=base
+  CATEGORY:=Base system
+  DEPENDS:=procd +@KERNEL_NAMESPACES +@KERNEL_UTS_NS +@KERNEL_IPC_NS +@KERNEL_PID_NS @mips||mipsel||i386||x86_64
+  TITLE:=OpenWrt process jail
+  DEFAULT:=n
+endef
+
 define Package/procd-nand
   SECTION:=utils
   CATEGORY:=Utilities
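Review bot: `Package/procd-jail` has no `define Package/procd-jail/description`, and the `DEPENDS` line is the only place a reader learns that selecting the package switches on `KERNEL_NAMESPACES`, `KERNEL_UTS_NS`, `KERNEL_IPC_NS` and `KERNEL_PID_NS` for the whole image. A short description block saying what the package installs and that it changes the kernel configuration would make that side effect visible when the option is chosen. A comment above `DEPENDS`, for example `# +@ entries select the kernel namespace options the jail needs`, would help as well. The hunk ends inside `Package/procd-nand`, which is unchanged.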
@@ -83,16 +93,26 @@ endif
 define Package/procd/install
        $(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions
 
-       $(CP) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/
        $(INSTALL_BIN) ./files/reload_config $(1)/sbin/
        $(INSTALL_DATA) ./files/hotplug*.json $(1)/etc/
        $(INSTALL_DATA) ./files/procd.sh $(1)/lib/functions/
+ifeq ($(CONFIG_KERNEL_SECCOMP),y)
+       $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-seccomp.so $(1)/lib
+endif
+endef
+
+define Package/procd-jail/install
+       $(INSTALL_DIR) $(1)/sbin $(1)/lib
+
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{utrace,ujail} $(1)/sbin/
+       $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-trace.so $(1)/lib
 endef
 
 define Package/procd-nand/install
        $(INSTALL_DIR) $(1)/sbin $(1)/lib/upgrade
 
-       $(CP) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/
        $(INSTALL_DATA) ./files/nand.sh $(1)/lib/upgrade/
 endef
 
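Review bot: `Package/procd-jail/install` puts `utrace` and `libpreload-trace.so` in the same package as `ujail`, so every image that wants jailing also carries what look like syscall-tracing helpers (inferred from the names; their behaviour is not visible here). If they are only needed while a seccomp policy is being written, packaging them separately would keep them off production images. In `Package/procd/install`, `libpreload-seccomp.so` is installed only under `ifeq ($(CONFIG_KERNEL_SECCOMP),y)` while `libpreload-trace.so` is installed unconditionally. A one-line comment above the `ifeq` saying why the two libraries are treated differently would save the next reader a trip into the upstream build files.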
@@ -103,5 +123,6 @@ define Package/procd-nand-firstboot/install
 endef
 
 $(eval $(call BuildPackage,procd))
+$(eval $(call BuildPackage,procd-jail))
 $(eval $(call BuildPackage,procd-nand))
 $(eval $(call BuildPackage,procd-nand-firstboot))
index 78352c0..f6c5e97 100644 (file)
@@ -112,6 +112,7 @@ _procd_open_instance() {
        _PROCD_INSTANCE_SEQ="$(($_PROCD_INSTANCE_SEQ + 1))"
        name="${name:-instance$_PROCD_INSTANCE_SEQ}"
        json_add_object "$name"
+       [ -n "$TRACE_SYSCALLS" ] && json_add_boolean trace "1"
 }
 
 _procd_open_trigger() {
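Review bot: The added `[ -n "$TRACE_SYSCALLS" ] && json_add_boolean trace "1"` is now the last command of `_procd_open_instance`, so in the normal case where `TRACE_SYSCALLS` is unset the function returns 1 instead of the status of `json_add_object`. Writing it as `[ -z "$TRACE_SYSCALLS" ] || json_add_boolean trace "1"` keeps a zero status when tracing is off. `TRACE_SYSCALLS` is taken from the environment and switches tracing on for every instance the script opens, so it deserves a comment such as `# TRACE_SYSCALLS (environment): when non-empty, mark the instance for syscall tracing`. The start of `_procd_open_instance` is outside the hunk.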
@@ -122,6 +123,60 @@ _procd_open_validate() {
        json_add_array "validate"
 }
 
+_procd_add_jail() {
+       json_add_object "jail"
+       json_add_string name "$1"
+       json_add_string root "/tmp/.jail/$1"
+
+       shift
+       
+       for a in $@; do
+               case $a in
+               log)    json_add_boolean "log" "1";;
+               ubus)   json_add_boolean "ubus" "1";;
+               procfs) json_add_boolean "procfs" "1";;
+               sysfs)  json_add_boolean "sysfs" "1";;
+               esac
+       done
+       json_add_object "mount"
+       json_close_object
+       json_close_object
+}
+
+_procd_add_jail_mount() {
+       local _json_no_warning=1
+
+       json_select "jail"
+       [ $? = 0 ] || return
+       json_select "mount"
+       [ $? = 0 ] || {
+               json_select ..
+               return
+       }
+       for a in $@; do
+               json_add_string "$a" "0"
+       done
+       json_select ..
+       json_select ..
+}
+
+_procd_add_jail_mount_rw() {
+       local _json_no_warning=1
+
+       json_select "jail"
+       [ $? = 0 ] || return
+       json_select "mount"
+       [ $? = 0 ] || {
+               json_select ..
+               return
+       }
+       for a in $@; do
+               json_add_string "$a" "1"
+       done
+       json_select ..
+       json_select ..
+}
+
 _procd_set_param() {
        local type="$1"; shift
 
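Review bot: The three `for a in $@; do` loops in `_procd_add_jail`, `_procd_add_jail_mount` and `_procd_add_jail_mount_rw` expand their arguments unquoted, so a mount path containing whitespace or a glob character is split or expanded against the host filesystem before it becomes a key in the jail's mount table. Use `for a in "$@"; do` and declare `local a` so the loop variable does not leak into the calling init script. `_procd_add_jail` also builds the root as `"/tmp/.jail/$1"` without checking the name, so a name containing `/` or `..` would give a root outside `/tmp/.jail`. Callers are init scripts and presumably trusted, but a guard such as `case "$1" in ""|*/*|.|..) return 1;; esac` would make the assumption explicit. The two mount helpers differ only in the `"0"`/`"1"` value, which looks like read-only versus read-write and should be stated in a comment; `_procd_set_param` continues past the end of the hunk.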
@@ -140,7 +195,7 @@ _procd_set_param() {
                nice)
                        json_add_int "$type" "$1"
                ;;
-               user)
+               user|seccomp)
                        json_add_string "$type" "$1"
                ;;
                stdout|stderr)
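Review bot: The new `user|seccomp)` arm accepts `seccomp` on every build and stores it as an unchecked string, while the Makefile in this commit installs `libpreload-seccomp.so` only when `CONFIG_KERNEL_SECCOMP` is `y`. Whether procd refuses to start an instance whose `seccomp` value cannot be applied is not visible here. If it starts the service unfiltered, an init script that sets the parameter gives a false sense of confinement on such images, so that behaviour is worth confirming and documenting. A comment at the case arm, for example `# seccomp: value is handed to procd as-is; requires an image built with CONFIG_KERNEL_SECCOMP`, would record the dependency. The `case` statement starts and ends outside the hunk.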
@@ -367,6 +422,9 @@ _procd_wrapper \
        procd_close_instance \
        procd_open_validate \
        procd_close_validate \
+       procd_add_jail \
+       procd_add_jail_mount \
+       procd_add_jail_mount_rw \
        procd_set_param \
        procd_append_param \
        procd_add_validation \