Signed-off-by: Kevin Darbyshire-Bryant <l...@darbyshire-bryant.me.uk>
---
Base error on new 'mustjail' attribute
service/instance.c | 32 ++++++++++++++++++++++----------
service/instance.h | 1 +
2 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/service/instance.c b/service/instance.c
index e872ba0..d430d6e 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -101,6 +101,7 @@ enum {
JAIL_ATTR_RONLY,
JAIL_ATTR_MOUNT,
JAIL_ATTR_NETNS,
+ JAIL_ATTR_MUSTJAIL,
__JAIL_ATTR_MAX,
};
@@ -114,6 +115,7 @@ static const struct blobmsg_policy
jail_attr[__JAIL_ATTR_MAX] = {
[JAIL_ATTR_RONLY] = { "ronly", BLOBMSG_TYPE_BOOL },
[JAIL_ATTR_MOUNT] = { "mount", BLOBMSG_TYPE_TABLE },
[JAIL_ATTR_NETNS] = { "netns", BLOBMSG_TYPE_BOOL },
+ [JAIL_ATTR_MUSTJAIL] = { "mustjail", BLOBMSG_TYPE_BOOL },
};
struct instance_netdev {
@@ -819,20 +821,16 @@ instance_jail_parse(struct service_instance *in, struct
blob_attr *attr)
{
struct blob_attr *tb[__JAIL_ATTR_MAX];
struct jail *jail = &in->jail;
- struct stat s;
- int r;
-
- r = stat(UJAIL_BIN_PATH, &s);
- if (r < 0) {
- ERROR("unable to find %s: %m (%d)\n", UJAIL_BIN_PATH, r);
- return 0;
- }
blobmsg_parse(jail_attr, __JAIL_ATTR_MAX, tb,
blobmsg_data(attr), blobmsg_data_len(attr));
jail->argc = 2;
+ if (tb[JAIL_ATTR_MUSTJAIL]) {
+ in->must_jail = true;
+ jail->argc++;
+ }
if (tb[JAIL_ATTR_NAME]) {
jail->name = strdup(blobmsg_get_string(tb[JAIL_ATTR_NAME]));
jail->argc += 2;
@@ -885,7 +883,7 @@ instance_jail_parse(struct service_instance *in, struct
blob_attr *attr)
if (in->no_new_privs)
jail->argc++;
- return 1;
+ return true;
}
static bool
@@ -918,7 +916,8 @@ instance_config_parse(struct service_instance *in)
{
struct blob_attr *tb[__INSTANCE_ATTR_MAX];
struct blob_attr *cur, *cur2;
- int rem;
+ struct stat s;
+ int rem, r;
blobmsg_parse(instance_attr, __INSTANCE_ATTR_MAX, tb,
blobmsg_data(in->config), blobmsg_data_len(in->config));
@@ -1004,6 +1003,18 @@ instance_config_parse(struct service_instance *in)
if (!in->trace && tb[INSTANCE_ATTR_JAIL])
in->has_jail = instance_jail_parse(in, tb[INSTANCE_ATTR_JAIL]);
+ if (in->has_jail) {
+ r = stat(UJAIL_BIN_PATH, &s);
+ if (r < 0) {
+ if (in->must_jail) {
+ ERROR("Cannot jail service %s::%s. %s: %m
(%d)\n",
+ in->srv->name, in->name,
UJAIL_BIN_PATH, r);
+ return false;
+ }
+ in->has_jail = false;
+ }
+ }
+
if (tb[INSTANCE_ATTR_STDOUT] &&
blobmsg_get_bool(tb[INSTANCE_ATTR_STDOUT]))
in->_stdout.fd.fd = -1;
@@ -1146,6 +1157,7 @@ instance_init(struct service_instance *in, struct service
*s, struct blob_attr *
in->term_timeout = 5;
in->syslog_facility = LOG_DAEMON;
in->exit_code = 0;
+ in->must_jail = false;
in->_stdout.fd.fd = -2;
in->_stdout.stream.string_data = true;
diff --git a/service/instance.h b/service/instance.h
index 7d91b51..abd91ad 100644
--- a/service/instance.h
+++ b/service/instance.h
@@ -59,6 +59,7 @@ struct service_instance {
bool trace;
bool has_jail;
+ bool must_jail;
bool no_new_privs;
struct jail jail;
char *seccomp;
--
2.21.1 (Apple Git-122.3)
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
