Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com>
---
 service/instance.c | 11 +++++++++++
 service/instance.h | 1 +
 2 files changed, 12 insertions(+)
diff --git a/service/instance.c b/service/instance.c
index 586c0ee..ad0d284 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -49,6 +49,7 @@ enum {
 	INSTANCE_ATTR_USER,
 	INSTANCE_ATTR_STDOUT,
 	INSTANCE_ATTR_STDERR,
+	INSTANCE_ATTR_NO_NEW_PRIVS,
 	INSTANCE_ATTR_JAIL,
 	INSTANCE_ATTR_TRACE,
 	INSTANCE_ATTR_SECCOMP,
@@ -71,6 +72,7 @@ static const struct blobmsg_policy instance_attr[__INSTANCE_ATTR_MAX] = {
 	[INSTANCE_ATTR_USER] = { "user", BLOBMSG_TYPE_STRING },
 	[INSTANCE_ATTR_STDOUT] = { "stdout", BLOBMSG_TYPE_BOOL },
 	[INSTANCE_ATTR_STDERR] = { "stderr", BLOBMSG_TYPE_BOOL },
+	[INSTANCE_ATTR_NO_NEW_PRIVS] = { "no_new_privs", BLOBMSG_TYPE_BOOL },
 	[INSTANCE_ATTR_JAIL] = { "jail", BLOBMSG_TYPE_TABLE },
 	[INSTANCE_ATTR_TRACE] = { "trace", BLOBMSG_TYPE_BOOL },
 	[INSTANCE_ATTR_SECCOMP] = { "seccomp", BLOBMSG_TYPE_STRING },
@@ -195,6 +197,9 @@ jail_run(struct service_instance *in, char **argv)
 		argv[argc++] = in->capabilities;
 	}
 
+	if (in->no_new_privs)
+		argv[argc++] = "-c";
+
 	if (jail->procfs)
 		argv[argc++] = "-p";
 
@@ -762,6 +767,9 @@ instance_config_parse(struct service_instance *in)
 	if (tb[INSTANCE_ATTR_TRACE])
 		in->trace = blobmsg_get_bool(tb[INSTANCE_ATTR_TRACE]);
 
+	if (tb[INSTANCE_ATTR_NO_NEW_PRIVS])
+		in->no_new_privs = blobmsg_get_bool(tb[INSTANCE_ATTR_NO_NEW_PRIVS]);
+
 	if (!in->trace && tb[INSTANCE_ATTR_SECCOMP]) {
 		char *seccomp = blobmsg_get_string(tb[INSTANCE_ATTR_SECCOMP]);
 		struct stat s;
@@ -960,6 +968,9 @@ void instance_dump(struct blob_buf *b, struct service_instance *in, int verbose)
 	if (in->trace)
 		blobmsg_add_u8(b, "trace", true);
 
+	if (in->no_new_privs)
+		blobmsg_add_u8(b, "no_new_privs", true);
+
 	if (in->seccomp)
 		blobmsg_add_string(b, "seccomp", in->seccomp);
diff --git a/service/instance.h b/service/instance.h
index 80268af..0af9680 100644
--- a/service/instance.h
+++ b/service/instance.h
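Review bot: The `-c` argument appended in the jail_run hunk grows argc by one, but the allocation of argv is not visible here; if the caller sizes argv from a precomputed count of jail options (a `jail->argc`-style tally), that count must be raised for no_new_privs as well, otherwise the new entry is written one past the end of the array. jail_run starts and ends outside the hunk, so this cannot be confirmed from the patch alone. Separately, the flag is parsed unconditionally in the instance_config_parse hunk and reported unconditionally in the instance_dump hunk, yet as far as these hunks show it is only acted on inside jail_run, so an instance with `no_new_privs` but no `jail` table is dumped as restricted while nothing enforces it. Either apply the restriction on the non-jail start path too or document the dependency next to the new assignment, e.g. `/* only enforced when the instance runs under jail, see jail_run() */`.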
@@ -52,6 +52,7 @@ struct service_instance {
 	bool trace;
 	bool has_jail;
+	bool no_new_privs;
 	struct jail jail;
 	char *seccomp;
 	char *capabilities;
-- 
1.9.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel