From patchwork Wed Aug 12 11:24:09 2015
X-Patchwork-Submitter: Maxim Storchak
X-Patchwork-Id: 506574
From: Maxim Storchak
To: openwrt-devel@lists.openwrt.org
Date: Wed, 12 Aug 2015 14:24:09 +0300
Message-Id: <1439378649-4630-1-git-send-email-m.storchak@gmail.com>
In-Reply-To: <55CA2D4A.5020503@gmail.com>
References: <55CA2D4A.5020503@gmail.com>
Subject: [OpenWrt-Devel] [PATCH] procd: add helper binaries to jail

This allows building jails with more than a single binary. May be used to run the main program with a wrapper, e.g. ionice, or to add helper binaries for the main one (like gzip for tar with no built-in compression support).

Usage:
directly:
ujail ... -b /usr/bin/main ... -- /bin/wrapper ... /usr/bin/main
ujail ... -b /usr/bin/helper1 -b /bin/helper2 ... -- /usr/bin/main
in init scripts:
procd_add_jail_mount_bin /usr/bin/something /bin/helper

Signed-off-by: Maxim Storchak
---
 package/system/procd/files/procd.sh               | 18 +++++++
 .../procd/patches/100-ujail-helper-binary.patch   | 58 ++++++++++++++++++++++
 .../procd/patches/101-service-helper-binary.patch | 15 ++++++
 3 files changed, 91 insertions(+)
 create mode 100644 package/system/procd/patches/100-ujail-helper-binary.patch
 create mode 100644 package/system/procd/patches/101-service-helper-binary.patch
diff --git a/package/system/procd/files/procd.sh b/package/system/procd/files/procd.sh index e83e75c..bc9f78d 100644 --- a/package/system/procd/files/procd.sh +++ b/package/system/procd/files/procd.sh @@ -177,6 +177,23 @@ _procd_add_jail_mount_rw() { json_select .. } +_procd_add_jail_mount_bin() { + local _json_no_warning=1 + + json_select "jail" + [ $? = 0 ] || return + json_select "mount" + [ $? = 0 ] || { + json_select .. + return + } + for a in $@; do + json_add_string "$a" "2" + done + json_select .. + json_select .. +} + _procd_set_param() { local type="$1"; shift @@ -423,6 +440,7 @@ _procd_wrapper \ procd_add_jail \ procd_add_jail_mount \ procd_add_jail_mount_rw \ + procd_add_jail_mount_bin \ procd_set_param \ procd_append_param \ procd_add_validation \ diff --git a/package/system/procd/patches/100-ujail-helper-binary.patch b/package/system/procd/patches/100-ujail-helper-binary.patch new file mode 100644 index 0000000..dd7ab64 --- /dev/null +++ b/package/system/procd/patches/100-ujail-helper-binary.patch 
@@ -0,0 +1,58 @@ +diff --git a/jail/jail.c b/jail/jail.c +index 2bba292..22fda87 100644 +--- a/jail/jail.c ++++ b/jail/jail.c +@@ -43,7 +43,7 @@ + #include + + #define STACK_SIZE (1024 * 1024) +-#define OPT_ARGS "P:S:n:r:w:psuldo" ++#define OPT_ARGS "P:S:n:r:w:b:psuldo" + + struct extra { + struct list_head list; +@@ -260,6 +260,7 @@ static int usage(void) + fprintf(stderr, " -n \tthe name of the jail\n"); + fprintf(stderr, " -r \treadonly files that should be staged\n"); + fprintf(stderr, " -w \twriteable files that should be staged\n"); ++ fprintf(stderr, " -b \tadditional binaries that should be staged\n"); + fprintf(stderr, " -p\t\tjail has /proc\t\n"); + fprintf(stderr, " -s\t\tjail has /sys\t\n"); + fprintf(stderr, " -l\t\tjail has /dev/log\t\n"); +@@ -433,6 +434,12 @@ int main(int argc, char **argv) + + umask(022); + ++ avl_init(&libraries, avl_strcmp, false, NULL); ++ alloc_library_path("/lib64"); ++ alloc_library_path("/lib"); ++ alloc_library_path("/usr/lib"); ++ load_ldso_conf("/etc/ld.so.conf"); ++ + while ((ch = getopt(argc, argv, OPT_ARGS)) != -1) { + switch (ch) { + case 'd': +@@ -457,6 +464,11 @@ int main(int argc, char **argv) + case 'l': + add_extra(log, 0); + break; ++ case 'b': ++ if (elf_load_deps(optarg)) { ++ ERROR("failed to load dependencies for %s\n", optarg); ++ return -1; ++ } + } + } + +@@ -476,11 +488,6 @@ int main(int argc, char **argv) + if (name) + prctl(PR_SET_NAME, name, NULL, NULL, NULL); + +- avl_init(&libraries, avl_strcmp, false, NULL); +- alloc_library_path("/lib64"); +- alloc_library_path("/lib"); +- alloc_library_path("/usr/lib"); +- load_ldso_conf("/etc/ld.so.conf"); + + if (elf_load_deps(argv[optind])) { + ERROR("failed to load dependencies\n"); diff --git a/package/system/procd/patches/101-service-helper-binary.patch b/package/system/procd/patches/101-service-helper-binary.patch new file mode 100644 index 0000000..0b4a274 --- /dev/null +++ b/package/system/procd/patches/101-service-helper-binary.patch 
@@ -0,0 +1,15 @@ +diff --git a/service/instance.c b/service/instance.c +index 40ff021..9fec647 100644 +--- a/service/instance.c ++++ b/service/instance.c +@@ -208,7 +208,9 @@ jail_run(struct service_instance *in, char **argv) + blobmsg_list_for_each(&jail->mount, var) { + const char *type = blobmsg_data(var->data); + +- if (*type == '1') ++ if (*type == '2') ++ argv[argc++] = "-b"; ++ else if (*type == '1') + argv[argc++] = "-w"; + else + argv[argc++] = "-r";
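Review bot: in the new `_procd_add_jail_mount_bin` in procd.sh, `for a in $@; do` should be `for a in "$@"; do`, and `a` should be declared `local` next to `_json_no_warning`: the unquoted `$@` word-splits any staged path that contains whitespace, and the undeclared loop variable leaks into the calling init script's shell scope. The bare `"2"` written by `json_add_string "$a" "2"` is a mount-type code whose meaning lives only in service/instance.c; a one-line comment here naming the mapping (`1` writeable, `2` binary, anything else read-only) would keep the shell side and the C side from drifting apart.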
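Review bot: in 100-ujail-helper-binary.patch, moving the `avl_init(&libraries, ...)` / `alloc_library_path(...)` / `load_ldso_conf("/etc/ld.so.conf")` block ahead of the `getopt` loop is a behavioural change the commit message does not mention: it is needed because `case 'b'` calls `elf_load_deps(optarg)` while options are still being parsed, and it also means `/etc/ld.so.conf` is now read before the remaining arguments are validated. Please say so in the message. Two smaller points in the same hunk: `case 'b'` is the only branch without a trailing `break;` (it only works because it is the last case in the switch), and removing the five lines after `prctl(PR_SET_NAME, name, NULL, NULL, NULL);` leaves two consecutive blank lines before `if (elf_load_deps(argv[optind]))`.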
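Review bot: in 101-service-helper-binary.patch, the rewritten dispatch in `jail_run` still sends every value other than `'2'` and `'1'` to `argv[argc++] = "-r";`, so a mistyped or future fourth mount type in the service's JSON silently becomes a read-only mount instead of an error. Compare the read-only code explicitly as well and log unknown values rather than defaulting them; a `-b` entry carries its ELF dependencies into the jail (see the `elf_load_deps(optarg)` call added in jail.c), so it is worth being strict about which type each entry is given.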