From patchwork Wed Dec 16 22:34:02 2015
X-Patchwork-Submitter: Daniel Dickinson
X-Patchwork-Id: 557801
From: openwrt@daniel.thecshore.com
To: openwrt-devel@lists.openwrt.org
Date: Wed, 16 Dec 2015 17:34:02 -0500
Message-Id: <1450305242-3806-1-git-send-email-openwrt@daniel.thecshore.com>
Subject: [OpenWrt-Devel] [PATCH] package/utils/busybox: Jail sysntpd

From: Daniel Dickinson

Note that not all of procfs sysfs log and ubus may be required for actual operation, they are just what strace reveals attempting to make accesses.
Signed-off-by: Daniel Dickinson --- package/utils/busybox/files/sysntpd | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/package/utils/busybox/files/sysntpd b/package/utils/busybox/files/sysntpd index f73bb83..e61c9fc 100755 --- a/package/utils/busybox/files/sysntpd +++ b/package/utils/busybox/files/sysntpd @@ -31,7 +31,11 @@ start_service() { for peer in $server; do procd_append_param command -p $peer done + touch /var/run/ntpd.pid procd_set_param respawn + procd_add_jail sysntpd procfs sysfs log ubus + procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf /tmp/resolv.conf /etc/hosts /etc/TZ + procd_add_jail_mount_rw /var/run/ntpd.pid procd_close_instance }
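Review bot: The `procd_add_jail sysntpd procfs sysfs log ubus` line grants four jail features that the commit message itself says may not all be required, so the jail is wider than it needs to be. Please drop each of procfs, sysfs, log and ubus in turn, confirm ntpd still syncs and the hotplug script still runs, and keep only the ones whose removal breaks something; an access attempt seen in strace is not the same as a dependency. The `touch /var/run/ntpd.pid` before `procd_set_param respawn` has no comment; if it is there so that `procd_add_jail_mount_rw /var/run/ntpd.pid` has an existing file to mount, say so in the script. It is also worth stating in the commit message why `"$HOTPLUG_SCRIPT"` is mounted into the jail, and what happens to that mount line if the variable is empty, since its definition is outside the visible hunk.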