Skip to content
Snippets Groups Projects
Unverified Commit 517433e8 authored by Andreas Ziegler's avatar Andreas Ziegler Committed by GitHub
Browse files

Merge pull request #3464 from neocturne/wan-dnsmasq-ujail

gluon-wan-dnsmasq privilege reduction
parents 715abd7f dc13c17a
No related branches found
No related tags found
No related merge requests found
......@@ -8,12 +8,29 @@ RESOLV_CONF_DIR=/var/gluon/wan-dnsmasq
RESOLV_CONF=$RESOLV_CONF_DIR/resolv.conf
start_service() {
mkdir -p /var/run/dnsmasq/
mkdir -p $RESOLV_CONF_DIR
touch "$RESOLV_CONF"
procd_open_instance
procd_set_param command /usr/sbin/dnsmasq -u root -i lo -p 54 -h -k -c 0 -r $RESOLV_CONF
procd_set_param command /usr/sbin/dnsmasq \
--user=dnsmasq \
--group=dnsmasq \
--interface=lo \
--port=54 \
--no-hosts \
--keep-in-foreground \
--pid-file=/var/run/dnsmasq/gluon-wan-dnsmasq.pid \
--cache-size=0 \
--resolv-file=$RESOLV_CONF
procd_set_param env LD_PRELOAD=libpacketmark.so LIBPACKETMARK_MARK=1
procd_set_param respawn 60 5 5
procd_add_jail dnsmasq log
procd_add_jail_mount $RESOLV_CONF_DIR
procd_add_jail_mount /usr/lib/libpacketmark.so
procd_add_jail_mount /etc/passwd /etc/group /etc/TZ
procd_add_jail_mount_rw /var/run/dnsmasq/
procd_close_instance
}
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment