author: Daniel Golle <daniel@makrotopia.org> 2022-09-25 01:28:43 +0100
committer: Daniel Golle <daniel@makrotopia.org> 2022-09-25 01:38:09 +0100
commit: 0f3d48a3784fb495ffdfe4a83f540ad42fab89df (patch)
tree: 0c1c92fd8745aa615508bebc40385225b1e7ed39 /net/snowflake/files
parent: cf120a7effd5d13a7f705b5eb9d22410b73d71f3 (diff)
snowflake: run snowflake-proxy with procd-ujail
snowflake-proxy doesn't write any files
 => run in read-only rootfs environment

the process needs to read SSL certs but no other files
 => only exposed path is /etc/ssl/certificates (read-only)

running as unprivileged user with no additional capabilities
 => set no-new-privs bit

By default procd-ujail also isolates the process by executing it in a separate new IPC and PID namespace.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Diffstat (limited to 'net/snowflake/files')
-rw-r--r--[-rwxr-xr-x] net/snowflake/files/snowflake-proxy.init 5
1 files changed, 5 insertions, 0 deletions
diff --git a/net/snowflake/files/snowflake-proxy.init b/net/snowflake/files/snowflake-proxy.init
index 2ddfe1830..3d8b4387d 100755..100644
--- a/net/snowflake/files/snowflake-proxy.init
+++ b/net/snowflake/files/snowflake-proxy.init
@@ -14,5 +14,10 @@ start_service() {
procd_set_param user snowflake
procd_set_param group snowflake
procd_set_param respawn
+ [ -x /sbin/ujail ] && {
+ procd_add_jail snowflake-proxy ronly
+ procd_add_jail_mount /etc/ssl/certs
+ procd_set_param no_new_privs 1
+ }
procd_close_instance
}
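Review bot: the `[ -x /sbin/ujail ] && {` guard in start_service() makes the whole sandbox optional without saying so. On a system where /sbin/ujail is missing, the instance still starts with only the user/group drop, and none of the jail, the read-only mount or no_new_privs is applied. If that fallback is intended, log it at start, or make the package depend on procd-ujail so it cannot happen silently. Two smaller points: the commit message names /etc/ssl/certificates as the only exposed path while the hunk mounts `/etc/ssl/certs`, so the message should match the code; and the index line changes the file mode from 100755 to 100644, which the message does not mention, so please confirm the change is intentional and that the init script is still installed executable.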