From 0f3d48a3784fb495ffdfe4a83f540ad42fab89df Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Sun, 25 Sep 2022 01:28:43 +0100
Subject: snowflake: run snowflake-proxy with procd-ujail

snowflake-proxy doesn't write any files => run in read-only rootfs environment the process needs to read SSL certs but no other files => only exposed path is /etc/ssl/certificates (read-only) running as unpriviledged user with no additional capabilities => set no-new-privs bit By default procd-ujail also isolates the process by executing it in a separate new IPC and PID namespace.

Signed-off-by: Daniel Golle
---
 net/snowflake/files/snowflake-proxy.init | 5 +++++
 1 file changed, 5 insertions(+)
 mode change 100755 => 100644 net/snowflake/files/snowflake-proxy.init

(limited to 'net/snowflake/files')

diff --git a/net/snowflake/files/snowflake-proxy.init b/net/snowflake/files/snowflake-proxy.init
old mode 100755
new mode 100644
index 2ddfe1830..3d8b4387d
--- a/net/snowflake/files/snowflake-proxy.init
+++ b/net/snowflake/files/snowflake-proxy.init
@@ -14,5 +14,10 @@ start_service() {
 procd_set_param user snowflake
 procd_set_param group snowflake
 procd_set_param respawn
+ [ -x /sbin/ujail ] && {
+ procd_add_jail snowflake-proxy ronly
+ procd_add_jail_mount /etc/ssl/certs
+ procd_set_param no_new_privs 1
+ }
 procd_close_instance
 }
-- cgit v1.2.3
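Review bot: The `[ -x /sbin/ujail ] && {` guard makes the sandbox best-effort: on an image without ujail the proxy starts unconfined and nothing is logged, so the hardening the message describes is not guaranteed; if that degradation is intended, say so next to the guard, e.g. `# ujail is optional: without it the proxy runs unconfined`, and if it is not, `procd_add_jail snowflake-proxy ronly requirejail` is the procd way to refuse to start instead. The jail exposes only `/etc/ssl/certs`, yet the proxy must also resolve the broker's hostname, which for a Go binary usually means reading `/etc/resolv.conf`; I believe ujail binds that file itself when no network namespace is requested, but nothing in the hunk mounts it, so this is worth confirming on a device before relying on the read-only rootfs. The commit message says the exposed path is `/etc/ssl/certificates` while the code mounts `/etc/ssl/certs`; the code looks right and the message should be corrected. The diffstat also records a 100755 => 100644 mode change on the init script that the message does not mention and that looks accidental, though it is presumably harmless if the Makefile installs the file with INSTALL_BIN. `start_service()` begins before this hunk.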