diff options
| author | Toni Uhlig <matzeton@googlemail.com> | 2018-05-10 15:23:30 +0200 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2018-07-15 20:29:55 +0200 |
| commit | d353bda9cb7d83783f7069bbf6ceea3734e0a60e (patch) | |
| tree | 83f3b90fd127966535a0beaec6c88045ff35066b | |
| parent | 01a6a3cf9df23397de36ddbcff4e7099a32e99a8 (diff) | |
- drop capabilities before starting using capsh
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
| -rw-r--r-- | package/network/config/netifd/Makefile | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/package/network/config/netifd/Makefile b/package/network/config/netifd/Makefile index 2eaf38d580..850d191673 100644 --- a/package/network/config/netifd/Makefile +++ b/package/network/config/netifd/Makefile @@ -25,6 +25,14 @@ define Package/netifd TITLE:=OpenWrt Network Interface Configuration Daemon endef +define Package/netifd/config + config PACKAGE_netifd_capsh + bool + default 0 + select CONFIG_PACKAGE_libcap-bin + prompt "Use capsh to drop capabilities" +endef + TARGET_CFLAGS += \ -I$(STAGING_DIR)/usr/include/libnl-tiny \ -I$(STAGING_DIR)/usr/include \ @@ -40,6 +48,16 @@ define Package/netifd/install $(INSTALL_DIR) $(1)/sbin $(INSTALL_BIN) $(PKG_BUILD_DIR)/netifd $(1)/sbin/ $(CP) ./files/* $(1)/ +ifneq ($(CONFIG_PACKAGE_netifd_capsh),) + sed -i 's|^\s*proto_run_command "$$$$config" udhcpc.*$$$$|\tlocal DROP_CAPS="cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_admin,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+epi"\n\tproto_run_command "$$$$config" \\\n\t\t/usr/sbin/capsh --drop="$$$${DROP_CAPS}" -- -c \\\n\t\t"exec udhcpc -p /var/run/udhcpc-$$$$iface.pid -s /lib/netifd/dhcp.script -f -t 0 -i \\"$$$$iface\\" $$$${ipaddr:+-r $$$$ipaddr} $$$${hostname:+-x \\"hostname:$$$$hostname\\"} $$$${vendorid:+-V $$$$vendorid} $$$$clientid $$$$defaultreqopts $$$$broadcast $$$$release $$$$dhcpopts"|' $(1)/lib/netifd/proto/dhcp.sh + sed -i 's|^\s*-p /var/run/udhcpc-$$$$iface.pid \\||' $(1)/lib/netifd/proto/dhcp.sh + sed -i 's|^\s*-s /lib/netifd/dhcp.script \\||' $(1)/lib/netifd/proto/dhcp.sh + sed -i 's|^\s*-f -t 0 -i "$$$$iface" \\||' $(1)/lib/netifd/proto/dhcp.sh + sed -i 's|^\s*$$$${ipaddr:+-r $$$$ipaddr} \\||' $(1)/lib/netifd/proto/dhcp.sh + sed -i 's|^\s*$$$${hostname:+-x "hostname:$$$$hostname"} \\||' $(1)/lib/netifd/proto/dhcp.sh + sed -i 's|^\s*$$$${vendorid:+-V "$$$$vendorid"} \\||' $(1)/lib/netifd/proto/dhcp.sh + sed -i 's|^\s*$$$$clientid $$$$defaultreqopts $$$$broadcast $$$$release $$$$dhcpopts||' $(1)/lib/netifd/proto/dhcp.sh +endif $(CP) $(PKG_BUILD_DIR)/scripts/* $(1)/lib/netifd/ endef |