authorDaniel Golle <daniel@makrotopia.org>2022-04-13 00:11:23 +0100
committerDaniel Golle <daniel@makrotopia.org>2022-04-13 03:58:53 +0100
commiteb03f03105a857a0b7310e4c93bff46aa29f3a40 (patch)
tree7d00dadbf27a7d4523fa2ede7b30fdeb5653052b
parent5c5e63f89ab3c0eb93e8733c196bb9b27e663c90 (diff)
jail: include necessary files for per-netns netifd instance
Up to now only proto 'static' and 'none' have been supported for in-jail interfaces, because shell-based protocol handlers need some more utilities, PATH set in the environment, and /var/ubus/ubus.sock to be mounted on the per-netns-jail ubus socket. Include the files needed by the shell proto handlers, set PATH in the environment, and bend the ubus socket path so that the DHCP client works in a per-jail netns. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-rw-r--r--jail/netifd.c31
1 files changed, 23 insertions, 8 deletions
diff --git a/jail/netifd.c b/jail/netifd.c
index bb205d0..6f9cd72 100644
--- a/jail/netifd.c
+++ b/jail/netifd.c
@@ -46,6 +46,7 @@
static const char ubusd_path[] = "/sbin/ubusd";
static const char netifd_path[] = "/sbin/netifd";
static const char uci_net[] = "network";
+static const char ubus_sock_name[] = "ubus.sock";
static char *jail_name, *ubus_sock_path, *ubus_sock_dir, *uci_config_network = NULL;
@@ -193,8 +194,8 @@ static void run_ubusd(struct uloop_timeout *t)
static void run_netifd(struct uloop_timeout *t)
{
static struct blob_buf req;
- void *ins, *in, *cmd, *jail, *setns, *setnso, *namespaces, *mount;
- char *resolvconf_dir, *resolvconf, *ucimount;
+ void *ins, *in, *cmd, *jail, *setns, *setnso, *namespaces, *mount, *pathenv;
+ char *resolvconf_dir, *resolvconf, *ucimount, *ubusmount;
char uci_dir[] = "/var/containers/ujail-uci-XXXXXX";
uint32_t id;
@@ -222,9 +223,12 @@ static void run_netifd(struct uloop_timeout *t)
if (asprintf(&ucimount, "%s:/etc/config", uci_dir) == -1)
goto netifd_out_ucinetconf;
- if (gen_jail_uci_network())
+ if (asprintf(&ubusmount, "%s:/var/run/ubus", ubus_sock_dir) == -1)
goto netifd_out_ucimount;
+ if (gen_jail_uci_network())
+ goto netifd_out_ubusmount;
+
blob_buf_init(&req, 0);
blobmsg_add_string(&req, "name", jail_name);
ins = blobmsg_open_table(&req, "instances");
@@ -234,10 +238,12 @@ static void run_netifd(struct uloop_timeout *t)
blobmsg_add_string(&req, "", netifd_path);
blobmsg_add_string(&req, "", "-r");
blobmsg_add_string(&req, "", resolvconf);
- blobmsg_add_string(&req, "", "-s");
- blobmsg_add_string(&req, "", ubus_sock_path);
blobmsg_close_array(&req, cmd);
+ pathenv = blobmsg_open_table(&req, "env");
+ blobmsg_add_string(&req, "PATH", "/usr/sbin:/usr/bin:/sbin:/bin");
+ blobmsg_close_table(&req, pathenv);
+
jail = blobmsg_open_table(&req, "jail");
setns = blobmsg_open_array(&req, "setns");
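Review bot: Dropping `-s ubus_sock_path` from the netifd command line leaves no trace of why the jailed netifd still finds ubusd: it now depends on `ubus_sock_dir` being bind-mounted at `/var/run/ubus` further down in this function and on the socket being named `ubus.sock`, which presumably is the default libubus socket location (please confirm). A comment above the `blobmsg_close_array(&req, cmd)` line would protect that coupling, e.g. `/* no -s: ubus_sock_dir is bind-mounted at /var/run/ubus, so netifd and the ubus CLI used by the shell proto handlers reach ubus.sock at the default path */`. The `PATH` value is a literal that only makes sense together with the tool mounts added below; a file-scope constant next to `ubus_sock_name` (`static const char jail_path_env[] = "/usr/sbin:/usr/bin:/sbin:/bin";`) would keep the two in one place. run_netifd's body continues outside the hunk.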
@@ -252,13 +258,20 @@ static void run_netifd(struct uloop_timeout *t)
blobmsg_close_array(&req, setns);
mount = blobmsg_open_table(&req, "mount");
- blobmsg_add_string(&req, ubus_sock_dir, "1");
+ blobmsg_add_string(&req, ubusmount, "1");
blobmsg_add_string(&req, resolvconf_dir, "1");
blobmsg_add_string(&req, ucimount, "0");
+ blobmsg_add_string(&req, "/bin/cat", "0");
+ blobmsg_add_string(&req, "/bin/ipcalc.sh", "0");
+ blobmsg_add_string(&req, "/bin/kill", "0");
+ blobmsg_add_string(&req, "/bin/ubus", "0");
blobmsg_add_string(&req, "/etc/hotplug.d", "0");
+ blobmsg_add_string(&req, "/lib/functions", "0");
blobmsg_add_string(&req, "/lib/functions.sh", "0");
blobmsg_add_string(&req, "/lib/netifd", "0");
blobmsg_add_string(&req, "/lib/network", "0");
+ blobmsg_add_string(&req, "/usr/bin/awk", "0");
+ blobmsg_add_string(&req, "/usr/bin/killall", "0");
blobmsg_add_string(&req, "/usr/bin/logger", "0");
blobmsg_add_string(&req, "/usr/bin/jshn", "0");
blobmsg_add_string(&req, "/usr/share/libubox/jshn.sh", "0");
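Review bot: The read-only mount list in this hunk is now a dozen literal `blobmsg_add_string(&req, "<path>", "0")` calls and grows with every new proto-handler dependency; a `static const char *const` table at file scope iterated in a short loop keeps the list in one place and turns the repeated `"0"` into a single, commented value. Separately, `/bin/kill` and `/usr/bin/killall` give the jailed shell handlers the ability to signal processes; whether that stays confined to the jail's own processes depends on the namespaces listed in the `setns` array, which is built above this hunk, so a one-line comment on those two entries stating the intended scope would let a reader judge the exposure. The `"0"`/`"1"` mount values are also undocumented here; `/* "0": read-only bind mount, "1": read-write */` would do if that is the ujail convention (inferred from `ubusmount`/`resolvconf_dir` getting `"1"`, please confirm). The list itself continues below the hunk, and run_netifd begins and ends outside it.
```c
/* file scope, next to ubus_sock_name: read-only paths the shell proto handlers need inside the jail */
static const char *const netifd_ro_mounts[] = {
	"/bin/cat",
	"/bin/ipcalc.sh",
	"/bin/kill",		/* signalling by proto scripts; scope depends on the setns list, confirm */
	"/bin/ubus",
	"/etc/hotplug.d",
	"/lib/functions",
	"/lib/functions.sh",
	"/lib/netifd",
	"/lib/network",
	"/usr/bin/awk",
	"/usr/bin/killall",	/* see /bin/kill */
	"/usr/bin/logger",
	"/usr/bin/jshn",
	"/usr/share/libubox/jshn.sh",
	/* … remaining entries of the original list, which continues below this hunk … */
};

	/* … unchanged: jail and setns tables … */
	mount = blobmsg_open_table(&req, "mount");
	blobmsg_add_string(&req, ubusmount, "1");	/* "1": read-write, "0": read-only (ujail convention, inferred) */
	blobmsg_add_string(&req, resolvconf_dir, "1");
	blobmsg_add_string(&req, ucimount, "0");
	for (size_t i = 0; i < sizeof(netifd_ro_mounts) / sizeof(netifd_ro_mounts[0]); i++)
		blobmsg_add_string(&req, netifd_ro_mounts[i], "0");
```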
@@ -285,6 +298,8 @@ static void run_netifd(struct uloop_timeout *t)
if (!running)
blob_buf_free(&req);
+netifd_out_ubusmount:
+ free(ubusmount);
netifd_out_ucimount:
free(ucimount);
netifd_out_ucinetconf:
@@ -326,7 +341,7 @@ static void inotify_read_handler(struct uloop_fd *u, unsigned int events)
if (in->len < 4)
continue;
- if (!strncmp("ubus", in->name, in->len))
+ if (!strncmp(ubus_sock_name, in->name, in->len))
uloop_timeout_add(&netifd_start_timeout);
}
}
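Review bot: The `in->len < 4` guard on the line above the new comparison is left over from the old four-character name `"ubus"`; with `ubus_sock_name` now `"ubus.sock"` it no longer expresses the bound it was written for, and the `strncmp` bounded by `in->len` only works out because `in->len` covers the NUL-terminated name and its padding. Tie the guard to the constant and compare the whole name: `if (in->len < sizeof(ubus_sock_name)) continue;` followed by `if (!strcmp(ubus_sock_name, in->name))`. This assumes `in` is a `struct inotify_event *`, whose `name` is NUL-terminated whenever `len` is non-zero; the field names match that, but the declaration and the start of inotify_read_handler are outside the hunk.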
@@ -431,7 +446,7 @@ int jail_network_start(struct ubus_context *new_ctx, char *new_jail_name, pid_t
goto errout_dir;
}
- if (asprintf(&ubus_sock_path, "%s/ubus", ubus_sock_dir) == -1) {
+ if (asprintf(&ubus_sock_path, "%s/%s", ubus_sock_dir, ubus_sock_name) == -1) {
ret = ENOMEM;
goto errout_path;
}