From 609109fa97569c16e84c52d9b6b388e441145e27 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Fri, 3 Jan 2020 21:37:53 +0200
Subject: [PATCH] transmission: add seccomp filter and improve jail

Signed-off-by: Daniel Golle
---
 net/transmission/Makefile | 4 +-
 .../files/transmission-daemon.json | 74 +++++++++++++++++++
 net/transmission/files/transmission.init | 25 ++++++-
 3 files changed, 101 insertions(+), 2 deletions(-)
 create mode 100644 net/transmission/files/transmission-daemon.json

diff --git a/net/transmission/Makefile b/net/transmission/Makefile
index 06c45f0d7..a2e9c94d8 100644
--- a/net/transmission/Makefile
+++ b/net/transmission/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=transmission
 PKG_VERSION:=2.94
-PKG_RELEASE:=8
+PKG_RELEASE:=9
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GITHUB/transmission/transmission-releases/master
@@ -24,6 +24,7 @@ PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 
 include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/package-seccomp.mk
 
 define Package/transmission/template
 SUBMENU:=BitTorrent
@@ -150,6 +151,7 @@ define Package/transmission-daemon-openssl/install
 	$(INSTALL_CONF) files/transmission.config $(1)/etc/config/transmission
 	$(INSTALL_DIR) $(1)/etc/sysctl.d/
 	$(INSTALL_CONF) files/transmission.sysctl $(1)/etc/sysctl.d/20-transmission.conf
+	$(call InstallSeccomp,$(1),./files/transmission-daemon.json)
 endef
 
 Package/transmission-daemon-mbedtls/install = $(Package/transmission-daemon-openssl/install)
diff --git a/net/transmission/files/transmission-daemon.json b/net/transmission/files/transmission-daemon.json
new file mode 100644
index 000000000..e284886de
--- /dev/null
+++ b/net/transmission/files/transmission-daemon.json
@@ -0,0 +1,74 @@
+{
+	"whitelist": [
+		"accept4",
+		"access",
+		"arm_fadvise64_64",
+		"bind",
+		"brk",
+		"clock_gettime",
+		"clone",
+		"close",
+		"connect",
+		"epoll_create1",
+		"epoll_ctl",
+		"epoll_pwait",
+		"exit",
+		"exit_group",
+		"fadvise64",
+		"fallocate",
+		"fcntl",
+		"fcntl64",
+		"fstat",
+		"fstat64",
+		"fsync",
+		"futex",
+		"getdents64",
+		"getpeername",
+		"getpid",
+		"getsockname",
+		"getsockopt",
+		"ioctl",
+		"listen",
+		"_llseek",
+		"lseek",
+		"madvise",
+		"membarrier",
+		"mkdir",
+		"mmap",
+		"mmap2",
+		"mprotect",
+		"munmap",
+		"nanosleep",
+		"_newselect",
+		"open",
+		"pipe",
+		"pipe2",
+		"poll",
+		"pread64",
+		"prlimit64",
+		"pwrite64",
+		"read",
+		"readlink",
+		"readv",
+		"recvfrom",
+		"rename",
+		"rmdir",
+		"rt_sigaction",
+		"rt_sigprocmask",
+		"rt_sigreturn",
+		"select",
+		"sendto",
+		"setsockopt",
+		"shutdown",
+		"sigreturn",
+		"socket",
+		"stat",
+		"stat64",
+		"umask",
+		"uname",
+		"unlink",
+		"write",
+		"writev"
+	],
+	"policy": 1
+}
diff --git a/net/transmission/files/transmission.init b/net/transmission/files/transmission.init
index 1d57db5e6..dc2038729 100644
--- a/net/transmission/files/transmission.init
+++ b/net/transmission/files/transmission.init
@@ -48,7 +48,7 @@ transmission() {
 	local user
 	local group
 	local config_overwrite
-	local download_dir config_dir
+	local download_dir config_dir incomplete_dir incomplete_dir_enabled
 	local mem_percentage
 	local nice
 	local web_home
@@ -59,6 +59,8 @@ transmission() {
 	config_get user "$cfg" 'user'
 	config_get group "$cfg" 'group'
 	config_get download_dir "$cfg" 'download_dir' '/var/etc/transmission'
+	config_get incomplete_dir "$cfg" 'incomplete_dir' '/var/etc/transmission'
+	config_get incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0
 	config_get mem_percentage "$cfg" 'mem_percentage' '50'
 	config_get config_overwrite "$cfg" config_overwrite 1
 	config_get nice "$cfg" nice 0
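Review bot: The whitelist has no `openat`, `newfstatat`/`fstatat64`, `ppoll` or `pselect6` entries while it does carry the legacy pairs `open`/`stat64`, `poll`/`_newselect` and `mmap`/`mmap2`, which suggests it was trace-derived on 32-bit ARM/x86-style ABIs; on a target whose ABI only exposes the `*at` forms (aarch64 is the common case) the daemon would presumably be denied at its first file open, and with `"policy": 1` that looks fatal rather than logged — worth confirming against procd's policy semantics before shipping. Since JSON cannot hold comments, record how the list was generated and which targets it was validated on in the commit message or a short README beside the file, so the next person adding a syscall knows what to re-run. `getrandom`, `sendmsg`/`recvmsg` and `socketpair` are also absent; whether musl/libevent need them here depends on the build, so a trace on each supported arch is the only reliable check.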
@@ -71,11 +73,27 @@ transmission() { USE=$((MEM * mem_percentage * 10)) fi + [ -d "$download_dir" ] || { + mkdir -p "$download_dir" + chmod 0755 "$download_dir" + [ -z "$user" ] || chown -R "$user:$group" "$download_dir" + } + + [ "$incomplete_dir_enabled" = "0" ] || [ -d "$incomplete_dir" ] || { + mkdir -p "$incomplete_dir" + chmod 0755 "$incomplete_dir" + [ -z "$user" ] || chown -R "$user:$group" "$incomplete_dir" + } + config_file="$config_dir/settings.json" [ -d "$config_dir" ] || { mkdir -p "$config_dir" chmod 0755 "$config_dir" touch "$config_file" + mkdir -p "$config_dir/resume" + mkdir -p "$config_dir/torrents" + mkdir -p "$config_dir/blocklists" + [ -e "$config_dir/stats.json" ] || touch "$config_dir/stats.json" [ -z "$user" ] || chown -R "$user:$group" "$config_dir" } @@ -120,6 +138,7 @@ transmission() { procd_set_param nice "$nice" procd_set_param stderr 1 procd_set_param respawn + procd_set_param seccomp "/etc/seccomp/transmission-daemon.json" if [ -z "$USE" ]; then procd_set_param limits core="0 0" @@ -134,6 +153,10 @@ transmission() { procd_add_jail transmission log procd_add_jail_mount "$config_file" + procd_add_jail_mount_rw "$config_dir/resume" + procd_add_jail_mount_rw "$config_dir/torrents" + procd_add_jail_mount rw "$config_dir/blocklists" + procd_add_jail_mount_rw "$config_dir/stats.json" procd_add_jail_mount_rw "$download_dir" procd_close_instance }
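Review bot: The new `mkdir -p "$config_dir/resume"`, `.../torrents`, `.../blocklists` lines and the `stats.json` touch sit inside the `[ -d "$config_dir" ] || { … }` block, so they run only on a first start; an install upgrading from release 8 already has `$config_dir`, gets none of them, and the jail later bind-mounts exactly those paths (unless lines outside this hunk create them). Moving the creation below the guard so it also runs for a pre-existing `$config_dir`, with a non-recursive `chown` on the new entries, makes the upgrade path match a fresh install; the existing `chown -R` on creation can stay as is. The per-directory `[ -d ] || { mkdir … chown -R … }` pattern for `$download_dir` and `$incomplete_dir` is fine, since it avoids a recursive `chown` over an existing download tree. `transmission()` starts and ends outside the hunk.

```shell
	config_file="$config_dir/settings.json"
	[ -d "$config_dir" ] || {
		mkdir -p "$config_dir"
		chmod 0755 "$config_dir"
		touch "$config_file"
		[ -z "$user" ] || chown -R "$user:$group" "$config_dir"
	}
	# outside the guard so an existing $config_dir (upgrade from an older release) gets them too
	mkdir -p "$config_dir/resume" "$config_dir/torrents" "$config_dir/blocklists"
	[ -e "$config_dir/stats.json" ] || touch "$config_dir/stats.json"
	[ -z "$user" ] || chown "$user:$group" "$config_dir/resume" "$config_dir/torrents" \
		"$config_dir/blocklists" "$config_dir/stats.json"
```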
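Review bot: `procd_add_jail_mount rw "$config_dir/blocklists"` has a space where the sibling lines have an underscore, so it calls `procd_add_jail_mount` with the literal argument `rw` and the blocklists directory ends up read-only (if mounted at all); it should read `procd_add_jail_mount_rw "$config_dir/blocklists"`. Separately, `$incomplete_dir`, which the earlier hunk now creates, is never mounted into the jail here, so with `incomplete_dir_enabled=1` and a path outside `$download_dir` the daemon cannot write its partial files — add `[ "$incomplete_dir_enabled" = "0" ] || procd_add_jail_mount_rw "$incomplete_dir"` next to the `$download_dir` mount unless a mount exists in lines outside this hunk. A short comment on why `$config_file` stays read-only while `stats.json` is read-write would also help the next reader. `transmission()` continues outside the hunk.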