Browse Source

transmission: add seccomp filter and improve jail

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
lilik-openwrt-22.03
Daniel Golle 5 years ago
parent
commit
609109fa97
3 changed files with 101 additions and 2 deletions
  1. +3
    -1
      net/transmission/Makefile
  2. +74
    -0
      net/transmission/files/transmission-daemon.json
  3. +24
    -1
      net/transmission/files/transmission.init

+ 3
- 1
net/transmission/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=transmission
PKG_VERSION:=2.94
PKG_RELEASE:=8
PKG_RELEASE:=9
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=@GITHUB/transmission/transmission-releases/master
@ -24,6 +24,7 @@ PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/package-seccomp.mk
define Package/transmission/template
SUBMENU:=BitTorrent
@ -150,6 +151,7 @@ define Package/transmission-daemon-openssl/install
$(INSTALL_CONF) files/transmission.config $(1)/etc/config/transmission
$(INSTALL_DIR) $(1)/etc/sysctl.d/
$(INSTALL_CONF) files/transmission.sysctl $(1)/etc/sysctl.d/20-transmission.conf
$(call InstallSeccomp,$(1),./files/transmission-daemon.json)
endef
Package/transmission-daemon-mbedtls/install = $(Package/transmission-daemon-openssl/install)


+ 74
- 0
net/transmission/files/transmission-daemon.json View File

@ -0,0 +1,74 @@
{
"whitelist": [
"accept4",
"access",
"arm_fadvise64_64",
"bind",
"brk",
"clock_gettime",
"clone",
"close",
"connect",
"epoll_create1",
"epoll_ctl",
"epoll_pwait",
"exit",
"exit_group",
"fadvise64",
"fallocate",
"fcntl",
"fcntl64",
"fstat",
"fstat64",
"fsync",
"futex",
"getdents64",
"getpeername",
"getpid",
"getsockname",
"getsockopt",
"ioctl",
"listen",
"_llseek",
"lseek",
"madvise",
"membarrier",
"mkdir",
"mmap",
"mmap2",
"mprotect",
"munmap",
"nanosleep",
"_newselect",
"open",
"pipe",
"pipe2",
"poll",
"pread64",
"prlimit64",
"pwrite64",
"read",
"readlink",
"readv",
"recvfrom",
"rename",
"rmdir",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"select",
"sendto",
"setsockopt",
"shutdown",
"sigreturn",
"socket",
"stat",
"stat64",
"umask",
"uname",
"unlink",
"write",
"writev"
],
"policy": 1
}

+ 24
- 1
net/transmission/files/transmission.init View File

@ -48,7 +48,7 @@ transmission() {
local user
local group
local config_overwrite
local download_dir config_dir
local download_dir config_dir incomplete_dir incomplete_dir_enabled
local mem_percentage
local nice
local web_home
@ -59,6 +59,8 @@ transmission() {
config_get user "$cfg" 'user'
config_get group "$cfg" 'group'
config_get download_dir "$cfg" 'download_dir' '/var/etc/transmission'
config_get incomplete_dir "$cfg" 'incomplete_dir' '/var/etc/transmission'
config_get incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0
config_get mem_percentage "$cfg" 'mem_percentage' '50'
config_get config_overwrite "$cfg" config_overwrite 1
config_get nice "$cfg" nice 0
@ -71,11 +73,27 @@ transmission() {
USE=$((MEM * mem_percentage * 10))
fi
[ -d "$download_dir" ] || {
mkdir -p "$download_dir"
chmod 0755 "$download_dir"
[ -z "$user" ] || chown -R "$user:$group" "$download_dir"
}
[ "$incomplete_dir_enabled" = "0" ] || [ -d "$incomplete_dir" ] || {
mkdir -p "$incomplete_dir"
chmod 0755 "$incomplete_dir"
[ -z "$user" ] || chown -R "$user:$group" "$incomplete_dir"
}
config_file="$config_dir/settings.json"
[ -d "$config_dir" ] || {
mkdir -p "$config_dir"
chmod 0755 "$config_dir"
touch "$config_file"
mkdir -p "$config_dir/resume"
mkdir -p "$config_dir/torrents"
mkdir -p "$config_dir/blocklists"
[ -e "$config_dir/stats.json" ] || touch "$config_dir/stats.json"
[ -z "$user" ] || chown -R "$user:$group" "$config_dir"
}
@ -120,6 +138,7 @@ transmission() {
procd_set_param nice "$nice"
procd_set_param stderr 1
procd_set_param respawn
procd_set_param seccomp "/etc/seccomp/transmission-daemon.json"
if [ -z "$USE" ]; then
procd_set_param limits core="0 0"
@ -134,6 +153,10 @@ transmission() {
procd_add_jail transmission log
procd_add_jail_mount "$config_file"
procd_add_jail_mount_rw "$config_dir/resume"
procd_add_jail_mount_rw "$config_dir/torrents"
procd_add_jail_mount rw "$config_dir/blocklists"
procd_add_jail_mount_rw "$config_dir/stats.json"
procd_add_jail_mount_rw "$download_dir"
procd_close_instance
}


Loading…
Cancel
Save