From be7e4f8e3f69fae3f9afeb21486934afa43acaa8 Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Sun, 25 Sep 2022 01:28:43 +0100 Subject: [PATCH] snowflake: run snowflake-proxy with procd-ujail snowflake-proxy doesn't write any files => run in read-only rootfs environment the process needs to read SSL certs but no other files => only exposed path is /etc/ssl/certificates (read-only) running as unpriviledged user with no additional capabilities => set no-new-privs bit By default procd-ujail also isolates the process by executing it in a separate new IPC and PID namespace. Signed-off-by: Daniel Golle (cherry picked from commit 0f3d48a3784fb495ffdfe4a83f540ad42fab89df) Signed-off-by: Nick Hainke --- net/snowflake/Makefile | 2 +- net/snowflake/files/snowflake-proxy.init | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) mode change 100755 => 100644 net/snowflake/files/snowflake-proxy.init diff --git a/net/snowflake/Makefile b/net/snowflake/Makefile index 2ceb93a67..8471acb2e 100644 --- a/net/snowflake/Makefile +++ b/net/snowflake/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=snowflake PKG_VERSION:=2.3.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=https://git.torproject.org/pluggable-transports/snowflake.git diff --git a/net/snowflake/files/snowflake-proxy.init b/net/snowflake/files/snowflake-proxy.init old mode 100755 new mode 100644 index 2ddfe1830..3d8b4387d --- a/net/snowflake/files/snowflake-proxy.init +++ b/net/snowflake/files/snowflake-proxy.init @@ -14,5 +14,10 @@ start_service() { procd_set_param user snowflake procd_set_param group snowflake procd_set_param respawn + [ -x /sbin/ujail ] && { + procd_add_jail snowflake-proxy ronly + procd_add_jail_mount /etc/ssl/certs + procd_set_param no_new_privs 1 + } procd_close_instance }