snowflake: run snowflake-proxy with procd-ujail

snowflake-proxy doesn't write any files
 => run in read-only rootfs environment

the process needs to read SSL certs but no other files
 => only exposed path is /etc/ssl/certificates (read-only)

running as unprivileged user with no additional capabilities
 => set no-new-privs bit

By default procd-ujail also isolates the process by executing it in
a separate new IPC and PID namespace.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0f3d48a378)
Signed-off-by: Nick Hainke <vincent@systemli.org>
lilik-openwrt-22.03
Daniel Golle 2 years ago
committed by Nick Hainke
parent
commit
be7e4f8e3f
2 changed files with 6 additions and 1 deletion
  1. net/snowflake/Makefile (+1, -1)
  2. net/snowflake/files/snowflake-proxy.init (+5, -0)

net/snowflake/Makefile (+1, -1)

@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=snowflake PKG_NAME:=snowflake
PKG_VERSION:=2.3.0 PKG_VERSION:=2.3.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=https://git.torproject.org/pluggable-transports/snowflake.git PKG_SOURCE_URL=https://git.torproject.org/pluggable-transports/snowflake.git
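
Review bot: no dependency on procd-ujail is declared alongside the PKG_RELEASE bump, which is the only Makefile change, so the sandbox added in the init script applies only on systems where /sbin/ujail is already installed. If the jail is meant to be the default, the package should depend on procd-ujail. If it is meant to stay opportunistic, the package description or a comment next to the `[ -x /sbin/ujail ]` guard should say that a system without ujail runs snowflake-proxy with only the user and group drop.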


net/snowflake/files/snowflake-proxy.init (+5, -0)

@ -14,5 +14,10 @@ start_service() {
procd_set_param user snowflake procd_set_param user snowflake
procd_set_param group snowflake procd_set_param group snowflake
procd_set_param respawn procd_set_param respawn
[ -x /sbin/ujail ] && {
procd_add_jail snowflake-proxy ronly
procd_add_jail_mount /etc/ssl/certs
procd_set_param no_new_privs 1
}
procd_close_instance procd_close_instance
} }
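
Review bot: the procd_add_jail_mount line exposes /etc/ssl/certs, while the commit message names /etc/ssl/certificates as the only exposed path; one of the two should be corrected so that the documented jail surface matches what is actually mounted. A short comment above the block stating why `ronly` is safe here (the proxy writes no files) and why the certificate directory is the only mount would also help whoever next changes the service, since a future option that needs a writable or additional path would otherwise fail inside the jail without an obvious cause.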
