dnsmasq: fix more dnsmasq jail issues

* remove superfluous mounts of /dev/null and /dev/urandom
 * reset EXTRA_MOUNTS at the beginning of the script
 * add mount according to ignore_hosts_dir
 * don't add mount for file which is inside a directory already in the
   EXTRA_MOUNTS list

Fixes: 59c63224e1 ("dnsmasq: rework jail mounts")
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Daniel Golle 2021-08-01 11:25:41 +01:00
parent 59c63224e1
commit ac4e8aa2f8
GPG Key ID: 5A8F39C31C3217CA


@ -10,6 +10,7 @@ ADD_LOCAL_DOMAIN=1
ADD_LOCAL_HOSTNAME=1 ADD_LOCAL_HOSTNAME=1
ADD_WAN_FQDN=0 ADD_WAN_FQDN=0
ADD_LOCAL_FQDN="" ADD_LOCAL_FQDN=""
EXTRA_MOUNT=""
BASECONFIGFILE="/var/etc/dnsmasq.conf" BASECONFIGFILE="/var/etc/dnsmasq.conf"
BASEHOSTFILE="/tmp/hosts/dhcp" BASEHOSTFILE="/tmp/hosts/dhcp"
@ -187,8 +188,22 @@ append_notinterface() {
xappend "--except-interface=$ifname" xappend "--except-interface=$ifname"
} }
ismounted() {
local filename="$1"
local dirname
for dirname in $EXTRA_MOUNT ; do
case "$filename" in
"${dirname}/"* | "${dirname}" )
return 1
;;
esac
done
return 0
}
append_addnhosts() { append_addnhosts() {
append EXTRA_MOUNT "$1" ismounted "$1" || append EXTRA_MOUNT "$1"
xappend "--addn-hosts=$1" xappend "--addn-hosts=$1"
} }
@ -927,6 +942,14 @@ dnsmasq_start()
config_list_foreach "$cfg" "interface" append_interface config_list_foreach "$cfg" "interface" append_interface
config_list_foreach "$cfg" "notinterface" append_notinterface config_list_foreach "$cfg" "notinterface" append_notinterface
} }
config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0
if [ "$ignore_hosts_dir" = "1" ]; then
xappend "--addn-hosts=$HOSTFILE"
append EXTRA_MOUNT "$HOSTFILE"
else
xappend "--addn-hosts=$(dirname $HOSTFILE)"
append EXTRA_MOUNT "$(dirname $HOSTFILE)"
fi
config_list_foreach "$cfg" "addnhosts" append_addnhosts config_list_foreach "$cfg" "addnhosts" append_addnhosts
config_list_foreach "$cfg" "bogusnxdomain" append_bogusnxdomain config_list_foreach "$cfg" "bogusnxdomain" append_bogusnxdomain
append_parm "$cfg" "leasefile" "--dhcp-leasefile" "/tmp/dhcp.leases" append_parm "$cfg" "leasefile" "--dhcp-leasefile" "/tmp/dhcp.leases"
@ -1022,12 +1045,6 @@ dnsmasq_start()
xappend "--dhcp-broadcast=tag:needs-broadcast" xappend "--dhcp-broadcast=tag:needs-broadcast"
config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0
if [ "$ignore_hosts_dir" = "1" ]; then
xappend "--addn-hosts=$HOSTFILE"
else
xappend "--addn-hosts=$(dirname $HOSTFILE)"
fi
config_get dnsmasqconfdir "$cfg" confdir "/tmp/dnsmasq.d" config_get dnsmasqconfdir "$cfg" confdir "/tmp/dnsmasq.d"
xappend "--conf-dir=$dnsmasqconfdir" xappend "--conf-dir=$dnsmasqconfdir"
@ -1121,10 +1138,9 @@ dnsmasq_start()
procd_set_param respawn procd_set_param respawn
procd_add_jail dnsmasq ubus log procd_add_jail dnsmasq ubus log
procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
procd_add_jail_mount $EXTRA_MOUNT $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
procd_add_jail_mount /dev/null /dev/urandom
procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
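Review bot: The return codes in the new `ismounted()` (hunk `@ -187,8 +188,22`) are inverted relative to how `append_addnhosts` uses them: the function returns 1 when `$filename` matches an entry of `EXTRA_MOUNT` and 0 when nothing matched, so `ismounted "$1" || append EXTRA_MOUNT "$1"` appends exactly the paths that are already covered and skips the ones that are not, leaving an addnhosts file outside an already-listed directory without a jail mount. Swapping the two returns fixes it: `return 0` in the `case` arm and `return 1` after the loop, keeping the call site as written. Note that de-duplication only considers paths that went through `append EXTRA_MOUNT`; directories handed directly to `procd_add_jail_mount` (`$dnsmasqconfdir`, `$resolvdir`) are not checked, which is fine but worth a comment on the function. Separately, in the `ignore_hosts_dir` block `$(dirname $HOSTFILE)` leaves `$HOSTFILE` unquoted inside the substitution; `"$(dirname "$HOSTFILE")"` is the safer form. `dnsmasq_start` starts and ends outside these hunks.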