[OpenWrt-Devel] issues with service jailing

Maxim Storchak m.storchak at gmail.com
Tue Aug 11 13:13:46 EDT 2015


Hi,

I'm trying to build latest trunk with CONFIG_PROCD_JAIL_SUPPORT=y, and
it appears that ujail can't run anything in jail. The reason is that
/lib/ld-musl-mips-sf.so.1 (I have ar71xx router) is not present in jail
root. As I understand it, ujail parses the ELF headers of the target binary and
bind-mounts all of its libraries into the jail -- all except that one, which is
the dynamic loader itself (a symlink to libc.so, see the ls output below).
Unfortunately I can't fix it myself, so I'd like core devs to take a look at this issue.

Reproduction:
root at OpenWrt:~# ldd /bin/busybox
        /lib/ld-musl-mips-sf.so.1 (0x55c30000)
        librpc.so => /lib/librpc.so (0x77b8a000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77b66000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x55c30000)
root at OpenWrt:~# ls -la /lib/ld-musl-mips-sf.so.1
lrwxrwxrwx 1 root root 7 Aug 10 20:43 /lib/ld-musl-mips-sf.so.1 -> libc.so

root at OpenWrt:~# /sbin/ujail -n busybox  -P /tmp/.jail/busybox --
/bin/busybox ash
jail: spawning /bin/busybox
jail: failed to spawn child /bin/busybox: No such file or directory
jail: child (2) exited: 65280
jail: namespace (3319) exited: 10

root at OpenWrt:~# /sbin/ujail -n busybox  -P /tmp/.jail/busybox -r
/lib/ld-musl-mips-sf.so.1  -- /bin/busybox ash
jail: spawning /bin/busybox
/ # /bin/busybox ls /
bin  lib  usr


One more request would be to add support for "helper" binaries. Consider
this case: I want to run transmission with idle IO priority. At the
moment procd doesn't support ionice, so I try to run /bin/ionice -c3
/usr/bin/transmission-daemon. In this case ujail correctly creates jail
for ionice, but everything required to run transmission-daemon has to be
added by hand.
It would be nice to be able to pass single reference to a binary
(/usr/bin/transmission-daemon in this case) and have ujail automatically
pull all required libs. The init subsystem should export this ability as
something like procd_add_jail_mount_bin.

Reproduction:
root at OpenWrt:~# /sbin/ujail -n busybox  -P /tmp/.jail/busybox -r
/lib/ld-musl-mips-sf.so.1  -- /bin/ionice -c3 /usr/bin/wget-ssl
jail: spawning /bin/ionice
ionice: can't execute '/usr/bin/wget-ssl': No such file or directory
jail: child (2) exited: 32512
jail: namespace (3375) exited: 10

root at OpenWrt:~# /sbin/ujail -n busybox  -P /tmp/.jail/busybox -r
/lib/ld-musl-mips-sf.so.1 -r /usr/lib/libpcre.so.1 -r
/usr/lib/libssl.so.1.0.0 -r /usr/lib/libcrypto.so.1.0.0 -r
/usr/lib/libz.so.1 -r /usr/bin/wget-ssl -- /bin/ionice -c3 /usr/bin/wget-ssl
jail: spawning /bin/ionice
wget-ssl: missing URL
Usage: wget-ssl [OPTION]... [URL]...

Try `wget-ssl --help' for more options.
jail: child (2) exited: 256
jail: namespace (3393) exited: 10


With the patch applied:
root at OpenWrt:~# /tmp/ujail -n busybox -b /usr/bin/wget-ssl -b
/usr/bin/curl -b /usr/bin/tmux -P /tmp/.jail/busybox -r
/lib/ld-musl-mips-sf.so.1  -- /bin/busybox ls -1 /lib /usr/lib
jail: spawning /bin/busybox
/lib:
ld-musl-mips-sf.so.1
libblobmsg_json.so
libc.so
libgcc_s.so.1
libpreload-seccomp.so
librpc.so
libubox.so

/usr/lib:
libcrypto.so.1.0.0
libcurl.so.4
libevent-2.0.so.5
libjson-c.so.2
libncurses.so.5
libpcre.so.1
libssl.so.1.0.0
libz.so.1
jail: child (2) exited: 0
jail: namespace (4500) exited: 10


-- 
Best regards,
Maxim Storchak
mailto:m.storchak at gmail.com
    Signed-off-by: Maxim Storchak <m.storchak at gmail.com>

diff --git a/jail/jail.c b/jail/jail.c
index 2bba292..22fda87 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -43,7 +43,7 @@
 #include <libubox/uloop.h>
 
 #define STACK_SIZE	(1024 * 1024)
-#define OPT_ARGS	"P:S:n:r:w:psuldo"
+#define OPT_ARGS	"P:S:n:r:w:b:psuldo"
 
 struct extra {
 	struct list_head list;
@@ -260,6 +260,7 @@ static int usage(void)
 	fprintf(stderr, "  -n <name>\tthe name of the jail\n");
 	fprintf(stderr, "  -r <file>\treadonly files that should be staged\n");
 	fprintf(stderr, "  -w <file>\twriteable files that should be staged\n");
+	fprintf(stderr, "  -b <file>\tadditional binaries that should be staged\n");
 	fprintf(stderr, "  -p\t\tjail has /proc\t\n");
 	fprintf(stderr, "  -s\t\tjail has /sys\t\n");
 	fprintf(stderr, "  -l\t\tjail has /dev/log\t\n");
@@ -433,6 +434,12 @@ int main(int argc, char **argv)
 
 	umask(022);
 
+	avl_init(&libraries, avl_strcmp, false, NULL);
+	alloc_library_path("/lib64");
+	alloc_library_path("/lib");
+	alloc_library_path("/usr/lib");
+	load_ldso_conf("/etc/ld.so.conf");
+
 	while ((ch = getopt(argc, argv, OPT_ARGS)) != -1) {
 		switch (ch) {
 		case 'd':
@@ -457,6 +464,11 @@ int main(int argc, char **argv)
 		case 'l':
 			add_extra(log, 0);
 			break;
+		case 'b':
+			if (elf_load_deps(optarg)) {
+				ERROR("failed to load dependencies for %s\n", optarg);
+				return -1;
+			}
 		}
 	}
 
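Review bot: The new `case 'b'` at the bottom of the switch has no `break;` after its `if` block; because it is the last label, control just leaves the switch today, but any case added below it later would silently fall through into the dependency-loading path, so add `break;` after the closing brace of the `if`. Also, the handler only calls `elf_load_deps(optarg)`; from what is visible here nothing stages the named binary itself, and the pre-patch wget-ssl example earlier on this page still needed `-r /usr/bin/wget-ssl` alongside the libraries, so if elf_load_deps records only the libraries the `-b` usage text should say that the file itself must still be passed with `-r`, or the handler should stage it as well. The enclosing main() starts and ends outside this hunk.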
@@ -476,11 +488,6 @@ int main(int argc, char **argv)
 	if (name)
 		prctl(PR_SET_NAME, name, NULL, NULL, NULL);
 
-	avl_init(&libraries, avl_strcmp, false, NULL);
-	alloc_library_path("/lib64");
-	alloc_library_path("/lib");
-	alloc_library_path("/usr/lib");
-	load_ldso_conf("/etc/ld.so.conf");
 
 	if (elf_load_deps(argv[optind])) {
 		ERROR("failed to load dependencies\n");