[PATCH 0/2] enable procd security features by default

Daniel Golle daniel at makrotopia.org
Thu Nov 26 22:21:39 EST 2020


On Thu, Nov 26, 2020 at 05:43:53PM +0100, Petr Štetiar wrote:
> Daniel Golle <daniel at makrotopia.org> [2020-11-07 14:17:12]:
> 
> Hi,
> 
> > Please report back
> 
> testing now the latest master on rtl8382 booted from initramfs and seeing following:
> 
>  Thu Nov 26 14:45:35 2020 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
>  Thu Nov 26 14:45:36 2020 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
>  Thu Nov 26 14:45:42 2020 user.err : jail: pivot_root(/tmp/ujail-CgOmPF, /tmp/ujail-CgOmPF/old) failed: Invalid argument
>  Thu Nov 26 14:45:42 2020 daemon.info procd: Instance dnsmasq::cfg01411c s in a crash loop 14 crashes, 0 seconds since last crash
>  Thu Nov 26 14:45:45 2020 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
>  Thu Nov 26 14:45:45 2020 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
>  Thu Nov 26 14:45:46 2020 user.err : jail: pivot_root(/tmp/ujail-kfIjBM, /tmp/ujail-kfIjBM/old) failed: Invalid argument
>  Thu Nov 26 14:45:46 2020 daemon.info procd: Instance dnsmasq::cfg01411c s in a crash loop 15 crashes, 0 seconds since last crash

Should be fixed in latest master by
commit 7fd3c68137ee0fa4c9f5e7b6f993bd09005f7964
Author: Daniel Golle <daniel at makrotopia.org>
Date:   Fri Nov 27 01:00:31 2020 +0100

    initramfs: switch to tmpfs to fix ujail
...


Examples of 3 ways of using ujail in the OpenWrt base, which should be
tested on all platforms:
dnsmasq: namespaces
busybox-ntpd: capabilities
umdns: seccomp filter

(plus uxc to manage OCI run-time containers with procd)
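Added example, not code from this thread or from procd: a POSIX shell check that reads /proc/mounts-style text and reports whether ujail's pivot_root() can succeed. pivot_root(2) returns EINVAL when the current root is the initramfs "rootfs" mount, which is the condition behind the quoted log and what the tmpfs switch addresses; the function names and the two sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or procd): decide from /proc/mounts
# content whether ujail's pivot_root() can succeed. pivot_root(2) fails with
# EINVAL when the current root is the initial ramfs ("rootfs"), which is the
# failure shown in the quoted log.

# root_fs_type MOUNTS_TEXT
# Print the filesystem type of the "/" mount from /proc/mounts-formatted text.
# Field layout: <source> <mountpoint> <fstype> <options> <dump> <pass>
# If "/" appears more than once, the last (topmost) mount wins.
root_fs_type() {
    printf '%s\n' "$1" | awk '$2 == "/" { type = $3 } END { print type }'
}

# ujail_pivot_root_ok MOUNTS_TEXT
# Return 0 when pivot_root() from this root should work, 1 when it will fail
# with EINVAL because "/" is still the initial ramfs ("rootfs").
ujail_pivot_root_ok() {
    case "$(root_fs_type "$1")" in
        rootfs) return 1 ;;
        "")     return 1 ;;   # no "/" entry at all: treat as not safe
        *)      return 0 ;;
    esac
}

# Constructed sample: an initramfs boot before the fix, root is the kernel's
# built-in rootfs, so ujail's pivot_root() fails with EINVAL.
INITRAMFS_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Constructed sample: after "initramfs: switch to tmpfs", "/" is a tmpfs mount.
TMPFS_MOUNTS='tmpfs / tmpfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0'

# Report on the running system when executed directly.
if [ -r /proc/mounts ]; then
    mounts="$(cat /proc/mounts)"
    if ujail_pivot_root_ok "$mounts"; then
        echo "root is $(root_fs_type "$mounts"): ujail pivot_root should work"
    else
        echo "root is initramfs rootfs: ujail pivot_root will fail with EINVAL"
    fi
fi
```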


