procd/ujail question

Daniel Golle daniel at makrotopia.org
Fri Dec 10 07:30:59 PST 2021


On Fri, Dec 10, 2021 at 04:03:34PM +0100, e9hack wrote:
> 
> Hi,
> 
> Usually the files for a jailed process must be given via procd_add_jail_mount or procd_add_jail_mount_rw. It looks like this isn't necessary for hostapd. Why not? I can't find these two parameters in '/etc/init.d/wpad'.

Using namespaces is not mandatory when using other ujail features (i.e.
capabilities or seccomp can also be used without namespaces).

So hostapd doesn't use mount/filesystem namespaces at this moment but
rather only uses ujail to retain some capabilities while being run as
user and group 'network' (instead of 'root').
I chose to do it that way because the files needed for hostapd at
run-time depend on the configuration (think: TLS certificates or
credentials stored in files) which isn't known by the init script and
may also change without having to restart the process. Hence limiting
filesystem access would always conflict with configurations which are
using additional files.

Another example is umdns which uses ujail only for setting up a seccomp
filter and doesn't make use of any other ujail features.
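
Added example, not part of the original message and not OpenWrt's own code: a small shell check that reports which of the features discussed above an init script requests (jail mounts, capabilities, seccomp, non-root user/group). The three sample scripts are constructed, their paths are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# List the procd/ujail hardening features an init script requests.
# Reads init-script text on stdin; prints the features found, space-separated.
jail_features() {
	# Ignore comment lines so commented-out settings are not counted.
	_body=$(grep -v '^[[:space:]]*#' || true)
	_out=""
	_has 'procd_add_jail_mount(_rw)?[[:space:]]' && _out="$_out jail-mounts"
	_has 'procd_set_param[[:space:]]+capabilities[[:space:]]' && _out="$_out capabilities"
	_has 'procd_set_param[[:space:]]+seccomp[[:space:]]' && _out="$_out seccomp"
	_has 'procd_set_param[[:space:]]+(user|group)[[:space:]]' && _out="$_out non-root"
	echo "${_out# }"
}
_has() { printf '%s\n' "$_body" | grep -Eq "$1"; }

# Constructed samples (not the real init scripts); all paths are placeholders.
sample_caps_only() { cat <<'EOF'
procd_open_instance
procd_set_param command /usr/sbin/EXAMPLE-daemon
procd_add_jail example
procd_set_param capabilities /etc/capabilities/EXAMPLE.json
procd_set_param user network
procd_set_param group network
procd_close_instance
EOF
}
sample_seccomp_only() { cat <<'EOF'
procd_open_instance
procd_set_param command /usr/sbin/EXAMPLE-daemon
procd_set_param seccomp /etc/seccomp/EXAMPLE.json
procd_close_instance
EOF
}
sample_with_mounts() { cat <<'EOF'
procd_open_instance
procd_set_param command /usr/sbin/EXAMPLE-daemon
procd_add_jail example log
procd_add_jail_mount /etc/EXAMPLE.conf
procd_add_jail_mount_rw /var/run/EXAMPLE
# procd_set_param seccomp /etc/seccomp/EXAMPLE.json
procd_close_instance
EOF
}

# Show the result for each sample when run stand-alone.
for s in sample_caps_only sample_seccomp_only sample_with_mounts; do
	printf '%s: %s\n' "$s" "$($s | jail_features)"
done
```

A service that reports no `jail-mounts` keeps full filesystem visibility, so its effective confinement rests on the remaining features listed.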


