[OpenWrt-Devel] adding seccomp and service jailing to procd

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Sat Mar 28 06:17:41 EDT 2015


On 27/03/2015 14:37, John Crispin wrote:
>
> On 27/03/2015 13:45, Etienne Champetier wrote:
>> Hi,
>>
>>
>> 2015-03-27 10:42 GMT+01:00 John Crispin <blogic at openwrt.org>:
>>
>>     OpenWrt service hardening and jailing
>>     =====================================
>>
>>
>> <...>
>>  
>>
>>     If there are features that we are not aware of yet or that we forgot to
>>     list, then please let us know about them.
>>
>>     Comments and ideas are welcome ...

Hi John,

Thanks for the dnsmasq 'root' fix that I saw go through...not tested yet.

A thought: Is there care needed here to cope with those configuration
options that are very obviously exposed in LuCI? For example: dnsmasq
lease file defaults to /tmp/dhcp.leases *but* I tend to move that file
to a USB storage location so it survives router reboots. As it stands
it looks like the init script is unaware of picking up this config
option and jailing the correct file, defaulting to /tmp/dhcp.leases. I
can really see the security benefits to 'jail' though, great idea.

Thanks for your time.

Kevin

