From 7777b3ad7dcaeeca5f30d92d634d6ed0bedd7fe8 Mon Sep 17 00:00:00 2001 From: Beginner <70857188+Beginner-Go@users.noreply.github.com> Date: Sun, 1 Aug 2021 17:50:30 +0800 Subject: [PATCH 1/2] dnsmasq: rework jail mounts (#7578) * split into multiple lines to improve readability * use EXTRA_MOUNT for addnhosts instead of blindly adding /tmp/hosts * remove no longer needed mount for /sbin/hotplug-call * add dhcp-script.sh dependencies (jshn, ubus) Fixes: 3a94c2ca5c ("dnsmasq: add /tmp/hosts/ to jail_mount") Fixes: aed95c4cb8 ("dnsmasq: switch to ubus-based hotplug call") Reported-by: Stijn Tintel Signed-off-by: Daniel Golle Co-authored-by: Daniel Golle --- package/network/services/dnsmasq/files/dnsmasq.init | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 9eafdb5aa..632c58e95 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -19,6 +19,7 @@ BASEDHCPSTAMPFILE="/var/run/dnsmasq" DHCPBOGUSHOSTNAMEFILE="/usr/share/dnsmasq/dhcpbogushostname.conf" RFC6761FILE="/usr/share/dnsmasq/rfc6761.conf" DHCPSCRIPT="/usr/lib/dnsmasq/dhcp-script.sh" +DHCPSCRIPT_DEPENDS="/usr/share/libubox/jshn.sh /usr/bin/jshn /bin/ubus" DNSMASQ_DHCP_VER=4 @@ -187,6 +188,7 @@ append_notinterface() { } append_addnhosts() { + append EXTRA_MOUNT "$1" xappend "--addn-hosts=$1" } 
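Review bot: `DHCPSCRIPT_DEPENDS` in the first hunk is a hand-maintained list with no comment, so nothing ties it to what dhcp-script.sh actually sources or executes. A comment above it such as `# files dhcp-script.sh needs inside the jail (jshn, ubus); keep in sync with that script` would record the intent. The third hunk mounts these paths for every instance, which places the `ubus` client binary inside the jail. It is worth confirming that whatever ubus ACL applies to the account dnsmasq runs as is no broader than the script needs.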
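Review bot: The `addnhosts` value is appended to `EXTRA_MOUNT` unchecked in `append_addnhosts`, and the third hunk later expands `$EXTRA_MOUNT` unquoted in `procd_add_jail_mount`. A configured path containing whitespace or glob characters would therefore be split or pathname-expanded into jail mounts the administrator did not name. Quoting at the call site does not help because the variable is a space-separated list, so the simpler guard is to reject such values before the append, for example `case "$1" in *[[:space:]]*|*[*?[]*) return 1 ;; esac` ahead of `append EXTRA_MOUNT "$1"`. The `append` helper is defined outside this patch, so the space separator is an assumption.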
@@ -1123,7 +1125,11 @@ dnsmasq_start() procd_set_param respawn procd_add_jail dnsmasq ubus log - procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE $DHCPBOGUSHOSTNAMEFILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript /etc/hosts /etc/ethers /sbin/hotplug-call $EXTRA_MOUNT $DHCPSCRIPT /tmp/hosts/ + procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE + procd_add_jail_mount $EXTRA_MOUNT $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS + procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript + procd_add_jail_mount /dev/null /dev/urandom + procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile procd_close_instance From 9dc595bade3830d0393ad8fd6b2bb48101e192f4 Mon Sep 17 00:00:00 2001 From: Beginner <70857188+Beginner-Go@users.noreply.github.com> Date: Sun, 1 Aug 2021 22:26:58 +0800 Subject: [PATCH 2/2] dnsmasq: reset EXTRA_MOUNT in the right place (#7585) * dnsmasq: fix more dnsmasq jail issues * remove superflus mounts of /dev/null and /dev/urandom * reset EXTRA_MOUNTS at the beginning of the script * add mount according to ignore_hosts_dir * don't add mount for file which is inside a directory already in the EXTRA_MOUNTS list Fixes: 59c63224e1 ("dnsmasq: rework jail mounts") Reported-by: Hartmut Birr Signed-off-by: Daniel Golle * dnsmasq: reset EXTRA_MOUNT in the right place EXTRA_MOUNT variable should be reset in dnsmasq_start() rather than just once at the beginning of the script. Fixes: ac4e8aa2f8 ("dnsmasq: fix more dnsmasq jail issues") Reported-by: Hartmut Birr Signed-off-by: Daniel Golle Co-authored-by: Daniel Golle --- .../services/dnsmasq/files/dnsmasq.init | 38 +++++++++++++------ 1 file changed, 27 insertions(+), 11 deletions(-) 
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 632c58e95..8f610bff1 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -187,8 +187,22 @@ append_notinterface() { xappend "--except-interface=$ifname" } +ismounted() { + local filename="$1" + local dirname + for dirname in $EXTRA_MOUNT ; do + case "$filename" in + "${dirname}/"* | "${dirname}" ) + return 1 + ;; + esac + done + + return 0 +} + append_addnhosts() { - append EXTRA_MOUNT "$1" + ismounted "$1" || append EXTRA_MOUNT "$1" xappend "--addn-hosts=$1" } @@ -803,9 +817,10 @@ dnsmasq_start() config_get_bool disabled "$cfg" disabled 0 [ "$disabled" -gt 0 ] && return 0 - # reset list of DOMAINS and DNS servers (for each dnsmasq instance) + # reset list of DOMAINS, DNS servers and EXTRA mounts (for each dnsmasq instance) DNS_SERVERS="" DOMAIN="" + EXTRA_MOUNT="" CONFIGFILE="${BASECONFIGFILE}.${cfg}" CONFIGFILE_TMP="${CONFIGFILE}.$$" HOSTFILE="${BASEHOSTFILE}.${cfg}" @@ -931,6 +946,14 @@ dnsmasq_start() config_list_foreach "$cfg" "interface" append_interface config_list_foreach "$cfg" "notinterface" append_notinterface } + config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0 + if [ "$ignore_hosts_dir" = "1" ]; then + xappend "--addn-hosts=$HOSTFILE" + append EXTRA_MOUNT "$HOSTFILE" + else + xappend "--addn-hosts=$(dirname $HOSTFILE)" + append EXTRA_MOUNT "$(dirname $HOSTFILE)" + fi config_list_foreach "$cfg" "addnhosts" append_addnhosts config_list_foreach "$cfg" "bogusnxdomain" append_bogusnxdomain append_parm "$cfg" "leasefile" "--dhcp-leasefile" "/tmp/dhcp.leases" 
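Review bot: The return values of `ismounted` are inverted relative to its call site in `append_addnhosts`. The function returns 1 when the path is already covered by an `EXTRA_MOUNT` entry and 0 when it is not, so `ismounted "$1" || append EXTRA_MOUNT "$1"` appends only paths that are already covered and skips every new one. An `addnhosts` file outside the hosts directory seeded in the `@@ -931` hunk would then be passed to `--addn-hosts` but never mounted, and presumably would not be readable from inside the jail. Swapping the two, with `return 0` inside the `case` arm and `return 1` after the loop, follows the shell convention that 0 means true and makes the `||` behave as the commit message describes. The match is a plain string-prefix test, so a one-line comment noting that paths are compared without normalisation would help.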
@@ -1026,12 +1049,6 @@ dnsmasq_start() xappend "--dhcp-broadcast=tag:needs-broadcast" - config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0 - if [ "$ignore_hosts_dir" = "1" ]; then - xappend "--addn-hosts=$HOSTFILE" - else - xappend "--addn-hosts=$(dirname $HOSTFILE)" - fi config_get dnsmasqconfdir "$cfg" confdir "/tmp/dnsmasq.d" xappend "--conf-dir=$dnsmasqconfdir" @@ -1125,10 +1142,9 @@ dnsmasq_start() procd_set_param respawn procd_add_jail dnsmasq ubus log - procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE - procd_add_jail_mount $EXTRA_MOUNT $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS + procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS + procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript - procd_add_jail_mount /dev/null /dev/urandom procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile