dnsmasq: reset EXTRA_MOUNT in the right place (#7585)

* dnsmasq: fix more dnsmasq jail issues * remove superflus mounts of /dev/null and /dev/urandom * reset EXTRA_MOUNTS at the beginning of the script * add mount according to ignore_hosts_dir * don't add mount for file which is inside a directory already in the EXTRA_MOUNTS list Fixes: 59c63224e1 ("dnsmasq: rework jail mounts") Reported-by: Hartmut Birr <e9hack@gmail.com> Signed-off-by: Daniel Golle <daniel@makrotopia.org> * dnsmasq: reset EXTRA_MOUNT in the right place EXTRA_MOUNT variable should be reset in dnsmasq_start() rather than just once at the beginning of the script. Fixes: ac4e8aa2f8 ("dnsmasq: fix more dnsmasq jail issues") Reported-by: Hartmut Birr <e9hack@gmail.com> Signed-off-by: Daniel Golle <daniel@makrotopia.org> Co-authored-by: Daniel Golle <daniel@makrotopia.org>
2025-04-17 21:03:30 +00:00 · 2021-08-01 22:26:58 +08:00 · 2021-08-01 22:26:58 +08:00 · 9dc595bade
commit 9dc595bade
parent 7777b3ad7d
1 changed files with 27 additions and 11 deletions
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@ -187,8 +187,22 @@ append_notinterface() {
 	xappend "--except-interface=$ifname"
 }

+ismounted() {
+	local filename="$1"
+	local dirname
+	for dirname in $EXTRA_MOUNT ; do
+		case "$filename" in
+			"${dirname}/"* | "${dirname}" )
+				return 1
+				;;
+		esac
+	done
+
+	return 0
+}
+
 append_addnhosts() {
-	append EXTRA_MOUNT "$1"
+	ismounted "$1" || append EXTRA_MOUNT "$1"
 	xappend "--addn-hosts=$1"
 }

@ -803,9 +817,10 @@ dnsmasq_start()
 	config_get_bool disabled "$cfg" disabled 0
 	[ "$disabled" -gt 0 ] && return 0

-	# reset list of DOMAINS and DNS servers (for each dnsmasq instance)
+	# reset list of DOMAINS, DNS servers and EXTRA mounts (for each dnsmasq instance)
 	DNS_SERVERS=""
 	DOMAIN=""
+	EXTRA_MOUNT=""
 	CONFIGFILE="${BASECONFIGFILE}.${cfg}"
 	CONFIGFILE_TMP="${CONFIGFILE}.$$"
 	HOSTFILE="${BASEHOSTFILE}.${cfg}"
@ -931,6 +946,14 @@ dnsmasq_start()
 		config_list_foreach "$cfg" "interface" append_interface
 		config_list_foreach "$cfg" "notinterface" append_notinterface
 	}
+	config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0
+	if [ "$ignore_hosts_dir" = "1" ]; then
+		xappend "--addn-hosts=$HOSTFILE"
+		append EXTRA_MOUNT "$HOSTFILE"
+	else
+		xappend "--addn-hosts=$(dirname $HOSTFILE)"
+		append EXTRA_MOUNT "$(dirname $HOSTFILE)"
+	fi
 	config_list_foreach "$cfg" "addnhosts" append_addnhosts
 	config_list_foreach "$cfg" "bogusnxdomain" append_bogusnxdomain
 	append_parm "$cfg" "leasefile" "--dhcp-leasefile" "/tmp/dhcp.leases"
@ -1026,12 +1049,6 @@ dnsmasq_start()

 	xappend "--dhcp-broadcast=tag:needs-broadcast"

-	config_get_bool ignore_hosts_dir "$cfg" ignore_hosts_dir 0
-	if [ "$ignore_hosts_dir" = "1" ]; then
-		xappend "--addn-hosts=$HOSTFILE"
-	else
-		xappend "--addn-hosts=$(dirname $HOSTFILE)"
-	fi

 	config_get dnsmasqconfdir "$cfg" confdir "/tmp/dnsmasq.d"
 	xappend "--conf-dir=$dnsmasqconfdir"
@ -1125,10 +1142,9 @@ dnsmasq_start()
 	procd_set_param respawn

 	procd_add_jail dnsmasq ubus log
-	procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE
-	procd_add_jail_mount $EXTRA_MOUNT $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
+	procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
+	procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
 	procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
-	procd_add_jail_mount /dev/null /dev/urandom
 	procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
 	procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile