mdns: add jail and seccomp support

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45012

package/network/services/mdns/Makefile

@@ -20,6 +20,7 @@ PKG_SOURCE_VERSION:=a5560f88bb2cddeef0ef11a12e7822b9c19a75a5
 PKG_MAINTAINER:=John Crispin <blogic@openwrt.org>
 PKG_LICENSE:=LGPL-2.1
 
+include $(INCLUDE_DIR)/package-seccomp.mk
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
 
@@ -37,6 +38,7 @@ define Package/mdns/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mdns $(1)/usr/sbin/
 	$(INSTALL_BIN) ./files/mdns.init $(1)/etc/init.d/mdns
 	$(INSTALL_CONF) ./files/mdns.config $(1)/etc/config/mdns
+	$(call InstallSeccomp,$(1),./files/mdns.json)
 endef
 
 $(eval $(call BuildPackage,mdns))

package/network/services/mdns/files/mdns.config

@@ -1,2 +1,3 @@
 config mdns
+	option jail 1
 	list network lan

package/network/services/mdns/files/mdns.init

@@ -35,6 +35,7 @@ start_service() {
 
 	procd_open_instance
 	procd_set_param command "$PROG"
+	procd_set_param seccomp /etc/seccomp/mdns.json
 	procd_set_param respawn
 	procd_open_trigger
 	procd_add_config_trigger "config.change" "mdns" /etc/init.d/mdns reload
@@ -43,10 +44,11 @@ start_service() {
 	done
 	procd_add_raw_trigger "instance.update" 5000 "/bin/ubus" "call" "mdns" "reload"
 	procd_close_trigger
+	[ "$(uci get mdns.@mdns[-1].jail)" = 1 ] && procd_add_jail mdns ubus log
 	procd_close_instance
 }
 
 service_started() {
-	ubus wait_for -t 5 mdns
+	ubus wait_for -t 10 mdns
 	[ $? = 0 ] && reload_service
 }

package/network/services/mdns/files/mdns.json

@@ -0,0 +1,32 @@
+{
+	"whitelist": [
+		"read",
+		"write",
+		"open",
+		"close",
+		"time",
+		"brk",
+		"ioctl",
+		"uname",
+		"bind",
+		"connect",
+		"getsockname",
+		"recvmsg",
+		"sendmsg",
+		"sendto",
+		"setsockopt",
+		"socket",
+		"poll",
+		"fcntl64",
+		"epoll_create",
+		"epoll_ctl",
+		"epoll_wait",
+		"rt_sigaction",
+		"sigreturn",
+		"rt_sigreturn",
+		"exit_group",
+		"exit",
+		"clock_gettime"
+	],
+	"policy": 1
+}