snowflake: run snowflake-proxy with procd-ujail
snowflake-proxy doesn't write any files => run in a read-only rootfs environment. The process needs to read SSL certs but no other files => the only exposed path is /etc/ssl/certs (read-only). Running as an unprivileged user with no additional capabilities => set the no-new-privs bit. By default procd-ujail also isolates the process by executing it in separate new IPC and PID namespaces. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
parent
cf120a7eff
commit
0f3d48a378
2 changed files with 6 additions and 1 deletions
|
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=snowflake
|
||||
PKG_VERSION:=2.3.0
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL=https://git.torproject.org/pluggable-transports/snowflake.git
|
||||
|
|
5
net/snowflake/files/snowflake-proxy.init
Executable file → Normal file
5
net/snowflake/files/snowflake-proxy.init
Executable file → Normal file
|
@ -14,5 +14,10 @@ start_service() {
|
|||
procd_set_param user snowflake
|
||||
procd_set_param group snowflake
|
||||
procd_set_param respawn
|
||||
[ -x /sbin/ujail ] && {
|
||||
procd_add_jail snowflake-proxy ronly
|
||||
procd_add_jail_mount /etc/ssl/certs
|
||||
procd_set_param no_new_privs 1
|
||||
}
|
||||
procd_close_instance
|
||||
}
|
||||
|
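Review bot: `procd_set_param no_new_privs 1` sits inside the `[ -x /sbin/ujail ] && { ... }` guard, so on an image without ujail the proxy is started without the no-new-privs bit even though that is an ordinary instance parameter rather than a jail option; moving it above the guard, next to `procd_set_param respawn`, keeps the hardening on every build. The `-x` test only proves the ujail binary exists, not that procd can actually set the jail up, so if the procd in this tree supports it consider `procd_add_jail snowflake-proxy ronly requirejail` to make the service refuse to start unjailed instead of quietly falling back. Since the only file exposed is /etc/ssl/certs, and the certs imply the proxy talks TLS to remote hosts by name, it is worth confirming that ujail exposes /etc/resolv.conf (and whatever the Go resolver reads) by default; if not, a `procd_add_jail_mount /etc/resolv.conf` line would be needed for name resolution inside the jail. The enclosing start_service() begins outside the hunk.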
|