boinc: run the executable in ujail

Signed-off-by: Marc Benoit <marcb62185@gmail.com>

net/boinc/files/boinc-client.init

@@ -4,7 +4,7 @@ START=99
 USE_PROCD=1
 
 BOINCEXE_NAME=boinc_client
-BOINCDIR=/opt/boinc/
+BOINCDIR=/opt/boinc
 PRESETDIR=/usr/share/boinc
 BOINCUSR=boinc
 BOINCEXE_OPTS="--check_all_logins --redirectio --dir $BOINCDIR"
@@ -41,7 +41,7 @@ start_service() {
    # now use procd to start boinc
    procd_open_instance $BOINCEXE_NAME
 
-   procd_set_param command $BOINCEXE_NAME
+   procd_set_param command $(which $BOINCEXE_NAME)
    procd_append_param command $BOINCEXE_OPTS
    procd_set_param user $BOINCUSR
    procd_set_param limits core="unlimited"
@@ -49,5 +49,12 @@ start_service() {
    procd_set_param stderr 1
    procd_set_param pidfile $PID_FILE
 
+   procd_add_jail $BOINCEXE_NAME log requirejail
+   procd_add_jail_mount /etc/TZ
+   procd_add_jail_mount /proc/cpuinfo /proc/meminfo
+   procd_add_jail_mount /etc/ssl/certs/ca-certificates.crt
+   procd_add_jail_mount $PRESETDIR
+   procd_add_jail_mount_rw $BOINCDIR
+
    procd_close_instance
 }