snowflake-proxy doesn't write any files
=> run in read-only rootfs environment
the process needs to read SSL certs but no other files
=> only exposed path is /etc/ssl/certificates (read-only)
running as unprivileged user with no additional capabilities
=> set no-new-privs bit
By default procd-ujail also isolates the process by executing it in
a separate new IPC and PID namespace.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit
0f3d48a3784fb495ffdfe4a83f540ad42fab89df)
Signed-off-by: Nick Hainke <vincent@systemli.org>
PKG_NAME:=snowflake
PKG_VERSION:=2.3.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=https://git.torproject.org/pluggable-transports/snowflake.git
procd_set_param user snowflake
procd_set_param group snowflake
procd_set_param respawn
+ [ -x /sbin/ujail ] && {
+ procd_add_jail snowflake-proxy ronly
+ procd_add_jail_mount /etc/ssl/certs
+ procd_set_param no_new_privs 1
+ }
procd_close_instance
}
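Review bot: The path mounted into the jail, `/etc/ssl/certs` on the `procd_add_jail_mount` line, does not match the `/etc/ssl/certificates` named in the commit message, so the exposed read-only surface is documented inaccurately; the message should name `/etc/ssl/certs`. The jail is also applied only when `[ -x /sbin/ujail ]` holds, and when it does not the `&&` block is skipped silently and the proxy runs unconfined, which deserves a comment such as `# sandbox is best-effort: without procd-ujail the proxy runs without jail, ro-rootfs or no_new_privs`. If the entries under `/etc/ssl/certs` are symlinks into another directory on the target system (I cannot tell from here), that target must be mounted into the jail as well or certificate loading will fail inside the sandbox. The enclosing `start_service` function starts outside this hunk.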