From fc50a7f6c9e45b0c4e2bb03fbfc42b70e23b9aa6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Luka=20=C5=A0ijanec?=
Date: Sun, 24 Apr 2022 13:24:41 +0200
Subject: 0.0.22
---
 src/openrc.sh | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100755 src/openrc.sh
(limited to 'src/openrc.sh')
diff --git a/src/openrc.sh b/src/openrc.sh
new file mode 100755
index 0000000..192c03e
--- /dev/null
+++ b/src/openrc.sh
@@ -0,0 +1,46 @@
+#!/sbin/openrc-run
+depend() {
+ need net
+}
+# poor man's DynamicUser+TemporaryFileSystem+BindReadOnlyPaths implementation in OpenRC
+command=sear.c
+command_args=""
+chroot=/var/run/sear.c
+command_background=true
+command_user="searc:searc"
+pidfile=/var/run/sear.c/pid
+# files read by sear.c as observed on 2022-04-17 on i386 debian: see misc/files.txt
+mount_chroot() {
+ [ -d $1 ] && mkdir -p /var/run/sear.c$1
+ [ -f $1 ] && mkdir -p /var/run/sear.c`echo $1 | rev | cut -d/ -f 2- | rev` && touch /var/run/sear.c$1
+ [ -e $1 ] && mount -o nosuid,ro --bind $1 /var/run/sear.c$1
+}
+start_pre() {
+ [ -f /etc/sear.c ] && . /etc/sear.c
+ export SC_PORT SC_FALLBACK SC_LOGLEVEL
+ checkpath --directory-truncate --directory --mode 0755 --owner root:root /var/run/sear.c
+ pidfile=/pid # logger runs without chroot as searc user in order to show searc instead of root in syslog.
+ which logger 2>&1 > /dev/null \
+ && start_stop_daemon_args="--stderr-logger-before-chroot \"su searc --shell `which logger`\" --stdout-logger-before-chroot \"su searc --shell `which logger`\""
+ mount_chroot /lib # a question for anyone reading this: we have now two processes on the system, one chrooted that runs sear.c and one outside of chroot that runs
+ mount_chroot /lib64 # logger. could the chrooted process somehow get access to the outside of the chroot by somehow communicating with his logger process? note that
+ mount_chroot /usr/lib # procfs is not mounted. Could it do that if procfs was to be mounted?
+ mount_chroot /usr/lib64
+ mount_chroot /usr/bin/sear.c
+ mount_chroot /etc/gai.conf
+ mount_chroot /etc/host.conf
+ mount_chroot /etc/hosts
+ mount_chroot /etc/localtime
+ mount_chroot /etc/nsswitch.conf
+ mount_chroot /etc/resolv.conf
+ mount_chroot /etc/ld.so.conf
+ mount_chroot /etc/ld.so.conf.d
+ mount_chroot /etc/ld.so.cache
+}
+stop_post() {
+ nodelete=0
+ for dir in `grep run/sear.c /proc/mounts | cut -d' ' -f2`; do # /var/run is usually symlink to /run, so we only grep for run/sear.c
+ umount $dir || nodelete=1
+ done
+ [ $nodelete -eq 0 ] && rm -rf /var/run/sear.c
+}
-- cgit v1.2.3
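Review bot: The final `rm -rf /var/run/sear.c` in `stop_post` only runs after the umount loop, but that loop depends on `grep run/sear.c /proc/mounts` listing every bind mount; if /proc is not mounted or a mount is missed, the loop runs zero times, `nodelete` stays 0 and rm recurses into the still-mounted host directories (/lib, /usr/lib, /etc/…), so the only thing protecting the host is the `ro` flag set in `mount_chroot`. That flag is not guaranteed either: on older util-linux, `mount -o nosuid,ro --bind` applies only the bind on the first call and silently drops `ro,nosuid`, so the chroot contents can end up writable and suid-capable; follow the bind with `mount -o remount,bind,ro,nosuid $1 /var/run/sear.c$1` (or verify the flags in /proc/mounts) so the read-only intent actually holds. In `stop_post`, re-check before deleting, e.g. `[ $nodelete -eq 0 ] && ! grep -q run/sear.c /proc/mounts && rm -rf --one-file-system /var/run/sear.c` (`--one-file-system` is GNU rm; on other platforms keep at least the grep guard). Smaller points in the same hunk: `$1` is unquoted throughout `mount_chroot`, the `echo | rev | cut | rev` chain is `dirname -- "$1"`, and `which logger 2>&1 > /dev/null` sends stderr to the terminal rather than /dev/null (`>/dev/null 2>&1`).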