#!/sbin/openrc-run
# sear.c listens on the network, so the net service must be up first.
depend() { need net; }
# poor man's DynamicUser+TemporaryFileSystem+BindReadOnlyPaths implementation in OpenRC:
# start-stop-daemon backgrounds the daemon, chroots it into /var/run/sear.c and drops to searc.
chroot="/var/run/sear.c"
# presumably resolved via PATH inside the chroot, hence the bind mount of /usr/bin/sear.c
# in start_pre - confirm against start-stop-daemon
command="sear.c"
command_args=""
command_user="searc:searc"
command_background="true"
# host-side view of the pidfile (used at stop); start_pre switches it to /pid for the chrooted start
pidfile="/var/run/sear.c/pid"
# files read by sear.c as observed on 2022-04-17 on i386 debian: see misc/files.txt
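# Expose one host path read-only inside the chroot by bind-mounting it onto the
# same path under /var/run/sear.c.
# $1 - absolute host path (directory or regular file).
# Returns 0 when the path does not exist on this host (it is skipped, so
# arch-specific entries such as /lib64 can be listed unconditionally), and
# non-zero when creating the mount point or the mount itself fails, so a caller
# can refuse to start the daemon in an incomplete chroot. The original returned
# the status of the last test, which made a missing path and a failed mount
# indistinguishable.
mount_chroot() {
	local src="$1"
	local dst="/var/run/sear.c$1"
	# best effort for paths that are not present on this host
	[ -e "$src" ] || return 0
	if [ -d "$src" ]; then
		mkdir -p "$dst" || return 1
	else
		# a file needs its parent directory plus an empty file to mount onto
		mkdir -p "$(dirname "$dst")" && touch "$dst" || return 1
	fi
	# nosuid,ro: the chroot must never offer a writable or setuid view of host files.
	# NOTE(review): 'ro' together with --bind takes effect in one step only on newer
	# util-linux; older versions silently need a follow-up 'mount -o remount,bind,ro'.
	# Verify with 'grep run/sear.c /proc/mounts' on the target host that 'ro' is set.
	mount -o nosuid,ro --bind "$src" "$dst"
}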
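# Build the read-only chroot under /var/run/sear.c and wire up logging before
# start-stop-daemon launches sear.c as searc inside it.
# Returns non-zero (aborting the start) when the chroot root cannot be prepared
# or a bind mount fails, so the daemon never runs inside a half-populated
# chroot; a host path that does not exist (e.g. /lib64 on i386) is skipped.
start_pre() {
	local logger_bin path
	# /etc/sear.c is sourced as root: it must be owned by root and not writable by
	# group or other, otherwise whoever can edit it runs code as root at service start.
	[ -f /etc/sear.c ] && . /etc/sear.c
	export SC_PORT SC_FALLBACK SC_LOGLEVEL
	# Fresh, root-owned chroot root; --directory-truncate empties it first.
	# NOTE(review): if a previous stop left bind mounts behind (stop_post keeps the
	# directory in that case), the truncate runs against still-mounted host paths;
	# check /proc/mounts for run/sear.c before assuming a clean start.
	checkpath --directory-truncate --directory --mode 0755 --owner root:root /var/run/sear.c || return 1
	# Presumably start-stop-daemon resolves the pidfile relative to the chroot once
	# --chroot is in effect, so for the start it is /pid (= /var/run/sear.c/pid on the
	# host, which is what the top-level pidfile= says for stop). TODO confirm against
	# the installed start-stop-daemon.
	pidfile=/pid
	# Route the daemon's stdout/stderr through logger, started outside the chroot as
	# searc so syslog shows searc instead of root. The original '2>&1 > /dev/null'
	# redirected in the wrong order and left which's stderr visible.
	# NOTE(review): the --std{out,err}-logger-before-chroot options must be supported
	# by the installed start-stop-daemon; a version without them fails the start.
	if logger_bin=$(command -v logger 2>/dev/null) && [ -n "$logger_bin" ]; then
		start_stop_daemon_args="--stderr-logger-before-chroot \"su searc --shell $logger_bin\" --stdout-logger-before-chroot \"su searc --shell $logger_bin\""
	fi
	# Files sear.c needs at runtime (observed 2022-04-17 on i386 debian, see
	# misc/files.txt), bind-mounted nosuid,ro at the same path inside the chroot.
	# On the logger/chroot question: without procfs in the chroot the only object the
	# chrooted daemon shares with the un-chrooted logger is a pipe, which carries bytes
	# only, not file descriptors or paths, so it offers no way out. If procfs were
	# mounted inside the chroot, /proc/<pid>/root of the logger process (same uid
	# searc, un-chrooted) would likely be readable under the default ptrace access
	# rules - so keep procfs out, or run logger under a distinct uid if it is ever
	# needed. Sharing the uid also lets the daemon signal (kill) its logger, which
	# would silence logging; a separate uid closes that too.
	for path in /lib /lib64 /usr/lib /usr/lib64 /usr/bin/sear.c \
	            /etc/gai.conf /etc/host.conf /etc/hosts /etc/localtime \
	            /etc/nsswitch.conf /etc/resolv.conf \
	            /etc/ld.so.conf /etc/ld.so.conf.d /etc/ld.so.cache; do
		# skip paths absent on this host; mount_chroot is then never asked to mount them
		[ -e "$path" ] || continue
		mount_chroot "$path" || {
			eerror "failed to bind-mount $path into /var/run/sear.c"
			return 1
		}
	done
	return 0
}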
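# Tear down the chroot: unmount every bind mount below /var/run/sear.c, then
# remove the directory only if all of them came off.
# Returns non-zero when any unmount failed; the directory is left in place
# then, because 'rm -rf' over a still-mounted host path would descend into it
# (the mounts are read-only, but do not rely on that).
stop_post() {
	local mounts="" mp failed=0
	# Match on the mount-point field (2nd) only, so a device or option field that
	# happens to contain the name is not mistaken for one of our mounts. /var/run is
	# usually a symlink to /run, hence the match on run/sear.c rather than the full
	# path. /proc/mounts escapes whitespace as \040, so the fields split safely; such
	# escapes are not decoded here, which is fine for the fixed paths mounted above.
	while read -r _ mp _; do
		case "$mp" in
			*/run/sear.c|*/run/sear.c/*) mounts="$mp $mounts" ;;
		esac
	done < /proc/mounts
	# $mounts is in reverse mount order, so a nested mount point is released before
	# its parent (the original walked /proc/mounts top-down).
	for mp in $mounts; do
		umount "$mp" || { ewarn "could not unmount $mp"; failed=1; }
	done
	[ "$failed" -eq 0 ] && rm -rf /var/run/sear.c
}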