diff options
Diffstat (limited to 'repo/system/openrc/0006-Add-support-for-starting-services-in-a-specified-VRF.patch')
| -rw-r--r-- | repo/system/openrc/0006-Add-support-for-starting-services-in-a-specified-VRF.patch | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/repo/system/openrc/0006-Add-support-for-starting-services-in-a-specified-VRF.patch b/repo/system/openrc/0006-Add-support-for-starting-services-in-a-specified-VRF.patch new file mode 100644 index 0000000..6f7ed69 --- /dev/null +++ b/repo/system/openrc/0006-Add-support-for-starting-services-in-a-specified-VRF.patch @@ -0,0 +1,101 @@ +From c250503412b061e69a99cfe12514e47fc06b5885 Mon Sep 17 00:00:00 2001 +From: Ariadne Conill <ariadne@dereferenced.org> +Date: Fri, 14 Feb 2020 16:02:43 +0000 +Subject: [PATCH] Add support for starting services in a specified VRF. + +The venerable iproute2 utility has recently introduced support +for executing programs in specific VRFs which are virtualized +routing tables. These are typically used to isolate different +networking planes from each other, for security or flexibility +reasons. + +Services which use the normal supervisor/start-stop-daemon +pattern can be configured by setting the vrf variable in the +/etc/conf.d tree for the service. + +This allows for things like configuring the sshd service to +run in a management VRF, which is useful for high assurance +environments where the management plane is intended to be +isolated. + +Signed-off-by: Ariadne Conill <ariadne@dereferenced.org> +--- + sh/openrc-run.sh.in | 6 ++++++ + sh/runit.sh | 2 +- + sh/s6.sh | 2 +- + sh/start-stop-daemon.sh | 2 +- + sh/supervise-daemon.sh | 2 +- + 5 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/sh/openrc-run.sh.in b/sh/openrc-run.sh.in +index 5c84af45..a1f374b0 100644 +--- a/sh/openrc-run.sh.in ++++ b/sh/openrc-run.sh.in +@@ -236,6 +236,12 @@ if ! sourcex -e "$_conf_d/$RC_SVCNAME.$RC_RUNLEVEL"; then + fi + unset _conf_d + ++# If we are configured to run in a VRF, provide a hint for that ++RC_VRF_EXEC="" ++if [ -n "$vrf" ]; then ++ RC_VRF_EXEC="/sbin/ip vrf exec $vrf" ++fi ++ + # load service supervisor functions + sourcex "@LIBEXECDIR@/sh/runit.sh" + sourcex "@LIBEXECDIR@/sh/s6.sh" +diff --git a/sh/runit.sh b/sh/runit.sh +index 5d82c9f6..c0186a43 100644 +--- a/sh/runit.sh ++++ b/sh/runit.sh +@@ -23,7 +23,7 @@ runit_start() + local i=0 retval=1 + # it can take upto 5 seconds for runsv to start + while [ $i -lt 6 ] ; do +- if sv start "${service_link}" > /dev/null 2>&1; then ++ if ${RC_VRF_EXEC} sv start "${service_link}" > /dev/null 2>&1; then + retval=0 + break + fi +diff --git a/sh/s6.sh b/sh/s6.sh +index acbe965b..1f339703 100644 +--- a/sh/s6.sh ++++ b/sh/s6.sh +@@ -37,7 +37,7 @@ s6_start() + ln -sf "${s6_service_path}" "${s6_service_link}" + s6-svscanctl -na "${RC_SVCDIR}"/s6-scan + sleep 1.5 +- s6-svc -u "${s6_service_link}" ++ ${RC_VRF_EXEC} s6-svc -u "${s6_service_link}" + if [ -n "$s6_svwait_options_start" ]; then + s6-svwait ${s6_svwait_options_start} "${s6_service_link}" + fi +diff --git a/sh/start-stop-daemon.sh b/sh/start-stop-daemon.sh +index 2e549ae1..5e7a1b88 100644 +--- a/sh/start-stop-daemon.sh ++++ b/sh/start-stop-daemon.sh +@@ -45,7 +45,7 @@ ssd_start() + #the eval call is necessary for cases like: + # command_args="this \"is a\" test" + # to work properly. +- eval start-stop-daemon --start \ ++ eval ${RC_VRF_EXEC} start-stop-daemon --start \ + --exec $command \ + ${chroot:+--chroot} $chroot \ + ${directory:+--chdir} $directory \ +diff --git a/sh/supervise-daemon.sh b/sh/supervise-daemon.sh +index e403a789..259b8166 100644 +--- a/sh/supervise-daemon.sh ++++ b/sh/supervise-daemon.sh +@@ -24,7 +24,7 @@ supervise_start() + # The eval call is necessary for cases like: + # command_args="this \"is a\" test" + # to work properly. +- eval supervise-daemon "${RC_SVCNAME}" --start \ ++ eval ${RC_VRF_EXEC} supervise-daemon "${RC_SVCNAME}" --start \ + ${retry:+--retry} $retry \ + ${directory:+--chdir} $directory \ + ${chroot:+--chroot} $chroot \ +-- +2.33.1 + |