From 5df794e34303ed2d1832c0626291ad392a228e8c Mon Sep 17 00:00:00 2001 From: "Emily H." Date: Tue, 30 Apr 2024 11:03:38 +0000 Subject: [PATCH] dnsproxy: add three new features This commit adds the following features: 1. UCI support for local DNS over HTTPS/TLS/QUIC server. 2. UCI support for using private reverse DNS. 3. procd jail with CAP_NET_BIND_SERVICE, allowing dnsproxy to serve on standard ports directly. Signed-off-by: Emily H. --- net/dnsproxy/Makefile | 4 +++- net/dnsproxy/files/dnsproxy.config | 11 +++++++++++ net/dnsproxy/files/dnsproxy.init | 25 +++++++++++++++++++++++++ net/dnsproxy/files/dnsproxy.json | 17 +++++++++++++++++ 4 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 net/dnsproxy/files/dnsproxy.json diff --git a/net/dnsproxy/Makefile b/net/dnsproxy/Makefile index cf5b46fcde..9149b3bc4a 100644 --- a/net/dnsproxy/Makefile +++ b/net/dnsproxy/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsproxy PKG_VERSION:=0.70.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)? @@ -45,6 +45,8 @@ endef define Package/dnsproxy/install $(call GoPackage/Package/Install/Bin,$(1)) + $(INSTALL_DIR) $(1)/etc/capabilities/ + $(INSTALL_DATA) $(CURDIR)/files/dnsproxy.json $(1)/etc/capabilities/dnsproxy.json $(INSTALL_DIR) $(1)/etc/config/ $(INSTALL_CONF) $(CURDIR)/files/dnsproxy.config $(1)/etc/config/dnsproxy $(INSTALL_DIR) $(1)/etc/init.d/ diff --git a/net/dnsproxy/files/dnsproxy.config b/net/dnsproxy/files/dnsproxy.config index 90feb94d46..ac704a7bb4 100644 --- a/net/dnsproxy/files/dnsproxy.config +++ b/net/dnsproxy/files/dnsproxy.config 
@@ -37,8 +37,19 @@ config dnsproxy 'edns' option enabled '0' option edns_addr '' +config dnsproxy 'private_rdns' + option enabled '0' + list upstream '127.0.0.1:53' + config dnsproxy 'servers' list bootstrap 'tls://8.8.8.8' list fallback 'tls://9.9.9.9' list upstream 'tls://1.1.1.1' +config dnsproxy 'tls' + option enabled '0' + option tls_crt '' + option tls_key '' + option https_port '8443' + option tls_port '853' + option quic_port '853' diff --git a/net/dnsproxy/files/dnsproxy.init b/net/dnsproxy/files/dnsproxy.init index fc04ac9a68..ab1382d3f1 100644 --- a/net/dnsproxy/files/dnsproxy.init +++ b/net/dnsproxy/files/dnsproxy.init @@ -66,6 +66,11 @@ load_config_list() { is_empty "bogus_nxdomain" "ip_addr" || config_list_foreach "bogus_nxdomain" "ip_addr" "append_param '--bogus-nxdomain'" + is_enabled "private_rdns" "enabled" && { + append_param "--use-private-rdns" + config_list_foreach "private_rdns" "upstream" "append_param '--private-rdns-upstream'" + } + for i in "bootstrap" "fallback" "upstream"; do is_empty "servers" "$i" || config_list_foreach "servers" "$i" "append_param '--$i'" done @@ -95,6 +100,14 @@ load_config_param() { append_param "--edns" append_param_arg "edns" "edns_addr" "--edns-addr" } + + is_enabled "tls" "enabled" && { + append_param_arg "tls" "tls_crt" "--tls-crt" + append_param_arg "tls" "tls_key" "--tls-key" + append_param_arg "tls" "https_port" "--https-port" + append_param_arg "tls" "tls_port" "--tls-port" + append_param_arg "tls" "quic_port" "--quic-port" + } } start_service() { @@ -102,6 +115,11 @@ start_service() { is_enabled "global" "enabled" || return 1 + local log_file tls_crt tls_key + config_get log_file global log_file + config_get tls_crt tls tls_crt + config_get tls_key tls tls_key + procd_open_instance "$CONF" procd_set_param command "$PROG" 
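Review bot: The new `tls` section gives the user no hint about the two things most likely to go wrong with it: the files named in `tls_crt`/`tls_key` must be readable by the unprivileged `dnsproxy` user the init script runs the instance as, and `tls_port` and `quic_port` both defaulting to `853` is not a clash because DNS-over-TLS listens on TCP and DNS-over-QUIC on UDP. Whether a blank `https_port`/`tls_port`/`quic_port` disables that listener depends on how `append_param_arg` treats empty values, which this patch does not show, so that should be confirmed before documenting it. If the file already carries `#` comments, a short one above the section would do: `# tls_crt/tls_key must be readable by user dnsproxy; tls_port is TCP and quic_port is UDP, so both may be 853`.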
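Review bot: With `private_rdns` enabled but its `upstream` list empty, the new block still emits `--use-private-rdns` without any `--private-rdns-upstream`, whereas every other list in this function is guarded with `is_empty … ||`. Whether dnsproxy then refuses to start or answers private-range PTR queries some other way is binary behaviour the hunk does not show; either way the script should not hand over the flag without an upstream. One-line fix using the helper already in scope: `is_enabled "private_rdns" "enabled" && ! is_empty "private_rdns" "upstream" && {`. load_config_list continues outside the hunk.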
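Review bot: `config_get tls_crt tls tls_crt` and `config_get tls_key tls tls_key` read the paths whether or not the `tls` section is enabled, and the later start_service hunk bind-mounts every non-empty value into the jail, so a certificate and private key left configured in a disabled section are still made visible to the jailed process. Gating the reads on the same check load_config_param uses keeps the jail's view to what the instance actually needs: `is_enabled "tls" "enabled" && { config_get tls_crt tls tls_crt; config_get tls_key tls tls_key; }` (the `local` declaration stays unconditional). start_service continues outside the hunk.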
@@ -114,6 +132,13 @@ start_service() { procd_set_param stderr 1 procd_set_param user dnsproxy + procd_add_jail dnsproxy ronly log + procd_set_param capabilities "/etc/capabilities/dnsproxy.json" + procd_add_jail_mount "/etc/ssl/certs/ca-certificates.crt" + [ -z "$log_file" ] || procd_add_jail_mount_rw "$log_file" + [ -z "$tls_crt" ] || procd_add_jail_mount "$tls_crt" + [ -z "$tls_key" ] || procd_add_jail_mount "$tls_key" + procd_close_instance } diff --git a/net/dnsproxy/files/dnsproxy.json b/net/dnsproxy/files/dnsproxy.json new file mode 100644 index 0000000000..82eb37a361 --- /dev/null +++ b/net/dnsproxy/files/dnsproxy.json @@ -0,0 +1,17 @@ +{ + "bounding": [ + "CAP_NET_BIND_SERVICE" + ], + "effective": [ + "CAP_NET_BIND_SERVICE" + ], + "ambient": [ + "CAP_NET_BIND_SERVICE" + ], + "permitted": [ + "CAP_NET_BIND_SERVICE" + ], + "inheritable": [ + "CAP_NET_BIND_SERVICE" + ] +}
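Review bot: `procd_add_jail_mount_rw "$log_file"` bind-mounts a path that will not exist on a first start, and inside a `ronly` jail the process cannot create it itself; whether ujail then refuses the instance or just drops the mount is not shown here, but in neither case does the log get written. The mount is also only useful if the file is writable by the unprivileged `dnsproxy` user set two lines above, and the same ownership question applies to read access on `$tls_crt`/`$tls_key` — a key readable only by root is mounted but unusable. Suggest preparing the file before `procd_open_instance`: `[ -z "$log_file" ] || { touch "$log_file" && chown dnsproxy "$log_file"; }`, and documenting the readability requirement for the certificate paths. The `/etc/ssl/certs/ca-certificates.crt` mount presumes the CA bundle is installed; if this package does not depend on it, the `tls://` upstreams shipped as defaults cannot be verified from inside the jail, so a Makefile dependency or a guard around that mount is worth adding.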