From 8108386ee7d215ec6315cb8f934d0300f23a19f9 Mon Sep 17 00:00:00 2001
From: Marc Benoit
Date: Mon, 5 Sep 2022 08:31:29 -0400
Subject: [PATCH] boinc: run the executable in ujail
Signed-off-by: Marc Benoit
---
 net/boinc/files/boinc-client.init | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/boinc/files/boinc-client.init b/net/boinc/files/boinc-client.init
index 89892da3bc..50252d0f38 100755
--- a/net/boinc/files/boinc-client.init
+++ b/net/boinc/files/boinc-client.init
@@ -4,7 +4,7 @@ START=99
 USE_PROCD=1
 BOINCEXE_NAME=boinc_client
-BOINCDIR=/opt/boinc/
+BOINCDIR=/opt/boinc
 PRESETDIR=/usr/share/boinc
 BOINCUSR=boinc
 BOINCEXE_OPTS="--check_all_logins --redirectio --dir $BOINCDIR"
@@ -41,7 +41,7 @@ start_service() {
 # now use procd to start boinc
 procd_open_instance $BOINCEXE_NAME
- procd_set_param command $BOINCEXE_NAME
+ procd_set_param command $(which $BOINCEXE_NAME)
 procd_append_param command $BOINCEXE_OPTS
 procd_set_param user $BOINCUSR
 procd_set_param limits core="unlimited"
@@ -49,5 +49,12 @@ start_service() {
 procd_set_param stderr 1
 procd_set_param pidfile $PID_FILE
+ procd_add_jail $BOINCEXE_NAME log requirejail
+ procd_add_jail_mount /etc/TZ
+ procd_add_jail_mount /proc/cpuinfo /proc/meminfo
+ procd_add_jail_mount /etc/ssl/certs/ca-certificates.crt
+ procd_add_jail_mount $PRESETDIR
+ procd_add_jail_mount_rw $BOINCDIR
+
 procd_close_instance
 }
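Review bot: The `$(which $BOINCEXE_NAME)` substitution in the second hunk is unquoted and its result is never checked. If the lookup returns nothing, the command list would begin with the first entry of `$BOINCEXE_OPTS`, and the binary that ends up jailed is whatever the init environment's PATH resolves first. A fixed absolute path to the installed client would be more predictable; failing that, use `procd_set_param command "$(command -v "$BOINCEXE_NAME")"` behind a guard that returns when the result is empty. start_service() begins above this hunk, so any earlier PATH handling is not visible here.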
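Review bot: The jail block in the third hunk does not set no_new_privs, although `$BOINCDIR`, the client's working directory (`--dir $BOINCDIR`), is the one path mounted read-write in the jail. Adding `procd_set_param no_new_privs 1` beside the existing `procd_set_param user $BOINCUSR` would keep the client and anything it launches from gaining privileges through setuid or file-capability binaries. The `ronly` jail flag may also be worth testing, since the mount list suggests only `$BOINCDIR` needs to be writable. A short comment above the `procd_add_jail_mount` lines saying why each path is exposed would help keep the list minimal. start_service() begins outside this hunk.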