openwrt-packages/net/snowflake/files
Daniel Golle 0f3d48a378 snowflake: run snowflake-proxy with procd-ujail
snowflake-proxy doesn't write any files
 => run in read-only rootfs environment

the process needs to read SSL certs but no other files
 => only exposed path is /etc/ssl/certificates (read-only)

running as unprivileged user with no additional capabilities
 => set no-new-privs bit

By default procd-ujail also isolates the process by executing it in
a separate new IPC and PID namespace.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-09-25 01:38:09 +01:00
snowflake-proxy.init snowflake: run snowflake-proxy with procd-ujail 2022-09-25 01:38:09 +01:00