openwrt-packages/net/snowflake/files
Daniel Golle 8aa01bc1d7 snowflake: run snowflake-proxy with procd-ujail
snowflake-proxy doesn't write any files
 => run in read-only rootfs environment

the process needs to read SSL certs but no other files
 => only exposed path is /etc/ssl/certificates (read-only)

running as unprivileged user with no additional capabilities
 => set no-new-privs bit

By default procd-ujail also isolates the process by executing it in
a separate new IPC and PID namespace.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0f3d48a378)
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-25 07:34:12 +02:00
..
snowflake-proxy.init snowflake: run snowflake-proxy with procd-ujail 2022-09-25 07:34:12 +02:00