Fun with jailed dnsmasq

reinerotto · November 8, 2025, 11:58am

Adding 'log-facility=/tmp/dnsmasq.log' to /etc/dnsmasq.conf will not work.
Because /tmp/dnsmasq.log not allowed for jailed dnsmasq.
Need to use 'option logfacility /tmp/dnsmasq.log' in /etc/config/dhcp, instead.
OR to edit /etc/init.d/dnsmasq, as a brutal hack.
kill -SIGUSR1 $(cat /var/run/dnsmasq/dnsmasq*.pid)
is a reliable method to crash (read: STOP) my system.
Because 'cat /var/run/dnsmasq/dnsmasq*.pid' shows me 1 ....
I guess, this is a bug in the jailing of dnsmasq in /etc/init.d/dnsmasq:
PID-file needs to be writable for jailed dnsmasq.

Suggestion for improvement: It might be a good idea, to implement user-configurable jail-options,
i.e. by provision of /etc/config/jail, and sections for each jailed process.
To allow additions to ro-acces, and rw-access, from jail.
OR, even better, to define all jail opts for the various processes in /etc/conf/jail, only, and not to hard-code in /etc/init.d.

dave14305 · November 8, 2025, 12:16pm

The whole /var/run/dnsmasq/ directory is mounted read-write in the jail.

github.com/openwrt/openwrt

package/network/services/dnsmasq/files/dnsmasq.init

412bc7e1d


      
          	local instance_ifc instance_netdev
          	config_get instance_ifc "$cfg" interface
          	[ -n "$instance_ifc" ] && network_get_device instance_netdev "$instance_ifc" &&
          		[ -n "$instance_netdev" ] && procd_set_param netdev $instance_netdev
          
          	procd_add_jail dnsmasq ubus log
          	procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
          	procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
          	procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
          	procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
          	procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
          	case "$logfacility" in */*)
          		[ ! -e "$logfacility" ] && touch "$logfacility"
          		procd_add_jail_mount_rw "$logfacility"
          	esac
          	[ -e "$hostsfile" ] && procd_add_jail_mount $hostsfile
          
          	procd_close_instance
          }
          
          dnsmasq_stop()

I guess it’s just that the jailed process can’t determine its own PID to write to the file?

Also see:

reinerotto · November 8, 2025, 1:13pm

Can’t determine own PID correctly. Which would explain the “1” I can see as PID. Indicating a bug in ujail utility.

dave14305 · November 8, 2025, 1:19pm

I guess it’s considered a feature:

reinerotto · November 8, 2025, 1:29pm

… a feature. This is a joke. Documented functionality of “dnsmasq …-x /var/run/dnsmasq/dnsmasq.cfg01411c.pid” is to store dnsmasqs pid . Period. Now I see, there is option ‘ -P create PIDFILE’ available for ujail. MAY BE, this should be used in /etc/init.d/dnsmasq when jailing.

grrr2 · November 8, 2025, 2:01pm

that is quite reasonable. usually directly editing default config files is not recommended, should modify the corresponding config file under /etc/config. there is a logic in the init script to handle logfile, the default config file /etc/dnsmasq.conf is not parsed, just added to jail as-is.

reinerotto · November 8, 2025, 3:43pm

I have the same code done on a Cudy_TR1200. Which worked with 24.10.4. Most likely, because there was no jail. Porting code to Cudy_TR3000 does not work any more, because jailing, all of a sudden. With some surprises. Anyway, solution found. But some more fun:

Implementing something like log-rotate with dnsmasq, using

PID=$(ps | grep -m 1 /usr/sbin/dnsmasq | cut -d' ' -f2)

kill -SIGUSR1 $PID
mv dnsmasq.log dnsmasq-"$DATE".log
#touch /tmp/dnsmasq.log ; does not work, either
#chown dnsmasq /tmp/dnsmasq.log; does not work, either
kill -SIGUSR2 $PID

does not work. (No new logfile created, or no data written into touched file) .Because change of /tmp/dnsmasq.log (because being closed/reopened by dnsmasq) not “recognized” by jail ?

(inotify?)

Needs /etc/init.d/dnsmasq restart, instead.

grrr2 · November 8, 2025, 3:50pm

you should not treat dnsmasq service as a native dnsmasq app. it runs as a procd+ujail service not a native app, you should not directly poke with it but use the service dnsmasq command and modify the corresponding /etc/config/dhcp.

reinerotto · November 8, 2025, 4:07pm

Thre are quite a few sensible dnsmasq options, not available in /etc/config/dhcp.

Quote: The configuration is done with help of the uci-configuration file: /etc/config/dhcp, but you can use this together with the file /etc/dnsmasq.conf.

It might be a good idea, to make this jailing optional. Will try to remove ujail.

grrr2 · November 8, 2025, 4:20pm

true. but you are doing something totally different and it is not working as you expect … which will not as it is not working like that.

efahl · November 8, 2025, 4:53pm

Hmm, I've always naively just done killall -s USR1 dnsmasq to get cache info, which doesn't seem very service-like. Is there an alternative offered somewhere in the service code? I can't find anything that looks promising in the init.d files...

reinerotto · November 8, 2025, 5:31pm

All problems (bad pid, SIGUSR1, SIGUSR2) solved, after elimination of ujail. Saves some RAM, anyway (BTW: Also KERNEL_NAMESPACES dropped).

grrr2 · November 8, 2025, 7:11pm

yeah, and introduced a new attack vector. there is a reason why ujail is used. but feel free not using, it’s your router, your data after all.

system · November 18, 2025, 7:12pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.