go2rtc: jail service, add uci config
authorVladimir Ermakov <[email protected]>
Thu, 21 Aug 2025 09:01:55 +0000 (11:01 +0200)
committerGeorge Sapkin <[email protected]>
Tue, 11 Nov 2025 23:04:19 +0000 (01:04 +0200)
- Add UCI configuration to be able to switch user/group and set ulimit.
- Place daemon into a jail by default, to allow binding to lower ports such as 554 (RTSP)
- Add option to allow or deny config.yaml editing from the web interface.
- Connect stdout/err to log

Signed-off-by: Vladimir Ermakov <[email protected]>
multimedia/go2rtc/Makefile
multimedia/go2rtc/files/go2rtc.conf [new file with mode: 0644]
multimedia/go2rtc/files/go2rtc.init
multimedia/go2rtc/files/go2rtc.json [new file with mode: 0644]

index 197aed6820eec4b8ec07dcfa1ee018a4a310b162..914282da8d396dcd495d29d0c1290d1959256c45 100644 (file)
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=go2rtc
 PKG_VERSION:=1.9.9
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/AlexxIT/go2rtc/tar.gz/v$(PKG_VERSION)?
@@ -37,6 +37,7 @@ endef
 
 define Package/go2rtc/conffiles
 /etc/go2rtc.yaml
+/etc/config/go2rtc
 endef
 
 define Package/go2rtc/install
@@ -46,6 +47,10 @@ define Package/go2rtc/install
        $(INSTALL_CONF) $(CURDIR)/files/go2rtc.yaml $(1)/etc/go2rtc.yaml
        $(INSTALL_DIR) $(1)/etc/init.d/
        $(INSTALL_BIN) $(CURDIR)/files/go2rtc.init $(1)/etc/init.d/go2rtc
+       $(INSTALL_DIR) $(1)/etc/capabilities/
+       $(INSTALL_DATA) $(CURDIR)/files/go2rtc.json $(1)/etc/capabilities/go2rtc.json
+       $(INSTALL_DIR) $(1)/etc/config
+       $(INSTALL_CONF) $(CURDIR)/files/go2rtc.conf $(1)/etc/config/go2rtc
 endef
 
 $(eval $(call BuildPackage,go2rtc))
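Review bot: The new `$(INSTALL_DIR) $(1)/etc/config` line drops the trailing slash that the neighbouring `$(INSTALL_DIR)` lines (`/etc/init.d/`, `/etc/capabilities/`) carry; harmless to `mkdir -p`, but worth matching, e.g. `$(INSTALL_DIR) $(1)/etc/config/`. The Package/go2rtc DEPENDS stanza is outside these hunks; since the init script now relies on procd_add_jail and a capabilities file, it is worth confirming whether the package should depend on (or at least document the need for) procd-ujail, because on an image without ujail the jail lines are skipped and the non-root daemon presumably does not get CAP_NET_BIND_SERVICE for port 554. A one-line comment above the capabilities install, `# capability set handed to procd/ujail by files/go2rtc.init`, would tell readers why a JSON file lands in /etc/capabilities.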
diff --git a/multimedia/go2rtc/files/go2rtc.conf b/multimedia/go2rtc/files/go2rtc.conf
new file mode 100644 (file)
index 0000000..2ed2c22
--- /dev/null
@@ -0,0 +1,6 @@
+config daemon 'daemon'
+       option disable_jail '0'
+       option user 'go2rtc'
+       option group 'go2rtc'
+       option limit_nofile ''
+       option allow_config_edit '0'
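Review bot: The new UCI file ships five options with no hint of their meaning or accepted values, and `option limit_nofile ''` is an empty placeholder that the init script already defaults to. A short comment per option would help, e.g. `# disable_jail: 1 runs the daemon outside ujail; binding ports below 1024 may then fail`, `# limit_nofile: RLIMIT_NOFILE handed to procd, e.g. '4096'` (constructed value), `# allow_config_edit: 1 makes /etc/go2rtc.yaml writable by the daemon so the web UI can edit it`. UCI accepts `#` comment lines, but `uci commit` rewrites the file without them, so the same text belongs in the package README or commit message as well.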
index 1cc4aba83b78525f9eac86d2419bbf743751895b..c3c20ccf4ff12a0385731c9b40236b75816cccd9 100644 (file)
@@ -4,14 +4,54 @@ START=99
 
 USE_PROCD=1
 PROG=/usr/bin/go2rtc
-USER=go2rtc
-GROUP=go2rtc
+CONF=go2rtc
 
 start_service() {
+       local disable_jail
+       local user
+       local group
+       local limit_nofile
+       local allow_config_edit
+       local ycfg=/etc/go2rtc.yaml
+
+       config_load "$CONF"
+       config_get_bool disable_jail daemon disable_jail 0
+       config_get user daemon user go2rtc
+       config_get group daemon group go2rtc
+       config_get limit_nofile daemon limit_nofile ''
+       config_get_bool allow_config_edit daemon allow_config_edit 0
+
+       chown "$user:$group" "$ycfg"
+       if [[ "$allow_config_edit" -ne 0 ]]; then
+               chmod 640 "$ycfg"
+       else
+               chmod 440 "$ycfg"
+       fi
+
        procd_open_instance
-       procd_set_param command "$PROG" -config /etc/go2rtc.yaml
-       procd_set_param user "$USER"
-       procd_set_param group "$GROUP"
+       procd_set_param command "$PROG" -config "$ycfg"
+       procd_set_param user "$user"
+       procd_set_param group "$group"
        procd_set_param respawn
+       procd_set_param capabilities "/etc/capabilities/go2rtc.json"
+       procd_set_param stdout 1
+       procd_set_param stderr 1
+
+       [[ -n "$limit_nofile" ]] && procd_append_param limits nofile="$limit_nofile"
+
+       if [[ "$disable_jail" -eq 0 ]]; then
+               procd_add_jail go2rtc log
+
+               procd_add_jail_mount /etc/TZ
+               procd_add_jail_mount /etc/ssl/certs
+               procd_add_jail_mount /usr/bin/ffmpeg
+
+               if [[ "$allow_config_edit" -ne 0 ]]; then
+                       procd_add_jail_mount_rw "$ycfg"
+               else
+                       procd_add_jail_mount "$ycfg"
+               fi
+       fi
+
        procd_close_instance
 }
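Review bot: `chown "$user:$group" "$ycfg"` at the top of start_service is unchecked, so a UCI `user`/`group` naming an account that does not exist (typo, or account not yet created) fails silently and the following `chmod 440` leaves the file owned by root and unreadable by the daemon, which only surfaces later as a go2rtc startup error. Bail out explicitly instead: `chown "$user:$group" "$ycfg" || { logger -t go2rtc -p daemon.err "cannot chown $ycfg to $user:$group"; return 1; }`. The `[[ ... ]]` tests work under OpenWrt's busybox ash, but the surrounding init scripts conventionally use POSIX `[ ... ]`, e.g. `[ "$allow_config_edit" -ne 0 ]`, which keeps the script portable to a plain sh. The jail exposes only /etc/TZ, /etc/ssl/certs, /usr/bin/ffmpeg and the yaml, so any other path the yaml references (recording directories, TLS key/cert for the API, exec sources) is invisible inside it; a comment above `procd_add_jail` stating that, and that `disable_jail 1` is the escape hatch, would save users a confusing failure. `procd_set_param capabilities` is also set when the jail is disabled; whether procd honours it without ujail should be confirmed, since that decides if port 554 still works in that mode.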
diff --git a/multimedia/go2rtc/files/go2rtc.json b/multimedia/go2rtc/files/go2rtc.json
new file mode 100644 (file)
index 0000000..82eb37a
--- /dev/null
@@ -0,0 +1,17 @@
+{
+       "bounding": [
+               "CAP_NET_BIND_SERVICE"
+       ],
+       "effective": [
+               "CAP_NET_BIND_SERVICE"
+       ],
+       "ambient": [
+               "CAP_NET_BIND_SERVICE"
+       ],
+       "permitted": [
+               "CAP_NET_BIND_SERVICE"
+       ],
+       "inheritable": [
+               "CAP_NET_BIND_SERVICE"
+       ]
+}