From df9ee1388e59b964dfafd28310c59f62c9071932 Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Mon, 22 Mar 2021 21:53:04 +0100
Subject: [PATCH] adblock: update 4.1.0-3
* add a restrictive "jail mode only" variant, just point your jail directory to your primary dns directory
* update readme
Signed-off-by: Dirk Brenken
---
 net/adblock/Makefile | 2 +-
 net/adblock/files/README.md | 3 +++
 net/adblock/files/adblock.sh | 47 +++++++++++++++++++++++++++++++-----
 3 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/net/adblock/Makefile b/net/adblock/Makefile
index 6481a79f32..ff10162da5 100644
--- a/net/adblock/Makefile
+++ b/net/adblock/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=adblock
 PKG_VERSION:=4.1.0
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/adblock/files/README.md b/net/adblock/files/README.md
index f0f145c3fb..33b5ea00aa 100644
--- a/net/adblock/files/README.md
+++ b/net/adblock/files/README.md
@@ -208,6 +208,9 @@ and at the end of the file add:
 Adblock deposits the final blocklist 'adb_list.overall' in '/etc/kresd', no further configuration needed. Please note: The knot-resolver (kresd) is only available on Turris devices and does not support the SafeSearch functionality yet.
+**Use restrictive jail modes:**
+You can enable a restrictive 'adb_list.jail' to block access to all domains except those listed in the whitelist file. Usually this list will be generated as an additional list for guest or kidsafe configurations (for a separate dns server instance). If the jail directory points to your primary dns directory, adblock enables the restrice jail mode (jail mode only).
+
 **Enable E-Mail notification via 'msmtp':** To use the email notification you have to install & configure the package 'msmtp'. Modify the file '/etc/msmtprc':
diff --git a/net/adblock/files/adblock.sh b/net/adblock/files/adblock.sh
index 0177a793b7..731310e99a 100755
--- a/net/adblock/files/adblock.sh
+++ b/net/adblock/files/adblock.sh
@@ -281,10 +281,9 @@ f_dns()
 f_log "err" "dns backend not found, please set 'adb_dns' manually"
 fi
- if [ "${adb_dns}" != "raw" ] && { [ "${adb_dnsdir}" = "${adb_tmpbase}" ] || [ "${adb_dnsdir}" = "${adb_backupdir}" ] || \
- [ "${adb_dnsdir}" = "${adb_reportdir}" ] || [ "${adb_dnsdir}" = "${adb_jaildir}" ]; }
+ if [ "${adb_dns}" != "raw" ] && { [ "${adb_dnsdir}" = "${adb_tmpbase}" ] || [ "${adb_dnsdir}" = "${adb_backupdir}" ] || [ "${adb_dnsdir}" = "${adb_reportdir}" ]; }
 then
- f_log "err" "dns directory '${adb_dnsdir}' has been misconfigured, it must not point to the 'adb_tmpbase', 'adb_backupdir', 'adb_reportdir' or 'adb_jaildir'"
+ f_log "err" "dns directory '${adb_dnsdir}' has been misconfigured, it must not point to the 'adb_tmpbase', 'adb_backupdir', 'adb_reportdir'"
 fi
 if [ "${adb_action}" = "start" ] && [ -z "${adb_trigger}" ]
@@ -686,7 +685,7 @@ f_list()
 case "${mode}" in
 "blacklist"|"whitelist")
 src_name="${mode}"
- if [ "${src_name}" = "blacklist" ] && [ -s "${adb_blacklist}" ]
+ if [ "${src_name}" = "blacklist" ] && [ -f "${adb_blacklist}" ]
 then
 rset="/^([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}"
 "${adb_awk}" "${rset}" "${adb_blacklist}" | \
@@ -694,7 +693,7 @@ f_list()
 "${adb_sort}" ${adb_srtopts} -u "${adb_tmpdir}/tmp.raw.${src_name}" 2>/dev/null > "${adb_tmpfile}.${src_name}"
 out_rc="${?}"
 rm -f "${adb_tmpdir}/tmp.raw.${src_name}"
- elif [ "${src_name}" = "whitelist" ] && [ -s "${adb_whitelist}" ]
+ elif [ "${src_name}" = "whitelist" ] && [ -f "${adb_whitelist}" ]
 then
 rset="/^([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}"
 "${adb_awk}" "${rset}" "${adb_whitelist}" > "${adb_tmpdir}/tmp.raw.${src_name}"
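Review bot: With `adb_jaildir` dropped from this guard in f_dns, pointing the jail directory at the dns directory stops being a logged misconfiguration and becomes a mode switch, and nothing at the check says so. A comment above the `if` would record that, e.g. `# adb_jaildir may equal adb_dnsdir: with adb_jail=1 this selects the restrictive "jail mode only" variant`. The shortened message also lost its conjunction; `... it must not point to the 'adb_tmpbase', 'adb_backupdir' or 'adb_reportdir'` reads correctly. f_dns starts and ends outside the hunk.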
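Review bot: Changing the blacklist test from `-s` to `-f` (and the whitelist test at `elif [ "${src_name}" = "whitelist" ]` in the following hunk) means an empty list file is now run through awk and sort instead of being skipped, and neither the code nor the commit message records why. If the whitelist is what feeds the jail list, as the README text in this patch suggests, an empty whitelist would presumably produce a jail that blocks every domain. That may be intended, but it deserves a comment such as `# -f, not -s: an empty list must still be processed`, and a log entry when the whitelist is empty in jail mode would make the resulting block-all state visible. The case arm continues outside both hunks.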
@@ -976,6 +975,13 @@ f_switch()
 then
 f_env
 printf "${adb_dnsheader}" > "${adb_dnsdir}/${adb_dnsfile}"
+ if [ "${adb_jail}" = "1" ] && [ "${adb_jaildir}" = "${adb_dnsdir}" ]
+ then
+ printf "${adb_dnsheader}" > "${adb_jaildir}/${adb_dnsjail}"
+ elif [ -f "${adb_dnsdir}/${adb_dnsjail}" ]
+ then
+ rm -f "${adb_dnsdir}/${adb_dnsjail}"
+ fi
 f_count
 done="true"
 elif [ "${mode}" = "resume" ] && [ "${status}" = "paused" ]
@@ -1125,7 +1131,13 @@ f_jsnup()
 json_get_var runtime "last_run"
 fi
 fi
- sources="$(printf "%s\n" ${adb_sources} | "${adb_sort}" | "${adb_awk}" '{ORS=" ";print $0}')"
+ if [ "${adb_jail}" = "1" ] && [ "${adb_jaildir}" = "${adb_dnsdir}" ]
+ then
+ adb_cnt="0"
+ sources="restrictive_jail"
+ else
+ sources="$(printf "%s\n" ${adb_sources} | "${adb_sort}" | "${adb_awk}" '{ORS=" ";print $0}')"
+ fi
 > "${adb_rtfile}"
 json_load_file "${adb_rtfile}" >/dev/null 2>&1
@@ -1198,6 +1210,29 @@ f_main()
 ( f_list "${entry}" "${entry}" )&
 done
+ if [ "${adb_dns}" != "raw" ] && [ "${adb_jail}" = "1" ] && [ "${adb_jaildir}" = "${adb_dnsdir}" ]
+ then
+ printf "${adb_dnsheader}" > "${adb_dnsdir}/${adb_dnsfile}"
+ chown "${adb_dnsuser}" "${adb_jaildir}/${adb_dnsjail}" 2>/dev/null
+ f_dnsup
+ if [ "${?}" = "0" ]
+ then
+ if [ "${adb_action}" != "resume" ]
+ then
+ f_jsnup "enabled"
+ fi
+ f_log "info" "restrictive jail mode enabled successfully (${adb_sysver})"
+ else
+ f_log "err" "dns backend restart in jail mode failed"
+ fi
+ f_rmtemp
+ return
+ elif [ -f "${adb_dnsdir}/${adb_dnsjail}" ]
+ then
+ rm -f "${adb_dnsdir}/${adb_dnsjail}"
+ f_dnsup
+ fi
+
 # safe search preparation
 #
 if [ "${adb_safesearch}" = "1" ] && [ "${adb_dnssafesearch}" != "0" ]
--
2.30.2
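Review bot: The added `printf "${adb_dnsheader}" > "${adb_jaildir}/${adb_dnsjail}"` passes a variable as the printf format string, as the context line above it does, and the f_main hunk adds the same pattern again. Any `%` in the header would be read as a conversion specification. If the header only needs its backslash escapes expanded, `printf '%b' "${adb_dnsheader}" > "${adb_jaildir}/${adb_dnsjail}"` keeps that behaviour without treating the data as a format. The enclosing branch of f_switch begins and ends outside the hunk.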
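Review bot: The jail test added in f_jsnup, `[ "${adb_jail}" = "1" ] && [ "${adb_jaildir}" = "${adb_dnsdir}" ]`, omits the `[ "${adb_dns}" != "raw" ]` term that the f_main hunk uses for the same decision; the f_switch hunk omits it as well. With the raw backend and identical directories, f_main would take the normal path while the runtime status still reports `sources="restrictive_jail"` and a count of 0, which misstates what is actually enforced. Using the full test here, `if [ "${adb_dns}" != "raw" ] && [ "${adb_jail}" = "1" ] && [ "${adb_jaildir}" = "${adb_dnsdir}" ]`, or moving it into one small helper called from all three places, keeps the reported mode in step with the applied one. f_jsnup starts and ends outside the hunk.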
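Review bot: The restrictive branch in f_main chowns the jail file and restarts the resolver directly after the `( f_list "${entry}" "${entry}" )&` loop, with no `wait` visible in the hunk. If those background jobs are what write `${adb_jaildir}/${adb_dnsjail}`, the restart can race the file's creation. chown's errors go to /dev/null and only f_dnsup's status is tested, so a missing jail file would still be logged as "restrictive jail mode enabled successfully" while the main blocklist has just been reset to its header, leaving the resolver filtering nothing. Adding `wait` before the `printf` and gating the success path on `[ -f "${adb_jaildir}/${adb_dnsjail}" ]` would make the mode fail closed and visibly. f_main starts and ends outside the hunk.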