From 39c0f26c33e491bf34520c52aa7d8303c0596c72 Mon Sep 17 00:00:00 2001
From: kenzok8
Date: Tue, 22 Oct 2024 00:24:01 +0800
Subject: [PATCH] update 2024-10-22 00:24:01
---
 luci-app-mihomo/Makefile | 2 +-
 mihomo/Makefile | 15 ++++------
 mihomo/files/capabilities.json | 47 -------------------------------
 mihomo/files/mihomo.init | 9 ++----
 mihomo/files/nftables/hijack.nft | 17 +++++++++--
 mihomo/files/scripts/constants.sh | 2 +-
 6 files changed, 24 insertions(+), 68 deletions(-)
 delete mode 100644 mihomo/files/capabilities.json
diff --git a/luci-app-mihomo/Makefile b/luci-app-mihomo/Makefile
index 4ec97e119..92c028b06 100644
--- a/luci-app-mihomo/Makefile
+++ b/luci-app-mihomo/Makefile
@@ -1,6 +1,6 @@
 include $(TOPDIR)/rules.mk
-PKG_VERSION:=1.8.7
+PKG_VERSION:=1.9.0
 LUCI_TITLE:=LuCI Support for mihomo
 LUCI_DEPENDS:=+luci-base +mihomo
diff --git a/mihomo/Makefile b/mihomo/Makefile
index 8f84fdc5d..9113cf8e4 100644
--- a/mihomo/Makefile
+++ b/mihomo/Makefile
@@ -5,9 +5,9 @@ PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/MetaCubeX/mihomo.git
-PKG_SOURCE_DATE:=2024-10-19
-PKG_SOURCE_VERSION:=95af5f7325fcd9c945b3ad52e617e6ee5ae12d50
-PKG_MIRROR_HASH:=bf8168695e5d6a595dfaa7aab7fcfb9cd70ccc8ff1f7e08ef103104c020e4863
+PKG_SOURCE_DATE:=2024-10-20
+PKG_SOURCE_VERSION:=3e966e82c793ca99e3badc84bf3f2907b100edae
+PKG_MIRROR_HASH:=e6e06037239e50a9d458e530b53b5b745224db8f1fafa9c2aa3a61eb6e91e783
 PKG_LICENSE:=MIT
 PKG_MAINTAINER:=Joseph Mory
@@ -16,7 +16,7 @@ PKG_BUILD_DEPENDS:=golang/host
 PKG_BUILD_PARALLEL:=1
 PKG_BUILD_FLAGS:=no-mips16
-PKG_BUILD_VERSION:=alpha-95af5f7
+PKG_BUILD_VERSION:=alpha-3e966e8
 PKG_BUILD_TIME:=$(shell date -u -Iseconds)
 GO_PKG:=github.com/metacubex/mihomo
@@ -31,8 +31,8 @@ define Package/mihomo
 CATEGORY:=Network
 TITLE:=A rule based proxy in Go.
 URL:=https://wiki.metacubex.one
- DEPENDS:=$(GO_ARCH_DEPENDS) +ca-bundle +curl +yq firewall4 +kmod-nft-tproxy +ip-full +kmod-tun +procd-ujail
- USERID:=mihomo=7890:mihomo=7890
+ DEPENDS:=$(GO_ARCH_DEPENDS) +ca-bundle +curl +yq firewall4 +ip-full +kmod-inet-diag +kmod-nft-tproxy +kmod-tun
+ USERID:=root:mihomo=7890
 endef
 define Package/mihomo/description
@@ -79,9 +79,6 @@ define Package/mihomo/install
 $(INSTALL_BIN) $(CURDIR)/files/uci-defaults/init.sh $(1)/etc/uci-defaults/99_init_mihomo
 $(INSTALL_BIN) $(CURDIR)/files/uci-defaults/migrate.sh $(1)/etc/uci-defaults/99_migrate_mihomo
- $(INSTALL_DIR) $(1)/etc/capabilities
- $(INSTALL_DATA) $(CURDIR)/files/capabilities.json $(1)/etc/capabilities/mihomo.json
-
 $(INSTALL_DIR) $(1)/lib/upgrade/keep.d
 $(INSTALL_DATA) $(CURDIR)/files/mihomo.upgrade $(1)/lib/upgrade/keep.d/mihomo
 endef
diff --git a/mihomo/files/capabilities.json b/mihomo/files/capabilities.json
deleted file mode 100644
index 7e765aa47..000000000
--- a/mihomo/files/capabilities.json
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- "permitted": [
- "CAP_FOWNER",
- "CAP_DAC_OVERRIDE",
- "CAP_DAC_READ_SEARCH",
- "CAP_SYS_PTRACE",
- "CAP_NET_ADMIN",
- "CAP_NET_BIND_SERVICE",
- "CAP_NET_RAW"
- ],
- "effective": [
- "CAP_FOWNER",
- "CAP_DAC_OVERRIDE",
- "CAP_DAC_READ_SEARCH",
- "CAP_SYS_PTRACE",
- "CAP_NET_ADMIN",
- "CAP_NET_BIND_SERVICE",
- "CAP_NET_RAW"
- ],
- "bounding": [
- "CAP_FOWNER",
- "CAP_DAC_OVERRIDE",
- "CAP_DAC_READ_SEARCH",
- "CAP_SYS_PTRACE",
- "CAP_NET_ADMIN",
- "CAP_NET_BIND_SERVICE",
- "CAP_NET_RAW"
- ],
- "inheritable": [
- "CAP_FOWNER",
- "CAP_DAC_OVERRIDE",
- "CAP_DAC_READ_SEARCH",
- "CAP_SYS_PTRACE",
- "CAP_NET_ADMIN",
- "CAP_NET_BIND_SERVICE",
- "CAP_NET_RAW"
- ],
- "ambient": [
- "CAP_FOWNER",
- "CAP_DAC_OVERRIDE",
- "CAP_DAC_READ_SEARCH",
- "CAP_SYS_PTRACE",
- "CAP_NET_ADMIN",
- "CAP_NET_BIND_SERVICE",
- "CAP_NET_RAW"
- ]
-}
\ No newline at end of file
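Review bot: `USERID:=root:mihomo=7890` in the -31,8 hunk, together with the dropped `+procd-ujail` dependency on the same line, the capabilities install removed in the -79,9 hunk, the deleted capabilities.json, the jail lines removed from mihomo.init at -246,12 and `MIHOMO_USER="root"` in constants.sh, moves the daemon from a dedicated uid inside a procd jail bounded to seven capabilities to an unconfined root process, and nothing in the commit puts a boundary back. If root is genuinely required now (the new `+kmod-inet-diag` dependency hints at socket-diagnostic access, but that is inferred), keep the jail, capabilities.json, `procd_set_param capabilities` and `no_new_privs 1` and run as root inside them rather than dropping all four, so a proxy that parses untrusted network input still cannot reach beyond the listed capabilities if it is compromised. Either way the reason belongs in the commit message, which currently only says `update 2024-10-22 00:24:01`.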
diff --git a/mihomo/files/mihomo.init b/mihomo/files/mihomo.init
index 65abdf038..54d6a715b 100644
--- a/mihomo/files/mihomo.init
+++ b/mihomo/files/mihomo.init
@@ -246,12 +246,6 @@ start_service() {
 procd_set_param limits core="unlimited"
 procd_set_param limits nofile="1048576 1048576"
- procd_add_jail mihomo requirejail procfs
- procd_add_jail_mount "$PROG" /etc/TZ /etc/localtime /etc/hosts /etc/ssl/certs
- procd_add_jail_mount_rw "$RUN_DIR" "$LOG_DIR" /dev/net
- procd_set_param capabilities /etc/capabilities/mihomo.json
- procd_set_param no_new_privs 1
-
 procd_close_instance
 # transparent proxy
 if [ "$transparent_proxy" == 1 ]; then
@@ -305,9 +299,10 @@ start_service() {
 ip -6 rule add pref "$UDP_RULE_PREF" fwmark "$FW_MARK/$FW_MARK_MASK" ipproto udp table "$udp_route_table"
 fi
 fi
- nft -f "$HIJACK_NFT" -D FW_MARK="$FW_MARK" -D FW_MARK_MASK="$FW_MARK_MASK" -D MIHOMO_USER="$MIHOMO_USER" -D TUN_DEVICE="$TUN_DEVICE" -D DNS_PORT="$dns_port" -D REDIR_PORT="$redir_port" -D TPROXY_PORT="$tproxy_port"
+ nft -f "$HIJACK_NFT" -D FW_MARK="$FW_MARK" -D FW_MARK_MASK="$FW_MARK_MASK" -D TUN_DEVICE="$TUN_DEVICE" -D DNS_PORT="$dns_port" -D REDIR_PORT="$redir_port" -D TPROXY_PORT="$tproxy_port"
 nft -f "$RESERVED_IP_NFT"
 nft -f "$RESERVED_IP6_NFT"
+ nft add element inet "$FW_TABLE" bypass_group \{ "$MIHOMO_GROUP" \}
 nft add element inet "$FW_TABLE" fake_ip \{ "$fake_ip_range" \}
 # dns hijack
 if [ "$ipv4_dns_hijack" == 1 ]; then
diff --git a/mihomo/files/nftables/hijack.nft b/mihomo/files/nftables/hijack.nft
index 699d7e766..4cc55544b 100644
--- a/mihomo/files/nftables/hijack.nft
+++ b/mihomo/files/nftables/hijack.nft
@@ -1,6 +1,17 @@
 #!/usr/sbin/nft -f
 table inet mihomo {
+ set bypass_group {
+ type gid
+ flags interval
+ auto-merge
+ elements = {
+ ntp,
+ dnsmasq,
+ logd
+ }
+ }
+
 set dns_hijack_nfproto {
 type nf_proto
 flags interval
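Review bot: Loop avoidance in the -305,9 hunk now rests entirely on mihomo's own sockets carrying a gid that is in `bypass_group`: the `-D MIHOMO_USER` define is gone and only `$MIHOMO_GROUP` is added to the set, so if the instance runs with `MIHOMO_USER="root"` but `procd_set_param group "$MIHOMO_GROUP"` is not set (that line, if it exists, is outside the hunk), its sockets are gid 0, never match `meta skgid @bypass_group`, and the proxy's own outbound traffic is redirected back into itself. Please confirm start_service sets the group, and add a comment on the new `nft add element` line, e.g. `# mihomo's sockets must carry $MIHOMO_GROUP: bypass_group is all that keeps its own traffic out of the hijack chains`. start_service starts and ends outside the hunk.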
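Review bot: The static `elements = { ntp, dnsmasq, logd }` in the new `bypass_group` set of the -1,6 hunk are group names that nft must resolve from /etc/group while loading the file, so on a target where any of them is absent (dnsmasq swapped for another resolver, for example) `nft -f "$HIJACK_NFT"` fails and none of the hijack rules load, as far as I can tell from how nft treats an unresolvable gid name. Leaving the set empty here and adding only the groups that exist from the init script, `for g in ntp dnsmasq logd; do grep -q "^$g:" /etc/group && nft add element inet "$FW_TABLE" bypass_group "{ $g }"; done`, next to the existing `nft add element` for `$MIHOMO_GROUP`, avoids that failure mode. A one-line comment on the set, `# sockets owned by these gids skip every hijack/proxy chain; the mihomo group is added at runtime`, would also make the new bypass rule visible to the next reader.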
@@ -63,7 +74,7 @@ table inet mihomo {
 }
 chain router_dns_hijack {
- meta skuid $MIHOMO_USER counter return
+ meta skgid @bypass_group counter return
 meta nfproto @dns_hijack_nfproto meta l4proto { tcp, udp } th dport 53 oifname lo counter redirect to :$DNS_PORT
 }
@@ -157,7 +168,7 @@ table inet mihomo {
 chain nat_output {
 type nat hook output priority filter; policy accept;
- meta skuid $MIHOMO_USER counter return
+ meta skgid @bypass_group counter return
 fib daddr type local counter return
 ct direction reply counter return
 ip daddr @reserved_ip counter return
@@ -185,7 +196,7 @@ table inet mihomo {
 chain mangle_output {
 type route hook output priority mangle; policy accept;
- meta skuid $MIHOMO_USER counter return
+ meta skgid @bypass_group counter return
 fib daddr type local counter return
 ct direction reply counter return
 ip daddr @reserved_ip counter return
diff --git a/mihomo/files/scripts/constants.sh b/mihomo/files/scripts/constants.sh
index 97d2e1713..22b43aed3 100644
--- a/mihomo/files/scripts/constants.sh
+++ b/mihomo/files/scripts/constants.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # permission
-MIHOMO_USER="mihomo"
+MIHOMO_USER="root"
 MIHOMO_GROUP="mihomo"
 # routing
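Review bot: Replacing `meta skuid $MIHOMO_USER` with `meta skgid @bypass_group` in the three chains of the -63,7, -157,7 and -185,7 hunks widens who skips the proxy from mihomo's own uid to every socket owned by gid ntp, dnsmasq, logd or mihomo; in `router_dns_hijack` that means dnsmasq's upstream queries are no longer redirected to `:$DNS_PORT` if its forwarding sockets carry the dnsmasq gid, which they normally do on OpenWrt once it drops privileges, though its service definition is not visible here. If that exemption is intended, say so on the rule, e.g. `# bypass_group holds mihomo's own gid plus local daemons that must reach the network directly`; if it is not, leave dnsmasq out of the static set. The commit message does not mention the change in bypass semantics, so a reader has only the rule text to go on.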