support wireless interfaces for --net

author: netblue30 <netblue30@yahoo.com> 2018-06-09 07:57:32 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-06-09 07:57:32 -0400
commit: e62246a8a3e0e795a37535f9e41dffdfdfa9f77a (patch)
tree: 28b8c0b1667fd0170fa113c1bec90046a15ce6da
parent: AppArmor: allow dbus access by default (diff)
download: firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.tar.gz
firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.tar.zst
firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.zip
4 files changed, 82 insertions, 10 deletions
diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h
index 71299852d..fcbb3cd84 100644
--- a/src/fnet/fnet.h
+++ b/src/fnet/fnet.h
@@ -20,12 +20,12 @@
 #ifndef FNET_H
 #define FNET_H
+#include "../include/common.h"
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
 #include <stdarg.h>
-#include "../include/common.h"
 // main.c
 extern int arg_quiet;
@@ -34,6 +34,7 @@ extern void fmessage(char* fmt, ...); // TODO: this function is duplicated in sr
 // veth.c
 int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
 int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
+int net_create_ipvlan(const char *dev, const char *parent, unsigned pid);
 int net_move_interface(const char *dev, unsigned pid);
 // interface.c
diff --git a/src/fnet/main.c b/src/fnet/main.c
index 6f149b497..3832cfaef 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -18,6 +18,9 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "fnet.h"
+#include <sys/types.h>
+#include <sys/stat.h>
 int arg_quiet = 0;
 void fmessage(char* fmt, ...) { // TODO: this function is duplicated in src/firejail/util.c
@@ -86,7 +89,15 @@ printf("\n");
                net_if_up(argv[3]);
        }
        else if (argc == 6 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "macvlan") == 0) {
-                net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
+                // use ipvlan for wireless devices
+                struct stat s;
+                char *fname;
+                if (asprintf(&fname, "/sys/class/net/%s/wireless", argv[4]) == -1)
+                        errExit("asprintf");
+                if (stat(fname, &s) == 0) // wireless
+                        net_create_ipvlan(argv[3], argv[4], atoi(argv[5]));
+                else // regular ethernet
+                        net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
        }
        else if (argc == 7 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "interface") == 0) {
                char *dev = argv[3];
diff --git a/src/fnet/veth.c b/src/fnet/veth.c
index c971943a7..fb4f3dc31 100644
--- a/src/fnet/veth.c
+++ b/src/fnet/veth.c
@@ -165,8 +165,66 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
        addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 4);
        data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
-//      req.n.nlmsg_len += sizeof(struct ifinfomsg);
+        linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;
+        // send message
+        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
+                exit(2);
+        rtnl_close(&rth);
+        return 0;
+}
+int net_create_ipvlan(const char *dev, const char *parent, unsigned pid) {
+        int len;
+        struct iplink_req req;
+        assert(dev);
+        assert(parent);
+        if (rtnl_open(&rth, 0) < 0) {
+                fprintf(stderr, "cannot open netlink\n");
+                exit(1);
+        }
+        memset(&req, 0, sizeof(req));
+        req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
+        req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL;
+        req.n.nlmsg_type = RTM_NEWLINK;
+        req.i.ifi_family = 0;
+        // find parent ifindex
+        int parent_ifindex = if_nametoindex(parent);
+        if (parent_ifindex <= 0) {
+                fprintf(stderr, "Error: cannot find network device %s\n", parent);
+                exit(1);
+        }
+        // add parent
+        addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4);
+        // add new interface name
+        len = strlen(dev) + 1;
+        addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len);
+        // place the interface in child namespace
+        addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4);
+        // add  link info for the new interface
+        struct rtattr *linkinfo = NLMSG_TAIL(&req.n);
+        addattr_l(&req.n, sizeof(req), IFLA_LINKINFO, NULL, 0);
+        addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, "ipvlan", strlen("ipvlan"));
+        // set macvlan bridge mode
+        struct rtattr * data = NLMSG_TAIL(&req.n);
+        addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0);
+        int macvlan_type = IPVLAN_MODE_L2;
+        addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 2);
+        data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
+//      req.n.nlmsg_len += sizeof(struct ifinfomsg);
        data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
        linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;
@@ -180,6 +238,7 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
        return 0;
 }
 // move the interface dev in namespace of program pid
 // when the interface is moved, netlink does not preserve interface configuration
 int net_move_interface(const char *dev, unsigned pid) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1a90f403c..7d3cc89d8 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -710,7 +710,8 @@ $ firejail \-\-list
 $
 .TP
 \fB\-\-mac=address
-Assign MAC addresses to the last network interface defined by a \-\-net option.
+Assign MAC addresses to the last network interface defined by a \-\-net option. This option
+is not supported for wireless interfaces.
 .br
 .br
@@ -769,7 +770,7 @@ Enable a new network namespace and connect it to this bridge interface.
 Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned
 automatically to the sandbox. The IP address is verified using ARP before assignment. The address
 configured as default gateway is the bridge device IP address. Up to four \-\-net
-bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
+options can be specified.
 .br
 .br
@@ -786,22 +787,22 @@ $ sudo ifconfig br1 10.10.30.1/24
 $ firejail \-\-net=br0 \-\-net=br1
 .TP
-\fB\-\-net=ethernet_interface
+\fB\-\-net=ethernet_interface|wireless_interface
 Enable a new network namespace and connect it
-to this ethernet interface using the standard Linux macvlan
+to this ethernet interface using the standard Linux macvlan|ipvaln
 driver. Unless specified with option \-\-ip and \-\-defaultgw, an
 IP address and a default gateway will be assigned automatically
 to the sandbox. The IP address is verified using ARP before
 assignment. The address configured as default gateway is the
-default gateway of the host. Up to four \-\-net devices can
+default gateway of the host. Up to four \-\-net options can be specified.
-be defined. Mixing bridge and macvlan devices is allowed.
-Note: wlan devices are not supported for this option.
 .br
 .br
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
+.br
+$ firejail \-\-net=wlan0 firefox
 .TP
 \fB\-\-net=none
author	netblue30 <netblue30@yahoo.com>	2018-06-09 07:57:32 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-06-09 07:57:32 -0400
commit	e62246a8a3e0e795a37535f9e41dffdfdfa9f77a (patch)
tree	28b8c0b1667fd0170fa113c1bec90046a15ce6da
parent	AppArmor: allow dbus access by default (diff)
download	firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.tar.gz firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.tar.zst firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.zip