mainline merge: adding --net.print command for compatibility with Firetools

7 files changed, 76 insertions, 53 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 3e55139b3..00c6cd8f3 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -376,6 +376,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
 void net_dns_print(pid_t pid);
 void network_main(pid_t child);
+void net_print(pid_t pid);
 
 // network.c
 int check_ip46_address(const char *addr);
@@ -500,6 +501,7 @@ void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 int safe_fd(const char *path, int flags);
 int invalid_sandbox(const pid_t pid);
+void enter_network_namespace(pid_t pid);
 
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.
diff --git a/src/firejail/main.c b/src/firejail/main.c
index bc5360ba7..f5acaa603 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -524,6 +524,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 else
                         exit_err_feature("networking");
         }
+        else if (strncmp(argv[i], "--net.print=", 12) == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        // extract pid or sandbox name
+                        pid_t pid = require_pid(argv[i] + 12);
+                        net_print(pid);
+                        exit(0);
+                }
+                else
+                        exit_err_feature("networking");
+        }
 #endif
         else if (strncmp(argv[i], "--join=", 7) == 0) {
                 if (checkcfg(CFG_JOIN) || getuid() == 0) {
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 8fbd11bba..ed2d019ab 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -132,63 +132,12 @@ void netfilter6(const char *fname) {
 void netfilter_print(pid_t pid, int ipv6) {
         EUID_ASSERT();
 
-        // verify sandbox
-        EUID_ROOT();
-        char *comm = pid_proc_comm(pid);
-        EUID_USER();
-        if (!comm) {
-                fprintf(stderr, "Error: cannot find sandbox\n");
-                exit(1);
-        }
-
-        // check for firejail sandbox
-        if (strcmp(comm, "firejail") != 0) {
-                fprintf(stderr, "Error: cannot find sandbox\n");
-                exit(1);
-        }
-        free(comm);
-
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
-                        exit(1);
-                }
-        }
-
-        // check network namespace
-        char *name;
-        if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
-                errExit("asprintf");
-        struct stat s;
-        if (stat(name, &s) == -1) {
-                fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
-                exit(1);
-        }
-
-        // join the network namespace
-        pid_t child;
-        if (find_child(pid, &child) == 1) {
-                fprintf(stderr, "Error: cannot join the network namespace\n");
-                exit(1);
-        }
-
-        if (invalid_sandbox(child)) {
-                fprintf(stderr, "Error: cannot join the network namespace\n");
-                exit(1);
-        }
-
-        EUID_ROOT();
-        if (join_namespace(child, "net")) {
-                fprintf(stderr, "Error: cannot join the network namespace\n");
-                exit(1);
-        }
+        enter_network_namespace(pid);
 
         // find iptables executable
         char *iptables = NULL;
 //      char *iptables_restore = NULL;
+        struct stat s;
         if (ipv6) {
                 if (stat("/sbin/ip6tables", &s) == 0)
                         iptables = "/sbin/ip6tables";
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index e3c750767..17f242d91 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -372,3 +372,9 @@ void network_main(pid_t child) {
 
         free(cstr);
 }
+
+void net_print(pid_t pid) {
+        EUID_ASSERT();
+        enter_network_namespace(pid);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET, "printif");
+}
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 740128273..5a48638a7 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -102,6 +102,7 @@ static char *usage_str =
         "    --net=ethernet_interface - enable network namespaces and connect to this\n"
         "\tEthernet interface.\n"
         "    --net=none - enable a new, unconnected network namespace.\n"
+        "    --net.print=name|pid - print network interface configuration.\n"
         "    --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n"
         "    --netfilter.print=name|pid - print the firewall.\n"
         "    --netfilter6=filename - enable IPv6 firewall.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 6c1a89b56..112307ebc 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1128,3 +1128,41 @@ int invalid_sandbox(const pid_t pid) {
 
         return 0;
 }
+
+void enter_network_namespace(pid_t pid) {
+        // in case the pid is that of a firejail process, use the pid of the first child process
+        pid_t child = switch_to_child(pid);
+
+        // now check if the pid belongs to a firejail sandbox
+        if (invalid_sandbox(child)) {
+                fprintf(stderr, "Error: no valid sandbox\n");
+                exit(1);
+        }
+
+        // check privileges for non-root users
+        uid_t uid = getuid();
+        if (uid != 0) {
+                uid_t sandbox_uid = pid_get_uid(pid);
+                if (uid != sandbox_uid) {
+                        fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
+                        exit(1);
+                }
+        }
+
+        // check network namespace
+        char *name;
+        if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(name, &s) == -1) {
+                fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
+                exit(1);
+        }
+
+        // join the namespace
+        EUID_ROOT();
+        if (join_namespace(child, "net")) {
+                fprintf(stderr, "Error: cannot join the network namespace\n");
+                exit(1);
+        }
+}
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1686dddc2..bb5c8d10a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -781,6 +781,23 @@ Note: \-\-net=none can crash the application on some platforms.
 In these cases, it can be replaced with \-\-protocol=unix.
 
 .TP
+\fB\-\-net.print=name|pid
+If a new network namespace is enabled, print network interface configuration for the sandbox specified by name or PID. Example:
+.br
+
+.br
+$ firejail --net.print=browser
+.br
+Switching to pid 1853, the first child process inside the sandbox
+.br
+Interface  MAC               IP            Mask        Status
+.br
+lo                           127.0.0.1     255.0.0.0     UP
+.br
+eth0-1852  5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
+.br
+
+.TP
 \fB\-\-netfilter
 Enable a default firewall if a new network namespace is created inside the sandbox.
 This option has no effect for sandboxes using the system network namespace.