author | netblue30 <netblue30@yahoo.com> | 2016-04-19 11:28:19 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-04-19 11:28:19 -0400 |
commit | 0d5453fc72da34081f22caf191ff31a22be52af8 (patch) | |
tree | 763e59f9e403ccb31f41aeac97b908ba2985cb8b | |
parent | google-play-music-desktop-player.profile (diff) | |
networking profile file support
-rw-r--r-- | src/firejail/main.c | 24 | ||||
-rw-r--r-- | src/firejail/profile.c | 121 | ||||
-rw-r--r-- | test/net-profile.profile | 10 | ||||
-rwxr-xr-x | test/net_profile.exp | 73 | ||||
-rwxr-xr-x | test/test.sh | 3 | ||||
-rw-r--r-- | todo | 2 |
6 files changed, 220 insertions, 13 deletions
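--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1542,17 +1542,17 @@ int main(int argc, char **argv) {
 Bridge *br = last_bridge_configured();
 if (br == NULL) {
 fprintf(stderr, "Error: no network device configured\n");
-return 1;
+exit(1);
 }
 if (mac_not_zero(br->macsandbox)) {
 fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
-return 1;
+exit(1);
 }
 
 // read the address
 if (atomac(argv[i] + 6, br->macsandbox)) {
 fprintf(stderr, "Error: invalid MAC address\n");
-return 1;
+exit(1);
 }
 }
 else {
@@ -1566,12 +1566,12 @@ int main(int argc, char **argv) {
 Bridge *br = last_bridge_configured();
 if (br == NULL) {
 fprintf(stderr, "Error: no network device configured\n");
-return 1;
+exit(1);
 }
 
 if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
 fprintf(stderr, "Error: invalid mtu value\n");
-return 1;
+exit(1);
 }
 }
 else {
@@ -1585,11 +1585,11 @@ int main(int argc, char **argv) {
 Bridge *br = last_bridge_configured();
 if (br == NULL) {
 fprintf(stderr, "Error: no network device configured\n");
-return 1;
+exit(1);
 }
 if (br->arg_ip_none || br->ipsandbox) {
 fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
-return 1;
+exit(1);
 }
 
 // configure this IP address for the last bridge defined
@@ -1598,7 +1598,7 @@ int main(int argc, char **argv) {
 else {
 if (atoip(argv[i] + 5, &br->ipsandbox)) {
 fprintf(stderr, "Error: invalid IP address\n");
-return 1;
+exit(1);
 }
 }
 }
@@ -1613,11 +1613,11 @@ int main(int argc, char **argv) {
 Bridge *br = last_bridge_configured();
 if (br == NULL) {
 fprintf(stderr, "Error: no network device configured\n");
-return 1;
+exit(1);
 }
 if (br->arg_ip_none || br->ip6sandbox) {
 fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
-return 1;
+exit(1);
 }
 
 // configure this IP address for the last bridge defined
@@ -1625,7 +1625,7 @@ int main(int argc, char **argv) {
 br->ip6sandbox = argv[i] + 6;
 // if (atoip(argv[i] + 5, &br->ipsandbox)) {
 // fprintf(stderr, "Error: invalid IP address\n");
-// return 1;
+// exit(1);
 // }
 }
 else {
@@ -1639,7 +1639,7 @@ int main(int argc, char **argv) {
 if (checkcfg(CFG_NETWORK)) {
 if (atoip(argv[i] + 12, &cfg.defaultgw)) {
 fprintf(stderr, "Error: invalid IP address\n");
-return 1;
+exit(1);
 }
 }
 else {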
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 6ded0ca2f..7ff7c7926 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -319,7 +319,126 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
319 | return 0; | 319 | return 0; |
320 | } | 320 | } |
321 | 321 | ||
322 | 322 | ||
323 | // from here | ||
324 | else if (strncmp(ptr, "mac ", 4) == 0) { | ||
325 | #ifdef HAVE_NETWORK | ||
326 | if (checkcfg(CFG_NETWORK)) { | ||
327 | Bridge *br = last_bridge_configured(); | ||
328 | if (br == NULL) { | ||
329 | fprintf(stderr, "Error: no network device configured\n"); | ||
330 | exit(1); | ||
331 | } | ||
332 | |||
333 | if (mac_not_zero(br->macsandbox)) { | ||
334 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); | ||
335 | exit(1); | ||
336 | } | ||
337 | |||
338 | // read the address | ||
339 | if (atomac(ptr + 4, br->macsandbox)) { | ||
340 | fprintf(stderr, "Error: invalid MAC address\n"); | ||
341 | exit(1); | ||
342 | } | ||
343 | } | ||
344 | else | ||
345 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
346 | #endif | ||
347 | return 0; | ||
348 | } | ||
349 | |||
350 | else if (strncmp(ptr, "mtu ", 4) == 0) { | ||
351 | #ifdef HAVE_NETWORK | ||
352 | if (checkcfg(CFG_NETWORK)) { | ||
353 | Bridge *br = last_bridge_configured(); | ||
354 | if (br == NULL) { | ||
355 | fprintf(stderr, "Error: no network device configured\n"); | ||
356 | exit(1); | ||
357 | } | ||
358 | |||
359 | if (sscanf(ptr + 4, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { | ||
360 | fprintf(stderr, "Error: invalid mtu value\n"); | ||
361 | exit(1); | ||
362 | } | ||
363 | } | ||
364 | else | ||
365 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
366 | #endif | ||
367 | return 0; | ||
368 | } | ||
369 | |||
370 | else if (strncmp(ptr, "ip ", 3) == 0) { | ||
371 | #ifdef HAVE_NETWORK | ||
372 | if (checkcfg(CFG_NETWORK)) { | ||
373 | Bridge *br = last_bridge_configured(); | ||
374 | if (br == NULL) { | ||
375 | fprintf(stderr, "Error: no network device configured\n"); | ||
376 | exit(1); | ||
377 | } | ||
378 | if (br->arg_ip_none || br->ipsandbox) { | ||
379 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
380 | exit(1); | ||
381 | } | ||
382 | |||
383 | // configure this IP address for the last bridge defined | ||
384 | if (strcmp(ptr + 3, "none") == 0) | ||
385 | br->arg_ip_none = 1; | ||
386 | else { | ||
387 | if (atoip(ptr + 3, &br->ipsandbox)) { | ||
388 | fprintf(stderr, "Error: invalid IP address\n"); | ||
389 | exit(1); | ||
390 | } | ||
391 | } | ||
392 | } | ||
393 | else | ||
394 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
395 | #endif | ||
396 | return 0; | ||
397 | } | ||
398 | |||
399 | else if (strncmp(ptr, "ip6 ", 4) == 0) { | ||
400 | #ifdef HAVE_NETWORK | ||
401 | if (checkcfg(CFG_NETWORK)) { | ||
402 | Bridge *br = last_bridge_configured(); | ||
403 | if (br == NULL) { | ||
404 | fprintf(stderr, "Error: no network device configured\n"); | ||
405 | exit(1); | ||
406 | } | ||
407 | if (br->arg_ip_none || br->ip6sandbox) { | ||
408 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
409 | exit(1); | ||
410 | } | ||
411 | |||
412 | // configure this IP address for the last bridge defined | ||
413 | // todo: verify ipv6 syntax | ||
414 | br->ip6sandbox = ptr + 4; | ||
415 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { | ||
416 | // fprintf(stderr, "Error: invalid IP address\n"); | ||
417 | // exit(1); | ||
418 | // } | ||
419 | |||
420 | } | ||
421 | else | ||
422 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
423 | #endif | ||
424 | return 0; | ||
425 | } | ||
426 | |||
427 | else if (strncmp(ptr, "defaultgw ", 10) == 0) { | ||
428 | #ifdef HAVE_NETWORK | ||
429 | if (checkcfg(CFG_NETWORK)) { | ||
430 | Bridge *br = last_bridge_configured(); | ||
431 | if (atoip(ptr + 10, &cfg.defaultgw)) { | ||
432 | fprintf(stderr, "Error: invalid IP address\n"); | ||
433 | exit(1); | ||
434 | } | ||
435 | } | ||
436 | else | ||
437 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
438 | #endif | ||
439 | return 0; | ||
440 | } | ||
441 | |||
323 | if (strncmp(ptr, "protocol ", 9) == 0) { | 442 | if (strncmp(ptr, "protocol ", 9) == 0) { |
324 | #ifdef HAVE_SECCOMP | 443 | #ifdef HAVE_SECCOMP |
325 | if (checkcfg(CFG_SECCOMP)) | 444 | if (checkcfg(CFG_SECCOMP)) |
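Review bot: In the new `defaultgw` branch (line 430) `Bridge *br = last_bridge_configured();` is assigned and never read — the branch writes the global `cfg.defaultgw`, exactly as the command-line version in main.c does without any bridge lookup — so it is an unused variable that -Wall will flag and the line should be dropped. The `ip6` branch keeps `br->ip6sandbox = ptr + 4;`, a pointer into the parsed profile line rather than a copy; whether that memory outlives the parsing loop depends on how the caller allocates `ptr`, which is outside this hunk, so either confirm it is never freed or reused, or store `strdup(ptr + 4)` with a NULL check (the main.c counterpart points into `argv`, which has no such lifetime concern). The same branch accepts any string because the address check is still the commented-out atoip() call under `// todo: verify ipv6 syntax`; until a checker exists that gap deserves a comment where `ip6sandbox` is consumed, since every other address directive here is validated before it is stored. The `// from here` line at 323 reads like a leftover editing marker, and the five blocks repeat main.c's validation verbatim (including the MTU bounds 576..9198), which is the kind of duplicate that drifts — a shared helper taking the value string would keep the two parsers in step. profile_check_line begins and ends outside the hunk.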
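--- /dev/null
+++ b/test/net-profile.profile
@@ -0,0 +1,10 @@
+net br0
+mac 00:11:22:33:44:55
+mtu 1000
+net br1
+ip 10.10.30.50
+net br2
+ip 10.10.40.100
+net br3
+defaultgw 10.10.20.2
+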
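--- /dev/null
+++ b/test/net_profile.exp
@@ -0,0 +1,73 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# check eth0
+send -- "firejail --profile=net-profile.profile\r"
+expect {
+timeout {puts "TESTING ERROR 0.0\n";exit}
+"eth0"
+}
+expect {
+timeout {puts "TESTING ERROR 0.1\n";exit}
+"00:11:22:33:44:55"
+}
+expect {
+timeout {puts "TESTING ERROR 0.1\n";exit}
+"10.10.20"
+}
+expect {
+timeout {puts "TESTING ERROR 0.2\n";exit}
+"255.255.255.248"
+}
+expect {
+timeout {puts "TESTING ERROR 0.3\n";exit}
+"UP"
+}
+expect {
+timeout {puts "TESTING ERROR 0.4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+send -- "ip route show\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50"
+}
+
+send -- "ip route show\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100"
+}
+
+
+# check default gw
+send -- "ip route show\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"default via 10.10.20.2 dev eth0"
+}
+
+# check mtu
+send -- "ip link show\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"eth0"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"mtu 1000"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"state UP"
+}
+
+sleep 1
+
+puts "\nall done\n"
+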
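Review bot: The timeout handlers at lines 14 and 18 both print `TESTING ERROR 0.1`, so a miss on the MAC string and a miss on the `10.10.20` prefix are indistinguishable in the log; renumbering the second to `TESTING ERROR 0.2` and shifting the labels that follow (or naming the check, e.g. `TESTING ERROR 0.1 (mac)`) fixes that. Every timeout branch ends in a bare `exit`, which in expect returns status 0, so test.sh or any CI wrapper cannot tell a timed-out run from a passing one by exit status; `exit 1` in those handlers would make the failure visible to the caller. The expected netmask `255.255.255.248` and the `10.10.20` prefix appear to come from the host's br0 configuration rather than from net-profile.profile, so a one-line comment above the first expect stating the bridge address the test assumes would save the next person from debugging a misconfigured host.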
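--- a/test/test.sh
+++ b/test/test.sh
@@ -10,6 +10,9 @@ echo "TESTING: cpu.print (cpu-print.exp)"
 echo "TESTING: failing under VirtualBox where there is only one CPU"
 ./cpu-print.exp
 
+echo "TESTING: network profile (net_profile.exp)"
+./net_profile.exp
+
 echo "TESTING: bandwidth (bandwidth.exp)"
 ./bandwidth.exp
 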
@@ -80,3 +80,5 @@ https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/ | |||
80 | https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl | 80 | https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl |
81 | 81 | ||
82 | 12. check for --chroot why .config/pulse dir is not created | 82 | 12. check for --chroot why .config/pulse dir is not created |
83 | |||
84 | 13. print error line number for profile files in profile_check_line() | ||