ipv6 support

10 files changed, 194 insertions, 3 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 15110607d..6b497559d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -215,7 +215,9 @@ extern int arg_rlimit_sigpending;// rlimit sigpending
 extern int arg_nogroups;        // disable supplementary groups
 extern int arg_noroot;          // create a new user namespace and disable root user
 extern int arg_netfilter;       // enable netfilter
+extern int arg_netfilter6;      // enable netfilter6
 extern char *arg_netfilter_file;        // netfilter file
+extern char *arg_netfilter6_file;       // netfilter file
 extern int arg_doubledash;      // double dash
 extern int arg_shell_none;      // run the program directly without a shell
 extern int arg_private_dev;     // private dev directory
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7b493a351..246ee4bba 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -77,7 +77,9 @@ int arg_rlimit_sigpending = 0;			// rlimit fsize
 int arg_nogroups = 0;                           // disable supplementary groups
 int arg_noroot = 0;                             // create a new user namespace and disable root user
 int arg_netfilter;                              // enable netfilter
+int arg_netfilter6;                             // enable netfilter6
 char *arg_netfilter_file = NULL;                        // netfilter file
+char *arg_netfilter6_file = NULL;               // netfilter6 file
 int arg_doubledash = 0;                 // double dash
 int arg_shell_none = 0;                 // run the program directly without a shell
 int arg_private_dev = 0;                        // private dev directory
@@ -1147,6 +1149,11 @@ int main(int argc, char **argv) {
                         arg_netfilter_file = argv[i] + 12;
                         check_netfilter_file(arg_netfilter_file);
                 }
+                else if (strncmp(argv[i], "--netfilter6=", 13) == 0) {
+                        arg_netfilter6 = 1;
+                        arg_netfilter6_file = argv[i] + 13;
+                        check_netfilter_file(arg_netfilter6_file);
+                }
 
                 //*************************************
                 // command
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 3f667c871..70fd8801f 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -64,7 +64,7 @@ void netfilter(const char *fname) {
                 // buffer the filter
                 struct stat s;
                 if (stat(fname, &s) == -1) {
-                        fprintf(stderr, "Error: cannot find network filter file\n");
+                        fprintf(stderr, "Error: cannot find network filter file %s\n", fname);
                         exit(1);
                 }
 
@@ -76,13 +76,13 @@ void netfilter(const char *fname) {
                 /* coverity[toctou] */
                 FILE *fp = fopen(fname, "r");
                 if (!fp) {
-                        fprintf(stderr, "Error: cannot open network filter file\n");
+                        fprintf(stderr, "Error: cannot open network filter file %s\n", fname);
                         exit(1);
                 }
 
                 size_t sz = fread(filter, 1, s.st_size, fp);
                 if ((off_t)sz != s.st_size) {
-                        fprintf(stderr, "Error: cannot read network filter file\n");
+                        fprintf(stderr, "Error: cannot read network filter file %s\n", fname);
                         exit(1);
                 }
                 fclose(fp);
@@ -164,3 +164,108 @@ doexit:
         if (allocated)
                 free(filter);
 }
+
+void netfilter6(const char *fname) {
+        if (fname == NULL)
+                return;
+                
+        char *filter;
+
+        // buffer the filter
+        struct stat s;
+        if (stat(fname, &s) == -1) {
+                fprintf(stderr, "Error: cannot find network filter file %s\n", fname);
+                exit(1);
+        }
+
+        filter = malloc(s.st_size + 1);   // + '\0'
+        if (!filter)
+                errExit("malloc");
+        memset(filter, 0, s.st_size + 1);
+
+        /* coverity[toctou] */
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open network filter file %s\n", fname);
+                exit(1);
+        }
+
+        size_t sz = fread(filter, 1, s.st_size, fp);
+        if ((off_t)sz != s.st_size) {
+                fprintf(stderr, "Error: cannot read network filter file %s\n", fname);
+                exit(1);
+        }
+        fclose(fp);
+
+        // temporarily mount a tempfs on top of /tmp directory
+        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("mounting /tmp");
+
+        // create the filter file
+        fp = fopen("/tmp/netfilter6", "w");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
+                exit(1);
+        }
+        fprintf(fp, "%s\n", filter);
+        fclose(fp);
+
+        // find iptables command
+        char *ip6tables = NULL;
+        char *ip6tables_restore = NULL;
+        if (stat("/sbin/ip6tables", &s) == 0) {
+                ip6tables = "/sbin/ip6tables";
+                ip6tables_restore = "/sbin/ip6tables-restore";
+        }
+        else if (stat("/usr/sbin/ip6tables", &s) == 0) {
+                ip6tables = "/usr/sbin/ip6tables";
+                ip6tables_restore = "/usr/sbin/ip6tables-restore";
+        }
+        if (ip6tables == NULL || ip6tables_restore == NULL) {
+                fprintf(stderr, "Error: ip6tables command not found\n");
+                goto doexit;
+        }
+
+        // push filter
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                if (arg_debug)
+                        printf("Installing network filter:\n%s\n", filter);
+
+                int fd;
+                if((fd = open("/tmp/netfilter6", O_RDONLY)) == -1) {
+                        fprintf(stderr,"Error: cannot open /tmp/netfilter6\n");
+                        exit(1);
+                }
+                dup2(fd,STDIN_FILENO);
+                close(fd);
+
+                // wipe out environment variables
+                environ = NULL;
+                execl(ip6tables_restore, ip6tables_restore, NULL);
+                // it will never get here!!!
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+
+        // debug
+        if (arg_debug) {
+                child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        environ = NULL;
+                        execl(ip6tables, ip6tables, "-vL", NULL);
+                        // it will never get here!!!
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+        }
+
+doexit:
+        // unmount /tmp
+        umount("/tmp");
+        free(filter);
+}
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 0f6d49868..6286bfe0f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -157,6 +157,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 check_netfilter_file(arg_netfilter_file);
                 return 0;
         }
+        else if (strncmp(ptr, "netfilter6 ", 11) == 0) {
+                arg_netfilter6 = 1;
+                arg_netfilter6_file = strdup(ptr + 11);
+                if (!arg_netfilter6_file)
+                        errExit("strdup");
+                check_netfilter_file(arg_netfilter6_file);
+                return 0;
+        }
         else if (strcmp(ptr, "net none") == 0) {
                 arg_nonetwork  = 1;
                 cfg.bridge0.configured = 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index ac0f62dab..e317579e9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -322,6 +322,9 @@ int sandbox(void* sandbox_arg) {
         if (arg_netfilter && any_bridge_configured()) { // assuming by default the client filter
                 netfilter(arg_netfilter_file);
         }
+        if (arg_netfilter6 && any_bridge_configured()) { // assuming by default the client filter
+                netfilter6(arg_netfilter6_file);
+        }
 
         // load IBUS env variables
         if (arg_nonetwork || any_bridge_configured() || any_interface_configured()) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 5eab05076..07ab04021 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -149,6 +149,9 @@ void usage(void) {
         printf("\t--netfilter=filename - enable the network filter specified by\n");
         printf("\t\tfilename in the new network namespace. The filter file format\n");
         printf("\t\tis the format of iptables-save and iptable-restore commands.\n\n");
+        printf("\t--netfilter6=filename - enable the IPv6 network filter specified by\n");
+        printf("\t\tfilename in the new network namespace. The filter file format\n");
+        printf("\t\tis the format of ip6tables-save and ip6table-restore commands.\n\n");
 
         printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
         printf("\t\tnetwork namespace.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c8dd7d786..75e962b56 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -691,6 +691,12 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\
 .br
 --net=eth0 firefox
 .TP
+\fB\-\-netfilter6=filename
+Enable the IPv6 network filter specified by filename in the new network namespace. The filter file format
+is the format of ip6tables-save and ip6table-restore commands.
+New network namespaces are created using \-\-net option. If a new network namespaces is not created,
+\-\-netfilter6 option does nothing.
+.TP
 \fB\-\-netstats
 Monitor network namespace statistics, see \fBMONITORING\fR section for more details.
 .br
diff --git a/test/ip6.exp b/test/ip6.exp
new file mode 100755
index 000000000..4dc11d3dc
--- /dev/null
+++ b/test/ip6.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --debug --noprofile --net=eth0 --ip6=2001:0db8:0:f101::1/64 --netfilter6=ipv6.net\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Installing network filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "DROP"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "DROP"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "2001:db8:1f0a:3ec::2/128"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "/sbin/ifconfig\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "inet6 addr"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "2001:db8:0:f101::1/64"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Scope:Global"
+}
+
+
+puts "\nall done\n"
+
diff --git a/test/ipv6.net b/test/ipv6.net
new file mode 100644
index 000000000..cc8f22943
--- /dev/null
+++ b/test/ipv6.net
@@ -0,0 +1,8 @@
+# Generated by ip6tables-save v1.4.14 on Wed Jan 13 10:53:40 2016
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -s 2001:db8:1f0a:3ec::2/128 -j DROP
+COMMIT
+# Completed on Wed Jan 13 10:53:40 2016
diff --git a/test/test.sh b/test/test.sh
index ab288cbeb..44bb7ba99 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -256,6 +256,9 @@ echo "TESTING: read/write /dev/shm"
 echo "TESTING: quiet"
 ./quiet.exp
 
+echo "TESTING: IPv6 support"
+./ip6.exp
+
 echo "TESTING: local network"
 ./net_local.exp