Add support for joining a persistent, named network namespace.

author: Zack Weinberg <zackw@panix.com> 2017-01-20 17:38:51 -0500
committer: Zack Weinberg <zackw@panix.com> 2017-01-20 17:38:51 -0500
commit: ef37be106728613dd032a235db1add2532774fed (patch)
tree: 30f7d9d5319a76288ba8e126342b0a5222e2511d
parent: firejail/fs.c: include sys/wait.h for declaration of waitpid (diff)
download: firejail-ef37be106728613dd032a235db1add2532774fed.tar.gz
firejail-ef37be106728613dd032a235db1add2532774fed.tar.zst
firejail-ef37be106728613dd032a235db1add2532774fed.zip
5 files changed, 146 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 722d5c05e..94e66920b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -317,6 +317,7 @@ extern int arg_netfilter;	// enable netfilter
 extern int arg_netfilter6;      // enable netfilter6
 extern char *arg_netfilter_file;        // netfilter file
 extern char *arg_netfilter6_file;       // netfilter file
+extern char *arg_netns;         // "ip netns"-created network namespace to use
 extern int arg_doubledash;      // double dash
 extern int arg_shell_none;      // run the program directly without a shell
 extern int arg_private_dev;     // private dev directory
@@ -560,6 +561,11 @@ void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);
+// netns.c
+void check_netns(const char *nsname);
+void netns(const char *nsname);
+void netns_mounts(const char *nsname);
 // bandwidth.c
 void bandwidth_del_run_file(pid_t pid);
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 84bf5e8e6..9c6b6e001 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ int arg_netfilter;				// enable netfilter
 int arg_netfilter6;                             // enable netfilter6
 char *arg_netfilter_file = NULL;                        // netfilter file
 char *arg_netfilter6_file = NULL;               // netfilter6 file
+char *arg_netns = NULL;                 // "ip netns"-created network namespace to use
 int arg_doubledash = 0;                 // double dash
 int arg_shell_none = 0;                 // run the program directly without a shell
 int arg_private_dev = 0;                        // private dev directory
@@ -1999,6 +2000,15 @@ int main(int argc, char **argv) {
                        else
                                exit_err_feature("networking");
                }
+                else if (strncmp(argv[i], "--netns=", 8) == 0) {
+                        if (checkcfg(CFG_NETWORK)) {
+                                arg_netns = argv[i] + 8;
+                                check_netns(arg_netns);
+                        }
+                        else
+                                exit_err_feature("networking");
+                }
 #endif
                //*************************************
                // command
diff --git a/src/firejail/netns.c b/src/firejail/netns.c
new file mode 100644
index 000000000..477d56b3d
--- /dev/null
+++ b/src/firejail/netns.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <unistd.h>
+static char *netns_control_file(const char *nsname) {
+        char *rv = 0;
+        if (asprintf(&rv, "/var/run/netns/%s", nsname) <= 0)
+                errExit("asprintf");
+        return rv;
+}
+static char *netns_etc_dir(const char *nsname) {
+        char *rv = 0;
+        if (asprintf(&rv, "/etc/netns/%s", nsname) <= 0)
+                errExit("asprintf");
+        return rv;
+}
+void check_netns(const char *nsname) {
+        if (strchr(nsname, '/') || strstr(nsname, "..")) {
+                fprintf(stderr, "Error: invalid netns name %s\n", nsname);
+                exit(1);
+        }
+        invalid_filename(nsname);
+        char *control_file = netns_control_file(nsname);
+        EUID_ASSERT();
+        struct stat st;
+        if (lstat(control_file, &st)) {
+                fprintf(stderr, "Error: invalid netns '%s' (%s: %s)\n",
+                        nsname, control_file, strerror(errno));
+                exit(1);
+        }
+        if (!S_ISREG(st.st_mode)) {
+                fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n",
+                        nsname, control_file);
+                exit(1);
+        }
+        free(control_file);
+}
+void netns(const char *nsname) {
+        char *control_file = netns_control_file(nsname);
+        int nsfd = open(control_file, O_RDONLY|O_CLOEXEC);
+        if (nsfd < 0) {
+                fprintf(stderr, "Error: cannot open netns '%s' (%s: %s)\n",
+                        nsname, control_file, strerror(errno));
+                exit(1);
+        }
+        if (syscall(__NR_setns, nsfd, CLONE_NEWNET) < 0) {
+                fprintf(stderr, "Error: cannot join netns '%s': %s\n",
+                        nsname, strerror(errno));
+                exit(1);
+        }
+        close(nsfd);
+        free(control_file);
+}
+void netns_mounts(const char *nsname) {
+        char *etcdir = netns_etc_dir(nsname);
+        char *netns_name, *etc_name;
+        struct dirent *entry;
+        DIR *dir;
+        dir = opendir(etcdir);
+        if (!dir) {
+                free(etcdir);
+                return;
+        }
+        while ((entry = readdir(dir))) {
+                if (!strcmp(entry->d_name, ".") || !strcmp(entry->d_name, ".."))
+                        continue;
+                if (asprintf(&netns_name, "%s/%s", etcdir, entry->d_name) < 0 ||
+                    asprintf(&etc_name, "/etc/%s", entry->d_name) < 0)
+                        errExit("asprintf");
+                if (mount(netns_name, etc_name, "none", MS_BIND, 0) < 0) {
+                        fprintf(stderr, "Warning: bind %s -> %s failed: %s\n",
+                                netns_name, etc_name, strerror(errno));
+                }
+                free(netns_name);
+                free(etc_name);
+        }
+        closedir(dir);
+        free(etcdir);
+}
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 493877db3..69cb8331e 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -467,6 +467,11 @@ int sandbox(void* sandbox_arg) {
                if (arg_debug)
                        printf("Network namespace enabled, only loopback interface available\n");
        }
+        else if (arg_netns) {
+                netns(arg_netns);
+                if (arg_debug)
+                        printf("Network namespace '%s' activated\n", arg_netns);
+        }
        else if (any_bridge_configured() || any_interface_configured()) {
                // configure lo and eth0...eth3
                net_if_up("lo");
@@ -729,6 +734,12 @@ int sandbox(void* sandbox_arg) {
                        EUID_ROOT();
                }
        }
+        //****************************
+        // /etc overrides from the network namespace
+        //****************************
+        if (arg_netns)
+                netns_mounts(arg_netns);
        
        //****************************
        // update /proc, /sys, /dev, /boot directorymy
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1c0f7d55b..afd8e1e4e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -761,6 +761,11 @@ Example:
 $ firejail \-\-net=none vlc
 .TP
+\fB\-\-netns=name
+Run the program in a named, persistent network namespace.  These can
+be created and configured using "ip netns".
+.TP
 \fB\-\-netfilter
 Enable a default client network filter in the new network namespace.
 New network namespaces are created using \-\-net option. If a new network namespaces is not created,
author	Zack Weinberg <zackw@panix.com>	2017-01-20 17:38:51 -0500
committer	Zack Weinberg <zackw@panix.com>	2017-01-20 17:38:51 -0500
commit	ef37be106728613dd032a235db1add2532774fed (patch)
tree	30f7d9d5319a76288ba8e126342b0a5222e2511d
parent	firejail/fs.c: include sys/wait.h for declaration of waitpid (diff)
download	firejail-ef37be106728613dd032a235db1add2532774fed.tar.gz firejail-ef37be106728613dd032a235db1add2532774fed.tar.zst firejail-ef37be106728613dd032a235db1add2532774fed.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 722d5c05e..94e66920b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -317,6 +317,7 @@ extern int arg_netfilter; // enable netfilter
317	extern int arg_netfilter6; // enable netfilter6	317	extern int arg_netfilter6; // enable netfilter6
318	extern char *arg_netfilter_file; // netfilter file	318	extern char *arg_netfilter_file; // netfilter file
319	extern char *arg_netfilter6_file; // netfilter file	319	extern char *arg_netfilter6_file; // netfilter file
		320	extern char *arg_netns; // "ip netns"-created network namespace to use
320	extern int arg_doubledash; // double dash	321	extern int arg_doubledash; // double dash
321	extern int arg_shell_none; // run the program directly without a shell	322	extern int arg_shell_none; // run the program directly without a shell
322	extern int arg_private_dev; // private dev directory	323	extern int arg_private_dev; // private dev directory
@@ -560,6 +561,11 @@ void check_netfilter_file(const char *fname);
560	void netfilter(const char *fname);	561	void netfilter(const char *fname);
561	void netfilter6(const char *fname);	562	void netfilter6(const char *fname);
562		563
		564	// netns.c
		565	void check_netns(const char *nsname);
		566	void netns(const char *nsname);
		567	void netns_mounts(const char *nsname);
		568
563	// bandwidth.c	569	// bandwidth.c
564	void bandwidth_del_run_file(pid_t pid);	570	void bandwidth_del_run_file(pid_t pid);
565	void bandwidth_pid(pid_t pid, const char command, const char dev, int down, int up);	571	void bandwidth_pid(pid_t pid, const char command, const char dev, int down, int up);


diff --git a/src/firejail/main.c b/src/firejail/main.c index 84bf5e8e6..9c6b6e001 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ int arg_netfilter; // enable netfilter
85	int arg_netfilter6; // enable netfilter6	85	int arg_netfilter6; // enable netfilter6
86	char *arg_netfilter_file = NULL; // netfilter file	86	char *arg_netfilter_file = NULL; // netfilter file
87	char *arg_netfilter6_file = NULL; // netfilter6 file	87	char *arg_netfilter6_file = NULL; // netfilter6 file
		88	char *arg_netns = NULL; // "ip netns"-created network namespace to use
88	int arg_doubledash = 0; // double dash	89	int arg_doubledash = 0; // double dash
89	int arg_shell_none = 0; // run the program directly without a shell	90	int arg_shell_none = 0; // run the program directly without a shell
90	int arg_private_dev = 0; // private dev directory	91	int arg_private_dev = 0; // private dev directory
@@ -1999,6 +2000,15 @@ int main(int argc, char **argv) {
1999	else	2000	else
2000	exit_err_feature("networking");	2001	exit_err_feature("networking");
2001	}	2002	}
		2003
		2004	else if (strncmp(argv[i], "--netns=", 8) == 0) {
		2005	if (checkcfg(CFG_NETWORK)) {
		2006	arg_netns = argv[i] + 8;
		2007	check_netns(arg_netns);
		2008	}
		2009	else
		2010	exit_err_feature("networking");
		2011	}
2002	#endif	2012	#endif
2003	//*************************************	2013	//*************************************
2004	// command	2014	// command


diff --git a/src/firejail/netns.c b/src/firejail/netns.c new file mode 100644 index 000000000..477d56b3d --- /dev/null +++ b/src/firejail/netns.c
@@ -0,0 +1,114 @@
		1	/*
		2	* Copyright (C) 2017 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "firejail.h"
		21	#include <stdio.h>
		22	#include <string.h>
		23	#include <errno.h>
		24	#include <sys/types.h>
		25	#include <sys/mount.h>
		26	#include <sys/stat.h>
		27	#include <sys/syscall.h>
		28	#include <dirent.h>
		29	#include <fcntl.h>
		30	#include <sched.h>
		31	#include <unistd.h>
		32
		33	static char netns_control_file(const char nsname) {
		34	char *rv = 0;
		35	if (asprintf(&rv, "/var/run/netns/%s", nsname) <= 0)
		36	errExit("asprintf");
		37	return rv;
		38	}
		39
		40	static char netns_etc_dir(const char nsname) {
		41	char *rv = 0;
		42	if (asprintf(&rv, "/etc/netns/%s", nsname) <= 0)
		43	errExit("asprintf");
		44	return rv;
		45	}
		46
		47	void check_netns(const char *nsname) {
		48	if (strchr(nsname, '/') \|\| strstr(nsname, "..")) {
		49	fprintf(stderr, "Error: invalid netns name %s\n", nsname);
		50	exit(1);
		51	}
		52	invalid_filename(nsname);
		53	char *control_file = netns_control_file(nsname);
		54
		55	EUID_ASSERT();
		56
		57	struct stat st;
		58	if (lstat(control_file, &st)) {
		59	fprintf(stderr, "Error: invalid netns '%s' (%s: %s)\n",
		60	nsname, control_file, strerror(errno));
		61	exit(1);
		62	}
		63	if (!S_ISREG(st.st_mode)) {
		64	fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n",
		65	nsname, control_file);
		66	exit(1);
		67	}
		68	free(control_file);
		69	}
		70
		71	void netns(const char *nsname) {
		72	char *control_file = netns_control_file(nsname);
		73	int nsfd = open(control_file, O_RDONLY\|O_CLOEXEC);
		74	if (nsfd < 0) {
		75	fprintf(stderr, "Error: cannot open netns '%s' (%s: %s)\n",
		76	nsname, control_file, strerror(errno));
		77	exit(1);
		78	}
		79	if (syscall(__NR_setns, nsfd, CLONE_NEWNET) < 0) {
		80	fprintf(stderr, "Error: cannot join netns '%s': %s\n",
		81	nsname, strerror(errno));
		82	exit(1);
		83	}
		84	close(nsfd);
		85	free(control_file);
		86	}
		87
		88	void netns_mounts(const char *nsname) {
		89	char *etcdir = netns_etc_dir(nsname);
		90	char netns_name, etc_name;
		91	struct dirent *entry;
		92	DIR *dir;
		93
		94	dir = opendir(etcdir);
		95	if (!dir) {
		96	free(etcdir);
		97	return;
		98	}
		99	while ((entry = readdir(dir))) {
		100	if (!strcmp(entry->d_name, ".") \|\| !strcmp(entry->d_name, ".."))
		101	continue;
		102	if (asprintf(&netns_name, "%s/%s", etcdir, entry->d_name) < 0 \|\|
		103	asprintf(&etc_name, "/etc/%s", entry->d_name) < 0)
		104	errExit("asprintf");
		105	if (mount(netns_name, etc_name, "none", MS_BIND, 0) < 0) {
		106	fprintf(stderr, "Warning: bind %s -> %s failed: %s\n",
		107	netns_name, etc_name, strerror(errno));
		108	}
		109	free(netns_name);
		110	free(etc_name);
		111	}
		112	closedir(dir);
		113	free(etcdir);
		114	}


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 493877db3..69cb8331e 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -467,6 +467,11 @@ int sandbox(void* sandbox_arg) {
467	if (arg_debug)	467	if (arg_debug)
468	printf("Network namespace enabled, only loopback interface available\n");	468	printf("Network namespace enabled, only loopback interface available\n");
469	}	469	}
		470	else if (arg_netns) {
		471	netns(arg_netns);
		472	if (arg_debug)
		473	printf("Network namespace '%s' activated\n", arg_netns);
		474	}
470	else if (any_bridge_configured() \|\| any_interface_configured()) {	475	else if (any_bridge_configured() \|\| any_interface_configured()) {
471	// configure lo and eth0...eth3	476	// configure lo and eth0...eth3
472	net_if_up("lo");	477	net_if_up("lo");
@@ -729,6 +734,12 @@ int sandbox(void* sandbox_arg) {
729	EUID_ROOT();	734	EUID_ROOT();
730	}	735	}
731	}	736	}
		737
		738	//****************************
		739	// /etc overrides from the network namespace
		740	//****************************
		741	if (arg_netns)
		742	netns_mounts(arg_netns);
732		743
733	//****************************	744	//****************************
734	// update /proc, /sys, /dev, /boot directorymy	745	// update /proc, /sys, /dev, /boot directorymy


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 1c0f7d55b..afd8e1e4e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -761,6 +761,11 @@ Example:
761	$ firejail \-\-net=none vlc	761	$ firejail \-\-net=none vlc
762		762
763	.TP	763	.TP
		764	\fB\-\-netns=name
		765	Run the program in a named, persistent network namespace. These can
		766	be created and configured using "ip netns".
		767
		768	.TP
764	\fB\-\-netfilter	769	\fB\-\-netfilter
765	Enable a default client network filter in the new network namespace.	770	Enable a default client network filter in the new network namespace.
766	New network namespaces are created using \-\-net option. If a new network namespaces is not created,	771	New network namespaces are created using \-\-net option. If a new network namespaces is not created,