adding --net.print command line option

9 files changed, 96 insertions, 56 deletions

diff --git a/README.md b/README.md
index 047fcbe20..b560b9b1b 100644
--- a/README.md
+++ b/README.md
@@ -98,9 +98,9 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 `````
 
 `````
-# Current development version: 0.9.57
+## Current development version: 0.9.57
 
-# New Long Term Support (LTS) version
+## New Long Term Support (LTS) version
 
 We are rebasing our Long Term Support branch of Firejail. The current LTS version (0.9.38.x) is more than two years old.
 The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely
@@ -128,7 +128,22 @@ firejail (0.9.56-LTS~rc1) baseline; urgency=low
 
 The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase
 
-# New profiles:
+## New commands:
+`````
+      --net.print=name|pid
+              If a new network namespace is enabled, print network interface
+              configuration  for the sandbox specified by name or PID. Exam‐
+              ple:
+
+              $ firejail --net.print=browser
+              Switching to pid 1853, the  first  child  process  inside  the
+              sandbox
+              Interface  MAC               IP            Mask        Status
+              lo                           127.0.0.1     255.0.0.0     UP
+              eth0-1852  5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
+`````
+
+## New profiles:
 
 QMediathekView, aria2c, Authenticator, checkbashisms, devilspie, devilspie2, easystroke, github-desktop, min,
 bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat, lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep,
diff --git a/RELNOTES b/RELNOTES
index 09bdeb18f..ee5a24e86 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.56.1) baseline; urgency=low
   * work in progress
   * --disable-mnt rework
+  * --net.print command
   * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms
   * new profiles: devilspie, devilspie2, easystroke, github-desktop, min
   * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2d96863c5..7f6ed2586 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -416,6 +416,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
 void net_dns_print(pid_t pid);
 void network_main(pid_t child);
+void net_print(pid_t pid);
 
 // network.c
 int check_ip46_address(const char *addr);
@@ -547,6 +548,7 @@ void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 int safe_fd(const char *path, int flags);
 int invalid_sandbox(const pid_t pid);
+void enter_network_namespace(pid_t pid);
 
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 29e3df7c6..23d9a1d51 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -592,6 +592,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 else
                         exit_err_feature("networking");
         }
+        else if (strncmp(argv[i], "--net.print=", 12) == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        // extract pid or sandbox name
+                        pid_t pid = require_pid(argv[i] + 12);
+                        net_print(pid);
+                        exit(0);
+                }
+                else
+                        exit_err_feature("networking");
+        }
 #endif
 #ifdef HAVE_FILE_TRANSFER
         else if (strncmp(argv[i], "--get=", 6) == 0) {
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 8fbd11bba..ed2d019ab 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -132,63 +132,12 @@ void netfilter6(const char *fname) {
 void netfilter_print(pid_t pid, int ipv6) {
         EUID_ASSERT();
 
-        // verify sandbox
-        EUID_ROOT();
-        char *comm = pid_proc_comm(pid);
-        EUID_USER();
-        if (!comm) {
-                fprintf(stderr, "Error: cannot find sandbox\n");
-                exit(1);
-        }
-
-        // check for firejail sandbox
-        if (strcmp(comm, "firejail") != 0) {
-                fprintf(stderr, "Error: cannot find sandbox\n");
-                exit(1);
-        }
-        free(comm);
-
-        // check privileges for non-root users
-        uid_t uid = getuid();
-        if (uid != 0) {
-                uid_t sandbox_uid = pid_get_uid(pid);
-                if (uid != sandbox_uid) {
-                        fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
-                        exit(1);
-                }
-        }
-
-        // check network namespace
-        char *name;
-        if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
-                errExit("asprintf");
-        struct stat s;
-        if (stat(name, &s) == -1) {
-                fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
-                exit(1);
-        }
-
-        // join the network namespace
-        pid_t child;
-        if (find_child(pid, &child) == 1) {
-                fprintf(stderr, "Error: cannot join the network namespace\n");
-                exit(1);
-        }
-
-        if (invalid_sandbox(child)) {
-                fprintf(stderr, "Error: cannot join the network namespace\n");
-                exit(1);
-        }
-
-        EUID_ROOT();
-        if (join_namespace(child, "net")) {
-                fprintf(stderr, "Error: cannot join the network namespace\n");
-                exit(1);
-        }
+        enter_network_namespace(pid);
 
         // find iptables executable
         char *iptables = NULL;
 //      char *iptables_restore = NULL;
+        struct stat s;
         if (ipv6) {
                 if (stat("/sbin/ip6tables", &s) == 0)
                         iptables = "/sbin/ip6tables";
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index cdb4c6514..4dee07219 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -372,3 +372,10 @@ void network_main(pid_t child) {
 
         free(cstr);
 }
+
+void net_print(pid_t pid) {
+        EUID_ASSERT();
+
+        enter_network_namespace(pid);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET_MAIN, "printif");
+}
\ No newline at end of file
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b8f8b4f2f..84bc22571 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -115,6 +115,7 @@ static char *usage_str =
         "    --net=ethernet_interface - enable network namespaces and connect to this\n"
         "\tEthernet interface.\n"
         "    --net=none - enable a new, unconnected network namespace.\n"
+        "    --net.print=name|pid - print network interface configuration.\n"
         "    --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n"
         "    --netfilter.print=name|pid - print the firewall.\n"
         "    --netfilter6=filename - enable IPv6 firewall.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 866ef4653..47b237911 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1225,3 +1225,41 @@ int invalid_sandbox(const pid_t pid) {
 
         return 0;
 }
+
+void enter_network_namespace(pid_t pid) {
+        // in case the pid is that of a firejail process, use the pid of the first child process
+        pid_t child = switch_to_child(pid);
+
+        // now check if the pid belongs to a firejail sandbox
+        if (invalid_sandbox(child)) {
+                fprintf(stderr, "Error: no valid sandbox\n");
+                exit(1);
+        }
+
+        // check privileges for non-root users
+        uid_t uid = getuid();
+        if (uid != 0) {
+                uid_t sandbox_uid = pid_get_uid(pid);
+                if (uid != sandbox_uid) {
+                        fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
+                        exit(1);
+                }
+        }
+
+        // check network namespace
+        char *name;
+        if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(name, &s) == -1) {
+                fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
+                exit(1);
+        }
+
+        // join the namespace
+        EUID_ROOT();
+        if (join_namespace(child, "net")) {
+                fprintf(stderr, "Error: cannot join the network namespace\n");
+                exit(1);
+        }
+}
\ No newline at end of file
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f7d18536d..9eb290fef 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -849,6 +849,23 @@ Note: \-\-net=none can crash the application on some platforms.
 In these cases, it can be replaced with \-\-protocol=unix.
 
 .TP
+\fB\-\-net.print=name|pid
+If a new network namespace is enabled, print network interface configuration for the sandbox specified by name or PID. Example:
+.br
+
+.br
+$ firejail --net.print=browser
+.br
+Switching to pid 1853, the first child process inside the sandbox
+.br
+Interface  MAC               IP            Mask        Status
+.br
+lo                           127.0.0.1     255.0.0.0     UP
+.br
+eth0-1852  5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
+.br
+
+.TP
 \fB\-\-netfilter
 Enable a default firewall if a new network namespace is created inside the sandbox.
 This option has no effect for sandboxes using the system network namespace.