Wait for link-local address for DHCPv6

dhclient -6 fails if the interface to be configures has no link-local address.
This is especially problematic when only DHCPv6 is used
(e.g., --ip=none --ip6=dhcp), because the wait for a DHCPv4 lease is usually
ample time for the LL address to become available on the IPv6 link.
The LL address must not be tenative.

Therefore, this patch implements waiting for a non-tentative link-local
address in fnet for DHCPv6 configured interfaces.

The command fnet waitll <if> waits for an LL address on the interface <if>.

Currently, the maximum waiting time is 30 seconds,
and the kernel is polled through rtnetlink every 500 milliseconds.
These values seem sufficient for virtual bridged networks,
e.g., libvirt NAT networks.

1 files changed, 16 insertions, 0 deletions

diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index c9bbb4d8f..7ce9a2b18 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -117,6 +117,21 @@ static void dhcp_start_dhclient(const Dhclient *client) {
   *(client->pid) = dhcp_read_pidfile(client);
 }
 
+static void dhcp_waitll(const char *ifname) {
+  sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, PATH_FNET, "waitll", ifname);
+}
+
+static void dhcp_waitll_all() {
+  if (cfg.bridge0.arg_ip6_dhcp)
+    dhcp_waitll(cfg.bridge0.devsandbox);
+  if (cfg.bridge1.arg_ip6_dhcp)
+    dhcp_waitll(cfg.bridge1.devsandbox);
+  if (cfg.bridge2.arg_ip6_dhcp)
+    dhcp_waitll(cfg.bridge2.devsandbox);
+  if (cfg.bridge3.arg_ip6_dhcp)
+    dhcp_waitll(cfg.bridge3.devsandbox);
+}
+
 void dhcp_start(void) {
   if (!any_dhcp())
     return;
@@ -131,6 +146,7 @@ void dhcp_start(void) {
       printf("Running dhclient -4 in the background as pid %ld\n", (long) dhclient4_pid);
   }
   if (any_ip6_dhcp()) {
+    dhcp_waitll_all();
     dhcp_start_dhclient(&dhclient6);
     if (arg_debug)
       printf("Running dhclient -6 in the background as pid %ld\n", (long) dhclient6_pid);