author | Kristóf Marussy <kris7topher@gmail.com> | 2019-12-30 00:04:04 +0100 |
---|---|---|
committer | Kristóf Marussy <kris7topher@gmail.com> | 2019-12-30 16:56:47 +0100 |
commit | ce3c1988578f6b18488a91132d355cf13a37e522 (patch) | |
tree | 3898a7fe71c84eb2ef1374b67404d760c637d5de /src/firejail/firejail.h | |
parent | Add capability filter for network services, additive filter (diff) | |
download | firejail-ce3c1988578f6b18488a91132d355cf13a37e522.tar.gz firejail-ce3c1988578f6b18488a91132d355cf13a37e522.tar.zst firejail-ce3c1988578f6b18488a91132d355cf13a37e522.zip |
Run dhclient inside the sandbox
* In order to ensure that network interfaces are already configured when
the sandboxed application launches, we run dhclient in forking mode (no -d switch),
which makes the dhclient command exit when it successfully acquired a lease.
The dhclient daemon process keeps running in the background.
* We read the pid file for dhclient to find out the pid of the daemon process.
Because dhclient only writes the pid file in the child process potentially
after the forking parent process exits, there is some handling for possible
race conditions.
* All lease files and pid files are under /run/firejail/dhclient/
* The v4 and v6 dhclients have separate leases, as recommended.
* The v4 client is set to generate a DUID, which is also used by the v6 client
so that the server can associate the two leases if needed.
* /etc/resolv.conf is created in the sandbox just like with the --dns option,
by mirroring /etc. When DHCP is used, /etc/resolv.conf is normally empty so
that dhclient can overwrite it with the nameservers from the DHCP server.
Current limitations:
* The dhclient processes in the background are not terminated properly
(by SIGTERM or dhclient -x), nor is the DHCP lease released (by dhclient -r).
The reason for this is that firejail drops all capabilities and privileges
before the application in the sandbox is launched, which makes it impossible
to launch dhclient to release the lease or kill the dhclient processes still
running with the effective user id of root. Instead the dhclient daemons
die with the sandbox. According to the dhclient man page, releasing the lease
is not required by the DHCP specification, so this is not a problem, however
some ISPs may require releasing leases.
A possible workaround would be to fork another process upon sandbox
initialization that invokes dhclient -r when the sandbox is ready to exit.
This would require communication with the main firejail process through
a pipe, while keeping any required privileges. As this would add some
complexity but the benefits have limited applicability (compatibility with
esoteric DHCP server configurations), I chose not to implement this.
* When only an IPv6 address is requested, the interface may possibly not have
a link-local address when we run dhclient. This causes dhclient -6 to fail,
since DHCPv6 uses link-local addressing instead of layer 2 addressing,
see e.g., https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783387
In a future commit, waiting for a link-local address will be added.
Diffstat (limited to 'src/firejail/firejail.h')
-rw-r--r-- | src/firejail/firejail.h | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 0311968c3..4beae587e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -812,6 +812,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc, | |||
812 | #define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin | 812 | #define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin |
813 | #define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin | 813 | #define SBOX_STDIN_FROM_FILE (1 << 6) // open file and redirect it to stdin |
814 | #define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon | 814 | #define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon |
815 | #define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services | ||
815 | 816 | ||
816 | // run sbox | 817 | // run sbox |
817 | int sbox_run(unsigned filter, int num, ...); | 818 | int sbox_run(unsigned filter, int num, ...); |
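Review bot: the new `SBOX_CAPS_NET_SERVICE (1 << 8)` flag only says "caps filter for programs running network services", which leaves callers of `sbox_run()` guessing what the filter actually keeps; since the neighbouring `SBOX_CAPS_HIDEPID` comment names its use case (firemon), this comment should likewise name the intended consumer (dhclient, per the commit message) and state whether the flag composes additively with the other `SBOX_CAPS_*` bits or replaces them, e.g. `// caps filter for dhclient and similar network services (additive)`.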
@@ -827,4 +828,9 @@ void set_profile_run_file(pid_t pid, const char *fname); | |||
827 | // dbus.c | 828 | // dbus.c |
828 | void dbus_disable(void); | 829 | void dbus_disable(void); |
829 | 830 | ||
831 | // dhcp.c | ||
832 | extern pid_t dhclient4_pid; | ||
833 | extern pid_t dhclient6_pid; | ||
834 | void dhcp_start(void); | ||
835 | |||
830 | #endif | 836 | #endif |
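Review bot: `void dhcp_start(void);` gives the caller no way to learn that lease acquisition failed, even though the commit message itself describes a failure mode (`dhclient -6` failing without a link-local address); consider returning an `int` status, or document in this header that failures are logged and ignored. The exported `dhclient4_pid` and `dhclient6_pid` globals also need a one-line comment stating their value when the corresponding client was not started or its pid file could not be read (the message mentions race handling around that pid file), since other translation units will now branch on them.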