netfilter rework

author: netblue30 <netblue30@yahoo.com> 2016-11-28 10:36:04 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-11-28 10:36:04 -0500
commit: d0c1fcfa273d323a26aa8477130e176dc2435bf5 (patch)
tree: 5c0823ed12cabf602ace114a12b53fb3b2872b99 /src/firejail/netfilter.c
parent: cleanup (diff)
download: firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.tar.gz
firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.tar.zst
firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.zip
1 files changed, 45 insertions, 188 deletions
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 43f08e45b..ef4915f15 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -61,59 +61,6 @@ void check_netfilter_file(const char *fname) {
 void netfilter(const char *fname) {
-        // default filter
-        char *filter = client_filter;
-        // custom filter
-        int allocated = 0;
-        if (netfilter_default)
-                fname = netfilter_default;
-        if (fname) {
-                assert(fname);
-                
-                // open filter file
-                int fd = open(fname, O_RDONLY);
-                if (fd == -1)
-                        goto errexit;
-                int size = lseek(fd, 0, SEEK_END);
-                if (size == -1)
-                        goto errexit;
-                if (lseek(fd, 0 , SEEK_SET) == -1)
-                        goto errexit;
-                
-                // read filter
-                filter = malloc(size + 1);        // + '\0'
-                if (filter == NULL)
-                        goto errexit;
-                memset(filter, 0, size + 1);
-                int rd = 0;
-                while (rd < size) {
-                        int rv = read(fd, (unsigned char *) filter + rd, size - rd);
-                        if (rv == -1) {
-                                close(fd);
-                                goto errexit;
-                        }
-                        rd += rv;
-                }
-                
-                // close file
-                close(fd);
-                allocated = 1;
-        }
-        // temporarily mount a tempfs on top of /tmp directory
-        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("mounting /tmp");
-        // create the filter file
-        FILE *fp = fopen("/tmp/netfilter", "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open /tmp/netfilter file\n");
-                exit(1);
-        }
-        fprintf(fp, "%s\n", filter);
-        fclose(fp);
        // find iptables command
        struct stat s;
        char *iptables = NULL;
@@ -127,113 +74,49 @@ void netfilter(const char *fname) {
                iptables_restore = "/usr/sbin/iptables-restore";
        }
        if (iptables == NULL || iptables_restore == NULL) {
-                fprintf(stderr, "Error: iptables command not found\n");
+                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
-                goto doexit;
+                return;
        }
-        // push filter
+        // read filter
-        pid_t child = fork();
+        char *filter = client_filter;
-        if (child < 0)
+        int allocated = 0;
-                errExit("fork");
+        if (netfilter_default)
-        if (child == 0) {
+                fname = netfilter_default;
-                if (arg_debug)
+        if (fname) {
-                        printf("Installing network filter:\n%s\n", filter);
+                filter = read_text_file_or_exit(fname);
+                allocated = 1;
-                int fd;
-                if((fd = open("/tmp/netfilter", O_RDONLY)) == -1) {
-                        fprintf(stderr,"Error: cannot open /tmp/netfilter\n");
-                        exit(1);
-                }
-                dup2(fd,STDIN_FILENO);
-                // wipe out environment variables
-                clearenv();     
-                execl(iptables_restore, iptables_restore, NULL);
-                perror("execl");
-                _exit(1);
        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-        // debug
+        // create the filter file
-        if (arg_debug) {
+        FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-                child = fork();
+        if (!fp) {
-                if (child < 0)
+                fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
-                        errExit("fork");
+                exit(1);
-                if (child == 0) {
-                        // elevate privileges in order to get grsecurity working
-                        if (setreuid(0, 0))
-                                errExit("setreuid");
-                        if (setregid(0, 0))
-                                errExit("setregid");
-                        environ = NULL;
-                        assert(getenv("LD_PRELOAD") == NULL);   
-                        execl(iptables, iptables, "-vL", NULL);
-                        perror("execl");
-                        _exit(1);
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
        }
+        fprintf(fp, "%s\n", filter);
+        fclose(fp);
-doexit:
+        // push filter
-        // unmount /tmp
+        if (arg_debug)
-        umount("/tmp");
+                printf("Installing network filter:\n%s\n", filter);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
+        unlink(SBOX_STDIN_FILE);
+        // debug
+        if (arg_debug) 
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
        if (allocated)
                free(filter);
        return;
-errexit:
-        fprintf(stderr, "Error: cannot read network filter %s\n", fname);
-        exit(1);
 }
 void netfilter6(const char *fname) {
        if (fname == NULL)
                return;
                
-        char *filter;
-        // open filter file
-        int fd = open(fname, O_RDONLY);
-        if (fd == -1)
-                goto errexit;
-        int size = lseek(fd, 0, SEEK_END);
-        if (size == -1)
-                goto errexit;
-        if (lseek(fd, 0 , SEEK_SET) == -1)
-                goto errexit;
-        
-        // read filter
-        filter = malloc(size + 1);        // + '\0'
-        if (filter == NULL)
-                goto errexit;
-        memset(filter, 0, size + 1);
-        int rd = 0;
-        while (rd < size) {
-                int rv = read(fd, (unsigned char *) filter + rd, size - rd);
-                if (rv == -1)
-                        goto errexit;
-                rd += rv;
-        }
-        
-        // close file
-        close(fd);
-        // temporarily mount a tempfs on top of /tmp directory
-        if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("mounting /tmp");
-        // create the filter file
-        FILE *fp = fopen("/tmp/netfilter6", "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
-                exit(1);
-        }
-        fprintf(fp, "%s\n", filter);
-        fclose(fp);
        // find iptables command
        char *ip6tables = NULL;
        char *ip6tables_restore = NULL;
@@ -247,56 +130,30 @@ void netfilter6(const char *fname) {
                ip6tables_restore = "/usr/sbin/ip6tables-restore";
        }
        if (ip6tables == NULL || ip6tables_restore == NULL) {
-                fprintf(stderr, "Error: ip6tables command not found\n");
+                fprintf(stderr, "Error: ip6tables command not found, netfilter6 not configured\n");
-                goto doexit;
+                return;
        }
-        // push filter
+        // create the filter file
-        pid_t child = fork();
+        char *filter = read_text_file_or_exit(fname);
-        if (child < 0)
+        FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-                errExit("fork");
+        if (!fp) {
-        if (child == 0) {
+                fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
-                if (arg_debug)
+                exit(1);
-                        printf("Installing network filter:\n%s\n", filter);
-                int fd;
-                if((fd = open("/tmp/netfilter6", O_RDONLY)) == -1) {
-                        fprintf(stderr,"Error: cannot open /tmp/netfilter6\n");
-                        exit(1);
-                }
-                dup2(fd,STDIN_FILENO);
-                // wipe out environment variables
-                clearenv();     
-                execl(ip6tables_restore, ip6tables_restore, NULL);
-                perror("execl");
-                _exit(1);
        }
-        // wait for the child to finish
+        fprintf(fp, "%s\n", filter);
-        waitpid(child, NULL, 0);
+        fclose(fp);
+        // push filter
+        if (arg_debug)
+                printf("Installing network filter:\n%s\n", filter);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
+        unlink(SBOX_STDIN_FILE);
+        
        // debug
-        if (arg_debug) {
+        if (arg_debug)
-                child = fork();
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL");
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        clearenv();     
-                        execl(ip6tables, ip6tables, "-vL", NULL);
-                        perror("execl");
-                        _exit(1);
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
-        }
-doexit:
-        // unmount /tmp
-        umount("/tmp");
        free(filter);
        return;
-        
-errexit:
-        fprintf(stderr, "Error: cannot read network filter %s\n", fname);
-        exit(1);
 }
author	netblue30 <netblue30@yahoo.com>	2016-11-28 10:36:04 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-11-28 10:36:04 -0500
commit	d0c1fcfa273d323a26aa8477130e176dc2435bf5 (patch)
tree	5c0823ed12cabf602ace114a12b53fb3b2872b99 /src/firejail/netfilter.c
parent	cleanup (diff)
download	firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.tar.gz firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.tar.zst firejail-d0c1fcfa273d323a26aa8477130e176dc2435bf5.zip

diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 43f08e45b..ef4915f15 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c
@@ -61,59 +61,6 @@ void check_netfilter_file(const char *fname) {
61		61
62		62
63	void netfilter(const char *fname) {	63	void netfilter(const char *fname) {
64	// default filter
65	char *filter = client_filter;
66
67	// custom filter
68	int allocated = 0;
69	if (netfilter_default)
70	fname = netfilter_default;
71	if (fname) {
72	assert(fname);
73
74	// open filter file
75	int fd = open(fname, O_RDONLY);
76	if (fd == -1)
77	goto errexit;
78	int size = lseek(fd, 0, SEEK_END);
79	if (size == -1)
80	goto errexit;
81	if (lseek(fd, 0 , SEEK_SET) == -1)
82	goto errexit;
83
84	// read filter
85	filter = malloc(size + 1); // + '\0'
86	if (filter == NULL)
87	goto errexit;
88	memset(filter, 0, size + 1);
89	int rd = 0;
90	while (rd < size) {
91	int rv = read(fd, (unsigned char *) filter + rd, size - rd);
92	if (rv == -1) {
93	close(fd);
94	goto errexit;
95	}
96	rd += rv;
97	}
98
99	// close file
100	close(fd);
101	allocated = 1;
102	}
103
104	// temporarily mount a tempfs on top of /tmp directory
105	if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
106	errExit("mounting /tmp");
107
108	// create the filter file
109	FILE *fp = fopen("/tmp/netfilter", "w");
110	if (!fp) {
111	fprintf(stderr, "Error: cannot open /tmp/netfilter file\n");
112	exit(1);
113	}
114	fprintf(fp, "%s\n", filter);
115	fclose(fp);
116
117	// find iptables command	64	// find iptables command
118	struct stat s;	65	struct stat s;
119	char *iptables = NULL;	66	char *iptables = NULL;
@@ -127,113 +74,49 @@ void netfilter(const char *fname) {
127	iptables_restore = "/usr/sbin/iptables-restore";	74	iptables_restore = "/usr/sbin/iptables-restore";
128	}	75	}
129	if (iptables == NULL \|\| iptables_restore == NULL) {	76	if (iptables == NULL \|\| iptables_restore == NULL) {
130	fprintf(stderr, "Error: iptables command not found\n");	77	fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
131	goto doexit;	78	return;
132	}	79	}
133		80
134	// push filter	81	// read filter
135	pid_t child = fork();	82	char *filter = client_filter;
136	if (child < 0)	83	int allocated = 0;
137	errExit("fork");	84	if (netfilter_default)
138	if (child == 0) {	85	fname = netfilter_default;
139	if (arg_debug)	86	if (fname) {
140	printf("Installing network filter:\n%s\n", filter);	87	filter = read_text_file_or_exit(fname);
141		88	allocated = 1;
142	int fd;
143	if((fd = open("/tmp/netfilter", O_RDONLY)) == -1) {
144	fprintf(stderr,"Error: cannot open /tmp/netfilter\n");
145	exit(1);
146	}
147	dup2(fd,STDIN_FILENO);
148
149	// wipe out environment variables
150	clearenv();
151	execl(iptables_restore, iptables_restore, NULL);
152	perror("execl");
153	_exit(1);
154	}	89	}
155	// wait for the child to finish
156	waitpid(child, NULL, 0);
157		90
158	// debug	91	// create the filter file
159	if (arg_debug) {	92	FILE *fp = fopen(SBOX_STDIN_FILE, "w");
160	child = fork();	93	if (!fp) {
161	if (child < 0)	94	fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
162	errExit("fork");	95	exit(1);
163	if (child == 0) {
164	// elevate privileges in order to get grsecurity working
165	if (setreuid(0, 0))
166	errExit("setreuid");
167	if (setregid(0, 0))
168	errExit("setregid");
169	environ = NULL;
170	assert(getenv("LD_PRELOAD") == NULL);
171	execl(iptables, iptables, "-vL", NULL);
172	perror("execl");
173	_exit(1);
174	}
175	// wait for the child to finish
176	waitpid(child, NULL, 0);
177	}	96	}
		97	fprintf(fp, "%s\n", filter);
		98	fclose(fp);
		99
178		100
179	doexit:	101	// push filter
180	// unmount /tmp	102	if (arg_debug)
181	umount("/tmp");	103	printf("Installing network filter:\n%s\n", filter);
		104	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP \| SBOX_STDIN_FROM_FILE, 1, iptables_restore);
		105	unlink(SBOX_STDIN_FILE);
		106
		107	// debug
		108	if (arg_debug)
		109	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 2, iptables, "-vL");
182		110
183	if (allocated)	111	if (allocated)
184	free(filter);	112	free(filter);
185	return;	113	return;
186
187	errexit:
188	fprintf(stderr, "Error: cannot read network filter %s\n", fname);
189	exit(1);
190	}	114	}
191		115
192	void netfilter6(const char *fname) {	116	void netfilter6(const char *fname) {
193	if (fname == NULL)	117	if (fname == NULL)
194	return;	118	return;
195		119
196	char *filter;
197
198	// open filter file
199	int fd = open(fname, O_RDONLY);
200	if (fd == -1)
201	goto errexit;
202	int size = lseek(fd, 0, SEEK_END);
203	if (size == -1)
204	goto errexit;
205	if (lseek(fd, 0 , SEEK_SET) == -1)
206	goto errexit;
207
208	// read filter
209	filter = malloc(size + 1); // + '\0'
210	if (filter == NULL)
211	goto errexit;
212	memset(filter, 0, size + 1);
213	int rd = 0;
214	while (rd < size) {
215	int rv = read(fd, (unsigned char *) filter + rd, size - rd);
216	if (rv == -1)
217	goto errexit;
218	rd += rv;
219	}
220
221	// close file
222	close(fd);
223
224	// temporarily mount a tempfs on top of /tmp directory
225	if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
226	errExit("mounting /tmp");
227
228	// create the filter file
229	FILE *fp = fopen("/tmp/netfilter6", "w");
230	if (!fp) {
231	fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
232	exit(1);
233	}
234	fprintf(fp, "%s\n", filter);
235	fclose(fp);
236
237	// find iptables command	120	// find iptables command
238	char *ip6tables = NULL;	121	char *ip6tables = NULL;
239	char *ip6tables_restore = NULL;	122	char *ip6tables_restore = NULL;
@@ -247,56 +130,30 @@ void netfilter6(const char *fname) {
247	ip6tables_restore = "/usr/sbin/ip6tables-restore";	130	ip6tables_restore = "/usr/sbin/ip6tables-restore";
248	}	131	}
249	if (ip6tables == NULL \|\| ip6tables_restore == NULL) {	132	if (ip6tables == NULL \|\| ip6tables_restore == NULL) {
250	fprintf(stderr, "Error: ip6tables command not found\n");	133	fprintf(stderr, "Error: ip6tables command not found, netfilter6 not configured\n");
251	goto doexit;	134	return;
252	}	135	}
253		136
254	// push filter	137	// create the filter file
255	pid_t child = fork();	138	char *filter = read_text_file_or_exit(fname);
256	if (child < 0)	139	FILE *fp = fopen(SBOX_STDIN_FILE, "w");
257	errExit("fork");	140	if (!fp) {
258	if (child == 0) {	141	fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
259	if (arg_debug)	142	exit(1);
260	printf("Installing network filter:\n%s\n", filter);
261
262	int fd;
263	if((fd = open("/tmp/netfilter6", O_RDONLY)) == -1) {
264	fprintf(stderr,"Error: cannot open /tmp/netfilter6\n");
265	exit(1);
266	}
267	dup2(fd,STDIN_FILENO);
268
269	// wipe out environment variables
270	clearenv();
271	execl(ip6tables_restore, ip6tables_restore, NULL);
272	perror("execl");
273	_exit(1);
274	}	143	}
275	// wait for the child to finish	144	fprintf(fp, "%s\n", filter);
276	waitpid(child, NULL, 0);	145	fclose(fp);
277		146
		147	// push filter
		148	if (arg_debug)
		149	printf("Installing network filter:\n%s\n", filter);
		150	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP \| SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
		151	unlink(SBOX_STDIN_FILE);
		152
278	// debug	153	// debug
279	if (arg_debug) {	154	if (arg_debug)
280	child = fork();	155	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 2, ip6tables, "-vL");
281	if (child < 0)
282	errExit("fork");
283	if (child == 0) {
284	clearenv();
285	execl(ip6tables, ip6tables, "-vL", NULL);
286	perror("execl");
287	_exit(1);
288	}
289	// wait for the child to finish
290	waitpid(child, NULL, 0);
291	}
292		156
293	doexit:
294	// unmount /tmp
295	umount("/tmp");
296	free(filter);	157	free(filter);
297	return;	158	return;
298
299	errexit:
300	fprintf(stderr, "Error: cannot read network filter %s\n", fname);
301	exit(1);
302	}	159	}