network code split

5 files changed, 559 insertions, 0 deletions

diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
new file mode 100644
index 000000000..1bfb4c68d
--- /dev/null
+++ b/src/fnet/Makefile.in
@@ -0,0 +1,43 @@
+all: fnet
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+fnet: $(OBJS) ../lib/libnetlink.o ../lib/common.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -f *.o fnet
+
+distclean: clean
+        rm -fr Makefile
+
diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h
new file mode 100644
index 000000000..58efbbed5
--- /dev/null
+++ b/src/fnet/fnet.h
@@ -0,0 +1,40 @@
+ /*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FNET_H
+#define FNET_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "../include/common.h"
+
+// veth.c
+int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
+int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
+int net_move_interface(const char *dev, unsigned pid);
+
+// interface.c
+void net_bridge_add_interface(const char *bridge, const char *dev);
+void net_if_up(const char *ifname);
+int net_get_mtu(const char *ifname);
+void net_set_mtu(const char *ifname, int mtu);
+
+#endif
diff --git a/src/fnet/interface.c b/src/fnet/interface.c
new file mode 100644
index 000000000..b1903dd46
--- /dev/null
+++ b/src/fnet/interface.c
@@ -0,0 +1,183 @@
+ /*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "fnet.h"
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <netdb.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <net/route.h>
+#include <linux/if_bridge.h>
+
+// add a veth device to a bridge
+void net_bridge_add_interface(const char *bridge, const char *dev) {
+        if (strlen(bridge) > IFNAMSIZ) {
+                fprintf(stderr, "Error fnet: invalid network device name %s\n", bridge);
+                exit(1);
+        }
+
+        // somehow adding the interface to the bridge resets MTU on bridge device!!!
+        // workaround: restore MTU on the bridge device
+        // todo: put a real fix in
+        int mtu1 = net_get_mtu(bridge);
+
+        struct ifreq ifr;
+        int err;
+        int ifindex = if_nametoindex(dev);
+
+        if (ifindex <= 0)
+                errExit("if_nametoindex");
+
+        int sock;
+        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+                errExit("socket");
+
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
+#ifdef SIOCBRADDIF
+        ifr.ifr_ifindex = ifindex;
+        err = ioctl(sock, SIOCBRADDIF, &ifr);
+        if (err < 0)
+#endif
+        {
+                unsigned long args[4] = { BRCTL_ADD_IF, ifindex, 0, 0 };
+
+                ifr.ifr_data = (char *) args;
+                err = ioctl(sock, SIOCDEVPRIVATE, &ifr);
+        }
+        (void) err;
+        close(sock);
+
+        int mtu2 = net_get_mtu(bridge);
+        if (mtu1 != mtu2) {
+                net_set_mtu(bridge, mtu1);
+        }
+}
+
+
+// bring interface up
+void net_if_up(const char *ifname) {
+        if (strlen(ifname) > IFNAMSIZ) {
+                fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname);
+                exit(1);
+        }
+        
+        int sock = socket(AF_INET,SOCK_DGRAM,0);
+        if (sock < 0)
+                errExit("socket");
+
+        // get the existing interface flags
+        struct ifreq ifr;
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_addr.sa_family = AF_INET;
+
+        // read the existing flags
+        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
+                close(sock);
+                printf("Error fnet: cannot bring up interface %s\n", ifname);
+                errExit("ioctl");
+        }
+
+        ifr.ifr_flags |= IFF_UP;
+
+        // set the new flags
+        if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
+                close(sock);
+                printf("Error fnet: cannot bring up interface %s\n", ifname);
+                errExit("ioctl");
+        }
+
+        // checking
+        // read the existing flags
+        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
+                close(sock);
+                printf("Error fnet: cannot bring up interface %s\n", ifname);
+                errExit("ioctl");
+        }
+
+        // wait not more than 500ms for the interface to come up
+        int cnt = 0;
+        while (cnt < 50) {
+                usleep(10000);                    // sleep 10ms
+
+                // read the existing flags
+                if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
+                        close(sock);
+                        printf("Error fnet: cannot bring up interface %s\n", ifname);
+                        errExit("ioctl");
+                }
+                if (ifr.ifr_flags & IFF_RUNNING)
+                        break;
+                cnt++;
+        }
+
+        close(sock);
+}
+
+int net_get_mtu(const char *ifname) {
+        int mtu = 0;
+        if (strlen(ifname) > IFNAMSIZ) {
+                fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname);
+                exit(1);
+        }
+
+        int s;
+        struct ifreq ifr;
+
+        if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+                errExit("socket");
+
+        memset(&ifr, 0, sizeof(ifr));
+        ifr.ifr_addr.sa_family = AF_INET;
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0)
+                mtu = ifr.ifr_mtu;
+        close(s);
+        
+        
+        return mtu;
+}
+
+void net_set_mtu(const char *ifname, int mtu) {
+        if (strlen(ifname) > IFNAMSIZ) {
+                fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname);
+                exit(1);
+        }
+
+        int s;
+        struct ifreq ifr;
+
+        if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+                errExit("socket");
+
+        memset(&ifr, 0, sizeof(ifr));
+        ifr.ifr_addr.sa_family = AF_INET;
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_mtu = mtu;
+        if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0)
+                fprintf(stderr, "Warning fnet: cannot set mtu for interface %s\n", ifname);
+        close(s);
+}
+
+
diff --git a/src/fnet/main.c b/src/fnet/main.c
new file mode 100644
index 000000000..ae780c2ea
--- /dev/null
+++ b/src/fnet/main.c
@@ -0,0 +1,63 @@
+ /*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/prctl.h>
+#include <linux/capability.h>
+
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfnet create veth dev1 dev2 bridge child\n");
+        printf("\tfnet create macvlan dev parent child\n");
+        printf("\tfnet moveif dev proc\n");
+}
+
+int main(int argc, char **argv) {
+        if (argc < 2)
+                return 1;
+
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+        else if (argc == 7 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "veth") == 0) {
+                // create veth pair and move one end in the the namespace
+                net_create_veth(argv[3], argv[4], atoi(argv[6]));
+                
+                // connect the ohter veth end to the bridge ...
+                net_bridge_add_interface(argv[5], argv[3]);
+
+                // ... and bring it  up
+                net_if_up(argv[3]);
+        }
+        else if (argc == 6 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "macvlan") == 0) {
+                net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
+        }
+        else if (argc == 4 && strcmp(argv[1], "moveif") == 0) {
+                net_move_interface(argv[2], atoi(argv[3]));
+        }
+        else {
+                fprintf(stderr, "Error fnet: invalid arguments\n");
+                return 1;
+        }
+
+        return 0;
+}
diff --git a/src/fnet/veth.c b/src/fnet/veth.c
new file mode 100644
index 000000000..d06bc9256
--- /dev/null
+++ b/src/fnet/veth.c
@@ -0,0 +1,230 @@
+/* code based on iproute2 ip/iplink.c, modified to be included in firejail project
+ *
+ * Original source code:
+ * 
+ * Information:
+ *     http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
+ * 
+ * Download:
+ *     http://www.kernel.org/pub/linux/utils/net/iproute2/
+ * 
+ * Repository:
+ *     git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git
+ * 
+ * License: GPL v2
+ *
+ * Original copyright header
+ *
+ * iplink.c             "ip link".
+ *
+ *              This program is free software; you can redistribute it and/or
+ *              modify it under the terms of the GNU General Public License
+ *              as published by the Free Software Foundation; either version
+ *              2 of the License, or (at your option) any later version.
+ *
+ * Authors:     Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
+ *
+ */
+ /*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "fnet.h"
+#include "../include/libnetlink.h"
+#include <linux/veth.h>
+#include <net/if.h>
+
+struct iplink_req
+{
+        struct nlmsghdr         n;
+        struct ifinfomsg        i;
+        char                    buf[1024];
+};
+
+static struct rtnl_handle rth = { .fd = -1 };
+
+int net_create_veth(const char *dev, const char *nsdev, unsigned pid) {
+        int len;
+        struct iplink_req req;
+
+        assert(dev);
+        assert(nsdev);
+        assert(pid);
+
+        if (rtnl_open(&rth, 0) < 0) {
+                fprintf(stderr, "cannot open netlink\n");
+                exit(1);
+        }
+
+        memset(&req, 0, sizeof(req));
+
+        req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
+        req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL;
+        req.n.nlmsg_type = RTM_NEWLINK;
+        req.i.ifi_family = 0;
+
+        if (dev) {
+                len = strlen(dev) + 1;
+                addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len);
+        }
+
+        struct rtattr *linkinfo = NLMSG_TAIL(&req.n);
+        addattr_l(&req.n, sizeof(req), IFLA_LINKINFO, NULL, 0);
+        addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, "veth", strlen("veth"));
+
+        struct rtattr * data = NLMSG_TAIL(&req.n);
+        addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0);
+
+        struct rtattr * peerdata = NLMSG_TAIL(&req.n);
+        addattr_l (&req.n, sizeof(req), VETH_INFO_PEER, NULL, 0);
+        req.n.nlmsg_len += sizeof(struct ifinfomsg);
+
+        // place the link in the child namespace
+        addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4);
+
+        if (nsdev) {
+                int len = strlen(nsdev) + 1;
+                addattr_l(&req.n, sizeof(req), IFLA_IFNAME, nsdev, len);
+        }
+        peerdata->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)peerdata;
+
+        data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
+        linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;
+
+        // send message
+        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
+                exit(2);
+
+        return 0;
+}
+
+
+int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
+        int len;
+        struct iplink_req req;
+        assert(dev);
+        assert(parent);
+
+        if (rtnl_open(&rth, 0) < 0) {
+                fprintf(stderr, "cannot open netlink\n");
+                exit(1);
+        }
+
+        memset(&req, 0, sizeof(req));
+
+        req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
+        req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL;
+        req.n.nlmsg_type = RTM_NEWLINK;
+        req.i.ifi_family = 0;
+        
+        // find parent ifindex
+        int parent_ifindex = if_nametoindex(parent);
+        if (parent_ifindex <= 0) {
+                fprintf(stderr, "Error: cannot find network device %s\n", parent);
+                exit(1);
+        }                       
+
+        // add parent
+        addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4);
+
+        // add new interface name
+        len = strlen(dev) + 1;
+        addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len);
+        
+        // place the interface in child namespace
+        addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4);
+
+
+        // add  link info for the new interface
+        struct rtattr *linkinfo = NLMSG_TAIL(&req.n);
+        addattr_l(&req.n, sizeof(req), IFLA_LINKINFO, NULL, 0);
+        addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, "macvlan", strlen("macvlan"));
+
+        // set macvlan bridge mode
+        struct rtattr * data = NLMSG_TAIL(&req.n);
+        addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0);
+        int macvlan_type = MACVLAN_MODE_BRIDGE;
+        addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 4);
+
+        data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
+//      req.n.nlmsg_len += sizeof(struct ifinfomsg);
+
+
+        data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
+        linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;
+
+        // send message
+        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
+                exit(2);
+
+        return 0;
+}
+
+// move the interface dev in namespace of program pid
+// when the interface is moved, netlink does not preserve interface configuration
+int net_move_interface(const char *dev, unsigned pid) {
+        struct iplink_req req;
+        assert(dev);
+
+        if (rtnl_open(&rth, 0) < 0) {
+                fprintf(stderr, "cannot open netlink\n");
+                exit(1);
+        }
+
+        memset(&req, 0, sizeof(req));
+
+        req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
+        req.n.nlmsg_flags = NLM_F_REQUEST;
+        req.n.nlmsg_type = RTM_NEWLINK;
+        req.i.ifi_family = 0;
+        
+        // find ifindex
+        int ifindex = if_nametoindex(dev);
+        if (ifindex <= 0) {
+                fprintf(stderr, "Error: cannot find interface %s\n", dev);
+                exit(1);
+        }
+        req.i.ifi_index = ifindex;
+                                
+        // place the interface in child namespace
+        addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4);
+
+        // send message
+        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
+                exit(2);
+
+        return 0;
+}
+
+/*
+int main(int argc, char **argv) {
+        printf("Hello\n");
+
+
+        char *dev = argv[3];
+        char *nsdev = argv[8];
+        unsigned pid;
+        sscanf(argv[10], "%u", &pid);
+
+
+        net_create_veth(dev, nsdev, pid);
+
+        return 0;
+}
+*/
\ No newline at end of file