support wireless interfaces for --net

author: netblue30 <netblue30@yahoo.com> 2018-06-09 07:57:32 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-06-09 07:57:32 -0400
commit: e62246a8a3e0e795a37535f9e41dffdfdfa9f77a (patch)
tree: 28b8c0b1667fd0170fa113c1bec90046a15ce6da /src/fnet
parent: AppArmor: allow dbus access by default (diff)
download: firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.tar.gz
firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.tar.zst
firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.zip
3 files changed, 74 insertions, 3 deletions
diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h
index 71299852d..fcbb3cd84 100644
--- a/src/fnet/fnet.h
+++ b/src/fnet/fnet.h
@@ -20,12 +20,12 @@
 #ifndef FNET_H
 #define FNET_H
+#include "../include/common.h"
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
 #include <stdarg.h>
-#include "../include/common.h"
 // main.c
 extern int arg_quiet;
@@ -34,6 +34,7 @@ extern void fmessage(char* fmt, ...); // TODO: this function is duplicated in sr
 // veth.c
 int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
 int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
+int net_create_ipvlan(const char *dev, const char *parent, unsigned pid);
 int net_move_interface(const char *dev, unsigned pid);
 // interface.c
diff --git a/src/fnet/main.c b/src/fnet/main.c
index 6f149b497..3832cfaef 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -18,6 +18,9 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "fnet.h"
+#include <sys/types.h>
+#include <sys/stat.h>
 int arg_quiet = 0;
 void fmessage(char* fmt, ...) { // TODO: this function is duplicated in src/firejail/util.c
@@ -86,7 +89,15 @@ printf("\n");
                net_if_up(argv[3]);
        }
        else if (argc == 6 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "macvlan") == 0) {
-                net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
+                // use ipvlan for wireless devices
+                struct stat s;
+                char *fname;
+                if (asprintf(&fname, "/sys/class/net/%s/wireless", argv[4]) == -1)
+                        errExit("asprintf");
+                if (stat(fname, &s) == 0) // wireless
+                        net_create_ipvlan(argv[3], argv[4], atoi(argv[5]));
+                else // regular ethernet
+                        net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
        }
        else if (argc == 7 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "interface") == 0) {
                char *dev = argv[3];
diff --git a/src/fnet/veth.c b/src/fnet/veth.c
index c971943a7..fb4f3dc31 100644
--- a/src/fnet/veth.c
+++ b/src/fnet/veth.c
@@ -165,8 +165,66 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
        addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 4);
        data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
-//      req.n.nlmsg_len += sizeof(struct ifinfomsg);
+        linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;
+        // send message
+        if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
+                exit(2);
+        rtnl_close(&rth);
+        return 0;
+}
+int net_create_ipvlan(const char *dev, const char *parent, unsigned pid) {
+        int len;
+        struct iplink_req req;
+        assert(dev);
+        assert(parent);
+        if (rtnl_open(&rth, 0) < 0) {
+                fprintf(stderr, "cannot open netlink\n");
+                exit(1);
+        }
+        memset(&req, 0, sizeof(req));
+        req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
+        req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL;
+        req.n.nlmsg_type = RTM_NEWLINK;
+        req.i.ifi_family = 0;
+        // find parent ifindex
+        int parent_ifindex = if_nametoindex(parent);
+        if (parent_ifindex <= 0) {
+                fprintf(stderr, "Error: cannot find network device %s\n", parent);
+                exit(1);
+        }
+        // add parent
+        addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4);
+        // add new interface name
+        len = strlen(dev) + 1;
+        addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len);
+        // place the interface in child namespace
+        addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4);
+        // add  link info for the new interface
+        struct rtattr *linkinfo = NLMSG_TAIL(&req.n);
+        addattr_l(&req.n, sizeof(req), IFLA_LINKINFO, NULL, 0);
+        addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, "ipvlan", strlen("ipvlan"));
+        // set macvlan bridge mode
+        struct rtattr * data = NLMSG_TAIL(&req.n);
+        addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0);
+        int macvlan_type = IPVLAN_MODE_L2;
+        addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 2);
+        data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
+//      req.n.nlmsg_len += sizeof(struct ifinfomsg);
        data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
        linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;
@@ -180,6 +238,7 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
        return 0;
 }
 // move the interface dev in namespace of program pid
 // when the interface is moved, netlink does not preserve interface configuration
 int net_move_interface(const char *dev, unsigned pid) {
author	netblue30 <netblue30@yahoo.com>	2018-06-09 07:57:32 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-06-09 07:57:32 -0400
commit	e62246a8a3e0e795a37535f9e41dffdfdfa9f77a (patch)
tree	28b8c0b1667fd0170fa113c1bec90046a15ce6da /src/fnet
parent	AppArmor: allow dbus access by default (diff)
download	firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.tar.gz firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.tar.zst firejail-e62246a8a3e0e795a37535f9e41dffdfdfa9f77a.zip

diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h index 71299852d..fcbb3cd84 100644 --- a/src/fnet/fnet.h +++ b/src/fnet/fnet.h
@@ -20,12 +20,12 @@
20	#ifndef FNET_H	20	#ifndef FNET_H
21	#define FNET_H	21	#define FNET_H
22		22
		23	#include "../include/common.h"
23	#include <stdio.h>	24	#include <stdio.h>
24	#include <stdlib.h>	25	#include <stdlib.h>
25	#include <string.h>	26	#include <string.h>
26	#include <assert.h>	27	#include <assert.h>
27	#include <stdarg.h>	28	#include <stdarg.h>
28	#include "../include/common.h"
29		29
30	// main.c	30	// main.c
31	extern int arg_quiet;	31	extern int arg_quiet;
@@ -34,6 +34,7 @@ extern void fmessage(char* fmt, ...); // TODO: this function is duplicated in sr
34	// veth.c	34	// veth.c
35	int net_create_veth(const char dev, const char nsdev, unsigned pid);	35	int net_create_veth(const char dev, const char nsdev, unsigned pid);
36	int net_create_macvlan(const char dev, const char parent, unsigned pid);	36	int net_create_macvlan(const char dev, const char parent, unsigned pid);
		37	int net_create_ipvlan(const char dev, const char parent, unsigned pid);
37	int net_move_interface(const char *dev, unsigned pid);	38	int net_move_interface(const char *dev, unsigned pid);
38		39
39	// interface.c	40	// interface.c


diff --git a/src/fnet/main.c b/src/fnet/main.c index 6f149b497..3832cfaef 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c
@@ -18,6 +18,9 @@
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
20	#include "fnet.h"	20	#include "fnet.h"
		21	#include <sys/types.h>
		22	#include <sys/stat.h>
		23
21	int arg_quiet = 0;	24	int arg_quiet = 0;
22		25
23	void fmessage(char* fmt, ...) { // TODO: this function is duplicated in src/firejail/util.c	26	void fmessage(char* fmt, ...) { // TODO: this function is duplicated in src/firejail/util.c
@@ -86,7 +89,15 @@ printf("\n");
86	net_if_up(argv[3]);	89	net_if_up(argv[3]);
87	}	90	}
88	else if (argc == 6 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "macvlan") == 0) {	91	else if (argc == 6 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "macvlan") == 0) {
89	net_create_macvlan(argv[3], argv[4], atoi(argv[5]));	92	// use ipvlan for wireless devices
		93	struct stat s;
		94	char *fname;
		95	if (asprintf(&fname, "/sys/class/net/%s/wireless", argv[4]) == -1)
		96	errExit("asprintf");
		97	if (stat(fname, &s) == 0) // wireless
		98	net_create_ipvlan(argv[3], argv[4], atoi(argv[5]));
		99	else // regular ethernet
		100	net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
90	}	101	}
91	else if (argc == 7 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "interface") == 0) {	102	else if (argc == 7 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "interface") == 0) {
92	char *dev = argv[3];	103	char *dev = argv[3];


diff --git a/src/fnet/veth.c b/src/fnet/veth.c index c971943a7..fb4f3dc31 100644 --- a/src/fnet/veth.c +++ b/src/fnet/veth.c
@@ -165,8 +165,66 @@ int net_create_macvlan(const char dev, const char parent, unsigned pid) {
165	addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 4);	165	addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 4);
166		166
167	data->rta_len = (void )NLMSG_TAIL(&req.n) - (void )data;	167	data->rta_len = (void )NLMSG_TAIL(&req.n) - (void )data;
168	// req.n.nlmsg_len += sizeof(struct ifinfomsg);	168	linkinfo->rta_len = (void )NLMSG_TAIL(&req.n) - (void )linkinfo;
		169
		170	// send message
		171	if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
		172	exit(2);
		173
		174	rtnl_close(&rth);
169		175
		176	return 0;
		177	}
		178
		179	int net_create_ipvlan(const char dev, const char parent, unsigned pid) {
		180	int len;
		181	struct iplink_req req;
		182	assert(dev);
		183	assert(parent);
		184
		185	if (rtnl_open(&rth, 0) < 0) {
		186	fprintf(stderr, "cannot open netlink\n");
		187	exit(1);
		188	}
		189
		190	memset(&req, 0, sizeof(req));
		191
		192	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
		193	req.n.nlmsg_flags = NLM_F_REQUEST\|NLM_F_CREATE\|NLM_F_EXCL;
		194	req.n.nlmsg_type = RTM_NEWLINK;
		195	req.i.ifi_family = 0;
		196
		197	// find parent ifindex
		198	int parent_ifindex = if_nametoindex(parent);
		199	if (parent_ifindex <= 0) {
		200	fprintf(stderr, "Error: cannot find network device %s\n", parent);
		201	exit(1);
		202	}
		203
		204	// add parent
		205	addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4);
		206
		207	// add new interface name
		208	len = strlen(dev) + 1;
		209	addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len);
		210
		211	// place the interface in child namespace
		212	addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4);
		213
		214
		215	// add link info for the new interface
		216	struct rtattr *linkinfo = NLMSG_TAIL(&req.n);
		217	addattr_l(&req.n, sizeof(req), IFLA_LINKINFO, NULL, 0);
		218	addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, "ipvlan", strlen("ipvlan"));
		219
		220	// set macvlan bridge mode
		221	struct rtattr * data = NLMSG_TAIL(&req.n);
		222	addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0);
		223	int macvlan_type = IPVLAN_MODE_L2;
		224	addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 2);
		225
		226	data->rta_len = (void )NLMSG_TAIL(&req.n) - (void )data;
		227	// req.n.nlmsg_len += sizeof(struct ifinfomsg);
170		228
171	data->rta_len = (void )NLMSG_TAIL(&req.n) - (void )data;	229	data->rta_len = (void )NLMSG_TAIL(&req.n) - (void )data;
172	linkinfo->rta_len = (void )NLMSG_TAIL(&req.n) - (void )linkinfo;	230	linkinfo->rta_len = (void )NLMSG_TAIL(&req.n) - (void )linkinfo;
@@ -180,6 +238,7 @@ int net_create_macvlan(const char dev, const char parent, unsigned pid) {
180	return 0;	238	return 0;
181	}	239	}
182		240
		241
183	// move the interface dev in namespace of program pid	242	// move the interface dev in namespace of program pid
184	// when the interface is moved, netlink does not preserve interface configuration	243	// when the interface is moved, netlink does not preserve interface configuration
185	int net_move_interface(const char *dev, unsigned pid) {	244	int net_move_interface(const char *dev, unsigned pid) {