author | netblue30 <netblue30@yahoo.com> | 2018-06-09 07:57:32 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-06-09 07:57:32 -0400 |
commit | e62246a8a3e0e795a37535f9e41dffdfdfa9f77a (patch) | |
tree | 28b8c0b1667fd0170fa113c1bec90046a15ce6da /src/fnet | |
parent | AppArmor: allow dbus access by default (diff) | |
support wireless interfaces for --net
Diffstat (limited to 'src/fnet')
-rw-r--r-- | src/fnet/fnet.h | 3 | ||||
-rw-r--r-- | src/fnet/main.c | 13 | ||||
-rw-r--r-- | src/fnet/veth.c | 61 |
3 files changed, 74 insertions, 3 deletions
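--- a/src/fnet/fnet.h
+++ b/src/fnet/fnet.h
@@ -20,12 +20,12 @@
 #ifndef FNET_H
 #define FNET_H
 
+#include "../include/common.h"
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
 #include <stdarg.h>
-#include "../include/common.h"
 
 // main.c
 extern int arg_quiet;
@@ -34,6 +34,7 @@ extern void fmessage(char* fmt, ...); // TODO: this function is duplicated in sr
 // veth.c
 int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
 int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
+int net_create_ipvlan(const char *dev, const char *parent, unsigned pid);
 int net_move_interface(const char *dev, unsigned pid);
 
 // interface.c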
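Review bot: The move of `#include "../include/common.h"` ahead of the system headers at new line 23 carries no explanation, and a later include-sorting cleanup would silently undo it. If the reason is that common.h defines feature-test macros which must be visible before the first libc header (the new asprintf() call in main.c needs _GNU_SOURCE, which is my guess here), a one-line comment such as `// common.h must stay first: it sets feature-test macros for the libc headers` would pin the ordering. The new net_create_ipvlan prototype mirrors net_create_macvlan and needs nothing further.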
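--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -18,6 +18,9 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "fnet.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+
 int arg_quiet = 0;
 
 void fmessage(char* fmt, ...) { // TODO: this function is duplicated in src/firejail/util.c
@@ -86,7 +89,15 @@ printf("\n");
 net_if_up(argv[3]);
 }
 else if (argc == 6 && strcmp(argv[1], "create") == 0 && strcmp(argv[2], "macvlan") == 0) {
-net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
+// use ipvlan for wireless devices
+struct stat s;
+char *fname;
+if (asprintf(&fname, "/sys/class/net/%s/wireless", argv[4]) == -1)
+errExit("asprintf");
+if (stat(fname, &s) == 0) // wireless
+net_create_ipvlan(argv[3], argv[4], atoi(argv[5]));
+else // regular ethernet
+net_create_macvlan(argv[3], argv[4], atoi(argv[5]));
 }
 else if (argc == 7 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "interface") == 0) {
 char *dev = argv[3];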
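Review bot: The string asprintf() allocates into `fname` at new line 95 is never freed; once stat() has answered it is dead on both branches. Capture the answer first and release the buffer, e.g. `int wireless = (stat(fname, &s) == 0);` followed by `free(fname);`, then branch on `wireless`. argv[4] is interpolated into the /sys path without any check on length or on characters such as '/'; as far as the hunk shows the only consequence is picking the wrong link type, since net_create_ipvlan/net_create_macvlan resolve the parent with if_nametoindex and exit on failure, but a comment such as `// presence of /sys/class/net/<parent>/wireless is the only wireless-detection heuristic` would make the design choice explicit. The enclosing main() starts and ends outside the hunk.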
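--- a/src/fnet/veth.c
+++ b/src/fnet/veth.c
@@ -165,8 +165,66 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
 addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 4);
 
 data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
-// req.n.nlmsg_len += sizeof(struct ifinfomsg);
+linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;
+
+// send message
+if (rtnl_talk(&rth, &req.n, 0, 0, NULL) < 0)
+exit(2);
+
+rtnl_close(&rth);
 
+return 0;
+}
+
+int net_create_ipvlan(const char *dev, const char *parent, unsigned pid) {
+int len;
+struct iplink_req req;
+assert(dev);
+assert(parent);
+
+if (rtnl_open(&rth, 0) < 0) {
+fprintf(stderr, "cannot open netlink\n");
+exit(1);
+}
+
+memset(&req, 0, sizeof(req));
+
+req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
+req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL;
+req.n.nlmsg_type = RTM_NEWLINK;
+req.i.ifi_family = 0;
+
+// find parent ifindex
+int parent_ifindex = if_nametoindex(parent);
+if (parent_ifindex <= 0) {
+fprintf(stderr, "Error: cannot find network device %s\n", parent);
+exit(1);
+}
+
+// add parent
+addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4);
+
+// add new interface name
+len = strlen(dev) + 1;
+addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len);
+
+// place the interface in child namespace
+addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4);
+
+
+// add link info for the new interface
+struct rtattr *linkinfo = NLMSG_TAIL(&req.n);
+addattr_l(&req.n, sizeof(req), IFLA_LINKINFO, NULL, 0);
+addattr_l(&req.n, sizeof(req), IFLA_INFO_KIND, "ipvlan", strlen("ipvlan"));
+
+// set macvlan bridge mode
+struct rtattr * data = NLMSG_TAIL(&req.n);
+addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0);
+int macvlan_type = IPVLAN_MODE_L2;
+addattr_l (&req.n, sizeof(req), IFLA_INFO_KIND, &macvlan_type, 2);
+
+data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
+// req.n.nlmsg_len += sizeof(struct ifinfomsg);
 
 data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
 linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;
@@ -180,6 +238,7 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
 return 0;
 }
 
+
 // move the interface dev in namespace of program pid
 // when the interface is moved, netlink does not preserve interface configuration
 int net_move_interface(const char *dev, unsigned pid) {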
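Review bot: In net_create_ipvlan the mode attribute nested under IFLA_INFO_DATA (new line 224) is emitted with type `IFLA_INFO_KIND` and a 2-byte slice of an `int`; the kernel reads the nested type as IFLA_IPVLAN_MODE, which only matches because both constants happen to be 1, and copying the low two bytes of an int yields the mode value only on little-endian hosts. The comment `// set macvlan bridge mode` and the name `macvlan_type` are copy-paste leftovers, `data->rta_len` is assigned twice (new lines 226 and 229) around a stale commented-out nlmsg_len line, and if IPVLAN_MODE_L2 was chosen deliberately over IPVLAN_MODE_L3 a short comment on why would help whoever revisits the sandbox's link-level exposure. The function's rtnl_talk/return tail (new lines 231-237) lies outside the hunk. The rewrite below assumes a 16-bit unsigned type is in scope (uint16_t from <stdint.h>, or the kernel's __u16 via the netlink headers).
```c
// set ipvlan mode; IFLA_IPVLAN_MODE is a 16-bit attribute nested in IFLA_INFO_DATA
struct rtattr *data = NLMSG_TAIL(&req.n);
addattr_l(&req.n, sizeof(req), IFLA_INFO_DATA, NULL, 0);
uint16_t ipvlan_mode = IPVLAN_MODE_L2;
addattr_l(&req.n, sizeof(req), IFLA_IPVLAN_MODE, &ipvlan_mode, sizeof(ipvlan_mode));

data->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)data;
linkinfo->rta_len = (void *)NLMSG_TAIL(&req.n) - (void *)linkinfo;
// … unchanged: send message, rtnl_close, return 0 (outside the hunk) …
```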