netlocker fixes

author: netblue30 <netblue30@protonmail.com> 2022-02-02 10:58:14 -0500
committer: netblue30 <netblue30@protonmail.com> 2022-02-02 10:58:14 -0500
commit: f5c0b6af59b4c5e4c677d8bd9703beb4d2e628c3 (patch)
tree: acc78a5c8591f832c25bee1f988373540993db9e /src/fnettrace
parent: Bump github/codeql-action from 1.0.29 to 1.0.30 (diff)
download: firejail-f5c0b6af59b4c5e4c677d8bd9703beb4d2e628c3.tar.gz
firejail-f5c0b6af59b4c5e4c677d8bd9703beb4d2e628c3.tar.zst
firejail-f5c0b6af59b4c5e4c677d8bd9703beb4d2e628c3.zip
3 files changed, 103 insertions, 6 deletions
diff --git a/src/fnettrace/fnettrace.h b/src/fnettrace/fnettrace.h
index 66b7378da..b30a9f10d 100644
--- a/src/fnettrace/fnettrace.h
+++ b/src/fnettrace/fnettrace.h
@@ -23,10 +23,15 @@
 #include "../include/common.h"
 #include <unistd.h>
 #include <sys/stat.h>
+#include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <time.h>
 #include <stdarg.h>
+#include <fcntl.h>
+#include <sys/mman.h>
 //#define DEBUG 1
 #define NETLOCK_INTERVAL 60     // seconds
@@ -62,4 +67,7 @@ extern int geoip_calls;
 void load_hostnames(const char *fname);
 char* retrieve_hostname(uint32_t ip);
+// tail.c
+void tail(const char *logfile);
 #endif
 \ No newline at end of file
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index e58cc79b3..31d49d839 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -23,6 +23,7 @@
 #define MAX_BUF_SIZE (64 * 1024)
 static int arg_netfilter = 0;
+static int arg_tail = 0;
 static char *arg_log = NULL;
 typedef struct hnode_t {
@@ -574,11 +575,16 @@ void logprintf(char* fmt, ...) {
 }
 static void usage(void) {
-        printf("Usage: fnetlock [OPTIONS]\n");
+        printf("Usage: fnettrace [OPTIONS]\n");
        printf("Options:\n");
        printf("   --help, -? - this help screen\n");
        printf("   --log=filename - netlocker logfile\n");
        printf("   --netfilter - build the firewall rules and commit them.\n");
+        printf("   --tail - \"tail -f\" functionality\n");
+        printf("Examples:\n");
+        printf("   # fnettrace                              - traffic trace\n");
+        printf("   # fnettrace --netfilter --log=logfile    - netlocker, dump output in logfile\n");
+        printf("   # fnettrace --tail --log=logifile        - similar to \"tail -f logfile\"\n");
        printf("\n");
 }
@@ -599,11 +605,6 @@ int main(int argc, char **argv) {
        printf("%s\n", name);
 #endif
-        if (getuid() != 0) {
-                fprintf(stderr, "Error: you need to be root to run this program\n");
-                return 1;
-        }
        for (i = 1; i < argc; i++) {
                if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) {
                        usage();
@@ -611,6 +612,8 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--netfilter") == 0)
                        arg_netfilter = 1;
+                else if (strcmp(argv[i], "--tail") == 0)
+                        arg_tail = 1;
                else if (strncmp(argv[i], "--log=", 6) == 0)
                        arg_log = argv[i] + 6;
                else {
@@ -619,6 +622,24 @@ int main(int argc, char **argv) {
                }
        }
+        // tail
+        if (arg_tail) {
+                if (!arg_log) {
+                        fprintf(stderr, "Error: no log file\n");
+                        usage();
+                        exit(1);
+                }
+                tail(arg_log);
+                sleep(5);
+                exit(0);
+        }
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root to run this program\n");
+                return 1;
+        }
        ansi_clrscr();
        if (arg_netfilter)
                logprintf("starting network lockdown\n");
@@ -629,6 +650,11 @@ int main(int argc, char **argv) {
        run_trace();
        if (arg_netfilter) {
+                // TCP path MTU discovery will not work properly since the firewall drops all ICMP packets
+                // Instead, we use iPacketization Layer PMTUD (RFC 4821) support in Linux kernel
+                int rv = system("echo 1 > /proc/sys/net/ipv4/tcp_mtu_probing");
+                (void) rv;
                deploy_netfilter();
                sleep(3);
                if (arg_log)
diff --git a/src/fnettrace/tail.c b/src/fnettrace/tail.c
new file mode 100644
index 000000000..a910788d6
--- /dev/null
+++ b/src/fnettrace/tail.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2014-2022 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace.h"
+void tail(const char *logfile) {
+        assert(logfile);
+        // wait for no more than 5 seconds for the logfile to appear in the filesystem
+        int cnt = 5;
+        while (access(logfile, R_OK) && cnt > 0)
+                cnt--;
+        if (cnt == 0)
+                exit(1);
+        off_t last_size = 0;
+        while (1) {
+                int fd = open(logfile, O_RDONLY);
+                if (fd == -1)
+                        return;
+                off_t size = lseek(fd, 0, SEEK_END);
+                if (size < 0) {
+                        close(fd);
+                        return;
+                }
+                char *content = NULL;
+                int mmapped = 0;
+                if (size && size != last_size) {
+                        content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+                        close(fd);
+                        if (content != MAP_FAILED)
+                                mmapped = 1;
+                }
+                if (mmapped) {
+                        printf("%.*s", (int) (size - last_size), content + last_size);
+                        fflush(0);
+                        munmap(content, size);
+                        last_size = size;
+                }
+                sleep(1);
+        }
+}
author	netblue30 <netblue30@protonmail.com>	2022-02-02 10:58:14 -0500
committer	netblue30 <netblue30@protonmail.com>	2022-02-02 10:58:14 -0500
commit	f5c0b6af59b4c5e4c677d8bd9703beb4d2e628c3 (patch)
tree	acc78a5c8591f832c25bee1f988373540993db9e /src/fnettrace
parent	Bump github/codeql-action from 1.0.29 to 1.0.30 (diff)
download	firejail-f5c0b6af59b4c5e4c677d8bd9703beb4d2e628c3.tar.gz firejail-f5c0b6af59b4c5e4c677d8bd9703beb4d2e628c3.tar.zst firejail-f5c0b6af59b4c5e4c677d8bd9703beb4d2e628c3.zip

diff --git a/src/fnettrace/fnettrace.h b/src/fnettrace/fnettrace.h index 66b7378da..b30a9f10d 100644 --- a/src/fnettrace/fnettrace.h +++ b/src/fnettrace/fnettrace.h
@@ -23,10 +23,15 @@
23	#include "../include/common.h"	23	#include "../include/common.h"
24	#include <unistd.h>	24	#include <unistd.h>
25	#include <sys/stat.h>	25	#include <sys/stat.h>
		26	#include <sys/types.h>
26	#include <sys/socket.h>	27	#include <sys/socket.h>
27	#include <netinet/in.h>	28	#include <netinet/in.h>
28	#include <time.h>	29	#include <time.h>
29	#include <stdarg.h>	30	#include <stdarg.h>
		31	#include <fcntl.h>
		32	#include <sys/mman.h>
		33
		34
30	//#define DEBUG 1	35	//#define DEBUG 1
31		36
32	#define NETLOCK_INTERVAL 60 // seconds	37	#define NETLOCK_INTERVAL 60 // seconds
@@ -62,4 +67,7 @@ extern int geoip_calls;
62	void load_hostnames(const char *fname);	67	void load_hostnames(const char *fname);
63	char* retrieve_hostname(uint32_t ip);	68	char* retrieve_hostname(uint32_t ip);
64		69
		70	// tail.c
		71	void tail(const char *logfile);
		72
65	#endif \ No newline at end of file	73	#endif \ No newline at end of file


diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c index e58cc79b3..31d49d839 100644 --- a/src/fnettrace/main.c +++ b/src/fnettrace/main.c
@@ -23,6 +23,7 @@
23	#define MAX_BUF_SIZE (64 * 1024)	23	#define MAX_BUF_SIZE (64 * 1024)
24		24
25	static int arg_netfilter = 0;	25	static int arg_netfilter = 0;
		26	static int arg_tail = 0;
26	static char *arg_log = NULL;	27	static char *arg_log = NULL;
27		28
28	typedef struct hnode_t {	29	typedef struct hnode_t {
@@ -574,11 +575,16 @@ void logprintf(char* fmt, ...) {
574	}	575	}
575		576
576	static void usage(void) {	577	static void usage(void) {
577	printf("Usage: fnetlock [OPTIONS]\n");	578	printf("Usage: fnettrace [OPTIONS]\n");
578	printf("Options:\n");	579	printf("Options:\n");
579	printf(" --help, -? - this help screen\n");	580	printf(" --help, -? - this help screen\n");
580	printf(" --log=filename - netlocker logfile\n");	581	printf(" --log=filename - netlocker logfile\n");
581	printf(" --netfilter - build the firewall rules and commit them.\n");	582	printf(" --netfilter - build the firewall rules and commit them.\n");
		583	printf(" --tail - \"tail -f\" functionality\n");
		584	printf("Examples:\n");
		585	printf(" # fnettrace - traffic trace\n");
		586	printf(" # fnettrace --netfilter --log=logfile - netlocker, dump output in logfile\n");
		587	printf(" # fnettrace --tail --log=logifile - similar to \"tail -f logfile\"\n");
582	printf("\n");	588	printf("\n");
583	}	589	}
584		590
@@ -599,11 +605,6 @@ int main(int argc, char **argv) {
599	printf("%s\n", name);	605	printf("%s\n", name);
600	#endif	606	#endif
601		607
602	if (getuid() != 0) {
603	fprintf(stderr, "Error: you need to be root to run this program\n");
604	return 1;
605	}
606
607	for (i = 1; i < argc; i++) {	608	for (i = 1; i < argc; i++) {
608	if (strcmp(argv[i], "--help") == 0 \|\| strcmp(argv[i], "-?") == 0) {	609	if (strcmp(argv[i], "--help") == 0 \|\| strcmp(argv[i], "-?") == 0) {
609	usage();	610	usage();
@@ -611,6 +612,8 @@ int main(int argc, char **argv) {
611	}	612	}
612	else if (strcmp(argv[i], "--netfilter") == 0)	613	else if (strcmp(argv[i], "--netfilter") == 0)
613	arg_netfilter = 1;	614	arg_netfilter = 1;
		615	else if (strcmp(argv[i], "--tail") == 0)
		616	arg_tail = 1;
614	else if (strncmp(argv[i], "--log=", 6) == 0)	617	else if (strncmp(argv[i], "--log=", 6) == 0)
615	arg_log = argv[i] + 6;	618	arg_log = argv[i] + 6;
616	else {	619	else {
@@ -619,6 +622,24 @@ int main(int argc, char **argv) {
619	}	622	}
620	}	623	}
621		624
		625	// tail
		626	if (arg_tail) {
		627	if (!arg_log) {
		628	fprintf(stderr, "Error: no log file\n");
		629	usage();
		630	exit(1);
		631	}
		632
		633	tail(arg_log);
		634	sleep(5);
		635	exit(0);
		636	}
		637
		638	if (getuid() != 0) {
		639	fprintf(stderr, "Error: you need to be root to run this program\n");
		640	return 1;
		641	}
		642
622	ansi_clrscr();	643	ansi_clrscr();
623	if (arg_netfilter)	644	if (arg_netfilter)
624	logprintf("starting network lockdown\n");	645	logprintf("starting network lockdown\n");
@@ -629,6 +650,11 @@ int main(int argc, char **argv) {
629		650
630	run_trace();	651	run_trace();
631	if (arg_netfilter) {	652	if (arg_netfilter) {
		653	// TCP path MTU discovery will not work properly since the firewall drops all ICMP packets
		654	// Instead, we use iPacketization Layer PMTUD (RFC 4821) support in Linux kernel
		655	int rv = system("echo 1 > /proc/sys/net/ipv4/tcp_mtu_probing");
		656	(void) rv;
		657
632	deploy_netfilter();	658	deploy_netfilter();
633	sleep(3);	659	sleep(3);
634	if (arg_log)	660	if (arg_log)


diff --git a/src/fnettrace/tail.c b/src/fnettrace/tail.c new file mode 100644 index 000000000..a910788d6 --- /dev/null +++ b/src/fnettrace/tail.c
@@ -0,0 +1,63 @@
		1	/*
		2	* Copyright (C) 2014-2022 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "fnettrace.h"
		21
		22	void tail(const char *logfile) {
		23	assert(logfile);
		24
		25	// wait for no more than 5 seconds for the logfile to appear in the filesystem
		26	int cnt = 5;
		27	while (access(logfile, R_OK) && cnt > 0)
		28	cnt--;
		29	if (cnt == 0)
		30	exit(1);
		31
		32	off_t last_size = 0;
		33
		34	while (1) {
		35	int fd = open(logfile, O_RDONLY);
		36	if (fd == -1)
		37	return;
		38
		39	off_t size = lseek(fd, 0, SEEK_END);
		40	if (size < 0) {
		41	close(fd);
		42	return;
		43	}
		44
		45	char *content = NULL;
		46	int mmapped = 0;
		47	if (size && size != last_size) {
		48	content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
		49	close(fd);
		50	if (content != MAP_FAILED)
		51	mmapped = 1;
		52	}
		53
		54	if (mmapped) {
		55	printf("%.*s", (int) (size - last_size), content + last_size);
		56	fflush(0);
		57	munmap(content, size);
		58	last_size = size;
		59	}
		60
		61	sleep(1);
		62	}
		63	}