grsecurity: more network fixes

author: netblue30 <netblue30@yahoo.com> 2016-04-04 18:02:19 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-04 18:02:19 -0400
commit: be22445915de784101f62e12add44121c788165c (patch)
tree: d6067d32fae33f8219d15fabb49c596a851b0a70 /src
parent: grsecurity: fix --list, --tree, --netstats, --top (diff)
download: firejail-be22445915de784101f62e12add44121c788165c.tar.gz
firejail-be22445915de784101f62e12add44121c788165c.tar.zst
firejail-be22445915de784101f62e12add44121c788165c.zip
4 files changed, 70 insertions, 47 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d58c6291d..e50b22b4e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -264,6 +264,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
 void net_dns_print_name(const char *name);
 void net_dns_print(pid_t pid);
+void network_main(pid_t child);
 // network.c
 void net_if_up(const char *ifname);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 0e0ec094c..e86aa85ac 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1965,54 +1965,27 @@ int main(int argc, char **argv) {
                        printf("The new log directory is /proc/%d/root/var/log\n", child);
        }
        
-        EUID_ROOT();    
        if (!arg_nonetwork) {
-                // create veth pair or macvlan device
+                EUID_ROOT();    
-                if (cfg.bridge0.configured) {
+                pid_t net_child = fork();
-                        if (cfg.bridge0.macvlan == 0) {
+                if (net_child < 0)
-                                net_configure_veth_pair(&cfg.bridge0, "eth0", child);
+                        errExit("fork");
-                        }
+                if (net_child == 0) {
-                        else
+                        // elevate privileges in order to get grsecurity working
-                                net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
+                        if (setreuid(0, 0))
-                }
+                                errExit("setreuid");
-                
+                        if (setregid(0, 0))
-                if (cfg.bridge1.configured) {
+                                errExit("setregid");
-                        if (cfg.bridge1.macvlan == 0)
+                        network_main(child);
-                                net_configure_veth_pair(&cfg.bridge1, "eth1", child);
+                        if (arg_debug)
-                        else
+                                printf("Host network configured\n");                    
-                                net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
+                        exit(0);                        
-                }
-                
-                if (cfg.bridge2.configured) {
-                        if (cfg.bridge2.macvlan == 0)
-                                net_configure_veth_pair(&cfg.bridge2, "eth2", child);
-                        else
-                                net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
-                }
-                
-                if (cfg.bridge3.configured) {
-                        if (cfg.bridge3.macvlan == 0)
-                                net_configure_veth_pair(&cfg.bridge3, "eth3", child);
-                        else
-                                net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
-                }
-        
-                // move interfaces in sandbox
-                if (cfg.interface0.configured) {
-                        net_move_interface(cfg.interface0.dev, child);
-                }
-                if (cfg.interface1.configured) {
-                        net_move_interface(cfg.interface1.dev, child);
-                }
-                if (cfg.interface2.configured) {
-                        net_move_interface(cfg.interface2.dev, child);
-                }
-                if (cfg.interface3.configured) {
-                        net_move_interface(cfg.interface3.dev, child);
                }
+                // wait for the child to finish
+                waitpid(net_child, NULL, 0);
+                EUID_USER();
        }
-        EUID_USER();
        // close each end of the unused pipes
        close(parent_to_child_fds[0]);
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 4a5499699..71abfb53d 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -139,7 +139,6 @@ void netfilter(const char *fname) {
                        exit(1);
                }
                dup2(fd,STDIN_FILENO);
-                close(fd);
                // wipe out environment variables
                environ = NULL;
@@ -155,6 +154,11 @@ void netfilter(const char *fname) {
                if (child < 0)
                        errExit("fork");
                if (child == 0) {
+                        // elevate privileges in order to get grsecurity working
+                        if (setreuid(0, 0))
+                                errExit("setreuid");
+                        if (setregid(0, 0))
+                                errExit("setregid");
                        environ = NULL;
                        execl(iptables, iptables, "-vL", NULL);
                        // it will never get here!!!
@@ -246,7 +250,6 @@ void netfilter6(const char *fname) {
                        exit(1);
                }
                dup2(fd,STDIN_FILENO);
-                close(fd);
                // wipe out environment variables
                environ = NULL;
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index a8ebb3480..80f3bd579 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -278,3 +278,49 @@ void net_dns_print(pid_t pid) {
        free(fname);
        exit(0);
 }
+void network_main(pid_t child) {
+        // create veth pair or macvlan device
+        if (cfg.bridge0.configured) {
+                if (cfg.bridge0.macvlan == 0) {
+                        net_configure_veth_pair(&cfg.bridge0, "eth0", child);
+                }
+                else
+                        net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
+        }
+        
+        if (cfg.bridge1.configured) {
+                if (cfg.bridge1.macvlan == 0)
+                        net_configure_veth_pair(&cfg.bridge1, "eth1", child);
+                else
+                        net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
+        }
+        
+        if (cfg.bridge2.configured) {
+                if (cfg.bridge2.macvlan == 0)
+                        net_configure_veth_pair(&cfg.bridge2, "eth2", child);
+                else
+                        net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
+        }
+        
+        if (cfg.bridge3.configured) {
+                if (cfg.bridge3.macvlan == 0)
+                        net_configure_veth_pair(&cfg.bridge3, "eth3", child);
+                else
+                        net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
+        }
+        // move interfaces in sandbox
+        if (cfg.interface0.configured) {
+                net_move_interface(cfg.interface0.dev, child);
+        }
+        if (cfg.interface1.configured) {
+                net_move_interface(cfg.interface1.dev, child);
+        }
+        if (cfg.interface2.configured) {
+                net_move_interface(cfg.interface2.dev, child);
+        }
+        if (cfg.interface3.configured) {
+                net_move_interface(cfg.interface3.dev, child);
+        }
+}
author	netblue30 <netblue30@yahoo.com>	2016-04-04 18:02:19 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-04 18:02:19 -0400
commit	be22445915de784101f62e12add44121c788165c (patch)
tree	d6067d32fae33f8219d15fabb49c596a851b0a70 /src
parent	grsecurity: fix --list, --tree, --netstats, --top (diff)
download	firejail-be22445915de784101f62e12add44121c788165c.tar.gz firejail-be22445915de784101f62e12add44121c788165c.tar.zst firejail-be22445915de784101f62e12add44121c788165c.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d58c6291d..e50b22b4e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -264,6 +264,7 @@ void net_configure_veth_pair(Bridge br, const char ifname, pid_t child);
264	void net_check_cfg(void);	264	void net_check_cfg(void);
265	void net_dns_print_name(const char *name);	265	void net_dns_print_name(const char *name);
266	void net_dns_print(pid_t pid);	266	void net_dns_print(pid_t pid);
		267	void network_main(pid_t child);
267		268
268	// network.c	269	// network.c
269	void net_if_up(const char *ifname);	270	void net_if_up(const char *ifname);


diff --git a/src/firejail/main.c b/src/firejail/main.c index 0e0ec094c..e86aa85ac 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1965,54 +1965,27 @@ int main(int argc, char **argv) {
1965	printf("The new log directory is /proc/%d/root/var/log\n", child);	1965	printf("The new log directory is /proc/%d/root/var/log\n", child);
1966	}	1966	}
1967		1967
1968
1969	EUID_ROOT();
1970	if (!arg_nonetwork) {	1968	if (!arg_nonetwork) {
1971	// create veth pair or macvlan device	1969	EUID_ROOT();
1972	if (cfg.bridge0.configured) {	1970	pid_t net_child = fork();
1973	if (cfg.bridge0.macvlan == 0) {	1971	if (net_child < 0)
1974	net_configure_veth_pair(&cfg.bridge0, "eth0", child);	1972	errExit("fork");
1975	}	1973	if (net_child == 0) {
1976	else	1974	// elevate privileges in order to get grsecurity working
1977	net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);	1975	if (setreuid(0, 0))
1978	}	1976	errExit("setreuid");
1979		1977	if (setregid(0, 0))
1980	if (cfg.bridge1.configured) {	1978	errExit("setregid");
1981	if (cfg.bridge1.macvlan == 0)	1979	network_main(child);
1982	net_configure_veth_pair(&cfg.bridge1, "eth1", child);	1980	if (arg_debug)
1983	else	1981	printf("Host network configured\n");
1984	net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);	1982	exit(0);
1985	}
1986
1987	if (cfg.bridge2.configured) {
1988	if (cfg.bridge2.macvlan == 0)
1989	net_configure_veth_pair(&cfg.bridge2, "eth2", child);
1990	else
1991	net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
1992	}
1993
1994	if (cfg.bridge3.configured) {
1995	if (cfg.bridge3.macvlan == 0)
1996	net_configure_veth_pair(&cfg.bridge3, "eth3", child);
1997	else
1998	net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
1999	}
2000
2001	// move interfaces in sandbox
2002	if (cfg.interface0.configured) {
2003	net_move_interface(cfg.interface0.dev, child);
2004	}
2005	if (cfg.interface1.configured) {
2006	net_move_interface(cfg.interface1.dev, child);
2007	}
2008	if (cfg.interface2.configured) {
2009	net_move_interface(cfg.interface2.dev, child);
2010	}
2011	if (cfg.interface3.configured) {
2012	net_move_interface(cfg.interface3.dev, child);
2013	}	1983	}
		1984
		1985	// wait for the child to finish
		1986	waitpid(net_child, NULL, 0);
		1987	EUID_USER();
2014	}	1988	}
2015	EUID_USER();
2016		1989
2017	// close each end of the unused pipes	1990	// close each end of the unused pipes
2018	close(parent_to_child_fds[0]);	1991	close(parent_to_child_fds[0]);


diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 4a5499699..71abfb53d 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c
@@ -139,7 +139,6 @@ void netfilter(const char *fname) {
139	exit(1);	139	exit(1);
140	}	140	}
141	dup2(fd,STDIN_FILENO);	141	dup2(fd,STDIN_FILENO);
142	close(fd);
143		142
144	// wipe out environment variables	143	// wipe out environment variables
145	environ = NULL;	144	environ = NULL;
@@ -155,6 +154,11 @@ void netfilter(const char *fname) {
155	if (child < 0)	154	if (child < 0)
156	errExit("fork");	155	errExit("fork");
157	if (child == 0) {	156	if (child == 0) {
		157	// elevate privileges in order to get grsecurity working
		158	if (setreuid(0, 0))
		159	errExit("setreuid");
		160	if (setregid(0, 0))
		161	errExit("setregid");
158	environ = NULL;	162	environ = NULL;
159	execl(iptables, iptables, "-vL", NULL);	163	execl(iptables, iptables, "-vL", NULL);
160	// it will never get here!!!	164	// it will never get here!!!
@@ -246,7 +250,6 @@ void netfilter6(const char *fname) {
246	exit(1);	250	exit(1);
247	}	251	}
248	dup2(fd,STDIN_FILENO);	252	dup2(fd,STDIN_FILENO);
249	close(fd);
250		253
251	// wipe out environment variables	254	// wipe out environment variables
252	environ = NULL;	255	environ = NULL;


diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index a8ebb3480..80f3bd579 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c
@@ -278,3 +278,49 @@ void net_dns_print(pid_t pid) {
278	free(fname);	278	free(fname);
279	exit(0);	279	exit(0);
280	}	280	}
		281
		282	void network_main(pid_t child) {
		283	// create veth pair or macvlan device
		284	if (cfg.bridge0.configured) {
		285	if (cfg.bridge0.macvlan == 0) {
		286	net_configure_veth_pair(&cfg.bridge0, "eth0", child);
		287	}
		288	else
		289	net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
		290	}
		291
		292	if (cfg.bridge1.configured) {
		293	if (cfg.bridge1.macvlan == 0)
		294	net_configure_veth_pair(&cfg.bridge1, "eth1", child);
		295	else
		296	net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
		297	}
		298
		299	if (cfg.bridge2.configured) {
		300	if (cfg.bridge2.macvlan == 0)
		301	net_configure_veth_pair(&cfg.bridge2, "eth2", child);
		302	else
		303	net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
		304	}
		305
		306	if (cfg.bridge3.configured) {
		307	if (cfg.bridge3.macvlan == 0)
		308	net_configure_veth_pair(&cfg.bridge3, "eth3", child);
		309	else
		310	net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
		311	}
		312
		313	// move interfaces in sandbox
		314	if (cfg.interface0.configured) {
		315	net_move_interface(cfg.interface0.dev, child);
		316	}
		317	if (cfg.interface1.configured) {
		318	net_move_interface(cfg.interface1.dev, child);
		319	}
		320	if (cfg.interface2.configured) {
		321	net_move_interface(cfg.interface2.dev, child);
		322	}
		323	if (cfg.interface3.configured) {
		324	net_move_interface(cfg.interface3.dev, child);
		325	}
		326	}