-rw-r--r-- | RELNOTES | 2 | ||||
-rwxr-xr-x | gcov.sh | 44 | ||||
-rw-r--r-- | src/firemon/firemon.c | 15 | ||||
-rw-r--r-- | src/firemon/firemon.h | 3 | ||||
-rw-r--r-- | src/firemon/interface.c | 175 | ||||
-rw-r--r-- | src/man/firemon.txt | 3 | ||||
-rwxr-xr-x | test/network/firemon-interface.exp | 28 | ||||
-rwxr-xr-x | test/network/network.sh | 3 |
8 files changed, 25 insertions, 248 deletions
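--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,8 @@ firejail (0.9.73) baseline; urgency=low
 * feature: Print the argument when failing with "too long arguments" (#5677)
 * feature: a random hostname is assigned to each sandbox unless
 overwritten using --hostname command
+* feature: add IPv6 support for --net.print option
+* modif: remove firemon --interface option (duplicating --net.print option)
 * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
 * modif: Prevent sandbox name (--name=) and host name (--hostname=)
 from containing only digits (#5578)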
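--- a/gcov.sh
+++ b/gcov.sh
@@ -21,29 +21,29 @@ rm -fr gcov-dir gcov-file
 firejail --version
 gcov_generate
 
-#make test-firecfg | grep TESTING
-#gcov_generate
-#make test-apparmor | grep TESTING
-#gcov_generate
+make test-firecfg | grep TESTING
+gcov_generate
+make test-apparmor | grep TESTING
+gcov_generate
 make test-network | grep TESTING
 gcov_generate
-#make test-appimage | grep TESTING
-#gcov_generate
-#make test-chroot | grep TESTING
-#gcov_generate
-#make test-sysutils | grep TESTING
-#gcov_generate
-#make test-private-etc | grep TESTING
-#gcov_generate
-#make test-profiles | grep TESTING
-#gcov_generate
-#make test-fcopy | grep TESTING
-#gcov_generate
+make test-appimage | grep TESTING
+gcov_generate
+make test-chroot | grep TESTING
+gcov_generate
+make test-sysutils | grep TESTING
+gcov_generate
+make test-private-etc | grep TESTING
+gcov_generate
+make test-profiles | grep TESTING
+gcov_generate
+make test-fcopy | grep TESTING
+gcov_generate
 make test-fnetfilter | grep TESTING
 gcov_generate
-#make test-fs | grep TESTING
-#gcov_generate
-#make test-utils | grep TESTING
-#gcov_generate
-#make test-environment | grep TESTING
-#gcov_generate
+make test-fs | grep TESTING
+gcov_generate
+make test-utils | grep TESTING
+gcov_generate
+make test-environment | grep TESTING
+gcov_generate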
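Review bot: Every newly enabled `make test-… | grep TESTING` line in this hunk reports grep's exit status rather than make's, so a suite that fails to build or aborts mid-run is silently skipped and the coverage report still looks complete; the pre-existing test-network and test-fnetfilter lines have the same weakness. Unless the script already sets `set -o pipefail` near its top (outside this hunk, so I cannot confirm), make's status needs to be checked explicitly, and since the same three-line pattern now repeats eleven more times a small wrapper keeps that check in one place; the fence below assumes the shebang is bash because it relies on `PIPESTATUS`. Enabling these suites is also unrelated to the --interface removal the commit describes and would bisect more cleanly as its own commit.
```shell
# … unchanged: firejail --version / gcov_generate …
run_suite() {
	make "$1" | grep TESTING
	[ "${PIPESTATUS[0]}" -eq 0 ] || { echo "make $1 failed" >&2; exit 1; }
	gcov_generate
}
run_suite test-firecfg
run_suite test-apparmor
# … unchanged: remaining suites invoked the same way …
```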
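--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -30,7 +30,6 @@ int arg_debug = 0;
 static int arg_route = 0;
 static int arg_arp = 0;
 static int arg_tree = 0;
-static int arg_interface = 0;
 static int arg_seccomp = 0;
 static int arg_caps = 0;
 static int arg_cpu = 0;
@@ -178,13 +177,6 @@ int main(int argc, char **argv) {
 arg_seccomp = 1;
 else if (strcmp(argv[i], "--caps") == 0)
 arg_caps = 1;
-else if (strcmp(argv[i], "--interface") == 0) {
-if (getuid() != 0) {
-fprintf(stderr, "Error: you need to be root to run this command\n");
-exit(1);
-}
-arg_interface = 1;
-}
 #ifdef HAVE_NETWORK
 else if (strcmp(argv[i], "--route") == 0)
 arg_route = 1;
@@ -261,13 +253,12 @@ int main(int argc, char **argv) {
 
 // if --name requested without other options, print all data
 if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
-!arg_x11 && !arg_interface && !arg_route && !arg_arp) {
+!arg_x11 && !arg_route && !arg_arp) {
 arg_tree = 1;
 arg_cpu = 1;
 arg_seccomp = 1;
 arg_caps = 1;
 arg_x11 = 1;
-arg_interface = 1;
 arg_route = 1;
 arg_arp = 1;
 arg_apparmor = 1;
@@ -295,10 +286,6 @@ int main(int argc, char **argv) {
 x11((pid_t) pid, print_procs);
 print_procs = 0;
 }
-if (arg_interface && getuid() == 0) {
-interface((pid_t) pid, print_procs);
-print_procs = 0;
-}
 if (arg_route) {
 route((pid_t) pid, print_procs);
 print_procs = 0;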
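--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -57,9 +57,6 @@ void top(void) __attribute__((noreturn));
 // list.c
 void list(void);
 
-// interface.c
-void interface(pid_t pid, int print_procs);
-
 // arp.c
 void arp(pid_t pid, int print_procs);
 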
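--- a/src/firemon/interface.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
-* Copyright (C) 2014-2023 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firemon.h"
-#include "../include/gcov_wrapper.h"
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <netdb.h>
-#include <arpa/inet.h>
-#include <ifaddrs.h>
-#include <net/if.h>
-#include <linux/connector.h>
-#include <linux/netlink.h>
-#include <linux/if_link.h>
-#include <linux/sockios.h>
-#include <sys/ioctl.h>
-
-//#include <net/route.h>
-//#include <linux/if_bridge.h>
-
-// print IP addresses for all interfaces
-static void net_ifprint(void) {
-uint32_t ip;
-uint32_t mask;
-struct ifaddrs *ifaddr, *ifa;
-
-int fd;
-if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
-fprintf(stderr, "Error: cannot open AF_INET socket\n");
-exit(1);
-}
-
-if (getifaddrs(&ifaddr) == -1)
-errExit("getifaddrs");
-
-// walk through the linked list
-printf(" Link status:\n");
-for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-if (ifa->ifa_addr == NULL)
-continue;
-
-if (ifa->ifa_addr->sa_family == AF_PACKET) {
-if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) {
-if (ifa->ifa_data != NULL) {
-struct rtnl_link_stats *stats = ifa->ifa_data;
-
-// extract mac address
-struct ifreq ifr;
-memset(&ifr, 0, sizeof(ifr));
-strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ - 1);
-int rv = ioctl (fd, SIOCGIFHWADDR, &ifr);
-
-if (rv == 0)
-printf(" %s UP, %02x:%02x:%02x:%02x:%02x:%02x\n",
-ifa->ifa_name, PRINT_MAC((unsigned char *) &ifr.ifr_hwaddr.sa_data));
-else
-printf(" %s UP\n", ifa->ifa_name);
-
-printf(" tx/rx: %u/%u packets, %u/%u bytes\n",
-stats->tx_packets, stats->rx_packets,
-stats->tx_bytes, stats->rx_bytes);
-}
-}
-else
-printf(" %s DOWN\n", ifa->ifa_name);
-}
-}
-
-
-// walk through the linked list
-printf(" IPv4 status:\n");
-for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-if (ifa->ifa_addr == NULL)
-continue;
-
-if (ifa->ifa_addr->sa_family == AF_INET) {
-struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask;
-mask = ntohl(si->sin_addr.s_addr);
-si = (struct sockaddr_in *) ifa->ifa_addr;
-ip = ntohl(si->sin_addr.s_addr);
-
-char *status;
-if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-status = "UP";
-else
-status = "DOWN";
-
-printf(" %s %s, %d.%d.%d.%d/%u\n",
-ifa->ifa_name, status, PRINT_IP(ip), mask2bits(mask));
-}
-}
-
-
-// walk through the linked list
-printf(" IPv6 status:\n");
-for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-if (ifa->ifa_addr == NULL)
-continue;
-
-if (ifa->ifa_addr->sa_family == AF_INET6) {
-char host[NI_MAXHOST];
-int s = getnameinfo(ifa->ifa_addr, sizeof(struct sockaddr_in6),
-host, NI_MAXHOST, NULL, 0, NI_NUMERICHOST);
-if (s == 0) {
-char *ptr;
-if ((ptr = strchr(host, '%')) != NULL)
-*ptr = '\0';
-char *status;
-if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-status = "UP";
-else
-status = "DOWN";
-
-printf(" %s %s, %s\n", ifa->ifa_name, status, host);
-}
-}
-}
-
-freeifaddrs(ifaddr);
-close(fd);
-}
-
-static void print_sandbox(pid_t pid) {
-pid_t child = fork();
-if (child == -1)
-return;
-
-if (child == 0) {
-int rv = join_namespace(pid, "net");
-if (rv)
-return;
-net_ifprint();
-
-__gcov_flush();
-
-_exit(0);
-}
-
-// wait for the child to finish
-waitpid(child, NULL, 0);
-}
-
-void interface(pid_t pid, int print_procs) {
-pid_read(pid); // a pid of 0 will include all processes
-
-// print processes
-int i;
-for (i = 0; i < max_pids; i++) {
-if (pids[i].level == 1) {
-if (print_procs || pid == 0)
-pid_print_list(i, arg_wrap);
-int child = find_child(i);
-if (child != -1) {
-print_sandbox(child);
-}
-}
-}
-printf("\n");
-}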
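--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -30,9 +30,6 @@ Print debug messages
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP
-\fB\-\-interface
-Print network interface information for each sandbox.
-.TP
 \fB\-\-list
 List all sandboxes.
 .TP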
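--- a/test/network/firemon-interface.exp
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test --net=br0 --ip=10.10.20.50\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --interface\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"firejail --name=test --net=br0 --ip=10.10.20.50"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"eth0 UP, 10.10.20.50/24"
-}
-sleep 2
-puts "\nall done\n"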
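--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -51,8 +51,5 @@ echo "TESTING: firemon arp (firemon-arp.exp)"
 echo "TESTING: firemon route (firemon-route.exp)"
 ./firemon-route.exp
 
-#echo "TESTING: firemon interface (firemon-interface.exp)"
-#sudo ./firemon-interface.exp
-
 sudo ip link set br0 down
 sudo brctl delbr br0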