-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 63 | ||||
-rw-r--r-- | src/firejail/netfilter.c | 7 | ||||
-rw-r--r-- | src/firejail/network_main.c | 46 |
4 files changed, 70 insertions, 47 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d58c6291d..e50b22b4e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -264,6 +264,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child); | |||
264 | void net_check_cfg(void); | 264 | void net_check_cfg(void); |
265 | void net_dns_print_name(const char *name); | 265 | void net_dns_print_name(const char *name); |
266 | void net_dns_print(pid_t pid); | 266 | void net_dns_print(pid_t pid); |
267 | void network_main(pid_t child); | ||
267 | 268 | ||
268 | // network.c | 269 | // network.c |
269 | void net_if_up(const char *ifname); | 270 | void net_if_up(const char *ifname); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 0e0ec094c..e86aa85ac 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1965,54 +1965,27 @@ int main(int argc, char **argv) { | |||
1965 | printf("The new log directory is /proc/%d/root/var/log\n", child); | 1965 | printf("The new log directory is /proc/%d/root/var/log\n", child); |
1966 | } | 1966 | } |
1967 | 1967 | ||
1968 | |||
1969 | EUID_ROOT(); | ||
1970 | if (!arg_nonetwork) { | 1968 | if (!arg_nonetwork) { |
1971 | // create veth pair or macvlan device | 1969 | EUID_ROOT(); |
1972 | if (cfg.bridge0.configured) { | 1970 | pid_t net_child = fork(); |
1973 | if (cfg.bridge0.macvlan == 0) { | 1971 | if (net_child < 0) |
1974 | net_configure_veth_pair(&cfg.bridge0, "eth0", child); | 1972 | errExit("fork"); |
1975 | } | 1973 | if (net_child == 0) { |
1976 | else | 1974 | // elevate privileges in order to get grsecurity working |
1977 | net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child); | 1975 | if (setreuid(0, 0)) |
1978 | } | 1976 | errExit("setreuid"); |
1979 | 1977 | if (setregid(0, 0)) | |
1980 | if (cfg.bridge1.configured) { | 1978 | errExit("setregid"); |
1981 | if (cfg.bridge1.macvlan == 0) | 1979 | network_main(child); |
1982 | net_configure_veth_pair(&cfg.bridge1, "eth1", child); | 1980 | if (arg_debug) |
1983 | else | 1981 | printf("Host network configured\n"); |
1984 | net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child); | 1982 | exit(0); |
1985 | } | ||
1986 | |||
1987 | if (cfg.bridge2.configured) { | ||
1988 | if (cfg.bridge2.macvlan == 0) | ||
1989 | net_configure_veth_pair(&cfg.bridge2, "eth2", child); | ||
1990 | else | ||
1991 | net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child); | ||
1992 | } | ||
1993 | |||
1994 | if (cfg.bridge3.configured) { | ||
1995 | if (cfg.bridge3.macvlan == 0) | ||
1996 | net_configure_veth_pair(&cfg.bridge3, "eth3", child); | ||
1997 | else | ||
1998 | net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child); | ||
1999 | } | ||
2000 | |||
2001 | // move interfaces in sandbox | ||
2002 | if (cfg.interface0.configured) { | ||
2003 | net_move_interface(cfg.interface0.dev, child); | ||
2004 | } | ||
2005 | if (cfg.interface1.configured) { | ||
2006 | net_move_interface(cfg.interface1.dev, child); | ||
2007 | } | ||
2008 | if (cfg.interface2.configured) { | ||
2009 | net_move_interface(cfg.interface2.dev, child); | ||
2010 | } | ||
2011 | if (cfg.interface3.configured) { | ||
2012 | net_move_interface(cfg.interface3.dev, child); | ||
2013 | } | 1983 | } |
1984 | |||
1985 | // wait for the child to finish | ||
1986 | waitpid(net_child, NULL, 0); | ||
1987 | EUID_USER(); | ||
2014 | } | 1988 | } |
2015 | EUID_USER(); | ||
2016 | 1989 | ||
2017 | // close each end of the unused pipes | 1990 | // close each end of the unused pipes |
2018 | close(parent_to_child_fds[0]); | 1991 | close(parent_to_child_fds[0]); |
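Review bot: The parent discards the network child's exit status at `waitpid(net_child, NULL, 0)`, so if network_main() or anything it calls exits non-zero (errExit() is the pattern this file uses), only the forked child dies and the sandbox is still launched with incompletely configured networking, whereas before this change the same failure aborted firejail. The status should be checked and the launch refused, as sketched below. A secondary point: the child ends with `exit(0)` rather than `_exit(0)`, so stdout data the parent had buffered but not yet flushed (the "new log directory" printf just above, when stdout is a pipe) can be written a second time by the child; `_exit(0)` avoids that. The comment "elevate privileges in order to get grsecurity working" would help more if it named which grsecurity check requires a real uid of 0 rather than just an effective one. main() starts before and ends after this hunk.
```c
		// wait for the child to finish and refuse to start the sandbox
		// if host-side network setup did not complete
		int status;
		if (waitpid(net_child, &status, 0) == -1)
			errExit("waitpid");
		if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
			fprintf(stderr, "Error: network configuration failed\n");
			exit(1);
		}
		EUID_USER();
```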
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 4a5499699..71abfb53d 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -139,7 +139,6 @@ void netfilter(const char *fname) { | |||
139 | exit(1); | 139 | exit(1); |
140 | } | 140 | } |
141 | dup2(fd,STDIN_FILENO); | 141 | dup2(fd,STDIN_FILENO); |
142 | close(fd); | ||
143 | 142 | ||
144 | // wipe out environment variables | 143 | // wipe out environment variables |
145 | environ = NULL; | 144 | environ = NULL; |
@@ -155,6 +154,11 @@ void netfilter(const char *fname) { | |||
155 | if (child < 0) | 154 | if (child < 0) |
156 | errExit("fork"); | 155 | errExit("fork"); |
157 | if (child == 0) { | 156 | if (child == 0) { |
157 | // elevate privileges in order to get grsecurity working | ||
158 | if (setreuid(0, 0)) | ||
159 | errExit("setreuid"); | ||
160 | if (setregid(0, 0)) | ||
161 | errExit("setregid"); | ||
158 | environ = NULL; | 162 | environ = NULL; |
159 | execl(iptables, iptables, "-vL", NULL); | 163 | execl(iptables, iptables, "-vL", NULL); |
160 | // it will never get here!!! | 164 | // it will never get here!!! |
@@ -246,7 +250,6 @@ void netfilter6(const char *fname) { | |||
246 | exit(1); | 250 | exit(1); |
247 | } | 251 | } |
248 | dup2(fd,STDIN_FILENO); | 252 | dup2(fd,STDIN_FILENO); |
249 | close(fd); | ||
250 | 253 | ||
251 | // wipe out environment variables | 254 | // wipe out environment variables |
252 | environ = NULL; | 255 | environ = NULL; |
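Review bot: Dropping `close(fd)` after `dup2(fd, STDIN_FILENO)` in both netfilter() and netfilter6() leaves the original descriptor open alongside stdin, and since these functions go on to fork and exec iptables it is inherited by that process unless the file was opened with O_CLOEXEC — the open() is outside the hunk, so I cannot tell. If the close was removed because fd can already be 0 (dup2(0, 0) followed by close(0) would close stdin), the precise fix is `if (fd != STDIN_FILENO) close(fd);` rather than leaking the descriptor; otherwise the close should stay. The setreuid/setregid block added in the second hunk runs only in the forked child before execl(), so its errExit() on failure is harmless, but a one-line comment naming the grsecurity restriction that needs a real uid of 0 here would spare the next reader a trip to the commit log. netfilter() and netfilter6() both start before and end after their hunks.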
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index a8ebb3480..80f3bd579 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -278,3 +278,49 @@ void net_dns_print(pid_t pid) { | |||
278 | free(fname); | 278 | free(fname); |
279 | exit(0); | 279 | exit(0); |
280 | } | 280 | } |
281 | |||
282 | void network_main(pid_t child) { | ||
283 | // create veth pair or macvlan device | ||
284 | if (cfg.bridge0.configured) { | ||
285 | if (cfg.bridge0.macvlan == 0) { | ||
286 | net_configure_veth_pair(&cfg.bridge0, "eth0", child); | ||
287 | } | ||
288 | else | ||
289 | net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child); | ||
290 | } | ||
291 | |||
292 | if (cfg.bridge1.configured) { | ||
293 | if (cfg.bridge1.macvlan == 0) | ||
294 | net_configure_veth_pair(&cfg.bridge1, "eth1", child); | ||
295 | else | ||
296 | net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child); | ||
297 | } | ||
298 | |||
299 | if (cfg.bridge2.configured) { | ||
300 | if (cfg.bridge2.macvlan == 0) | ||
301 | net_configure_veth_pair(&cfg.bridge2, "eth2", child); | ||
302 | else | ||
303 | net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child); | ||
304 | } | ||
305 | |||
306 | if (cfg.bridge3.configured) { | ||
307 | if (cfg.bridge3.macvlan == 0) | ||
308 | net_configure_veth_pair(&cfg.bridge3, "eth3", child); | ||
309 | else | ||
310 | net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child); | ||
311 | } | ||
312 | |||
313 | // move interfaces in sandbox | ||
314 | if (cfg.interface0.configured) { | ||
315 | net_move_interface(cfg.interface0.dev, child); | ||
316 | } | ||
317 | if (cfg.interface1.configured) { | ||
318 | net_move_interface(cfg.interface1.dev, child); | ||
319 | } | ||
320 | if (cfg.interface2.configured) { | ||
321 | net_move_interface(cfg.interface2.dev, child); | ||
322 | } | ||
323 | if (cfg.interface3.configured) { | ||
324 | net_move_interface(cfg.interface3.dev, child); | ||
325 | } | ||
326 | } | ||
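Review bot: network_main() repeats the same veth/macvlan branch four times for cfg.bridge0..bridge3, and the same move call four times for cfg.interface0..interface3, which is a style point: a short table-driven loop over the four Bridge slots (the type net_configure_veth_pair() takes, per firejail.h) keeps the eth0..eth3 naming in one place and makes any later fix apply to every slot, as sketched below. The function also has no header comment although main.c now calls it from a forked, root-privileged child; I would add `// Host-side network setup for sandbox `child`: create each configured bridge's veth pair or macvlan device and move it, plus any --interface devices, into the sandbox's network namespace. Intended to run in a throwaway child with real uid 0 (see main.c), so the helpers may errExit() on failure.` above the definition. The interface moves could be looped the same way, but the type of cfg.interface0 is not visible here, so I have left them as written.
```c
void network_main(pid_t child) {
	Bridge *bridges[] = { &cfg.bridge0, &cfg.bridge1, &cfg.bridge2, &cfg.bridge3 };
	const char *ifnames[] = { "eth0", "eth1", "eth2", "eth3" };
	unsigned i;

	// create veth pair or macvlan device for each configured bridge
	for (i = 0; i < sizeof(bridges) / sizeof(bridges[0]); i++) {
		Bridge *br = bridges[i];
		if (!br->configured)
			continue;
		if (br->macvlan == 0)
			net_configure_veth_pair(br, ifnames[i], child);
		else
			net_create_macvlan(br->devsandbox, br->dev, child);
	}

	// … unchanged: move --interface devices into the sandbox …
}
```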