-rw-r--r--README.md37
-rw-r--r--RELNOTES1
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/join.c39
-rw-r--r--src/firejail/main.c35
-rw-r--r--src/firejail/usage.c8
-rw-r--r--src/man/firejail.txt28
7 files changed, 137 insertions, 13 deletions
diff --git a/README.md b/README.md
index 54f16b695..6afaff8d3 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,43 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
52 52
53````` 53`````
54 54
55## join command enhancements
56'''''
57 --join-filesystem=name
58 Join the mount namespace of the sandbox identified by name. By
59 default a /bin/bash shell is started after joining the sandbox.
60 If a program is specified, the program is run in the sandbox.
61 This command is available only to root user. Security filters,
62 cgroups and cpus configurations are not applied to the process
63 joining the sandbox.
64
65 --join-filesystem=pid
66 Join the mount namespace of the sandbox identified by process
67 ID. By default a /bin/bash shell is started after joining the
68 sandbox. If a program is specified, the program is run in the
69 sandbox. This command is available only to root user. Security
70 filters, cgroups and cpus configurations are not applied to the
71 process joining the sandbox.
72
73 --join-network=name
74 Join the network namespace of the sandbox identified by name. By
75 default a /bin/bash shell is started after joining the sandbox.
76 If a program is specified, the program is run in the sandbox.
77 This command is available only to root user. Security filters,
78 cgroups and cpus configurations are not applied to the process
79 joining the sandbox.
80
81 --join-network=pid
82 Join the network namespace of the sandbox identified by process
83 ID. By default a /bin/bash shell is started after joining the
84 sandbox. If a program is specified, the program is run in the
85 sandbox. This command is available only to root user. Security
86 filters, cgroups and cpus configurations are not applied to the
87 process joining the sandbox.
88
89'''''
90
91
55## New profiles: KMail 92## New profiles: KMail
56 93
57 94
diff --git a/RELNOTES b/RELNOTES
index 5a0289dd1..78fcd7de3 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.37) baseline; urgency=low
4 * dynamic allocation of noblacklist buffer 4 * dynamic allocation of noblacklist buffer
5 * --ip6 option - IPv6 support 5 * --ip6 option - IPv6 support
6 * added KMail profile 6 * added KMail profile
7 * --join command enhancement (--join-network, --join-filesystem)
7-- netblue30 <netblue30@yahoo.com> 8-- netblue30 <netblue30@yahoo.com>
8 9
9firejail (0.9.36) baseline; urgency=low 10firejail (0.9.36) baseline; urgency=low
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 38c464735..1de38c43a 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -227,6 +227,8 @@ extern int arg_scan; // arp-scan all interfaces
227extern int arg_whitelist; // whitelist commad 227extern int arg_whitelist; // whitelist commad
228extern int arg_nosound; // disable sound 228extern int arg_nosound; // disable sound
229extern int arg_quiet; // no output for scripting 229extern int arg_quiet; // no output for scripting
230extern int arg_join_network; // join only the network namespace
231extern int arg_join_filesystem; // join only the mount namespace
230 232
231extern int parent_to_child_fds[2]; 233extern int parent_to_child_fds[2];
232extern int child_to_parent_fds[2]; 234extern int child_to_parent_fds[2];
diff --git a/src/firejail/join.c b/src/firejail/join.c
index ca9ec33e9..b05e25387 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -236,16 +236,26 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
236 set_cgroup(cfg.cgroup); 236 set_cgroup(cfg.cgroup);
237 237
238 // join namespaces 238 // join namespaces
239 if (join_namespace(pid, "ipc")) 239 if (arg_join_network) {
240 exit(1); 240 if (join_namespace(pid, "net"))
241 if (join_namespace(pid, "net")) 241 exit(1);
242 exit(1); 242 }
243 if (join_namespace(pid, "pid")) 243 else if (arg_join_filesystem) {
244 exit(1); 244 if (join_namespace(pid, "mnt"))
245 if (join_namespace(pid, "uts")) 245 exit(1);
246 exit(1); 246 }
247 if (join_namespace(pid, "mnt")) 247 else {
248 exit(1); 248 if (join_namespace(pid, "ipc"))
249 exit(1);
250 if (join_namespace(pid, "net"))
251 exit(1);
252 if (join_namespace(pid, "pid"))
253 exit(1);
254 if (join_namespace(pid, "uts"))
255 exit(1);
256 if (join_namespace(pid, "mnt"))
257 exit(1);
258 }
249 259
250 pid_t child = fork(); 260 pid_t child = fork();
251 if (child < 0) 261 if (child < 0)
@@ -256,9 +266,12 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
256 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) 266 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
257 errExit("asprintf"); 267 errExit("asprintf");
258 268
259 int rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option 269 int rv;
260 if (rv == 0) 270 if (!arg_join_network) {
261 printf("changing root to %s\n", rootdir); 271 rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option
272 if (rv == 0)
273 printf("changing root to %s\n", rootdir);
274 }
262 275
263 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died 276 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
264 if (chdir("/") < 0) 277 if (chdir("/") < 0)
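Review bot: In the second join.c hunk `rv` is now declared without an initializer and is assigned only when `arg_join_network` is clear, so any read of `rv` further down the function in network-only mode would use an indeterminate value. The rest of join() lies outside the hunk, so whether such a read exists cannot be confirmed from here. Scoping the variable to the branch removes the question: make `int rv = chroot(rootdir);` the first statement inside `if (!arg_join_network) {` and drop the bare `int rv;`. In the first hunk the new branches would benefit from a comment such as `// partial join: enter only the requested namespace; ipc, pid and uts stay those of the caller`, since that is what separates these modes from a full --join.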
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7d2fbba9c..58d735010 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -89,6 +89,9 @@ int arg_scan = 0; // arp-scan all interfaces
89int arg_whitelist = 0; // whitelist commad 89int arg_whitelist = 0; // whitelist commad
90int arg_nosound = 0; // disable sound 90int arg_nosound = 0; // disable sound
91int arg_quiet = 0; // no output for scripting 91int arg_quiet = 0; // no output for scripting
92int arg_join_network = 0; // join only the network namespace
93int arg_join_filesystem = 0; // join only the mount namespace
94
92 95
93int parent_to_child_fds[2]; 96int parent_to_child_fds[2];
94int child_to_parent_fds[2]; 97int child_to_parent_fds[2];
@@ -394,6 +397,38 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
394 join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1); 397 join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1);
395 exit(0); 398 exit(0);
396 } 399 }
400 else if (strncmp(argv[i], "--join-network=", 15) == 0) {
401 logargs(argc, argv);
402 arg_join_network = 1;
403 if (getuid() != 0) {
404 fprintf(stderr, "Error: --join-network is only available to root user\n");
405 exit(1);
406 }
407
408 // join sandbox by pid or by name
409 pid_t pid;
410 if (read_pid(argv[i] + 15, &pid) == 0)
411 join(pid, cfg.homedir, argc, argv, i + 1);
412 else
413 join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1);
414 exit(0);
415 }
416 else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) {
417 logargs(argc, argv);
418 arg_join_filesystem = 1;
419 if (getuid() != 0) {
420 fprintf(stderr, "Error: --join-filesystem is only available to root user\n");
421 exit(1);
422 }
423
424 // join sandbox by pid or by name
425 pid_t pid;
426 if (read_pid(argv[i] + 18, &pid) == 0)
427 join(pid, cfg.homedir, argc, argv, i + 1);
428 else
429 join_name(argv[i] + 18, cfg.homedir, argc, argv, i + 1);
430 exit(0);
431 }
397 else if (strncmp(argv[i], "--shutdown=", 11) == 0) { 432 else if (strncmp(argv[i], "--shutdown=", 11) == 0) {
398 logargs(argc, argv); 433 logargs(argc, argv);
399 434
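Review bot: The two new branches in run_cmd_and_exit are copies that differ only in the flag they set and in the hard-coded prefix lengths 15 and 18, which must be kept in step with the string literals by hand. A mismatch there would pass the wrong substring to read_pid() and join_name() on a root-only path. A small static helper that derives the length from the prefix removes the duplication, and it can set the flag only after the `getuid()` check has passed while keeping the logargs() call first, as the commit has it. The helper is also the natural place for a comment on why these options are root-only; the README text in this commit says security filters, cgroups and cpus configurations are not applied to the joining process. run_cmd_and_exit starts and ends outside the hunk.

```c
// Partial join (--join-network= / --join-filesystem=): root only, because security
// filters, cgroups and cpus configurations are not applied to the joining process.
// Returns 0 when argv[i] does not start with prefix; otherwise does not return.
static int try_partial_join(const char *prefix, int *flag, int i, int argc, char **argv) {
	size_t len = strlen(prefix);
	if (strncmp(argv[i], prefix, len) != 0)
		return 0;

	logargs(argc, argv);
	if (getuid() != 0) {
		// print the option name without the trailing '='
		fprintf(stderr, "Error: %.*s is only available to root user\n", (int) (len - 1), prefix);
		exit(1);
	}
	*flag = 1;

	// join sandbox by pid or by name
	pid_t pid;
	if (read_pid(argv[i] + len, &pid) == 0)
		join(pid, cfg.homedir, argc, argv, i + 1);
	else
		join_name(argv[i] + len, cfg.homedir, argc, argv, i + 1);
	exit(0);
}

// … unchanged: earlier options in run_cmd_and_exit, up to the --join= branch …
	else if (try_partial_join("--join-network=", &arg_join_network, i, argc, argv) ||
		 try_partial_join("--join-filesystem=", &arg_join_filesystem, i, argc, argv)) {
		// not reached: the helper exits once the prefix matches
	}
```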
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 3689f7b22..9197baae2 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -113,6 +113,14 @@ void usage(void) {
113 printf("\t\tthe sandbox is started as root.\n\n"); 113 printf("\t\tthe sandbox is started as root.\n\n");
114 printf("\t--join=name - join the sandbox identified by name.\n\n"); 114 printf("\t--join=name - join the sandbox identified by name.\n\n");
115 printf("\t--join=pid - join the sandbox identified by PID.\n\n"); 115 printf("\t--join=pid - join the sandbox identified by PID.\n\n");
116 printf("\t--join-filesystem=name - join the mount namespace of the sandbox\n");
117 printf("\t\tidentified by name.\n\n");
118 printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n");
119 printf("\t\tidentified by PID.\n\n");
120 printf("\t--join-network=name - join the network namespace of the sandbox\n");
121 printf("\t\tidentified by name.\n\n");
122 printf("\t--join-network=pid - join the network namespace of the sandbox\n");
123 printf("\t\tidentified by PID.\n\n");
116 printf("\t--list - list all sandboxes.\n\n"); 124 printf("\t--list - list all sandboxes.\n\n");
117 printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n"); 125 printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
118 printf("\t--mtu=number - set interface MTU.\n\n"); 126 printf("\t--mtu=number - set interface MTU.\n\n");
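Review bot: The new usage() entries leave out the two restrictions that the README and man page text in this commit spell out: the options are available only to root, and security filters, cgroups and cpus configurations are not applied to the joining process. Someone reading only `--help` would not learn that the process started this way runs without the sandbox's filters. One extra line per option would cover it, for example `printf("\t\tRoot only; security filters are not applied to the joining process.\n\n");`, with the preceding line ending in a single `\n`.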
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 895b7a3af..66ec40ce9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -531,6 +531,34 @@ $ firejail \-\-list
531$ firejail \-\-join=3272 531$ firejail \-\-join=3272
532 532
533.TP 533.TP
534\fB\-\-join-filesystem=name
535Join the mount namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
536If a program is specified, the program is run in the sandbox. This command is available only to root user.
537Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
538
539.TP
540\fB\-\-join-filesystem=pid
541Join the mount namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
542If a program is specified, the program is run in the sandbox. This command is available only to root user.
543Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
544
545.TP
546\fB\-\-join-network=name
547Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
548If a program is specified, the program is run in the sandbox. This command is available only to root user.
549Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
550
551.TP
552\fB\-\-join-network=pid
553Join the network namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
554If a program is specified, the program is run in the sandbox. This command is available only to root user.
555Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
556
557
558
559
560
561.TP
534\fB\-\-list 562\fB\-\-list
535List all sandboxes, see \fBMONITORING\fR section for more details. 563List all sandboxes, see \fBMONITORING\fR section for more details.
536.br 564.br