-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/network.c | 34 | ||||
-rw-r--r-- | src/firejail/network_main.c | 6 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 26 |
4 files changed, 64 insertions, 3 deletions
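--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -249,6 +249,7 @@ void net_dns_print(pid_t pid);
 
 // network.c
 void net_if_up(const char *ifname);
+void net_if_down(const char *ifname);
 void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
 int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu);
 int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);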
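--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -240,6 +240,40 @@ void net_if_up(const char *ifname) {
 close(sock);
 }
 
+// bring interface up
+void net_if_down(const char *ifname) {
+if (strlen(ifname) > IFNAMSIZ) {
+fprintf(stderr, "Error: invalid network device name %s\n", ifname);
+exit(1);
+}
+
+int sock = socket(AF_INET,SOCK_DGRAM,0);
+if (sock < 0)
+errExit("socket");
+
+// get the existing interface flags
+struct ifreq ifr;
+memset(&ifr, 0, sizeof(ifr));
+strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ifr.ifr_addr.sa_family = AF_INET;
+
+// read the existing flags
+if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
+close(sock);
+errExit("ioctl");
+}
+
+ifr.ifr_flags &= ~IFF_UP;
+
+// set the new flags
+if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
+close(sock);
+errExit("ioctl");
+}
+
+close(sock);
+}
+
 // configure interface
 void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
 if (strlen(ifname) > IFNAMSIZ) {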
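Review bot: The length guard at the top of net_if_down accepts a name of exactly IFNAMSIZ characters, and the following `strncpy(ifr.ifr_name, ifname, IFNAMSIZ)` then fills ifr_name with no terminating NUL; interface names are at most IFNAMSIZ-1 characters, so the test should be `if (strlen(ifname) >= IFNAMSIZ) {`. The same guard appears in net_if_ip on the hunk's last context line (and presumably in net_if_up, whose tail opens the hunk), so the fix belongs in all of them rather than in the new function alone. The header comment `// bring interface up` was carried over from net_if_up and should read `// bring interface down`. In both ioctl failure branches the `close(sock)` before `errExit("ioctl")` is redundant if errExit terminates the process, as its use after a failed socket() with no further handling suggests.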
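--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -121,12 +121,12 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
 errExit("asprintf");
 net_create_veth(dev, ifname, child);
 
-// bring up the interface
-net_if_up(dev);
-
 // add interface to the bridge
 net_bridge_add_interface(br->dev, dev);
 
+// bring up the interface
+net_if_up(dev);
+
 char *msg;
 if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1)
 errExit("asprintf");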
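Review bot: The hunk moves `net_if_up(dev)` after `net_bridge_add_interface(br->dev, dev)` without recording why the order matters, and the moved comment `// bring up the interface` does not say either. A one-line reason on the moved comment, e.g. `// bring up the interface only after it is enslaved to the bridge: <REASON>`, would keep a later refactor from restoring the old order. Neither call returns a status (net_if_up is declared void in the header hunk), so a failure between the two steps can only surface through errExit inside them; if the ordering is what keeps the device in a consistent state, that is worth stating too. net_configure_veth_pair's body continues on both sides of the hunk.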
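--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -161,6 +161,32 @@ static void monitor_application(pid_t app_pid) {
 if (app_pid != 0 && arg_debug)
 printf("Sandbox monitor: monitoring %u\n", app_pid);
 }
+
+#if 0
+// todo: find a way to shut down interfaces before closing the namespace
+// the problem is we don't have enough privileges to shutdown interfaces in this momen
+// shut down bridge/macvlan interfaces
+if (any_bridge_configured()) {
+
+if (cfg.bridge0.configured) {
+printf("Shutting down %s\n", cfg.bridge0.devsandbox);
+net_if_down( cfg.bridge0.devsandbox);
+}
+if (cfg.bridge1.configured) {
+printf("Shutting down %s\n", cfg.bridge1.devsandbox);
+net_if_down( cfg.bridge1.devsandbox);
+}
+if (cfg.bridge2.configured) {
+printf("Shutting down %s\n", cfg.bridge2.devsandbox);
+net_if_down( cfg.bridge2.devsandbox);
+}
+if (cfg.bridge3.configured) {
+printf("Shutting down %s\n", cfg.bridge3.devsandbox);
+net_if_down( cfg.bridge3.devsandbox);
+}
+usleep(20000); // 20 ms sleep
+}
+#endif
 }
 
 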
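Review bot: The new block at the end of monitor_application is compiled out with `#if 0`, so this commit adds net_if_down in network.c together with its only caller as dead code; the todo comment says the process no longer has the privileges to do this here, so the call should either move to a point where they are still held or stay out of the tree until it works. If the block is kept, the typo `momen` should read `moment`, the four near-identical bridge0..bridge3 branches would read better as a loop over the configured bridges, and the `usleep(20000)` needs a comment saying what the 20 ms wait is for, since the hunk does not show it. The `printf("Shutting down %s\n", ...)` lines are also not gated on arg_debug, unlike the monitor message just above them. Whether bringing the sandbox-side interfaces down before the namespace is torn down changes anything observable is not clear from the hunk — presumably the veth peers vanish with the namespace regardless — so the intended effect should be spelled out in the comment. monitor_application's signature and the start of its body are outside the hunk.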