4 files changed, 64 insertions, 3 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 12f792af8..3ffb2b527 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -249,6 +249,7 @@ void net_dns_print(pid_t pid);
 // network.c
 void net_if_up(const char *ifname);
+void net_if_down(const char *ifname);
 void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
 int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu);
 int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 5f7a84a1e..ece406fc8 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -240,6 +240,40 @@ void net_if_up(const char *ifname) {
        close(sock);
 }
+// bring interface up
+void net_if_down(const char *ifname) {
+        if (strlen(ifname) > IFNAMSIZ) {
+                fprintf(stderr, "Error: invalid network device name %s\n", ifname);
+                exit(1);
+        }
+        
+        int sock = socket(AF_INET,SOCK_DGRAM,0);
+        if (sock < 0)
+                errExit("socket");
+        // get the existing interface flags
+        struct ifreq ifr;
+        memset(&ifr, 0, sizeof(ifr));
+        strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+        ifr.ifr_addr.sa_family = AF_INET;
+        // read the existing flags
+        if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
+                close(sock);
+                errExit("ioctl");
+        }
+        ifr.ifr_flags &= ~IFF_UP;
+        // set the new flags
+        if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
+                close(sock);
+                errExit("ioctl");
+        }
+        close(sock);
+}
 // configure interface
 void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
        if (strlen(ifname) > IFNAMSIZ) {
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index c93c47eda..66eff0b85 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -121,12 +121,12 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
                errExit("asprintf");
        net_create_veth(dev, ifname, child);
-        // bring up the interface
-        net_if_up(dev);
        // add interface to the bridge
        net_bridge_add_interface(br->dev, dev);
+        // bring up the interface
+        net_if_up(dev);
        char *msg;
        if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1)
                errExit("asprintf");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 356807acf..25662d90e 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -161,6 +161,32 @@ static void monitor_application(pid_t app_pid) {
                if (app_pid != 0 && arg_debug)
                        printf("Sandbox monitor: monitoring %u\n", app_pid);
        }
+#if 0
+// todo: find a way to shut down interfaces before closing the namespace
+// the problem is we don't have enough privileges to shutdown interfaces in this momen
+        // shut down bridge/macvlan interfaces
+        if (any_bridge_configured()) {
+                
+                if (cfg.bridge0.configured) {
+                        printf("Shutting down %s\n", cfg.bridge0.devsandbox);
+                        net_if_down( cfg.bridge0.devsandbox);
+                }
+                if (cfg.bridge1.configured) {
+                        printf("Shutting down %s\n", cfg.bridge1.devsandbox);
+                        net_if_down( cfg.bridge1.devsandbox);
+                }
+                if (cfg.bridge2.configured) {
+                        printf("Shutting down %s\n", cfg.bridge2.devsandbox);
+                        net_if_down( cfg.bridge2.devsandbox);
+                }
+                if (cfg.bridge3.configured) {
+                        printf("Shutting down %s\n", cfg.bridge3.devsandbox);
+                        net_if_down( cfg.bridge3.devsandbox);
+                }
+                usleep(20000);  // 20 ms sleep
+        }       
+#endif  
 }

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 12f792af8..3ffb2b527 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -249,6 +249,7 @@ void net_dns_print(pid_t pid);
249		249
250	// network.c	250	// network.c
251	void net_if_up(const char *ifname);	251	void net_if_up(const char *ifname);
		252	void net_if_down(const char *ifname);
252	void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);	253	void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
253	int net_get_if_addr(const char bridge, uint32_t ip, uint32_t mask, uint8_t mac[6], int mtu);	254	int net_get_if_addr(const char bridge, uint32_t ip, uint32_t mask, uint8_t mac[6], int mtu);
254	int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);	255	int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);


diff --git a/src/firejail/network.c b/src/firejail/network.c index 5f7a84a1e..ece406fc8 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c
@@ -240,6 +240,40 @@ void net_if_up(const char *ifname) {
240	close(sock);	240	close(sock);
241	}	241	}
242		242
		243	// bring interface up
		244	void net_if_down(const char *ifname) {
		245	if (strlen(ifname) > IFNAMSIZ) {
		246	fprintf(stderr, "Error: invalid network device name %s\n", ifname);
		247	exit(1);
		248	}
		249
		250	int sock = socket(AF_INET,SOCK_DGRAM,0);
		251	if (sock < 0)
		252	errExit("socket");
		253
		254	// get the existing interface flags
		255	struct ifreq ifr;
		256	memset(&ifr, 0, sizeof(ifr));
		257	strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
		258	ifr.ifr_addr.sa_family = AF_INET;
		259
		260	// read the existing flags
		261	if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
		262	close(sock);
		263	errExit("ioctl");
		264	}
		265
		266	ifr.ifr_flags &= ~IFF_UP;
		267
		268	// set the new flags
		269	if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
		270	close(sock);
		271	errExit("ioctl");
		272	}
		273
		274	close(sock);
		275	}
		276
243	// configure interface	277	// configure interface
244	void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {	278	void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
245	if (strlen(ifname) > IFNAMSIZ) {	279	if (strlen(ifname) > IFNAMSIZ) {


diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index c93c47eda..66eff0b85 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c
@@ -121,12 +121,12 @@ void net_configure_veth_pair(Bridge br, const char ifname, pid_t child) {
121	errExit("asprintf");	121	errExit("asprintf");
122	net_create_veth(dev, ifname, child);	122	net_create_veth(dev, ifname, child);
123		123
124	// bring up the interface
125	net_if_up(dev);
126
127	// add interface to the bridge	124	// add interface to the bridge
128	net_bridge_add_interface(br->dev, dev);	125	net_bridge_add_interface(br->dev, dev);
129		126
		127	// bring up the interface
		128	net_if_up(dev);
		129
130	char *msg;	130	char *msg;
131	if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1)	131	if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1)
132	errExit("asprintf");	132	errExit("asprintf");


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 356807acf..25662d90e 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -161,6 +161,32 @@ static void monitor_application(pid_t app_pid) {
161	if (app_pid != 0 && arg_debug)	161	if (app_pid != 0 && arg_debug)
162	printf("Sandbox monitor: monitoring %u\n", app_pid);	162	printf("Sandbox monitor: monitoring %u\n", app_pid);
163	}	163	}
		164
		165	#if 0
		166	// todo: find a way to shut down interfaces before closing the namespace
		167	// the problem is we don't have enough privileges to shutdown interfaces in this momen
		168	// shut down bridge/macvlan interfaces
		169	if (any_bridge_configured()) {
		170
		171	if (cfg.bridge0.configured) {
		172	printf("Shutting down %s\n", cfg.bridge0.devsandbox);
		173	net_if_down( cfg.bridge0.devsandbox);
		174	}
		175	if (cfg.bridge1.configured) {
		176	printf("Shutting down %s\n", cfg.bridge1.devsandbox);
		177	net_if_down( cfg.bridge1.devsandbox);
		178	}
		179	if (cfg.bridge2.configured) {
		180	printf("Shutting down %s\n", cfg.bridge2.devsandbox);
		181	net_if_down( cfg.bridge2.devsandbox);
		182	}
		183	if (cfg.bridge3.configured) {
		184	printf("Shutting down %s\n", cfg.bridge3.devsandbox);
		185	net_if_down( cfg.bridge3.devsandbox);
		186	}
		187	usleep(20000); // 20 ms sleep
		188	}
		189	#endif
164	}	190	}
165		191
166		192