1 files changed, 114 insertions, 0 deletions
diff --git a/src/firejail/netns.c b/src/firejail/netns.c
new file mode 100644
index 000000000..477d56b3d
--- /dev/null
+++ b/src/firejail/netns.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <unistd.h>
+static char *netns_control_file(const char *nsname) {
+        char *rv = 0;
+        if (asprintf(&rv, "/var/run/netns/%s", nsname) <= 0)
+                errExit("asprintf");
+        return rv;
+}
+static char *netns_etc_dir(const char *nsname) {
+        char *rv = 0;
+        if (asprintf(&rv, "/etc/netns/%s", nsname) <= 0)
+                errExit("asprintf");
+        return rv;
+}
+void check_netns(const char *nsname) {
+        if (strchr(nsname, '/') || strstr(nsname, "..")) {
+                fprintf(stderr, "Error: invalid netns name %s\n", nsname);
+                exit(1);
+        }
+        invalid_filename(nsname);
+        char *control_file = netns_control_file(nsname);
+        EUID_ASSERT();
+        struct stat st;
+        if (lstat(control_file, &st)) {
+                fprintf(stderr, "Error: invalid netns '%s' (%s: %s)\n",
+                        nsname, control_file, strerror(errno));
+                exit(1);
+        }
+        if (!S_ISREG(st.st_mode)) {
+                fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n",
+                        nsname, control_file);
+                exit(1);
+        }
+        free(control_file);
+}
+void netns(const char *nsname) {
+        char *control_file = netns_control_file(nsname);
+        int nsfd = open(control_file, O_RDONLY|O_CLOEXEC);
+        if (nsfd < 0) {
+                fprintf(stderr, "Error: cannot open netns '%s' (%s: %s)\n",
+                        nsname, control_file, strerror(errno));
+                exit(1);
+        }
+        if (syscall(__NR_setns, nsfd, CLONE_NEWNET) < 0) {
+                fprintf(stderr, "Error: cannot join netns '%s': %s\n",
+                        nsname, strerror(errno));
+                exit(1);
+        }
+        close(nsfd);
+        free(control_file);
+}
+void netns_mounts(const char *nsname) {
+        char *etcdir = netns_etc_dir(nsname);
+        char *netns_name, *etc_name;
+        struct dirent *entry;
+        DIR *dir;
+        dir = opendir(etcdir);
+        if (!dir) {
+                free(etcdir);
+                return;
+        }
+        while ((entry = readdir(dir))) {
+                if (!strcmp(entry->d_name, ".") || !strcmp(entry->d_name, ".."))
+                        continue;
+                if (asprintf(&netns_name, "%s/%s", etcdir, entry->d_name) < 0 ||
+                    asprintf(&etc_name, "/etc/%s", entry->d_name) < 0)
+                        errExit("asprintf");
+                if (mount(netns_name, etc_name, "none", MS_BIND, 0) < 0) {
+                        fprintf(stderr, "Warning: bind %s -> %s failed: %s\n",
+                                netns_name, etc_name, strerror(errno));
+                }
+                free(netns_name);
+                free(etc_name);
+        }
+        closedir(dir);
+        free(etcdir);
+}

diff --git a/src/firejail/netns.c b/src/firejail/netns.c new file mode 100644 index 000000000..477d56b3d --- /dev/null +++ b/src/firejail/netns.c
@@ -0,0 +1,114 @@
	1	/*
	2	* Copyright (C) 2017 Firejail Authors
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20	#include "firejail.h"
	21	#include <stdio.h>
	22	#include <string.h>
	23	#include <errno.h>
	24	#include <sys/types.h>
	25	#include <sys/mount.h>
	26	#include <sys/stat.h>
	27	#include <sys/syscall.h>
	28	#include <dirent.h>
	29	#include <fcntl.h>
	30	#include <sched.h>
	31	#include <unistd.h>
	32
	33	static char netns_control_file(const char nsname) {
	34	char *rv = 0;
	35	if (asprintf(&rv, "/var/run/netns/%s", nsname) <= 0)
	36	errExit("asprintf");
	37	return rv;
	38	}
	39
	40	static char netns_etc_dir(const char nsname) {
	41	char *rv = 0;
	42	if (asprintf(&rv, "/etc/netns/%s", nsname) <= 0)
	43	errExit("asprintf");
	44	return rv;
	45	}
	46
	47	void check_netns(const char *nsname) {
	48	if (strchr(nsname, '/') \|\| strstr(nsname, "..")) {
	49	fprintf(stderr, "Error: invalid netns name %s\n", nsname);
	50	exit(1);
	51	}
	52	invalid_filename(nsname);
	53	char *control_file = netns_control_file(nsname);
	54
	55	EUID_ASSERT();
	56
	57	struct stat st;
	58	if (lstat(control_file, &st)) {
	59	fprintf(stderr, "Error: invalid netns '%s' (%s: %s)\n",
	60	nsname, control_file, strerror(errno));
	61	exit(1);
	62	}
	63	if (!S_ISREG(st.st_mode)) {
	64	fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n",
	65	nsname, control_file);
	66	exit(1);
	67	}
	68	free(control_file);
	69	}
	70
	71	void netns(const char *nsname) {
	72	char *control_file = netns_control_file(nsname);
	73	int nsfd = open(control_file, O_RDONLY\|O_CLOEXEC);
	74	if (nsfd < 0) {
	75	fprintf(stderr, "Error: cannot open netns '%s' (%s: %s)\n",
	76	nsname, control_file, strerror(errno));
	77	exit(1);
	78	}
	79	if (syscall(__NR_setns, nsfd, CLONE_NEWNET) < 0) {
	80	fprintf(stderr, "Error: cannot join netns '%s': %s\n",
	81	nsname, strerror(errno));
	82	exit(1);
	83	}
	84	close(nsfd);
	85	free(control_file);
	86	}
	87
	88	void netns_mounts(const char *nsname) {
	89	char *etcdir = netns_etc_dir(nsname);
	90	char netns_name, etc_name;
	91	struct dirent *entry;
	92	DIR *dir;
	93
	94	dir = opendir(etcdir);
	95	if (!dir) {
	96	free(etcdir);
	97	return;
	98	}
	99	while ((entry = readdir(dir))) {
	100	if (!strcmp(entry->d_name, ".") \|\| !strcmp(entry->d_name, ".."))
	101	continue;
	102	if (asprintf(&netns_name, "%s/%s", etcdir, entry->d_name) < 0 \|\|
	103	asprintf(&etc_name, "/etc/%s", entry->d_name) < 0)
	104	errExit("asprintf");
	105	if (mount(netns_name, etc_name, "none", MS_BIND, 0) < 0) {
	106	fprintf(stderr, "Warning: bind %s -> %s failed: %s\n",
	107	netns_name, etc_name, strerror(errno));
	108	}
	109	free(netns_name);
	110	free(etc_name);
	111	}
	112	closedir(dir);
	113	free(etcdir);
	114	}