1 files changed, 20 insertions, 15 deletions
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index 907b84642..8a9c47f0e 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -23,6 +23,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <net/if.h>
+#include <stdarg.h>
 // configure bridge structure
 // - extract ip address and mask from the bridge interface
@@ -127,13 +128,11 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
        else
                dev = br->veth_name;
                
-        net_create_veth(dev, ifname, child);
+        char *cstr;
+        if (asprintf(&cstr, "%d", child) == -1)
-        // add interface to the bridge
+                errExit("asprintf");
-        net_bridge_add_interface(br->dev, dev);
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
+        free(cstr);
-        // bring up the interface
-        net_if_up(dev);
        char *msg;
        if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1)
@@ -290,47 +289,53 @@ void net_dns_print(pid_t pid) {
 }
 void network_main(pid_t child) {
+        char *cstr;
+        if (asprintf(&cstr, "%d", child) == -1)
+                errExit("asprintf");
        // create veth pair or macvlan device
        if (cfg.bridge0.configured) {
                if (cfg.bridge0.macvlan == 0) {
                        net_configure_veth_pair(&cfg.bridge0, "eth0", child);
                }
                else
-                        net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
        }
        
        if (cfg.bridge1.configured) {
                if (cfg.bridge1.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge1, "eth1", child);
                else
-                        net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
        }
        
        if (cfg.bridge2.configured) {
                if (cfg.bridge2.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge2, "eth2", child);
                else
-                        net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
        }
        
        if (cfg.bridge3.configured) {
                if (cfg.bridge3.macvlan == 0)
                        net_configure_veth_pair(&cfg.bridge3, "eth3", child);
                else
-                        net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
+                        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
        }
        // move interfaces in sandbox
        if (cfg.interface0.configured) {
-                net_move_interface(cfg.interface0.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
        }
        if (cfg.interface1.configured) {
-                net_move_interface(cfg.interface1.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
        }
        if (cfg.interface2.configured) {
-                net_move_interface(cfg.interface2.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
        }
        if (cfg.interface3.configured) {
-                net_move_interface(cfg.interface3.dev, child);
+                sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
        }
+        free(cstr);
 }

diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 907b84642..8a9c47f0e 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c
@@ -23,6 +23,7 @@
23	#include <sys/stat.h>	23	#include <sys/stat.h>
24	#include <unistd.h>	24	#include <unistd.h>
25	#include <net/if.h>	25	#include <net/if.h>
		26	#include <stdarg.h>
26		27
27	// configure bridge structure	28	// configure bridge structure
28	// - extract ip address and mask from the bridge interface	29	// - extract ip address and mask from the bridge interface
@@ -127,13 +128,11 @@ void net_configure_veth_pair(Bridge br, const char ifname, pid_t child) {
127	else	128	else
128	dev = br->veth_name;	129	dev = br->veth_name;
129		130
130	net_create_veth(dev, ifname, child);	131	char *cstr;
131		132	if (asprintf(&cstr, "%d", child) == -1)
132	// add interface to the bridge	133	errExit("asprintf");
133	net_bridge_add_interface(br->dev, dev);	134	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 7, PATH_FNET, "create", "veth", dev, ifname, br->dev, cstr);
134		135	free(cstr);
135	// bring up the interface
136	net_if_up(dev);
137		136
138	char *msg;	137	char *msg;
139	if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1)	138	if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1)
@@ -290,47 +289,53 @@ void net_dns_print(pid_t pid) {
290	}	289	}
291		290
292	void network_main(pid_t child) {	291	void network_main(pid_t child) {
		292	char *cstr;
		293	if (asprintf(&cstr, "%d", child) == -1)
		294	errExit("asprintf");
		295
293	// create veth pair or macvlan device	296	// create veth pair or macvlan device
294	if (cfg.bridge0.configured) {	297	if (cfg.bridge0.configured) {
295	if (cfg.bridge0.macvlan == 0) {	298	if (cfg.bridge0.macvlan == 0) {
296	net_configure_veth_pair(&cfg.bridge0, "eth0", child);	299	net_configure_veth_pair(&cfg.bridge0, "eth0", child);
297	}	300	}
298	else	301	else
299	net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);	302	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
300	}	303	}
301		304
302	if (cfg.bridge1.configured) {	305	if (cfg.bridge1.configured) {
303	if (cfg.bridge1.macvlan == 0)	306	if (cfg.bridge1.macvlan == 0)
304	net_configure_veth_pair(&cfg.bridge1, "eth1", child);	307	net_configure_veth_pair(&cfg.bridge1, "eth1", child);
305	else	308	else
306	net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);	309	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
307	}	310	}
308		311
309	if (cfg.bridge2.configured) {	312	if (cfg.bridge2.configured) {
310	if (cfg.bridge2.macvlan == 0)	313	if (cfg.bridge2.macvlan == 0)
311	net_configure_veth_pair(&cfg.bridge2, "eth2", child);	314	net_configure_veth_pair(&cfg.bridge2, "eth2", child);
312	else	315	else
313	net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);	316	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
314	}	317	}
315		318
316	if (cfg.bridge3.configured) {	319	if (cfg.bridge3.configured) {
317	if (cfg.bridge3.macvlan == 0)	320	if (cfg.bridge3.macvlan == 0)
318	net_configure_veth_pair(&cfg.bridge3, "eth3", child);	321	net_configure_veth_pair(&cfg.bridge3, "eth3", child);
319	else	322	else
320	net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);	323	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
321	}	324	}
322		325
323	// move interfaces in sandbox	326	// move interfaces in sandbox
324	if (cfg.interface0.configured) {	327	if (cfg.interface0.configured) {
325	net_move_interface(cfg.interface0.dev, child);	328	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface0.dev, cstr);
326	}	329	}
327	if (cfg.interface1.configured) {	330	if (cfg.interface1.configured) {
328	net_move_interface(cfg.interface1.dev, child);	331	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface1.dev, cstr);
329	}	332	}
330	if (cfg.interface2.configured) {	333	if (cfg.interface2.configured) {
331	net_move_interface(cfg.interface2.dev, child);	334	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
332	}	335	}
333	if (cfg.interface3.configured) {	336	if (cfg.interface3.configured) {
334	net_move_interface(cfg.interface3.dev, child);	337	sbox_run(SBOX_ROOT \| SBOX_CAPS_NETWORK \| SBOX_SECCOMP, 4, PATH_FNET, "moveif", cfg.interface3.dev, cstr);
335	}	338	}
		339
		340	free(cstr);
336	}	341	}