From 0d5453fc72da34081f22caf191ff31a22be52af8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 19 Apr 2016 11:28:19 -0400 Subject: networking profile file support --- src/firejail/main.c | 24 +++++----- src/firejail/profile.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++- test/net-profile.profile | 10 ++++ test/net_profile.exp | 73 ++++++++++++++++++++++++++++ test/test.sh | 3 ++ todo | 2 + 6 files changed, 220 insertions(+), 13 deletions(-) create mode 100644 test/net-profile.profile create mode 100755 test/net_profile.exp diff --git a/src/firejail/main.c b/src/firejail/main.c index b51ba2e65..15720b4c6 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1542,17 +1542,17 @@ int main(int argc, char **argv) { Bridge *br = last_bridge_configured(); if (br == NULL) { fprintf(stderr, "Error: no network device configured\n"); - return 1; + exit(1); } if (mac_not_zero(br->macsandbox)) { fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); - return 1; + exit(1); } // read the address if (atomac(argv[i] + 6, br->macsandbox)) { fprintf(stderr, "Error: invalid MAC address\n"); - return 1; + exit(1); } } else { @@ -1566,12 +1566,12 @@ int main(int argc, char **argv) { Bridge *br = last_bridge_configured(); if (br == NULL) { fprintf(stderr, "Error: no network device configured\n"); - return 1; + exit(1); } if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { fprintf(stderr, "Error: invalid mtu value\n"); - return 1; + exit(1); } } else { @@ -1585,11 +1585,11 @@ int main(int argc, char **argv) { Bridge *br = last_bridge_configured(); if (br == NULL) { fprintf(stderr, "Error: no network device configured\n"); - return 1; + exit(1); } if (br->arg_ip_none || br->ipsandbox) { fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); - return 1; + exit(1); } // configure this IP address for the last bridge defined 
@@ -1598,7 +1598,7 @@ int main(int argc, char **argv) { else { if (atoip(argv[i] + 5, &br->ipsandbox)) { fprintf(stderr, "Error: invalid IP address\n"); - return 1; + exit(1); } } } @@ -1613,11 +1613,11 @@ int main(int argc, char **argv) { Bridge *br = last_bridge_configured(); if (br == NULL) { fprintf(stderr, "Error: no network device configured\n"); - return 1; + exit(1); } if (br->arg_ip_none || br->ip6sandbox) { fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); - return 1; + exit(1); } // configure this IP address for the last bridge defined @@ -1625,7 +1625,7 @@ int main(int argc, char **argv) { br->ip6sandbox = argv[i] + 6; // if (atoip(argv[i] + 5, &br->ipsandbox)) { // fprintf(stderr, "Error: invalid IP address\n"); -// return 1; +// exit(1); // } } else { @@ -1639,7 +1639,7 @@ int main(int argc, char **argv) { if (checkcfg(CFG_NETWORK)) { if (atoip(argv[i] + 12, &cfg.defaultgw)) { fprintf(stderr, "Error: invalid IP address\n"); - return 1; + exit(1); } } else { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 6ded0ca2f..7ff7c7926 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
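Review bot: The `--ip6` branch still stores `br->ip6sandbox = argv[i] + 6;` with no syntax check, and the -1625 hunk only retouches the `return 1` inside the commented-out validation block beneath it instead of deleting that dead code or replacing it with a real check. Whatever later consumes `ip6sandbox` (not visible here) receives an arbitrary user-supplied string, so an IPv6 equivalent of `atoip()` should gate the assignment, failing with `fprintf(stderr, "Error: invalid IPv6 address\n"); exit(1);` like the IPv4 path does; the parser itself is not something this file shows. main()'s body continues on both sides of these hunks.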
@@ -319,7 +319,126 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } - + +// from here + else if (strncmp(ptr, "mac ", 4) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (br == NULL) { + fprintf(stderr, "Error: no network device configured\n"); + exit(1); + } + + if (mac_not_zero(br->macsandbox)) { + fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); + exit(1); + } + + // read the address + if (atomac(ptr + 4, br->macsandbox)) { + fprintf(stderr, "Error: invalid MAC address\n"); + exit(1); + } + } + else + fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); +#endif + return 0; + } + + else if (strncmp(ptr, "mtu ", 4) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (br == NULL) { + fprintf(stderr, "Error: no network device configured\n"); + exit(1); + } + + if (sscanf(ptr + 4, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { + fprintf(stderr, "Error: invalid mtu value\n"); + exit(1); + } + } + else + fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); +#endif + return 0; + } + + else if (strncmp(ptr, "ip ", 3) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (br == NULL) { + fprintf(stderr, "Error: no network device configured\n"); + exit(1); + } + if (br->arg_ip_none || br->ipsandbox) { + fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); + exit(1); + } + + // configure this IP address for the last bridge defined + if (strcmp(ptr + 3, "none") == 0) + br->arg_ip_none = 1; + else { + if (atoip(ptr + 3, &br->ipsandbox)) { + fprintf(stderr, "Error: invalid IP address\n"); + exit(1); + } + } + } + else + fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 
+#endif + return 0; + } + + else if (strncmp(ptr, "ip6 ", 4) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (br == NULL) { + fprintf(stderr, "Error: no network device configured\n"); + exit(1); + } + if (br->arg_ip_none || br->ip6sandbox) { + fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); + exit(1); + } + + // configure this IP address for the last bridge defined + // todo: verify ipv6 syntax + br->ip6sandbox = ptr + 4; +// if (atoip(argv[i] + 5, &br->ipsandbox)) { +// fprintf(stderr, "Error: invalid IP address\n"); +// exit(1); +// } + + } + else + fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); +#endif + return 0; + } + + else if (strncmp(ptr, "defaultgw ", 10) == 0) { +#ifdef HAVE_NETWORK + if (checkcfg(CFG_NETWORK)) { + Bridge *br = last_bridge_configured(); + if (atoip(ptr + 10, &cfg.defaultgw)) { + fprintf(stderr, "Error: invalid IP address\n"); + exit(1); + } + } + else + fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); +#endif + return 0; + } + if (strncmp(ptr, "protocol ", 9) == 0) { #ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) diff --git a/test/net-profile.profile b/test/net-profile.profile new file mode 100644 index 000000000..05052b6dc --- /dev/null +++ b/test/net-profile.profile @@ -0,0 +1,10 @@ +net br0 +mac 00:11:22:33:44:55 +mtu 1000 +net br1 +ip 10.10.30.50 +net br2 +ip 10.10.40.100 +net br3 +defaultgw 10.10.20.2 + diff --git a/test/net_profile.exp b/test/net_profile.exp new file mode 100755 index 000000000..37043c906 --- /dev/null +++ b/test/net_profile.exp 
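Review bot: In the new `ip6 ` branch, `br->ip6sandbox = ptr + 4;` keeps a pointer into the profile line rather than copying it; unlike `argv[i]` in main.c, `ptr` is whatever the caller handed profile_check_line for this one line, and if that buffer is reused for the next line or freed (the read loop is outside this hunk) the address later applied to the interface is dangling, so copy it with `br->ip6sandbox = strdup(ptr + 4);` and exit on a NULL result unless the caller is known to keep every line alive. The commented-out validation under it still references `argv[i]`, which does not exist in this function, and the value reaches the bridge with no syntax check at all; either drop the dead block or replace it with a real IPv6 check. In the `defaultgw ` branch `Bridge *br = last_bridge_configured();` is never used and will trip -Wunused-variable. Every new error path exits with a message that omits `fname` and `lineno`, both of which the function already receives, so a profile that sets `ip` twice on one bridge is hard to locate; e.g. `fprintf(stderr, "Error: %s:%d: cannot configure the IP address twice for the same interface\n", fname, lineno);`. The stray `// from here` marker should go, and note that when HAVE_NETWORK is not defined all five directives are accepted silently (`return 0` with no warning), so a profile's network restrictions vanish without any hint to the user; the enclosing profile_check_line starts and ends outside this hunk.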
@@ -0,0 +1,73 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# check eth0 +send -- "firejail --profile=net-profile.profile\r" +expect { + timeout {puts "TESTING ERROR 0.0\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "00:11:22:33:44:55" +} +expect { + timeout {puts "TESTING ERROR 0.1\n";exit} + "10.10.20" +} +expect { + timeout {puts "TESTING ERROR 0.2\n";exit} + "255.255.255.248" +} +expect { + timeout {puts "TESTING ERROR 0.3\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 0.4\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50" +} + +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100" +} + + +# check default gw +send -- "ip route show\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "default via 10.10.20.2 dev eth0" +} + +# check mtu +send -- "ip link show\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "mtu 1000" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "state UP" +} + +sleep 1 + +puts "\nall done\n" + diff --git a/test/test.sh b/test/test.sh index c6fe4f299..961b48807 100755 --- a/test/test.sh +++ b/test/test.sh @@ -10,6 +10,9 @@ echo "TESTING: cpu.print (cpu-print.exp)" echo "TESTING: failing under VirtualBox where there is only one CPU" ./cpu-print.exp +echo "TESTING: network profile (net_profile.exp)" +./net_profile.exp + echo "TESTING: bandwidth (bandwidth.exp)" ./bandwidth.exp diff --git a/todo b/todo index f23b4b13d..56cc3dc0b 100644 --- a/todo +++ b/todo 
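Review bot: Two consecutive expect blocks in the new script report the same label, `TESTING ERROR 0.1`, once for the MAC match and once for the `10.10.20` match, so a timeout in either prints an identical diagnostic; renumber the second to `0.2` and shift the following ones (`0.3`, `0.4`, `0.5`). The script also assumes host bridges br0 through br3 with 10.10.20.x, 10.10.30.x and 10.10.40.x addressing already exist, which nothing in the test sets up, so it appears to need a prepared environment — a comment at the top stating that prerequisite would save a false failure. Since expect matches a pattern anywhere in the pending output, the `mtu 1000` and `state UP` checks are not actually tied to the `eth0` line matched just before them, so a stricter pattern such as `eth0.*mtu 1000` would make the MTU check meaningful.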
@@ -80,3 +80,5 @@ https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/ https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl 12. check for --chroot why .config/pulse dir is not created + +13. print error line number for profile files in profile_check_line() -- cgit v1.2.3-54-g00ecf