From 7b78bf75c7bcf49e91065ff3013f3e8908c3a9ff Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 19 Jun 2021 10:34:03 -0400
Subject: jailcheck: networking support

---
 src/jailcheck/jailcheck.h |  2 ++
 src/jailcheck/main.c      | 23 +++++++++++++++++++++++
 src/man/jailcheck.txt     | 12 ++++++++++++
 3 files changed, 37 insertions(+)

diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h
index 32be1c978..be3104da3 100644
--- a/src/jailcheck/jailcheck.h
+++ b/src/jailcheck/jailcheck.h
@@ -53,6 +53,8 @@ void apparmor_test(pid_t pid);
 // seccomp.c
 void seccomp_test(pid_t pid);
+// network.c
+void network_test(void);
 // utils.c
 char *get_sudo_user(void);
 char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
index 4d642bf96..812ac5808 100644
--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -157,6 +157,7 @@ int main(int argc, char **argv) {
 		seccomp_test(pid);
 		fflush(0);
 
+		// filesystem tests
 		pid_t child = fork();
 		if (child == -1)
 			errExit("fork");
@@ -185,6 +186,28 @@ int main(int argc, char **argv) {
 		}
 		int status;
 		wait(&status);
+
+		// network test
+		child = fork();
+		if (child == -1)
+			errExit("fork");
+		if (child == 0) {
+			int rv = join_namespace(pid, "net");
+			if (rv == 0)
+				network_test();
+			else {
+				printf(" Error: I cannot join the process network stack\n");
+				exit(1);
+			}
+
+			// drop privileges in order not to trigger cleanup()
+			if (setgid(user_gid) != 0)
+				errExit("setgid");
+			if (setuid(user_uid) != 0)
+				errExit("setuid");
+			return 0;
+		}
+		wait(&status);
 	}
 }
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt
index c80e305cc..483f47fb9 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -23,6 +23,8 @@ them from inside the sandbox.
 .TP
 \fB5. Seccomp test
 .TP
+\fB6. Networking test
+.TP
 The program is started as root using sudo.
 .SH OPTIONS
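Review bot: The failure branch of the new network-test child (`else { printf(...); exit(1); }`) exits while still root, so it runs the process's atexit handlers — presumably the `cleanup()` that the later comment `// drop privileges in order not to trigger cleanup()` deliberately sidesteps on the success path; cleanup() itself is outside this hunk, so that is inferred from the comment. Replace it with `_exit(1);` (or perform the same setgid/setuid drop before exiting) so a child that cannot join the namespace cannot tear down state owned by the parent. The parent's second `wait(&status)` also never inspects status, so a child that failed `join_namespace()` or died before printing leaves the report silently missing its networking line; `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) printf(" Error: network test failed\n");` after the wait would surface it. Note too that `network_test()` runs with full root privileges inside the target's network namespace, so whatever it does there should stay strictly read-only. main() begins before this hunk.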
@@ -56,6 +58,8 @@ $ sudo jailcheck
 .br
 Warning: I can run programs in /home/netblue
 .br
+ Networking: disabled
+.br
 .br
 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
@@ -64,12 +68,16 @@ $ sudo jailcheck
 .br
 Warning: I can read ~/.ssh
 .br
+ Networking: enabled
+.br
 .br
 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
 .br
 Virtual dirs: /tmp, /var/tmp, /dev,
 .br
+ Networking: enabled
+.br
 .br
 26090:netblue::/usr/bin/firejail /opt/firefox/firefox
@@ -78,6 +86,8 @@ $ sudo jailcheck
 .br
 /run/user/1000,
 .br
+ Networking: enabled
+.br
 .br
 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
@@ -90,6 +100,8 @@ $ sudo jailcheck
 .br
 Warning: I can run programs in /home/netblue
 .br
+ Networking: enabled
+.br
 .SH LICENSE
-- 
cgit v1.2.3-54-g00ecf