From be22445915de784101f62e12add44121c788165c Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 4 Apr 2016 18:02:19 -0400
Subject: grsecurity: more network fixes
---
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 63 +++++++++++++--------------------------------
 src/firejail/netfilter.c | 7 +++--
 src/firejail/network_main.c | 46 +++++++++++++++++++++++++++++++++
 4 files changed, 70 insertions(+), 47 deletions(-)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d58c6291d..e50b22b4e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -264,6 +264,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
 void net_dns_print_name(const char *name);
 void net_dns_print(pid_t pid);
+void network_main(pid_t child);
 // network.c
 void net_if_up(const char *ifname);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 0e0ec094c..e86aa85ac 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1965,54 +1965,27 @@ int main(int argc, char **argv) {
 printf("The new log directory is /proc/%d/root/var/log\n", child);
 }
-
- EUID_ROOT();
 if (!arg_nonetwork) {
- // create veth pair or macvlan device
- if (cfg.bridge0.configured) {
- if (cfg.bridge0.macvlan == 0) {
- net_configure_veth_pair(&cfg.bridge0, "eth0", child);
- }
- else
- net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
- }
-
- if (cfg.bridge1.configured) {
- if (cfg.bridge1.macvlan == 0)
- net_configure_veth_pair(&cfg.bridge1, "eth1", child);
- else
- net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
- }
-
- if (cfg.bridge2.configured) {
- if (cfg.bridge2.macvlan == 0)
- net_configure_veth_pair(&cfg.bridge2, "eth2", child);
- else
- net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
- }
-
- if (cfg.bridge3.configured) {
- if (cfg.bridge3.macvlan == 0)
- net_configure_veth_pair(&cfg.bridge3, "eth3", child);
- else
- net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
- }
-
- // move interfaces in sandbox
- if (cfg.interface0.configured) {
- net_move_interface(cfg.interface0.dev, child);
- }
- if (cfg.interface1.configured) {
- net_move_interface(cfg.interface1.dev, child);
- }
- if (cfg.interface2.configured) {
- net_move_interface(cfg.interface2.dev, child);
- }
- if (cfg.interface3.configured) {
- net_move_interface(cfg.interface3.dev, child);
+ EUID_ROOT();
+ pid_t net_child = fork();
+ if (net_child < 0)
+ errExit("fork");
+ if (net_child == 0) {
+ // elevate privileges in order to get grsecurity working
+ if (setreuid(0, 0))
+ errExit("setreuid");
+ if (setregid(0, 0))
+ errExit("setregid");
+ network_main(child);
+ if (arg_debug)
+ printf("Host network configured\n");
+ exit(0);
 }
+
+ // wait for the child to finish
+ waitpid(net_child, NULL, 0);
+ EUID_USER();
 }
- EUID_USER();
 // close each end of the unused pipes
 close(parent_to_child_fds[0]);
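Review bot: `waitpid(net_child, NULL, 0)` discards both its own return value and the helper's exit status, so if the setreuid/setregid calls or network_main() fail inside the forked child (errExit presumably exits non-zero), the parent carries on as if the host side of the network were configured and proceeds to start the sandbox. Collect and check the status before continuing, e.g. `int status; if (waitpid(net_child, &status, 0) < 0) errExit("waitpid");` followed by `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { fprintf(stderr, "Error: host network configuration failed\n"); exit(1); }`. A smaller point of style: the helper ends with `exit(0)`, which runs atexit handlers and flushes stdio buffers duplicated from the parent at fork time; `_exit(0)` is the usual choice for a forked child that does not exec. main() begins and ends outside this hunk.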
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 4a5499699..71abfb53d 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -139,7 +139,6 @@ void netfilter(const char *fname) {
 exit(1);
 }
 dup2(fd,STDIN_FILENO);
- close(fd);
 // wipe out environment variables
 environ = NULL;
@@ -155,6 +154,11 @@ void netfilter(const char *fname) {
 if (child < 0)
 errExit("fork");
 if (child == 0) {
+ // elevate privileges in order to get grsecurity working
+ if (setreuid(0, 0))
+ errExit("setreuid");
+ if (setregid(0, 0))
+ errExit("setregid");
 environ = NULL;
 execl(iptables, iptables, "-vL", NULL);
 // it will never get here!!!
@@ -246,7 +250,6 @@ void netfilter6(const char *fname) {
 exit(1);
 }
 dup2(fd,STDIN_FILENO);
- close(fd);
 // wipe out environment variables
 environ = NULL;
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index a8ebb3480..80f3bd579 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
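Review bot: Dropping `close(fd)` after `dup2(fd,STDIN_FILENO)` in the first hunk (and likewise in netfilter6() in the third hunk) leaves the original descriptor open next to stdin, so it is inherited by whatever is exec'd afterwards; the remainder of netfilter() and netfilter6() is outside these hunks. If the removal is meant to guard against fd already being 0, where dup2 is a no-op and the close would shut stdin, the precise form is `if (fd != STDIN_FILENO) close(fd);`, which still stops the descriptor leaking in every other case. If it was removed for another reason, a one-line comment saying why would keep the next reader from restoring the close.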
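Review bot: The setreuid/setregid elevation in the second hunk is added only to the `-vL` listing child of netfilter(); netfilter6() in the same file receives only the close(fd) removal, so if it forks an equivalent ip6tables listing child (not visible here) that path stays unelevated and would presumably fail under the same grsecurity restriction. The comment would also help more if it said what the elevation changes, since setreuid(0, 0) is a no-op for the effective uid when the process is already running as effective root: `// grsecurity presumably checks the real uid as well as the effective one; make both root before exec`. The enclosing function continues outside the hunk.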
@@ -278,3 +278,49 @@ void net_dns_print(pid_t pid) {
 free(fname);
 exit(0);
 }
+
+void network_main(pid_t child) {
+ // create veth pair or macvlan device
+ if (cfg.bridge0.configured) {
+ if (cfg.bridge0.macvlan == 0) {
+ net_configure_veth_pair(&cfg.bridge0, "eth0", child);
+ }
+ else
+ net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
+ }
+
+ if (cfg.bridge1.configured) {
+ if (cfg.bridge1.macvlan == 0)
+ net_configure_veth_pair(&cfg.bridge1, "eth1", child);
+ else
+ net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
+ }
+
+ if (cfg.bridge2.configured) {
+ if (cfg.bridge2.macvlan == 0)
+ net_configure_veth_pair(&cfg.bridge2, "eth2", child);
+ else
+ net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
+ }
+
+ if (cfg.bridge3.configured) {
+ if (cfg.bridge3.macvlan == 0)
+ net_configure_veth_pair(&cfg.bridge3, "eth3", child);
+ else
+ net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
+ }
+
+ // move interfaces in sandbox
+ if (cfg.interface0.configured) {
+ net_move_interface(cfg.interface0.dev, child);
+ }
+ if (cfg.interface1.configured) {
+ net_move_interface(cfg.interface1.dev, child);
+ }
+ if (cfg.interface2.configured) {
+ net_move_interface(cfg.interface2.dev, child);
+ }
+ if (cfg.interface3.configured) {
+ net_move_interface(cfg.interface3.dev, child);
+ }
+}
--
cgit v1.2.3-54-g00ecf
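Review bot: network_main() has no header comment although its calling contract is unusual: the main.c hunk runs it in a separate forked helper with real and effective uid 0, and any errExit() inside the net_* helpers presumably ends only that helper, so the caller has to inspect the helper's exit status to learn that host-side setup failed. A comment along the lines of `// Host-side network setup (veth/macvlan creation, interface moves) for sandbox pid child. Runs in a forked root helper in main(); failures exit that helper, so the caller must check its exit status.` would capture this. The body is also the same veth/macvlan block repeated for bridge0..bridge3, differing only in the Bridge and the interface name; a small table-driven loop keeps the behaviour identical and makes adding a bridge a one-entry change, as sketched below.
```c
void network_main(pid_t child) {
	// create veth pair or macvlan device
	Bridge *bridges[] = { &cfg.bridge0, &cfg.bridge1, &cfg.bridge2, &cfg.bridge3 };
	const char *ifnames[] = { "eth0", "eth1", "eth2", "eth3" };
	for (size_t i = 0; i < sizeof bridges / sizeof bridges[0]; i++) {
		if (!bridges[i]->configured)
			continue;
		if (bridges[i]->macvlan == 0)
			net_configure_veth_pair(bridges[i], ifnames[i], child);
		else
			net_create_macvlan(bridges[i]->devsandbox, bridges[i]->dev, child);
	}
	// … unchanged: move interfaces in sandbox (interface0..interface3) …
}
```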