From d50b3b3db2df3ac5e82bbf49eb8de132099488f0 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 28 Sep 2016 13:23:09 -0400
Subject: --veth-name option

---
 README.md | 7 +++++++
 RELNOTES | 2 ++
 src/firejail/firejail.h | 2 ++
 src/firejail/main.c | 21 +++++++++++++++++++++
 src/firejail/network.c | 6 ++++++
 src/firejail/network_main.c | 9 +++++++--
 src/firejail/profile.c | 24 +++++++++++++++++++++++-
 src/firejail/usage.c | 4 ++++
 src/man/firejail-profile.txt | 5 +++++
 src/man/firejail.txt | 12 ++++++++++++
 10 files changed, 89 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 43489d38a..05cfd3b11 100644
--- a/README.md
+++ b/README.md
@@ -73,6 +73,13 @@ If you keep your Firejail profiles in a public repository, please give us a link
 Example:
 $ firejail --no3d firefox
+ --veth-name=name
+ Use this name for the interface connected to the bridge for
+ --net=bridge_interface commands, instead of the default one.
+
+ Example:
+ $ firejail --net=br0 --veth-name=if0
+
 `````
 ## New profile commands
diff --git a/RELNOTES b/RELNOTES
index 8b47ee8e4..9b746e229 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,8 @@ firejail (0.9.43) baseline; urgency=low
 * modifs: Nvidia drivers added to --private-dev
 * feature: support starting/joining sandbox is a single command (--join-or-start)
+ * feature: assign a name to the interface connected to the bridge
+ (--veth-name)
 * feature: all user home directories are visible (--allusers)
 * feature: add files to sandbox container (--put)
 * feature: blocking x11 (--x11=block)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4ee1c943a..29cdc2c20 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -131,6 +131,8 @@ typedef struct bridge_t {
 uint8_t mac[6]; // interface mac address
 int mtu; // interface mtu
+ char *veth_name; // veth name for the device connected to the bridge
+ // inside the sandbox
 char *devsandbox; // name of the device inside the sandbox
 uint32_t ipsandbox; // ip address inside the sandbox
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c2d71bdf5..8576c9ee4 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1855,6 +1855,27 @@ int main(int argc, char **argv) {
 }
 }
+ else if (strncmp(argv[i], "--veth-name=", 12) == 0) {
+ if (checkcfg(CFG_NETWORK)) {
+ Bridge *br = last_bridge_configured();
+ if (br == NULL) {
+ fprintf(stderr, "Error: no network device configured\n");
+ exit(1);
+ }
+ br->veth_name = strdup(argv[i] + 12);
+ if (br->veth_name == NULL)
+ errExit("strdup");
+ if (*br->veth_name == '\0') {
+ fprintf(stderr, "Error: no veth-name configured\n");
+ exit(1);
+ }
+ }
+ else {
+ fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+ exit(1);
+ }
+ }
+
 else if (strcmp(argv[i], "--scan") == 0) {
 if (checkcfg(CFG_NETWORK)) {
 arg_scan = 1;
diff --git a/src/firejail/network.c b/src/firejail/network.c
index aac48e521..4473ef099 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -204,6 +204,7 @@ void net_if_up(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+ printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
@@ -212,6 +213,7 @@ void net_if_up(const char *ifname) {
 // set the new flags
 if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
 close(sock);
+ printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
@@ -219,6 +221,7 @@ void net_if_up(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+ printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
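Review bot: The comment on the new `veth_name` field describes the device as being "inside the sandbox", but in the net_configure_veth_pair hunk of this same patch the name is passed as the `dev` argument, the end that is then added to the bridge, while `ifname` (devsandbox) is the end handed to the child; so the field names the host-side end of the pair, and the current wording will mislead the next reader. Suggest `// host-side veth end attached to the bridge; NULL selects the default "veth<pid><ifname>"`. It would also help to record in the comment that the string is heap-allocated by the option/profile parsers (strdup) and who is expected to free it, since nothing in this patch does.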
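Review bot: The value after `--veth-name=` is only rejected when empty before it becomes a kernel interface name; there is no length or character check, although Linux interface names are limited to IFNAMSIZ-1 bytes and may not contain '/' or whitespace. An over-long or malformed value therefore fails later inside net_create_veth with a far less helpful error, and since the name is chosen by the invoking user but applied to the host-side end of the pair, validating it at the parsing point is the right place. Add after the empty check `if (strlen(br->veth_name) >= IFNAMSIZ) { fprintf(stderr, "Error: veth-name too long\n"); exit(1); }` (IFNAMSIZ from <net/if.h>, assuming it is already included here). A repeated `--veth-name=` also leaks the previous strdup; a `free(br->veth_name);` before the assignment covers that. The same applies to the `veth-name ` profile handler added to profile.c later in this patch.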
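Review bot: The new diagnostics in net_if_up go to stdout via printf, while the errExit("ioctl") that immediately follows reports on stderr (as do the fprintf(stderr, ...) messages added elsewhere in this patch), so one failure is split across two streams and the interface name disappears when stdout is redirected or closed. Change each to `fprintf(stderr, "Error: cannot bring up interface %s\n", ifname);`, and likewise the "cannot shut down" variant. The same applies to the other five net_if_up/net_if_down hunks, including the three on the next line of the patch; both function bodies start outside the hunks.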
@@ -230,6 +233,7 @@ void net_if_up(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+ printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
 if (ifr.ifr_flags & IFF_RUNNING)
@@ -260,6 +264,7 @@ void net_if_down(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+ printf("Error: cannot shut down interface %s\n", ifname);
 errExit("ioctl");
 }
@@ -268,6 +273,7 @@ void net_if_down(const char *ifname) {
 // set the new flags
 if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
 close(sock);
+ printf("Error: cannot shut down interface %s\n", ifname);
 errExit("ioctl");
 }
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index 396c612b1..907b84642 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -120,8 +120,13 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
 // create a veth pair
 char *dev;
- if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0)
- errExit("asprintf");
+ if (br->veth_name == NULL) {
+ if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0)
+ errExit("asprintf");
+ }
+ else
+ dev = br->veth_name;
+
 net_create_veth(dev, ifname, child);
 // add interface to the bridge
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 1e1ccaf0e..079324f14 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
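Review bot: After this change `dev` in net_configure_veth_pair has two different owners: a heap string from asprintf in the NULL branch, but a bare alias of `br->veth_name` in the else branch. The function body continues past the hunk, so whether `dev` is later freed cannot be seen here; if it is, the user-supplied branch would free the Bridge's field and leave `br->veth_name` dangling, and if it is not, the asprintf string leaks as before. Making both branches produce memory the function owns removes the ambiguity: `else if ((dev = strdup(br->veth_name)) == NULL) errExit("strdup");`. Bracing the else like the if branch would also match the surrounding style.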
@@ -302,6 +302,29 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
+ else if (strncmp(ptr, "veth-name ", 10) == 0) {
+#ifdef HAVE_NETWORK
+ if (checkcfg(CFG_NETWORK)) {
+ Bridge *br = last_bridge_configured();
+ if (br == NULL) {
+ fprintf(stderr, "Error: no network device configured\n");
+ exit(1);
+ }
+
+ br->veth_name = strdup(ptr + 10);
+ if (br->veth_name == NULL)
+ errExit("strdup");
+ if (*br->veth_name == '\0') {
+ fprintf(stderr, "Error: no veth-name configured\n");
+ exit(1);
+ }
+ }
+ else
+ fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+ return 0;
+ }
+
 else if (strncmp(ptr, "iprange ", 8) == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {
@@ -348,7 +371,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
-// from here
 else if (strncmp(ptr, "mac ", 4) == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 78ba34fd2..903817099 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -272,6 +272,10 @@ void usage(void) {
 printf("\tdirectoires blacklisted by the security profile.\n\n");
 printf(" --tree - print a tree of all sandboxed processes.\n\n");
 printf(" --version - print program version and exit.\n\n");
+#ifdef HAVE_NETWORK
+ printf(" --veth-name=name - use this name for the interface connected to the bridge\n");
+ printf("\tfor --net=bridgename commands, instead of the default one.\n\n");
+#endif
 #ifdef HAVE_WHITELIST
 printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
 #endif
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b945f6828..4c5651925 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -474,6 +474,11 @@ available in the new namespace is a new loopback interface (lo).
 Use this option to deny network access to programs that don't really need network access.
+.TP
+\fBveth-name name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands,
+instead of the default one.
+
 .SH Other
 .TP
 \fBjoin-or-start sandboxname
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index fe3e53044..2c4944331 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1605,6 +1605,18 @@ Example:
 $ firejail \-\-version
 .br
 firejail version 0.9.27
+
+.TP
+\fB\-\-veth-name=name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands,
+instead of the default one.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=br0 --veth-name=if0
+
 .TP
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
-- 
cgit v1.2.3-54-g00ecf