From f402d2c683ab9c93240362ea90d0a5ddba51481b Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 29 Oct 2018 09:37:03 -0400 Subject: adding --net.print command line option --- README.md | 21 ++++++++++++++--- RELNOTES | 1 + src/firejail/firejail.h | 2 ++ src/firejail/main.c | 10 +++++++++ src/firejail/netfilter.c | 55 ++------------------------------------------- src/firejail/network_main.c | 7 ++++++ src/firejail/usage.c | 1 + src/firejail/util.c | 38 +++++++++++++++++++++++++++++++ src/man/firejail.txt | 17 ++++++++++++++ 9 files changed, 96 insertions(+), 56 deletions(-) diff --git a/README.md b/README.md index 047fcbe20..b560b9b1b 100644 --- a/README.md +++ b/README.md @@ -98,9 +98,9 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe ````` ````` -# Current development version: 0.9.57 +## Current development version: 0.9.57 -# New Long Term Support (LTS) version +## New Long Term Support (LTS) version We are rebasing our Long Term Support branch of Firejail. The current LTS version (0.9.38.x) is more than two years old. The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely 
@@ -128,7 +128,22 @@ firejail (0.9.56-LTS~rc1) baseline; urgency=low The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase -# New profiles: +## New commands: +````` + --net.print=name|pid + If a new network namespace is enabled, print network interface + configuration for the sandbox specified by name or PID. Exam‐ + ple: + + $ firejail --net.print=browser + Switching to pid 1853, the first child process inside the + sandbox + Interface MAC IP Mask Status + lo 127.0.0.1 255.0.0.0 UP + eth0-1852 5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP +````` + +## New profiles: QMediathekView, aria2c, Authenticator, checkbashisms, devilspie, devilspie2, easystroke, github-desktop, min, bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat, lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep, diff --git a/RELNOTES b/RELNOTES index 09bdeb18f..ee5a24e86 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,6 +1,7 @@ firejail (0.9.56.1) baseline; urgency=low * work in progress * --disable-mnt rework + * --net.print command * new profiles: QMediathekView, aria2c, Authenticator, checkbashisms * new profiles: devilspie, devilspie2, easystroke, github-desktop, min * new profiles: bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2d96863c5..7f6ed2586 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -416,6 +416,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child); void net_check_cfg(void); void net_dns_print(pid_t pid); void network_main(pid_t child); +void net_print(pid_t pid); // network.c int check_ip46_address(const char *addr); 
@@ -547,6 +548,7 @@ void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 int safe_fd(const char *path, int flags);
 int invalid_sandbox(const pid_t pid);
+void enter_network_namespace(pid_t pid);
 
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 29e3df7c6..23d9a1d51 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -592,6 +592,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 		else
 			exit_err_feature("networking");
 	}
+	else if (strncmp(argv[i], "--net.print=", 12) == 0) {
+		if (checkcfg(CFG_NETWORK)) {
+			// extract pid or sandbox name
+			pid_t pid = require_pid(argv[i] + 12);
+			net_print(pid);
+			exit(0);
+		}
+		else
+			exit_err_feature("networking");
+	}
 #endif
 #ifdef HAVE_FILE_TRANSFER
 	else if (strncmp(argv[i], "--get=", 6) == 0) {
@@ -132,63 +132,12 @@ void netfilter6(const char *fname) {
 
 void netfilter_print(pid_t pid, int ipv6) {
 	EUID_ASSERT();
-	// verify sandbox
-	EUID_ROOT();
-	char *comm = pid_proc_comm(pid);
-	EUID_USER();
-	if (!comm) {
-		fprintf(stderr, "Error: cannot find sandbox\n");
-		exit(1);
-	}
-
-	// check for firejail sandbox
-	if (strcmp(comm, "firejail") != 0) {
-		fprintf(stderr, "Error: cannot find sandbox\n");
-		exit(1);
-	}
-	free(comm);
-
-	// check privileges for non-root users
-	uid_t uid = getuid();
-	if (uid != 0) {
-		uid_t sandbox_uid = pid_get_uid(pid);
-		if (uid != sandbox_uid) {
-			fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
-			exit(1);
-		}
-	}
-
-	// check network namespace
-	char *name;
-	if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
-		errExit("asprintf");
-	struct stat s;
-	if (stat(name, &s) == -1) {
-		fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
-		exit(1);
-	}
-
-	// join the network namespace
-	pid_t child;
-	if (find_child(pid, &child) == 1) {
-		fprintf(stderr, "Error: cannot join the network namespace\n");
-		exit(1);
-	}
-
-	if (invalid_sandbox(child)) {
-		fprintf(stderr, "Error: cannot join the network namespace\n");
-		exit(1);
-	}
-
-	EUID_ROOT();
-	if (join_namespace(child, "net")) {
-		fprintf(stderr, "Error: cannot join the network namespace\n");
-		exit(1);
-	}
+	enter_network_namespace(pid);
 
 	// find iptables executable
 	char *iptables = NULL;
 //	char *iptables_restore = NULL;
+	struct stat s;
 	if (ipv6) {
 		if (stat("/sbin/ip6tables", &s) == 0)
 			iptables = "/sbin/ip6tables";
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index cdb4c6514..4dee07219 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -372,3 +372,10 @@ void network_main(pid_t child) {
 
 	free(cstr);
 }
+
+void net_print(pid_t pid) {
+	EUID_ASSERT();
+
+	enter_network_namespace(pid);
+	sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET_MAIN, "printif");
+}
\ No newline at end of file
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b8f8b4f2f..84bc22571 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -115,6 +115,7 @@ static char *usage_str =
 	" --net=ethernet_interface - enable network namespaces and connect to this\n"
 	"\tEthernet interface.\n"
 	" --net=none - enable a new, unconnected network namespace.\n"
+	" --net.print=name|pid - print network interface configuration.\n"
 	" --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n"
 	" --netfilter.print=name|pid - print the firewall.\n"
 	" --netfilter6=filename - enable IPv6 firewall.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 866ef4653..47b237911 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
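Review bot: net_print carries no comment stating its contract: enter_network_namespace exits the process on any failure and, when it does return, leaves the effective uid at root, which is what the following `sbox_run(SBOX_ROOT | ...)` call then runs under. Suggest `// Join the sandbox's network namespace (exits on failure) and list its interfaces via fnet printif; runs with effective uid root.` above the definition so the privilege state is explicit at the call site. The file is also left without a trailing newline, as the diff marker shows.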
@@ -1225,3 +1225,41 @@ int invalid_sandbox(const pid_t pid) {
 
 	return 0;
 }
+
+void enter_network_namespace(pid_t pid) {
+	// in case the pid is that of a firejail process, use the pid of the first child process
+	pid_t child = switch_to_child(pid);
+
+	// now check if the pid belongs to a firejail sandbox
+	if (invalid_sandbox(child)) {
+		fprintf(stderr, "Error: no valid sandbox\n");
+		exit(1);
+	}
+
+	// check privileges for non-root users
+	uid_t uid = getuid();
+	if (uid != 0) {
+		uid_t sandbox_uid = pid_get_uid(pid);
+		if (uid != sandbox_uid) {
+			fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
+			exit(1);
+		}
+	}
+
+	// check network namespace
+	char *name;
+	if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
+		errExit("asprintf");
+	struct stat s;
+	if (stat(name, &s) == -1) {
+		fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
+		exit(1);
+	}
+
+	// join the namespace
+	EUID_ROOT();
+	if (join_namespace(child, "net")) {
+		fprintf(stderr, "Error: cannot join the network namespace\n");
+		exit(1);
+	}
+}
\ No newline at end of file
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f7d18536d..9eb290fef 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
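Review bot: The ownership check in enter_network_namespace authorizes `pid` (`pid_get_uid(pid)`), but the privileged operation, `join_namespace(child, "net")`, acts on `child`, which switch_to_child may have resolved to a different process; the check should cover the process that is actually joined, e.g. compare against `pid_get_uid(child)` as well before calling EUID_ROOT(). The `name` buffer from asprintf is never released after the stat; add `free(name);` once the netmap check has passed. The function also returns with EUID_ROOT() in effect and no matching EUID_USER(), so its callers (netfilter_print and net_print) continue privileged — a comment such as `// on success returns with effective uid root; exits the process on any failure` above the definition would make that contract visible. The file is left without a trailing newline.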
@@ -848,6 +848,23 @@ $ firejail \-\-net=none vlc Note: \-\-net=none can crash the application on some platforms. In these cases, it can be replaced with \-\-protocol=unix. +.TP +\fB\-\-net.print=name|pid +If a new network namespace is enabled, print network interface configuration for the sandbox specified by name or PID. Example: +.br + +.br +$ firejail --net.print=browser +.br +Switching to pid 1853, the first child process inside the sandbox +.br +Interface MAC IP Mask Status +.br +lo 127.0.0.1 255.0.0.0 UP +.br +eth0-1852 5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP +.br + .TP \fB\-\-netfilter Enable a default firewall if a new network namespace is created inside the sandbox. -- cgit v1.2.3-54-g00ecf