From 6882f50a52aabdc01e703443bec0079dbf40b117 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 10 Jan 2016 13:29:34 -0500
Subject: network work

---
 src/firejail/firejail.h | 1 +
 src/firejail/network.c | 34 ++++++++++++++++++++++++++++++++++
 src/firejail/network_main.c | 6 +++---
 src/firejail/sandbox.c | 26 ++++++++++++++++++++++++++
 4 files changed, 64 insertions(+), 3 deletions(-)
(limited to 'src')

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 12f792af8..3ffb2b527 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -249,6 +249,7 @@ void net_dns_print(pid_t pid);
 // network.c
 void net_if_up(const char *ifname);
+void net_if_down(const char *ifname);
 void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
 int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu);
 int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 5f7a84a1e..ece406fc8 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -240,6 +240,40 @@ void net_if_up(const char *ifname) {
 close(sock);
 }
+// bring interface up
+void net_if_down(const char *ifname) {
+ if (strlen(ifname) > IFNAMSIZ) {
+ fprintf(stderr, "Error: invalid network device name %s\n", ifname);
+ exit(1);
+ }
+
+ int sock = socket(AF_INET,SOCK_DGRAM,0);
+ if (sock < 0)
+ errExit("socket");
+
+ // get the existing interface flags
+ struct ifreq ifr;
+ memset(&ifr, 0, sizeof(ifr));
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ ifr.ifr_addr.sa_family = AF_INET;
+
+ // read the existing flags
+ if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
+ close(sock);
+ errExit("ioctl");
+ }
+
+ ifr.ifr_flags &= ~IFF_UP;
+
+ // set the new flags
+ if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
+ close(sock);
+ errExit("ioctl");
+ }
+
+ close(sock);
+}
+
 // configure interface
 void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
 if (strlen(ifname) > IFNAMSIZ) {
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index c93c47eda..66eff0b85 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -121,12 +121,12 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
 errExit("asprintf");
 net_create_veth(dev, ifname, child);
- // bring up the interface
- net_if_up(dev);
-
 // add interface to the bridge
 net_bridge_add_interface(br->dev, dev);
+ // bring up the interface
+ net_if_up(dev);
+
 char *msg;
 if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1)
 errExit("asprintf");
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 356807acf..25662d90e 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
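Review bot: The length guard at the top of net_if_down, `if (strlen(ifname) > IFNAMSIZ)`, accepts a name of exactly IFNAMSIZ bytes, and the `strncpy(ifr.ifr_name, ifname, IFNAMSIZ)` below then fills ifr_name with no NUL terminator, so an over-long name is passed to the kernel unterminated (and at best silently truncated) instead of being rejected; the check should be `if (strlen(ifname) >= IFNAMSIZ) {`. The header comment `// bring interface up` is copied from net_if_up and should read `// bring interface down`. The same `> IFNAMSIZ` comparison is visible in the net_if_ip context at the end of the hunk and presumably in net_if_up, whose body starts outside the hunk, so the off-by-one applies there as well.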
@@ -161,6 +161,32 @@ static void monitor_application(pid_t app_pid) {
 if (app_pid != 0 && arg_debug)
 printf("Sandbox monitor: monitoring %u\n", app_pid);
 }
+
+#if 0
+// todo: find a way to shut down interfaces before closing the namespace
+// the problem is we don't have enough privileges to shutdown interfaces in this momen
+ // shut down bridge/macvlan interfaces
+ if (any_bridge_configured()) {
+
+ if (cfg.bridge0.configured) {
+ printf("Shutting down %s\n", cfg.bridge0.devsandbox);
+ net_if_down( cfg.bridge0.devsandbox);
+ }
+ if (cfg.bridge1.configured) {
+ printf("Shutting down %s\n", cfg.bridge1.devsandbox);
+ net_if_down( cfg.bridge1.devsandbox);
+ }
+ if (cfg.bridge2.configured) {
+ printf("Shutting down %s\n", cfg.bridge2.devsandbox);
+ net_if_down( cfg.bridge2.devsandbox);
+ }
+ if (cfg.bridge3.configured) {
+ printf("Shutting down %s\n", cfg.bridge3.devsandbox);
+ net_if_down( cfg.bridge3.devsandbox);
+ }
+ usleep(20000); // 20 ms sleep
+ }
+#endif
 }
--
cgit v1.2.3-70-g09d2
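Review bot: The `#if 0` block added at the tail of monitor_application is dead code that no build compiles, and the two comment lines above it are the only record of why the shutdown cannot run there; either drop the block and track the privilege problem in an issue, or keep it with the comment corrected: `// the problem is we don't have enough privileges to shut down interfaces at this moment`. If it is ever enabled, the four bridge blocks differ only in the bridge index and would read better as one loop over an array of `Bridge *` built from cfg.bridge0..bridge3, and `usleep(20000)` needs a comment saying what the 20 ms is waiting for rather than restating the number. monitor_application starts outside the hunk, so whether the new code runs before or after the monitoring loop returns cannot be confirmed from here.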