From f402d2c683ab9c93240362ea90d0a5ddba51481b Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 29 Oct 2018 09:37:03 -0400
Subject: adding --net.print command line option
---
src/firejail/firejail.h | 2 ++
src/firejail/main.c | 10 +++++++++
src/firejail/netfilter.c | 55 ++-------------------------------------------
src/firejail/network_main.c | 7 ++++++
src/firejail/usage.c | 1 +
src/firejail/util.c | 38 +++++++++++++++++++++++++++++++
src/man/firejail.txt | 17 ++++++++++++++
7 files changed, 77 insertions(+), 53 deletions(-)
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2d96863c5..7f6ed2586 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -416,6 +416,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
 void net_dns_print(pid_t pid);
 void network_main(pid_t child);
+void net_print(pid_t pid);
 // network.c
 int check_ip46_address(const char *addr);
@@ -547,6 +548,7 @@ void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 int safe_fd(const char *path, int flags);
 int invalid_sandbox(const pid_t pid);
+void enter_network_namespace(pid_t pid);
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 29e3df7c6..23d9a1d51 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -592,6 +592,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 else
 exit_err_feature("networking");
 }
+ else if (strncmp(argv[i], "--net.print=", 12) == 0) {
+ if (checkcfg(CFG_NETWORK)) {
+ // extract pid or sandbox name
+ pid_t pid = require_pid(argv[i] + 12);
+ net_print(pid);
+ exit(0);
+ }
+ else
+ exit_err_feature("networking");
+ }
 #endif
 #ifdef HAVE_FILE_TRANSFER
 else if (strncmp(argv[i], "--get=", 6) == 0) {
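Review bot: The `--net.print=` branch in run_cmd_and_exit always finishes with `exit(0)`, so a failure inside net_print cannot surface in the command's exit status; net_print (network_main.c hunk of this commit) is declared void and discards the result of its sbox_run call. If sbox_run reports the helper's status — its contract is not visible here — consider returning that value from net_print and using it here, `exit(net_print(pid));` with the prototype in firejail.h changed to `int net_print(pid_t pid);`. The `--netfilter.print=` branch just above is presumably the template for this code, so it likely has the same shape. run_cmd_and_exit's body starts and ends outside the hunk.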
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 8fbd11bba..ed2d019ab 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -132,63 +132,12 @@ void netfilter6(const char *fname) {
 void netfilter_print(pid_t pid, int ipv6) {
 EUID_ASSERT();
- // verify sandbox
- EUID_ROOT();
- char *comm = pid_proc_comm(pid);
- EUID_USER();
- if (!comm) {
- fprintf(stderr, "Error: cannot find sandbox\n");
- exit(1);
- }
-
- // check for firejail sandbox
- if (strcmp(comm, "firejail") != 0) {
- fprintf(stderr, "Error: cannot find sandbox\n");
- exit(1);
- }
- free(comm);
-
- // check privileges for non-root users
- uid_t uid = getuid();
- if (uid != 0) {
- uid_t sandbox_uid = pid_get_uid(pid);
- if (uid != sandbox_uid) {
- fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
- exit(1);
- }
- }
-
- // check network namespace
- char *name;
- if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
- errExit("asprintf");
- struct stat s;
- if (stat(name, &s) == -1) {
- fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
- exit(1);
- }
-
- // join the network namespace
- pid_t child;
- if (find_child(pid, &child) == 1) {
- fprintf(stderr, "Error: cannot join the network namespace\n");
- exit(1);
- }
-
- if (invalid_sandbox(child)) {
- fprintf(stderr, "Error: cannot join the network namespace\n");
- exit(1);
- }
-
- EUID_ROOT();
- if (join_namespace(child, "net")) {
- fprintf(stderr, "Error: cannot join the network namespace\n");
- exit(1);
- }
+ enter_network_namespace(pid);
 // find iptables executable
 char *iptables = NULL;
 // char *iptables_restore = NULL;
+ struct stat s;
 if (ipv6) {
 if (stat("/sbin/ip6tables", &s) == 0)
 iptables = "/sbin/ip6tables";
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index cdb4c6514..4dee07219 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
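Review bot: Swapping the inline checks for `enter_network_namespace(pid)` changes what netfilter_print accepts, and nothing in the hunk or the commit message records that: the removed code required `pid_proc_comm(pid)` to be exactly `firejail` and only then located the child with find_child, whereas the helper (util.c hunk) starts from `switch_to_child(pid)` and validates only that child with invalid_sandbox. If accepting a sandboxed child pid directly is the intended widening, a one-line comment at the call site, `// validates the target (firejail pid or its first child), joins its net namespace, exits on failure`, would keep a later reader from re-adding the comm check. Moving `struct stat s;` below the call, where it is only reused for the iptables lookups, is fine. netfilter_print's body continues past the end of the hunk.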
@@ -372,3 +372,10 @@ void network_main(pid_t child) {
 free(cstr);
 }
+
+void net_print(pid_t pid) {
+ EUID_ASSERT();
+
+ enter_network_namespace(pid);
+ sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, PATH_FNET_MAIN, "printif");
+}
\ No newline at end of file
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b8f8b4f2f..84bc22571 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -115,6 +115,7 @@ static char *usage_str =
 " --net=ethernet_interface - enable network namespaces and connect to this\n"
 "\tEthernet interface.\n"
 " --net=none - enable a new, unconnected network namespace.\n"
+ " --net.print=name|pid - print network interface configuration.\n"
 " --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n"
 " --netfilter.print=name|pid - print the firewall.\n"
 " --netfilter6=filename - enable IPv6 firewall.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 866ef4653..47b237911 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
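Review bot: net_print has no header comment, and its two calls hide most of the control flow: enter_network_namespace (util.c hunk) calls `exit(1)` on every failure path, so this function never returns on error, and it ends with `EUID_ROOT()` with no matching `EUID_USER()`, so the sbox_run call presumably runs with the effective uid still elevated. A comment above the definition such as `// print the network interfaces of the sandbox identified by pid; enter_network_namespace() exits on failure` would record both. The hunk also leaves network_main.c without a trailing newline (`\ No newline at end of file`), as does the util.c hunk; worth fixing before merge so later diffs stay clean.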
@@ -1225,3 +1225,41 @@ int invalid_sandbox(const pid_t pid) {
 return 0;
 }
+
+void enter_network_namespace(pid_t pid) {
+ // in case the pid is that of a firejail process, use the pid of the first child process
+ pid_t child = switch_to_child(pid);
+
+ // now check if the pid belongs to a firejail sandbox
+ if (invalid_sandbox(child)) {
+ fprintf(stderr, "Error: no valid sandbox\n");
+ exit(1);
+ }
+
+ // check privileges for non-root users
+ uid_t uid = getuid();
+ if (uid != 0) {
+ uid_t sandbox_uid = pid_get_uid(pid);
+ if (uid != sandbox_uid) {
+ fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
+ exit(1);
+ }
+ }
+
+ // check network namespace
+ char *name;
+ if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
+ errExit("asprintf");
+ struct stat s;
+ if (stat(name, &s) == -1) {
+ fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
+ exit(1);
+ }
+
+ // join the namespace
+ EUID_ROOT();
+ if (join_namespace(child, "net")) {
+ fprintf(stderr, "Error: cannot join the network namespace\n");
+ exit(1);
+ }
+}
\ No newline at end of file
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f7d18536d..9eb290fef 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
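Review bot: `name` from asprintf is never freed, as in the removed netfilter_print code, but now the helper returns into callers that keep running (netfilter_print goes on to locate iptables), so this refactor is the moment to release it: `int rc = stat(name, &s);` / `free(name);` / `if (rc == -1) {`, leaving the error branch as it is. Two further things deserve a look: the ownership check and the `%d-netmap` path are built from `pid` while invalid_sandbox and join_namespace use `child`, so when switch_to_child returns a different pid than it was given — its comment says it does for a firejail process — the uid compared and the netmap file looked up belong to the parent, not the namespace actually joined; the removed code had the same split, so this is a question about intent rather than a regression, but it is worth confirming that passing the child pid directly, which the first comment implies is allowed, still finds the netmap file. Finally the function returns with `EUID_ROOT()` in effect and no `EUID_USER()`; a header comment stating that it exits on any failure and returns with the effective uid left at root would save every caller from guessing.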
@@ -848,6 +848,23 @@ $ firejail \-\-net=none vlc
 Note: \-\-net=none can crash the application on some platforms. In these cases, it can be replaced with \-\-protocol=unix.
+.TP
+\fB\-\-net.print=name|pid
+If a new network namespace is enabled, print network interface configuration for the sandbox specified by name or PID. Example:
+.br
+
+.br
+$ firejail --net.print=browser
+.br
+Switching to pid 1853, the first child process inside the sandbox
+.br
+Interface MAC IP Mask Status
+.br
+lo 127.0.0.1 255.0.0.0 UP
+.br
+eth0-1852 5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
+.br
+
 .TP
 \fB\-\-netfilter
 Enable a default firewall if a new network namespace is created inside the sandbox.
--
cgit v1.2.3-54-g00ecf