nettrace/netlock

Makefile.in

@@ -27,12 +27,13 @@ COMPLETIONDIRS = src/zsh_completion src/bash_completion
 all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
 SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
-SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/profstats/profstats
+SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
+SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
+SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
-SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 

configure

@@ -4271,7 +4271,7 @@ fi
 
 ac_config_files="$ac_config_files mkdeb.sh"
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -5006,6 +5006,7 @@ do
  "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
  "src/jailcheck/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailcheck/Makefile" ;;
  "src/fids/Makefile") CONFIG_FILES="$CONFIG_FILES src/fids/Makefile" ;;
+ "src/fnettrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnettrace/Makefile" ;;
 
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac

configure.ac

@@ -272,7 +272,7 @@ AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
 src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
-src/jailcheck/Makefile src/fids/Makefile])
+src/jailcheck/Makefile src/fids/Makefile src/fnettrace/Makefile])
 AC_OUTPUT
 
 cat <<EOF

src/firejail/firejail.h

@@ -658,6 +658,8 @@ void set_cgroup(const char *fname, pid_t pid);
 void check_output(int argc, char **argv);
 
 // netfilter.c
+void netfilter_netlock(pid_t pid);
+void netfilter_trace(pid_t pid);
 void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);

src/firejail/main.c

@@ -408,6 +408,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  }
 #endif
 #ifdef HAVE_NETWORK
+ else if (strncmp(argv[i], "--nettrace=", 11) == 0) {
+ pid_t pid = require_pid(argv[i] + 11);
+ netfilter_trace(pid);
+ }
  else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
  if (checkcfg(CFG_NETWORK)) {
  logargs(argc, argv);
@@ -990,8 +994,10 @@ int main(int argc, char **argv, char **envp) {
  int option_cgroup = 0;
  int custom_profile = 0; // custom profile loaded
  int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot)
+ int arg_netlock = 0;
  char **ptr;
 
+
  // sanitize the umask
  orig_umask = umask(022);
 
@@ -2288,6 +2294,12 @@ int main(int argc, char **argv, char **envp) {
  //*************************************
  // network
  //*************************************
+ else if (strcmp(argv[i], "--netlock") == 0)
+ arg_netlock = 1;
+ else if (strncmp(argv[i], "--netlock=", 10) == 0) {
+ pid_t pid = require_pid(argv[i] + 10);
+ netfilter_netlock(pid);
+ }
  else if (strcmp(argv[i], "--net=none") == 0) {
  arg_nonetwork = 1;
  cfg.bridge0.configured = 0;
@@ -3220,6 +3232,16 @@ int main(int argc, char **argv, char **envp) {
  }
  EUID_USER();
 
+ // lock netfilter firewall
+ if (arg_netlock) {
+ char *cmd;
+ if (asprintf(&cmd, "firejail --netlock=%d&", getpid()) == -1)
+ errExit("asprintf");
+ int rv = system(cmd);
+ (void) rv;
+ free(cmd);
+ }
+
  int status = 0;
  //*****************************
  // following code is signal-safe
@@ -3237,26 +3259,6 @@ int main(int argc, char **argv, char **envp) {
  // end of signal-safe code
  //*****************************
 
-#if 0
-// at this point the sandbox was closed and we are on our way out
-// it would make sense to move this before waitpid above to free some memory
-// crash for now as of issue #3662 from dhcp code
- // free globals
- if (cfg.profile) {
- ProfileEntry *prf = cfg.profile;
- while (prf != NULL) {
- ProfileEntry *next = prf->next;
-printf("data #%s#\n", prf->data);
- if (prf->data)
- free(prf->data);
-printf("link #%s#\n", prf->link);
- if (prf->link)
- free(prf->link);
- free(prf);
- prf = next;
- }
- }
-#endif
 
 
  if (WIFEXITED(status)){

src/firejail/netfilter.c

@@ -24,6 +24,91 @@
 #include <sys/wait.h>
 #include <fcntl.h>
 
+void netfilter_netlock(pid_t pid) {
+ EUID_ASSERT();
+
+ // give the sandbox a chance to start up before entering the network namespace
+ sleep(1);
+ enter_network_namespace(pid);
+
+ char *flog;
+ if (asprintf(&flog, "/run/firejail/network/%d-netlock", getpid()) == -1)
+ errExit("asprintf");
+ FILE *fp = fopen(flog, "w");
+ if (!fp)
+ errExit("fopen");
+ fclose(fp);
+
+ // try to find a X terminal
+ char *terminal = NULL;
+ if (access("/usr/bin/lxterminal", X_OK) == 0)
+ terminal = "/usr/bin/lxterminal";
+ else if (access("/usr/bin/xterm", X_OK) == 0)
+ terminal = "/usr/bin/xterm";
+ else if (access("/usr/bin/xfce4-terminal", X_OK) == 0)
+ terminal = "/usr/bin/xfce4-terminal";
+ else if (access("/usr/bin/konsole", X_OK) == 0)
+ terminal = "/usr/bin/konsole";
+// problem: newer gnome-terminal versions don't support -e command line option???
+// else if (access("/usr/bin/gnome-terminal", X_OK) == 0)
+// terminal = "/usr/bin/gnome-terminal";
+
+ if (terminal) {
+ pid_t p = fork();
+ if (p == -1)
+ ; // run without terminal logger
+ else if (p == 0) { // child
+ drop_privs(0);
+
+ char *cmd;
+ if (asprintf(&cmd, "%s -e \"tail -f %s\"", terminal, flog) == -1)
+ errExit("asprintf");
+ int rv = system(cmd);
+ (void) rv;
+ exit(0);
+ }
+ }
+
+ char *cmd;
+ if (asprintf(&cmd, "%s/firejail/fnettrace --netfilter --log=%s", LIBDIR, flog) == -1)
+ errExit("asprintf");
+ free(flog);
+
+ //************************
+ // build command
+ //************************
+ char *arg[4];
+ arg[0] = "/bin/sh";
+ arg[1] = "-c";
+ arg[2] = cmd;
+ arg[3] = NULL;
+ clearenv();
+ sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
+ // it will never get here!!
+}
+
+void netfilter_trace(pid_t pid) {
+ EUID_ASSERT();
+
+ enter_network_namespace(pid);
+ char *cmd;
+ if (asprintf(&cmd, "%s/firejail/fnettrace", LIBDIR) == -1)
+ errExit("asprintf");
+
+ //************************
+ // build command
+ //************************
+ char *arg[4];
+ arg[0] = "/bin/sh";
+ arg[1] = "-c";
+ arg[2] = cmd;
+ arg[3] = NULL;
+
+ clearenv();
+ sbox_exec_v(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, arg);
+ // it will never get here!!
+}
+
 void check_netfilter_file(const char *fname) {
  EUID_ASSERT();
 

src/fnettrace/Makefile.in

@@ -0,0 +1,17 @@
+.PHONY: all
+all: fnettrace
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+ $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+fnettrace: $(OBJS)
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o fnettrace *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+ rm -fr Makefile

src/fnettrace/fnettrace.h

@@ -0,0 +1,64 @@
+#ifndef FNETTRACE_H
+#define FNETTRACE_H
+
+#include "../include/common.h"
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdarg.h>
+
+//#define NETLOCK_INTERVAL 60
+#define NETLOCK_INTERVAL 60
+#define DISPLAY_INTERVAL 3
+
+void logprintf(char* fmt, ...);
+
+static inline void ansi_topleft(int tolog) {
+ char str[] = {0x1b, '[', '1', ';', '1', 'H', '\0'};
+ if (tolog)
+ logprintf("%s", str);
+ else
+ printf("%s", str);
+ fflush(0);
+}
+
+static inline void ansi_clrscr(int tolog) {
+ ansi_topleft(tolog);
+ char str[] = {0x1b, '[', '0', 'J', '\0'};
+ if (tolog)
+ logprintf("%s", str);
+ else
+ printf("%s", str);
+ fflush(0);
+}
+
+static inline void ansi_linestart(int tolog) {
+ char str[] = {0x1b, '[', '0', 'G', '\0'};
+ if (tolog)
+ logprintf("%s", str);
+ else
+ printf("%s", str);
+ fflush(0);
+}
+
+static inline void ansi_clrline(int tolog) {
+ ansi_linestart(tolog);
+ char str[] = {0x1b, '[', '0', 'K', '\0'};
+ if (tolog)
+ logprintf("%s", str);
+ else
+ printf("%s", str);
+ fflush(0);
+}
+
+static inline uint8_t hash(uint32_t ip) {
+ uint8_t *ptr = (uint8_t *) &ip;
+ // simple byte xor
+ return *ptr ^ *(ptr + 1) ^ *(ptr + 2) ^ *(ptr + 3);
+}
+
+
+
+#endif