profile for building software and running test suites ? #842

Open
kapouer opened this issue Oct 7, 2016 · 7 comments
Labels
enhancement New feature request

Comments

@kapouer

kapouer commented Oct 7, 2016

Typical usage:
firejail debuild, firejail sbuild, firejail git-buildpackage...
It should only allow networking on the loopback interface, and shout loudly if anything tries to access the internet.

@reinerh
Collaborator

reinerh commented Oct 7, 2016

This came up on the debian-devel list btw:
https://lists.debian.org/debian-devel/2016/10/msg00116.html

@kapouer
Author

kapouer commented Oct 7, 2016

I tried
firejail --noprofile --net=none debuild
with some kind of success: I was able to spot two failing tests during the build, but wasn't able to tell
whether some other tests were not failing but were trying to access the internet anyway.

@reinerh
Collaborator

reinerh commented Oct 7, 2016

@netblue30 The feature request here is something like --tracelog, but for network access.

@reinerh
Collaborator

reinerh commented Oct 7, 2016

I guess something like that could be achieved with iptables and the LOG target.

@reinerh
Collaborator

reinerh commented Oct 7, 2016

$ cat /tmp/log.net
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j LOG
-A FORWARD -j LOG
-A OUTPUT -j LOG
COMMIT
$ firejail --noprofile --net=eth0 --ip=10.0.0.42 --netfilter=/tmp/log.net
...

Something like this should work, though it doesn't reach the kernel log (outside of firejail the rules are working).
I can also see with firejail --join-network=$pid /sbin/iptables -vL that the rules are applied and the counters are increasing.

Edit: Oww, LOG has been disabled in containers inside the kernel: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=69b34fb996b2eee3970548cf6eb516d3ecb5eeed
Edit2: Might be possible with NFLOG

@netblue30 netblue30 added the enhancement New feature request label Oct 8, 2016
@netblue30
Owner

You can set up a bridge:

$ sudo brctl addbr br0
$ sudo ifconfig br0 10.10.20.1/24

Disable routing, so traffic on the 10.10.20.1/24 network doesn't escape outside (the redirect has to run as root too, so use tee rather than a plain sudo echo):

$ echo 0 | sudo tee /proc/sys/net/ipv4/ip_forward

Start Wireshark and monitor br0 interface, and start the sandbox:

$ firejail --net=br0

The first ARP in the trace is the sandbox grabbing an IP address; you'll also get some IPv6 traffic as the sandbox is starting up. If you find a way to log the traffic automatically, I'll add it in.

@ruany
Contributor

ruany commented Sep 8, 2019

I've just discovered that Linux 4.11 allows network namespace iptables logging. I've been looking for this type of functionality for quite a long time now, but I've finally figured it out.

First, enable it:
$ sudo sysctl -w net.netfilter.nf_log_all_netns=1

/etc/iptables/logdeny.rules:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -j LOG
-A OUTPUT -j DROP

COMMIT

Launch the namespace:
$ firejail --noprofile --netfilter=/etc/iptables/logdeny.rules --net=eth0 --ip=192.168.1.84 --defaultgw=192.168.1.1

Run a test:
$ nc 192.168.1.1 80

Kill the command, then check your kernel logs (dmesg or journalctl):

Sep 08 10:30:24 desktop kernel: IN= OUT=eth0-1747823 SRC=192.168.1.84 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58978 DF PROTO=TCP SPT=37568 DPT=80 WINDOW=65340 RES=0x00 SYN URGP=0

With this setup you can deny all traffic and log all outbound attempts.

Another great use case is whitelisting specific IP addresses (and/or ports) for specific programs, and logging all packets dropped by the whitelist.

I also wrote a script which pipes blocked packets into desktop notifications.
~/.local/bin/iptables-snitch

#!/bin/bash
# Follow the kernel log for packets leaving the sandbox's veth (the LOG line
# carries OUT=eth0-<pid>) and raise a desktop notification for each one.
duration=9001
journalctl -qkfg 'OUT=eth0' |
while read -r line; do
    host=$(grep -Eo 'DST=[^ ]+' <<< "$line" | cut -c5-)
    port=$(grep -Eo 'DPT=[^ ]+' <<< "$line" | cut -c5-)
    notify-send -t "$duration" "Blocked packet. $host:$port"
done

My dream of logging dropped packets using Firejail's netfilter is complete :)
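Two things the thread asks for but never shows together are the whitelist-plus-log ruleset mentioned above and a way to turn the resulting kernel log into a per-destination summary, so a build or test log can be matched against the connections that were attempted (the original request). The following is an added example, not code from this thread or from the firejail project. It assumes the nf_log_all_netns=1 sysctl from the comment above is set, that the sandbox is on the 192.168.1.0/24 network used in that comment, and that the only hosts the build may reach are a hypothetical database at 192.168.1.10:5432 and DNS at 192.168.1.1:53; the "FJ-DROP " log prefix and the sample log lines are constructed for the example.

```bash
#!/bin/bash
# Added example (not from the thread or the firejail project): a
# whitelist-then-log-then-drop ruleset for firejail --netfilter, plus a
# summariser for the kernel LOG lines it produces.

# Write the ruleset in iptables-restore format, which is what --netfilter
# consumes. Policy is DROP on every chain; only loopback, replies to
# sandbox-initiated connections, and two whitelisted destinations pass.
# The whitelisted hosts are assumptions for this example.
write_whitelist_rules() {
  cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -d 192.168.1.10 --dport 5432 -j ACCEPT
-A OUTPUT -p udp -d 192.168.1.1 --dport 53 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "FJ-DROP "
-A OUTPUT -j DROP
-A INPUT -j LOG --log-prefix "FJ-DROP "
-A INPUT -j DROP
COMMIT
EOF
}

# Read kernel log lines on stdin (journalctl -k or dmesg), keep only those
# with our prefix, and print "count PROTO DST:DPT" sorted by count.
# Protocols without a destination port (ICMP) get "-" as the port.
summarize_blocked() {
  awk '/FJ-DROP/ {
    proto = ""; dst = ""; dpt = "-"
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "DST") dst = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    if (dst != "") count[proto " " dst ":" dpt]++
  }
  END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample log: same field layout as the LOG target output, with
# made-up addresses (TEST-NET ranges), ports and IDs. The last line is an
# unrelated kernel message that the summariser must ignore.
SAMPLE_LOG='Sep 08 10:30:24 desktop kernel: FJ-DROP IN= OUT=eth0-1747823 SRC=192.168.1.84 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58978 DF PROTO=TCP SPT=37568 DPT=443 WINDOW=65340 RES=0x00 SYN URGP=0
Sep 08 10:30:24 desktop kernel: FJ-DROP IN= OUT=eth0-1747823 SRC=192.168.1.84 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58979 DF PROTO=TCP SPT=37569 DPT=443 WINDOW=65340 RES=0x00 SYN URGP=0
Sep 08 10:30:25 desktop kernel: FJ-DROP IN= OUT=eth0-1747823 SRC=192.168.1.84 DST=203.0.113.53 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=UDP SPT=40000 DPT=53 LEN=48
Sep 08 10:30:25 desktop kernel: FJ-DROP IN= OUT=eth0-1747823 SRC=192.168.1.84 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Sep 08 10:30:26 desktop kernel: audit: type=1326 unrelated line'

# Intended use (not run here, needs the sandbox and root for the log):
#   write_whitelist_rules /tmp/whitelist.rules
#   firejail --noprofile --netfilter=/tmp/whitelist.rules --net=eth0 \
#       --ip=192.168.1.84 --defaultgw=192.168.1.1 debuild
#   journalctl -k --since "10 min ago" | summarize_blocked
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
```

The ruleset only covers IPv4; the startup IPv6 traffic mentioned earlier in the thread needs a matching ip6tables file passed with --netfilter6. If a noisy test suite floods the kernel log, add `-m limit` in front of the LOG rules, bearing in mind that any rate limit can hide attempts you wanted to see.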
