network code split

Makefile.in

@@ -1,6 +1,6 @@
 all: apps man
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect
+APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/libconnect src/fnet
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 
 prefix=@prefix@
@@ -76,6 +76,7 @@ realinstall:
  install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
  install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
+ install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
  # documents
  install -m 0755 -d $(DESTDIR)/$(DOCDIR)
  install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
@@ -124,6 +125,7 @@ install-strip: all
  strip src/libconnect/libconnect.so
  strip src/ftee/ftee
  strip src/faudit/faudit
+ strip src/fnet/fnet
  $(MAKE) realinstall
 
 uninstall:

configure

@@ -3759,7 +3759,7 @@ if test "$prefix" = /usr; then
  sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4470,6 +4470,7 @@ do
  case $ac_config_target in
  "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
  "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;;
+ "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
  "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;;
  "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
  "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;

configure.ac

@@ -148,7 +148,7 @@ if test "$prefix" = /usr; then
  sysconfdir="/etc"
 fi
 
-AC_OUTPUT(Makefile src/lib/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile)
+AC_OUTPUT(Makefile src/lib/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/libconnect/Makefile)
 
 echo
 echo "Configuration options:"

src/firejail/Makefile.in

@@ -30,11 +30,11 @@ BINOBJS = $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h
  $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
- $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -f *.o firejail firejail.1 firejail.1.gz
 

src/firejail/appimage_size.c

@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
 /*
 Compile with:
 gcc elfsize.c -o elfsize
@@ -9,7 +28,6 @@ Size of section headers e_shentsize 64
 Number of section headers e_shnum 29
 e_shoff + ( e_shentsize * e_shnum ) = 126584
 */
-
 #include <elf.h>
 #include <byteswap.h>
 #include <stdio.h>

src/firejail/firejail.h

@@ -362,7 +362,6 @@ void net_if_ip6(const char *ifname, const char *addr6);
 int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu);
 int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);
 void net_ifprint(void);
-void net_bridge_add_interface(const char *bridge, const char *dev);
 uint32_t network_get_defaultgw(void);
 int net_config_mac(const char *ifname, const unsigned char mac[6]);
 int net_get_mac(const char *ifname, unsigned char mac[6]);
@@ -432,11 +431,6 @@ uint32_t arp_assign(const char *dev, Bridge *br);
 // scan interface (--scan option)
 void arp_scan(const char *dev, uint32_t srcaddr, uint32_t srcmask);
 
-// veth.c
-int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
-int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
-int net_move_interface(const char *dev, unsigned pid);
-
 // util.c
 void drop_privs(int nogroups);
 int mkpath_as_root(const char* path);

src/firejail/network.c

@@ -431,52 +431,6 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
 }
 
 
-// add a veth device to a bridge
-void net_bridge_add_interface(const char *bridge, const char *dev) {
- if (strlen(bridge) > IFNAMSIZ) {
- fprintf(stderr, "Error: invalid network device name %s\n", bridge);
- exit(1);
- }
-
- // somehow adding the interface to the bridge resets MTU on bridge device!!!
- // workaround: restore MTU on the bridge device
- // todo: put a real fix in
- int mtu1 = net_get_mtu(bridge);
-
- struct ifreq ifr;
- int err;
- int ifindex = if_nametoindex(dev);
-
- if (ifindex <= 0)
- errExit("if_nametoindex");
-
- int sock;
- if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- errExit("socket");
-
- memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
-#ifdef SIOCBRADDIF
- ifr.ifr_ifindex = ifindex;
- err = ioctl(sock, SIOCBRADDIF, &ifr);
- if (err < 0)
-#endif
- {
- unsigned long args[4] = { BRCTL_ADD_IF, ifindex, 0, 0 };
-
- ifr.ifr_data = (char *) args;
- err = ioctl(sock, SIOCDEVPRIVATE, &ifr);
- }
- (void) err;
- close(sock);
-
- int mtu2 = net_get_mtu(bridge);
- if (mtu1 != mtu2) {
- if (arg_debug)
- printf("Restoring MTU for %s\n", bridge);
- net_set_mtu(bridge, mtu1);
- }
-}
 
 #define BUFSIZE 1024
 uint32_t network_get_defaultgw(void) {

src/firejail/network_main.c

@@ -23,6 +23,50 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <net/if.h>
+#include <stdarg.h>
+
+static void fnet_run(int num, ...) {
+ int i;
+ va_list valist;
+ va_start(valist, num);
+
+ char *fnet;
+ if (asprintf(&fnet, "%s/firejail/fnet", LIBDIR) == -1)
+ errExit("asprintf");
+
+ char *arg[num + 2];
+ arg[0] = fnet;
+ for (i = 0; i < num; i++)
+ arg[i + 1] = va_arg(valist, char*);
+ arg[i + 1] = NULL;
+
+ pid_t child = fork();
+ if (child < 0)
+ errExit("fork");
+ if (child == 0) {
+ // elevate privileges in order to get grsecurity working
+ if (setreuid(0, 0))
+ errExit("setreuid");
+ if (setregid(0, 0))
+ errExit("setregid");
+
+ execvp(arg[0], arg);
+ perror("execl");
+ _exit(1);
+ }
+
+ int status;
+ if (waitpid(child, &status, 0) == -1 ) {
+ errExit("waitpid");
+ }
+ if (WIFEXITED(status) && status != 0) {
+ fprintf(stderr, "Error: cannot run fnet\n");
+ exit(1);
+ }
+
+ va_end(valist);
+ free(fnet);
+}
 
 // configure bridge structure
 // - extract ip address and mask from the bridge interface
@@ -127,13 +171,12 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
  else
  dev = br->veth_name;
 
- net_create_veth(dev, ifname, child);
-
- // add interface to the bridge
- net_bridge_add_interface(br->dev, dev);
-
- // bring up the interface
- net_if_up(dev);
+// net_create_veth(dev, ifname, child);
+ char *cstr;
+ if (asprintf(&cstr, "%d", child) == -1)
+ errExit("asprintf");
+ fnet_run(6, "create", "veth", dev, ifname, br->dev, cstr);
+ free(cstr);
 
  char *msg;
  if (asprintf(&msg, "%d.%d.%d.%d address assigned to sandbox", PRINT_IP(br->ipsandbox)) == -1)
@@ -290,47 +333,61 @@ void net_dns_print(pid_t pid) {
 }
 
 void network_main(pid_t child) {
+ char *cstr;
+ if (asprintf(&cstr, "%d", child) == -1)
+ errExit("asprintf");
+
  // create veth pair or macvlan device
  if (cfg.bridge0.configured) {
  if (cfg.bridge0.macvlan == 0) {
  net_configure_veth_pair(&cfg.bridge0, "eth0", child);
  }
  else
- net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
+// net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child);
+ fnet_run(5, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
  }
 
  if (cfg.bridge1.configured) {
  if (cfg.bridge1.macvlan == 0)
  net_configure_veth_pair(&cfg.bridge1, "eth1", child);
  else
- net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
+// net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child);
+ fnet_run(5, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
  }
 
  if (cfg.bridge2.configured) {
  if (cfg.bridge2.macvlan == 0)
  net_configure_veth_pair(&cfg.bridge2, "eth2", child);
  else
- net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
+// net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child);
+ fnet_run(5, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
  }
 
  if (cfg.bridge3.configured) {
  if (cfg.bridge3.macvlan == 0)
  net_configure_veth_pair(&cfg.bridge3, "eth3", child);
  else
- net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
+// net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child);
+ fnet_run(5, "create", "macvlan", cfg.bridge3.devsandbox, cfg.bridge3.dev, cstr);
  }
 
  // move interfaces in sandbox
  if (cfg.interface0.configured) {
- net_move_interface(cfg.interface0.dev, child);
+// net_move_interface(cfg.interface0.dev, child);
+ fnet_run(3, "moveif", cfg.interface0.dev, cstr);
  }
  if (cfg.interface1.configured) {
- net_move_interface(cfg.interface1.dev, child);
+// net_move_interface(cfg.interface1.dev, child);
+ fnet_run(3, "moveif", cfg.interface1.dev, cstr);
  }
  if (cfg.interface2.configured) {
- net_move_interface(cfg.interface2.dev, child);
+// net_move_interface(cfg.interface2.dev, child);
+ fnet_run(3, "moveif", cfg.interface3.dev, cstr);
  }
  if (cfg.interface3.configured) {
- net_move_interface(cfg.interface3.dev, child);
+// net_move_interface(cfg.interface3.dev, child);
+ fnet_run(3, "moveif", cfg.interface3.dev, cstr);
  }
+
+ free(cstr);
 }

src/fnet/Makefile.in

@@ -0,0 +1,43 @@
+all: fnet
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+
+H_FILE_LIST = $(sort $(wildcard *.[h]))
+C_FILE_LIST = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS = $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
+ $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+fnet: $(OBJS) ../lib/libnetlink.o ../lib/common.o
+ $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -f *.o fnet
+
+distclean: clean
+ rm -fr Makefile
+

src/fnet/fnet.h

@@ -0,0 +1,40 @@
+ /*
+ * Copyright (C) 2014-2016 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FNET_H
+#define FNET_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include "../include/common.h"
+
+// veth.c
+int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
+int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
+int net_move_interface(const char *dev, unsigned pid);
+
+// interface.c
+void net_bridge_add_interface(const char *bridge, const char *dev);
+void net_if_up(const char *ifname);
+int net_get_mtu(const char *ifname);
+void net_set_mtu(const char *ifname, int mtu);
+
+#endif