networking profile file support

This commit is contained in:
netblue30 2016-04-19 11:28:19 -04:00
parent 7cc1fa0d7e
commit 0d5453fc72
6 changed files with 220 additions and 13 deletions


@ -1542,17 +1542,17 @@ int main(int argc, char **argv) {
Bridge *br = last_bridge_configured();
if (br == NULL) {
fprintf(stderr, "Error: no network device configured\n");
return 1;
exit(1);
}
if (mac_not_zero(br->macsandbox)) {
fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
return 1;
exit(1);
}
// read the address
if (atomac(argv[i] + 6, br->macsandbox)) {
fprintf(stderr, "Error: invalid MAC address\n");
return 1;
exit(1);
}
}
else {
@ -1566,12 +1566,12 @@ int main(int argc, char **argv) {
Bridge *br = last_bridge_configured();
if (br == NULL) {
fprintf(stderr, "Error: no network device configured\n");
return 1;
exit(1);
}
if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
fprintf(stderr, "Error: invalid mtu value\n");
return 1;
exit(1);
}
}
else {
@ -1585,11 +1585,11 @@ int main(int argc, char **argv) {
Bridge *br = last_bridge_configured();
if (br == NULL) {
fprintf(stderr, "Error: no network device configured\n");
return 1;
exit(1);
}
if (br->arg_ip_none || br->ipsandbox) {
fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
return 1;
exit(1);
}
// configure this IP address for the last bridge defined
@ -1598,7 +1598,7 @@ int main(int argc, char **argv) {
else {
if (atoip(argv[i] + 5, &br->ipsandbox)) {
fprintf(stderr, "Error: invalid IP address\n");
return 1;
exit(1);
}
}
}
@ -1613,11 +1613,11 @@ int main(int argc, char **argv) {
Bridge *br = last_bridge_configured();
if (br == NULL) {
fprintf(stderr, "Error: no network device configured\n");
return 1;
exit(1);
}
if (br->arg_ip_none || br->ip6sandbox) {
fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
return 1;
exit(1);
}
// configure this IP address for the last bridge defined
@ -1625,7 +1625,7 @@ int main(int argc, char **argv) {
br->ip6sandbox = argv[i] + 6;
// if (atoip(argv[i] + 5, &br->ipsandbox)) {
// fprintf(stderr, "Error: invalid IP address\n");
// return 1;
// exit(1);
// }
}
else {
@ -1639,7 +1639,7 @@ int main(int argc, char **argv) {
if (checkcfg(CFG_NETWORK)) {
if (atoip(argv[i] + 12, &cfg.defaultgw)) {
fprintf(stderr, "Error: invalid IP address\n");
return 1;
exit(1);
}
}
else {


@ -319,7 +319,126 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
return 0;
}
// from here
else if (strncmp(ptr, "mac ", 4) == 0) {
#ifdef HAVE_NETWORK
if (checkcfg(CFG_NETWORK)) {
Bridge *br = last_bridge_configured();
if (br == NULL) {
fprintf(stderr, "Error: no network device configured\n");
exit(1);
}
if (mac_not_zero(br->macsandbox)) {
fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n");
exit(1);
}
// read the address
if (atomac(ptr + 4, br->macsandbox)) {
fprintf(stderr, "Error: invalid MAC address\n");
exit(1);
}
}
else
fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
#endif
return 0;
}
else if (strncmp(ptr, "mtu ", 4) == 0) {
#ifdef HAVE_NETWORK
if (checkcfg(CFG_NETWORK)) {
Bridge *br = last_bridge_configured();
if (br == NULL) {
fprintf(stderr, "Error: no network device configured\n");
exit(1);
}
if (sscanf(ptr + 4, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) {
fprintf(stderr, "Error: invalid mtu value\n");
exit(1);
}
}
else
fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
#endif
return 0;
}
else if (strncmp(ptr, "ip ", 3) == 0) {
#ifdef HAVE_NETWORK
if (checkcfg(CFG_NETWORK)) {
Bridge *br = last_bridge_configured();
if (br == NULL) {
fprintf(stderr, "Error: no network device configured\n");
exit(1);
}
if (br->arg_ip_none || br->ipsandbox) {
fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
exit(1);
}
// configure this IP address for the last bridge defined
if (strcmp(ptr + 3, "none") == 0)
br->arg_ip_none = 1;
else {
if (atoip(ptr + 3, &br->ipsandbox)) {
fprintf(stderr, "Error: invalid IP address\n");
exit(1);
}
}
}
else
fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
#endif
return 0;
}
else if (strncmp(ptr, "ip6 ", 4) == 0) {
#ifdef HAVE_NETWORK
if (checkcfg(CFG_NETWORK)) {
Bridge *br = last_bridge_configured();
if (br == NULL) {
fprintf(stderr, "Error: no network device configured\n");
exit(1);
}
if (br->arg_ip_none || br->ip6sandbox) {
fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
exit(1);
}
// configure this IP address for the last bridge defined
// todo: verify ipv6 syntax
br->ip6sandbox = ptr + 4;
// if (atoip(argv[i] + 5, &br->ipsandbox)) {
// fprintf(stderr, "Error: invalid IP address\n");
// exit(1);
// }
}
else
fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
#endif
return 0;
}
else if (strncmp(ptr, "defaultgw ", 10) == 0) {
#ifdef HAVE_NETWORK
if (checkcfg(CFG_NETWORK)) {
Bridge *br = last_bridge_configured();
if (atoip(ptr + 10, &cfg.defaultgw)) {
fprintf(stderr, "Error: invalid IP address\n");
exit(1);
}
}
else
fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
#endif
return 0;
}
if (strncmp(ptr, "protocol ", 9) == 0) {
#ifdef HAVE_SECCOMP
if (checkcfg(CFG_SECCOMP))
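Review bot: The `ip6` branch stores `br->ip6sandbox = ptr + 4;`, a pointer into the line passed to profile_check_line(), whereas every other branch copies its parsed value into the Bridge; if the caller owns that line in a reusable or freed buffer (which the `char *ptr` parameter suggests but the hunk does not show), the address read later during network setup is dangling, and unlike the `ip` branch nothing validates the string, as the `// todo: verify ipv6 syntax` comment admits. Copying the value, `br->ip6sandbox = strdup(ptr + 4); if (!br->ip6sandbox) { perror("strdup"); exit(1); }`, removes the lifetime dependency; a syntax check is still needed before the string reaches the interface configuration. The `defaultgw` branch also declares `Bridge *br = last_bridge_configured();` without using it, which will trip -Wunused-variable; either drop the line or, as the neighbouring branches do, reject the keyword with the "no network device configured" error when it returns NULL. profile_check_line() starts and ends outside this hunk.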

test/net-profile.profile Normal file

@ -0,0 +1,10 @@
net br0
mac 00:11:22:33:44:55
mtu 1000
net br1
ip 10.10.30.50
net br2
ip 10.10.40.100
net br3
defaultgw 10.10.20.2

test/net_profile.exp Executable file

@ -0,0 +1,73 @@
#!/usr/bin/expect -f
set timeout 10
spawn $env(SHELL)
match_max 100000
# check eth0
send -- "firejail --profile=net-profile.profile\r"
expect {
timeout {puts "TESTING ERROR 0.0\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 0.1\n";exit}
"00:11:22:33:44:55"
}
expect {
timeout {puts "TESTING ERROR 0.1\n";exit}
"10.10.20"
}
expect {
timeout {puts "TESTING ERROR 0.2\n";exit}
"255.255.255.248"
}
expect {
timeout {puts "TESTING ERROR 0.3\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 0.4\n";exit}
"Child process initialized"
}
sleep 2
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50"
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100"
}
# check default gw
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"default via 10.10.20.2 dev eth0"
}
# check mtu
send -- "ip link show\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"mtu 1000"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"state UP"
}
sleep 1
puts "\nall done\n"
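Review bot: The timeout label `TESTING ERROR 0.1` is used twice, once for the `00:11:22:33:44:55` expect and again for the `10.10.20` expect, so a failure at either point prints the same message and cannot be told apart in the log; the second should become `timeout {puts "TESTING ERROR 0.2\n";exit}` with the labels that follow renumbered. The three `ip route show` sends are also redundant: the first command's output already contains all three routes and `match_max 100000` keeps it buffered, so one send followed by the three expects in order would do the same job with less chance of matching stale output.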


@ -10,6 +10,9 @@ echo "TESTING: cpu.print (cpu-print.exp)"
echo "TESTING: failing under VirtualBox where there is only one CPU"
./cpu-print.exp
echo "TESTING: network profile (net_profile.exp)"
./net_profile.exp
echo "TESTING: bandwidth (bandwidth.exp)"
./bandwidth.exp

todo

@ -80,3 +80,5 @@ https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/
https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl
12. check for --chroot why .config/pulse dir is not created
13. print error line number for profile files in profile_check_line()