remove firemon --interface option - it is a duplication of firejail --net.print

RELNOTES

@@ -4,6 +4,8 @@ firejail (0.9.73) baseline; urgency=low
   * feature: Print the argument when failing with "too long arguments" (#5677)
   * feature: a random hostname is assigned to each sandbox unless
     overwritten using --hostname command
+  * feature: add IPv6 support for --net.print option
+  * modif: remove firemon --interface option (duplicating --net.print option)
   * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
   * modif: Prevent sandbox name (--name=) and host name (--hostname=)
     from containing only digits (#5578)

gcov.sh

@@ -21,29 +21,29 @@ rm -fr gcov-dir gcov-file
 firejail --version
 gcov_generate
 
-#make test-firecfg | grep TESTING
-#gcov_generate
-#make test-apparmor | grep TESTING
-#gcov_generate
+make test-firecfg | grep TESTING
+gcov_generate
+make test-apparmor | grep TESTING
+gcov_generate
 make test-network | grep TESTING
 gcov_generate
-#make test-appimage | grep TESTING
-#gcov_generate
-#make test-chroot | grep TESTING
-#gcov_generate
-#make test-sysutils | grep TESTING
-#gcov_generate
-#make test-private-etc | grep TESTING
-#gcov_generate
-#make test-profiles | grep TESTING
-#gcov_generate
-#make test-fcopy | grep TESTING
-#gcov_generate
+make test-appimage | grep TESTING
+gcov_generate
+make test-chroot | grep TESTING
+gcov_generate
+make test-sysutils | grep TESTING
+gcov_generate
+make test-private-etc | grep TESTING
+gcov_generate
+make test-profiles | grep TESTING
+gcov_generate
+make test-fcopy | grep TESTING
+gcov_generate
 make test-fnetfilter | grep TESTING
 gcov_generate
-#make test-fs | grep TESTING
-#gcov_generate
-#make test-utils | grep TESTING
-#gcov_generate
-#make test-environment | grep TESTING
-#gcov_generate
+make test-fs | grep TESTING
+gcov_generate
+make test-utils | grep TESTING
+gcov_generate
+make test-environment | grep TESTING
+gcov_generate

src/firemon/firemon.c

@@ -30,7 +30,6 @@ int arg_debug = 0;
 static int arg_route = 0;
 static int arg_arp = 0;
 static int arg_tree = 0;
-static int arg_interface = 0;
 static int arg_seccomp = 0;
 static int arg_caps = 0;
 static int arg_cpu = 0;
@@ -178,13 +177,6 @@ int main(int argc, char **argv) {
 			arg_seccomp = 1;
 		else if (strcmp(argv[i], "--caps") == 0)
 			arg_caps = 1;
-		else if (strcmp(argv[i], "--interface") == 0) {
-			if (getuid() != 0) {
-				fprintf(stderr, "Error: you need to be root to run this command\n");
-				exit(1);
-			}
-			arg_interface = 1;
-		}
 #ifdef HAVE_NETWORK
 		else if (strcmp(argv[i], "--route") == 0)
 			arg_route = 1;
@@ -261,13 +253,12 @@ int main(int argc, char **argv) {
 
 	// if --name requested without other options, print all data
 	if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
-	    !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
+	    !arg_x11  && !arg_route && !arg_arp) {
 		arg_tree = 1;
 		arg_cpu = 1;
 		arg_seccomp = 1;
 		arg_caps = 1;
 		arg_x11 = 1;
-		arg_interface = 1;
 		arg_route = 1;
 		arg_arp = 1;
 		arg_apparmor = 1;
@@ -295,10 +286,6 @@ int main(int argc, char **argv) {
 		x11((pid_t) pid, print_procs);
 		print_procs = 0;
 	}
-	if (arg_interface && getuid() == 0) {
-		interface((pid_t) pid, print_procs);
-		print_procs = 0;
-	}
 	if (arg_route) {
 		route((pid_t) pid, print_procs);
 		print_procs = 0;

src/firemon/firemon.h

@@ -57,9 +57,6 @@ void top(void) __attribute__((noreturn));
 // list.c
 void list(void);
 
-// interface.c
-void interface(pid_t pid, int print_procs);
-
 // arp.c
 void arp(pid_t pid, int print_procs);
 

src/firemon/interface.c

@@ -1,175 +0,0 @@
-/*
- * Copyright (C) 2014-2023 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firemon.h"
-#include "../include/gcov_wrapper.h"
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <netdb.h>
-#include <arpa/inet.h>
-#include <ifaddrs.h>
-#include <net/if.h>
-#include <linux/connector.h>
-#include <linux/netlink.h>
-#include <linux/if_link.h>
-#include <linux/sockios.h>
-#include <sys/ioctl.h>
-
-//#include <net/route.h>
-//#include <linux/if_bridge.h>
-
-// print IP addresses for all interfaces
-static void net_ifprint(void) {
-	uint32_t ip;
-	uint32_t mask;
-	struct ifaddrs *ifaddr, *ifa;
-
-	int fd;
-	if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
-		fprintf(stderr, "Error: cannot open AF_INET socket\n");
-		exit(1);
-	}
-
-	if (getifaddrs(&ifaddr) == -1)
-		errExit("getifaddrs");
-
-	// walk through the linked list
-	printf("  Link status:\n");
-	for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-		if (ifa->ifa_addr == NULL)
-			continue;
-
-		if (ifa->ifa_addr->sa_family == AF_PACKET) {
-			if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) {
-				if (ifa->ifa_data != NULL) {
-					struct rtnl_link_stats *stats = ifa->ifa_data;
-
-					// extract mac address
-					struct ifreq ifr;
-					memset(&ifr, 0, sizeof(ifr));
-					strncpy(ifr.ifr_name,  ifa->ifa_name, IFNAMSIZ - 1);
-					int rv = ioctl (fd, SIOCGIFHWADDR, &ifr);
-
-					if (rv == 0)
-						printf("     %s UP, %02x:%02x:%02x:%02x:%02x:%02x\n",
-							ifa->ifa_name, PRINT_MAC((unsigned char *) &ifr.ifr_hwaddr.sa_data));
-					else
-						printf("     %s UP\n", ifa->ifa_name);
-
-					printf("          tx/rx: %u/%u packets,  %u/%u bytes\n",
-						stats->tx_packets, stats->rx_packets,
-						stats->tx_bytes, stats->rx_bytes);
-				}
-			}
-			else
-				printf("     %s DOWN\n", ifa->ifa_name);
-		}
-	}
-
-
-	// walk through the linked list
-	printf("  IPv4 status:\n");
-	for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-		if (ifa->ifa_addr == NULL)
-			continue;
-
-		if (ifa->ifa_addr->sa_family == AF_INET) {
-			struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask;
-			mask = ntohl(si->sin_addr.s_addr);
-			si = (struct sockaddr_in *) ifa->ifa_addr;
-			ip = ntohl(si->sin_addr.s_addr);
-
-			char *status;
-			if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-				status = "UP";
-			else
-				status = "DOWN";
-
-			printf("     %s %s, %d.%d.%d.%d/%u\n",
-				ifa->ifa_name, status, PRINT_IP(ip), mask2bits(mask));
-		}
-	}
-
-
-	// walk through the linked list
-	printf("  IPv6 status:\n");
-	for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-		if (ifa->ifa_addr == NULL)
-			continue;
-
-		if (ifa->ifa_addr->sa_family == AF_INET6) {
-			char host[NI_MAXHOST];
-			int s = getnameinfo(ifa->ifa_addr, sizeof(struct sockaddr_in6),
-				host, NI_MAXHOST, NULL, 0, NI_NUMERICHOST);
-			if (s == 0) {
-				char *ptr;
-				if ((ptr = strchr(host, '%')) != NULL)
-					*ptr = '\0';
-				char *status;
-				if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-					status = "UP";
-				else
-					status = "DOWN";
-
-				printf("     %s %s, %s\n", ifa->ifa_name, status, host);
-			}
-		}
-	}
-
-	freeifaddrs(ifaddr);
-	close(fd);
-}
-
-static void print_sandbox(pid_t pid) {
-	pid_t child = fork();
-	if (child == -1)
-		return;
-
-	if (child == 0) {
-		int rv = join_namespace(pid, "net");
-		if (rv)
-			return;
-		net_ifprint();
-
-		__gcov_flush();
-
-		_exit(0);
-	}
-
-	// wait for the child to finish
-	waitpid(child, NULL, 0);
-}
-
-void interface(pid_t pid, int print_procs) {
-	pid_read(pid); // a pid of 0 will include all processes
-
-	// print processes
-	int i;
-	for (i = 0; i < max_pids; i++) {
-		if (pids[i].level == 1) {
-			if (print_procs || pid == 0)
-				pid_print_list(i, arg_wrap);
-			int child = find_child(i);
-			if (child != -1) {
-				print_sandbox(child);
-			}
-		}
-	}
-	printf("\n");
-}

src/man/firemon.txt

@@ -30,9 +30,6 @@ Print debug messages
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP
-\fB\-\-interface
-Print network interface information for each sandbox.
-.TP
 \fB\-\-list
 List all sandboxes.
 .TP

test/network/firemon-interface.exp

@@ -1,28 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test --net=br0 --ip=10.10.20.50\r"
-expect {
-	timeout {puts "TESTING ERROR 1\n";exit}
-	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --interface\r"
-expect {
-	timeout {puts "TESTING ERROR 2\n";exit}
-	"firejail --name=test --net=br0 --ip=10.10.20.50"
-}
-expect {
-	timeout {puts "TESTING ERROR 3\n";exit}
-	"eth0 UP, 10.10.20.50/24"
-}
-sleep 2
-puts "\nall done\n"

test/network/network.sh

@@ -51,8 +51,5 @@ echo "TESTING: firemon arp (firemon-arp.exp)"
 echo "TESTING: firemon route (firemon-route.exp)"
 ./firemon-route.exp
 
-#echo "TESTING: firemon interface (firemon-interface.exp)"
-#sudo ./firemon-interface.exp
-
 sudo ip link set br0 down
 sudo brctl delbr br0