authorFlorian Dold <florian.dold@gmail.com>2020-02-17 14:08:07 +0100
committerFlorian Dold <florian.dold@gmail.com>2020-02-17 14:08:07 +0100
commit114060fb686285de9dc9b39acbd739ea9c9d7e15 (patch)
tree475c00a76cd640fb87f9d7090369c3c10b9124ab /netjail/netjail.sh
parenteca7832242d4c5cedf9e3fc7627fb1a26fc9cc5e (diff)
downloaddeployment-114060fb686285de9dc9b39acbd739ea9c9d7e15.tar.gz
deployment-114060fb686285de9dc9b39acbd739ea9c9d7e15.tar.bz2
deployment-114060fb686285de9dc9b39acbd739ea9c9d7e15.zip
new netjail
Diffstat (limited to 'netjail/netjail.sh')
-rwxr-xr-xnetjail/netjail.sh38
1 files changed, 16 insertions, 22 deletions
diff --git a/netjail/netjail.sh b/netjail/netjail.sh
index df4df1a..17dd095 100755
--- a/netjail/netjail.sh
+++ b/netjail/netjail.sh
@@ -15,6 +15,7 @@
#
set -eu
+set -x
# Be extra safe, even though sudo should already do this.
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
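Review bot: The added `set -x` right after `set -eu` leaves command tracing permanently on in a script that runs under sudo and ends in an `exec ... "$@"`, so every run writes each command, including the caller's full argument list, to stderr. If the trace was added for debugging, gate it on an environment variable so the default run stays quiet, e.g. `[ -n "${NETJAIL_DEBUG:-}" ] && set -x` (the variable name is a placeholder; use whatever the project convention is). The `${VAR:-}` form is required because `set -u` is in effect on the preceding line.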
@@ -22,30 +23,23 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# See netjail-init.sh
BRIDGE=builderbridge
-# Make $N the first argument.
-N=$1
-shift 1
+# Generate random ID for namespace
+NSUID=$(od -x /dev/urandom | head -1 | awk '{OFS="-"; print $2$3}')
-NAME=buildernet-$N
-
-# Delete previous bridge and netns
-brctl delif "$BRIDGE" "br-tap$N" 2>/dev/null || true
-ip netns del "$NAME" 2>/dev/null || true
+NSNAME=buildernet-$NSUID
# Create network namespace
-ip netns add "$NAME"
-# Ensure loopback is up
-ip netns exec "$NAME" ip link set lo up
+ip netns add "$NSNAME"
+
+TAP=tap-$NSUID
+BRTAP=br-tap-$NSUID
# Setup link to our bridge
-ip link add "tap$N" type veth peer name br-tap$N
-brctl addif "$BRIDGE" "br-tap$N"
-ip link set "tap$N" netns "$NAME"
-ip netns exec "$NAME" ip link set dev "tap$N" up
-ip link set dev "br-tap$N" up
-ip netns exec "$NAME" ip addr add "10.42.42.$N/24" dev "tap$N"
-ip netns exec "$NAME" ip route add default via 10.42.42.1
-
-# Finally, run whatever the user's command was
-ME=${SUDO_USER:?must run in sudo}
-exec unshare -pf --mount-proc -- ip netns exec "$NAME" sudo -u "$ME" -- "$@"
+ip link add "$TAP" type veth peer name "$BRTAP"
+brctl addif "$BRIDGE" "$BRTAP"
+ip link set "$TAP" netns "$NSNAME"
+ip link set dev "$BRTAP" up
+
+# Execute netjail-privdrop in a process namespace, but do not mount proc yet,
+# so that we can still "nsenter" the root NS to drop the
+exec unshare -fp --kill-child -- ip netns exec "$NSNAME" netjail-privdrop.sh "$NSUID" "$@"
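Review bot: Once `ip netns add "$NSNAME"` has succeeded, a failure in any later step (`ip link add`, `brctl addif`, `ip link set`, or the final `exec`) exits via `set -e` and leaves the namespace and the veth pair behind; the removed lines used to reclaim these on the next run by deterministic name, but with a random `$NSUID` nothing ever deletes them. Install a cleanup trap once `$NSNAME` and `$BRTAP` are assigned (after the `BRTAP=` line) so an aborted run frees its resources; it does not fire after a successful `exec` because the shell image is replaced. Since no `pipefail` is set, a failing `od` would leave `$NSUID` empty and the script would create a namespace literally named `buildernet-`; a `[ -n "$NSUID" ] || exit 1` after the assignment guards that. Two smaller points in the same hunk: the comment above the `exec` ends mid-sentence (`to drop the`) and should be completed, presumably "to drop privileges" given the script it calls, but confirm against netjail-privdrop.sh; and in the `NSUID=` pipeline `OFS="-"` has no effect because `$2$3` concatenates the fields directly, so either drop it or write `print $2, $3`.
```shell
BRTAP=br-tap-$NSUID
# Free the namespace and veth pair if setup aborts before the exec below;
# after a successful exec the shell (and this trap) no longer exists.
cleanup() {
  ip link del "$BRTAP" 2>/dev/null || true
  ip netns del "$NSNAME" 2>/dev/null || true
}
trap cleanup EXIT
# … unchanged: link setup and exec …
```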