author | Florian Dold <florian.dold@gmail.com> | 2020-02-17 14:08:07 +0100 |
---|---|---|
committer | Florian Dold <florian.dold@gmail.com> | 2020-02-17 14:08:07 +0100 |
commit | 114060fb686285de9dc9b39acbd739ea9c9d7e15 (patch) | |
tree | 475c00a76cd640fb87f9d7090369c3c10b9124ab /netjail/netjail.sh | |
parent | eca7832242d4c5cedf9e3fc7627fb1a26fc9cc5e (diff) | |
new netjail
Diffstat (limited to 'netjail/netjail.sh')
-rwxr-xr-x | netjail/netjail.sh | 38 |
1 files changed, 16 insertions, 22 deletions
diff --git a/netjail/netjail.sh b/netjail/netjail.sh
index df4df1a..17dd095 100755
--- a/netjail/netjail.sh
+++ b/netjail/netjail.sh
@@ -15,6 +15,7 @@
 #
 set -eu
+set -x
 # Be extra safe, even though sudo should already do this.
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -22,30 +23,23 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 # See netjail-init.sh
 BRIDGE=builderbridge
-# Make $N the first argument.
-N=$1
-shift 1
+# Generate random ID for namespace
+NSUID=$(od -x /dev/urandom | head -1 | awk '{OFS="-"; print $2$3}')
-NAME=buildernet-$N
-
-# Delete previous bridge and netns
-brctl delif "$BRIDGE" "br-tap$N" 2>/dev/null || true
-ip netns del "$NAME" 2>/dev/null || true
+NSNAME=buildernet-$NSUID
 # Create network namespace
-ip netns add "$NAME"
-# Ensure loopback is up
-ip netns exec "$NAME" ip link set lo up
+ip netns add "$NSNAME"
+
+TAP=tap-$NSUID
+BRTAP=br-tap-$NSUID
 # Setup link to our bridge
-ip link add "tap$N" type veth peer name br-tap$N
-brctl addif "$BRIDGE" "br-tap$N"
-ip link set "tap$N" netns "$NAME"
-ip netns exec "$NAME" ip link set dev "tap$N" up
-ip link set dev "br-tap$N" up
-ip netns exec "$NAME" ip addr add "10.42.42.$N/24" dev "tap$N"
-ip netns exec "$NAME" ip route add default via 10.42.42.1
-
-# Finally, run whatever the user's command was
-ME=${SUDO_USER:?must run in sudo}
-exec unshare -pf --mount-proc -- ip netns exec "$NAME" sudo -u "$ME" -- "$@"
+ip link add "$TAP" type veth peer name "$BRTAP"
+brctl addif "$BRIDGE" "$BRTAP"
+ip link set "$TAP" netns "$NSNAME"
+ip link set dev "$BRTAP" up
+
+# Execute netjail-privdrop in a process namespace, but do not mount proc yet,
+# so that we can still "nsenter" the root NS to drop the
+exec unshare -fp --kill-child -- ip netns exec "$NSNAME" netjail-privdrop.sh "$NSUID" "$@"
|
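Review bot: The `set -x` added right after `set -eu` in the first hunk traces every command this root-run script executes to stderr, including the caller's `"$@"` that the later `exec unshare … netjail-privdrop.sh "$NSUID" "$@"` line forwards, so anything sensitive in those arguments lands in terminal output and any captured logs on every invocation. If this is a debugging leftover it should not land; if tracing is wanted, gate it on an explicit opt-in, e.g. `[[ -n "${NETJAIL_DEBUG:-}" ]] && set -x` (constructed variable name, pick whatever the project uses), and add `# trace only when explicitly requested: arguments are echoed` above it.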
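Review bot: The comment above the final `exec` in the second hunk is cut off mid-sentence (`# so that we can still "nsenter" the root NS to drop the`) and should say what is dropped; the old `ME=${SUDO_USER:?must run in sudo}` / `sudo -u "$ME"` step is gone from this file, so presumably privilege dropping now lives in netjail-privdrop.sh, which is not on this page and should be named here as the place where that happens. The removed `brctl delif` / `ip netns del` cleanup has no replacement, so each run leaves a `buildernet-<id>` namespace and a `br-tap-<id>` veth attached to `$BRIDGE` unless netjail-privdrop.sh removes them — a `trap` in this script cannot do it because `exec` replaces the shell, so a comment stating who owns teardown would help. In the `NSUID=` pipeline `OFS="-"` is a no-op because `$2$3` is a single concatenated expression; `awk '{print $2$3}'` reads the same. The name length is worth a comment too: `br-tap-` plus the eight hex digits is exactly 15 characters, the longest interface name `ip link add` accepts, so any lengthening of the prefix or the id will start failing.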