taler-deployment

Deployment scripts and configuration files

commit 114060fb686285de9dc9b39acbd739ea9c9d7e15
parent eca7832242d4c5cedf9e3fc7627fb1a26fc9cc5e
Author: Florian Dold <florian.dold@gmail.com>
Date:   Mon, 17 Feb 2020 14:08:07 +0100

new netjail

Diffstat:
Anetjail/netjail-privdrop.sh | 47+++++++++++++++++++++++++++++++++++++++++++++++
Mnetjail/netjail.sh | 38++++++++++++++++----------------------
2 files changed, 63 insertions(+), 22 deletions(-)

diff --git a/netjail/netjail-privdrop.sh b/netjail/netjail-privdrop.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# This file is in the public domain.
+#
+# Shell script for to setup one instance of a network namespace.
+# Used by buildslaves to avoid port conflicts.
+#
+# First argument ($1) must be a unique number (unique amongst
+# all users of the script) between 2 and 254 to be used in
+# the IP address for routing the traffic of the network
+# namespace to the Internet.
+#
+# The remaining arguments are the command (and arguments to the
+# command) to be run in the network namespace (i.e. 'make check').
+
+# This script is executed by root and should *not* be in sudoers
+
+set -eu
+set -x
+
+N=$1
+shift 1
+
+NAME=buildernet-$N
+
+# Go to the root namespace to delete our network NS,
+# as we can't do it from inside when we use 'ip netns' to enter it.
+nsenter -m -t 1 -- ip netns del $NAME
+
+# Configure our network inside the namespace
+ip link set dev lo up
+ip link set dev "tap-$N" up
+dhclient --no-pid "tap-$N"
+
+# Finally, run whatever the user's command was
+ME=${SUDO_USER:?must run in sudo}
+
+# Execute target program as the original user.
+# We should already be in a PID namespace, but we still need to mount proc.
+unshare --mount-proc -- sudo -u "$ME" -- "$@"
+ret=$?
+
+# Release the lease
+dhclient --no-pid -r || false
+
+# Exit with the target program's exit status
+exit $ret
diff --git a/netjail/netjail.sh b/netjail/netjail.sh
@@ -15,6 +15,7 @@
 #
 
 set -eu
+set -x
 # Be extra safe, even though sudo should already do this.
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
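Review bot: `ret=$?` after `unshare --mount-proc -- sudo -u "$ME" -- "$@"` is never reached when the user's command fails, because `set -eu` at the top aborts the script on that non-zero status, so the `dhclient --no-pid -r` lease release is skipped and the trailing `|| false` on it changes nothing. Capture the status explicitly with `ret=0` followed by `unshare --mount-proc -- sudo -u "$ME" -- "$@" || ret=$?`. The header comment is stale for this version of the script: it describes `$1` as a number between 2 and 254 used in the IP address, but netjail.sh now passes the random NSUID and the address comes from dhclient, so say instead that `$1` is the namespace ID chosen by netjail.sh and is used only to name the tap device. The `$NAME` in `nsenter -m -t 1 -- ip netns del $NAME` should be quoted like the other expansions. The `set -x` added both here and in the netjail.sh hunk traces the user's full command line and every `ip`/`dhclient` invocation of a root-run script to stderr; worth a comment saying that is intended, or drop it once debugging is done.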
@@ -22,30 +23,23 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 # See netjail-init.sh
 BRIDGE=builderbridge
 
-# Make $N the first argument.
-N=$1
-shift 1
+# Generate random ID for namespace
+NSUID=$(od -x /dev/urandom | head -1 | awk '{OFS="-"; print $2$3}')
 
-NAME=buildernet-$N
-
-# Delete previous bridge and netns
-brctl delif "$BRIDGE" "br-tap$N" 2>/dev/null || true
-ip netns del "$NAME" 2>/dev/null || true
+NSNAME=buildernet-$NSUID
 
 # Create network namespace
-ip netns add "$NAME"
-# Ensure loopback is up
-ip netns exec "$NAME" ip link set lo up
+ip netns add "$NSNAME"
+
+TAP=tap-$NSUID
+BRTAP=br-tap-$NSUID
 
 # Setup link to our bridge
-ip link add "tap$N" type veth peer name br-tap$N
-brctl addif "$BRIDGE" "br-tap$N"
-ip link set "tap$N" netns "$NAME"
-ip netns exec "$NAME" ip link set dev "tap$N" up
-ip link set dev "br-tap$N" up
-ip netns exec "$NAME" ip addr add "10.42.42.$N/24" dev "tap$N"
-ip netns exec "$NAME" ip route add default via 10.42.42.1
-
-# Finally, run whatever the user's command was
-ME=${SUDO_USER:?must run in sudo}
-exec unshare -pf --mount-proc -- ip netns exec "$NAME" sudo -u "$ME" -- "$@"
+ip link add "$TAP" type veth peer name "$BRTAP"
+brctl addif "$BRIDGE" "$BRTAP"
+ip link set "$TAP" netns "$NSNAME"
+ip link set dev "$BRTAP" up
+
+# Execute netjail-privdrop in a process namespace, but do not mount proc yet,
+# so that we can still "nsenter" the root NS to drop the
+exec unshare -fp --kill-child -- ip netns exec "$NSNAME" netjail-privdrop.sh "$NSUID" "$@"
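Review bot: Between `ip netns add "$NSNAME"` and the final `exec`, any failure (for example in `brctl addif` or `ip link set "$TAP" netns "$NSNAME"`) exits under `set -eu` and leaves the namespace and the veth pair behind, and the `brctl delif`/`ip netns del` pre-cleanup that used to absorb such leftovers is removed in this hunk. Register cleanup right after creation, `trap 'ip netns del "$NSNAME" 2>/dev/null' EXIT`, and clear it with `trap - EXIT` immediately before the `exec` line, since netjail-privdrop.sh deletes the name itself once inside. The comment before `exec` is cut off mid-sentence (`to drop the`); presumably it should read `# so that we can still "nsenter" the root NS to drop the netns name from inside netjail-privdrop.sh`. Note that `br-tap-` plus the 8 hex characters produced by `od -x` is 15 characters, which I believe is the maximum Linux interface-name length, so this prefix cannot grow; a comment on the `BRTAP=` line would save the next editor a confusing `ip link add` failure. The `od ... | head -1 | awk` pipeline also runs without `pipefail`, so a failing `od` would go unnoticed under `set -e` and yield an empty `NSUID`; a `[ -n "$NSUID" ] || exit 1` check after it is cheap.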