netjail-privdrop.sh (1247B)
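#!/bin/sh

# This file is in the public domain.
#
# Shell script to set up one instance of a network namespace.
# Used by buildslaves to avoid port conflicts.
#
# First argument ($1) must be a unique number (unique amongst
# all users of the script) to be used in
# the name of the virtual network devices and the namespace itself.
#
# The remaining arguments are the command (and arguments to the
# command) to be run in the network namespace (e.g. 'make check').

# This script is executed by root and should *not* be in sudoers

set -eu
# Trace every command so the setup steps show up in the build log.
set -x

# Fail before touching any namespace if the arguments are incomplete.
if [ "$#" -lt 2 ]; then
  echo "usage: $0 N command [args...]" >&2
  exit 2
fi

N=$1
shift 1

# $N becomes part of a namespace name and an interface name that are handed
# to 'ip' and 'dhclient' while running as root. Accept digits only, so the
# value cannot carry whitespace, a leading '-' or other shell-significant
# characters into those command lines.
case $N in
  '' | *[!0-9]*)
    echo "$0: first argument must be a decimal number" >&2
    exit 2
    ;;
esac

NAME=buildernet-$N

# The target command is run as the user who invoked sudo. Checked up front
# so that a missing SUDO_USER aborts before any network state is changed.
# NOTE(review): SUDO_USER is read from the environment; if it is 'root' or
# can be set by an unprivileged caller, no privileges are actually dropped.
# Confirm against how the wrapper invokes this script.
ME=${SUDO_USER:?must run in sudo}

# Go to the root namespace to delete our network NS,
# as we can't do it from inside when we use 'ip netns' to enter it.
nsenter -m -t 1 -- ip netns del "$NAME"

# Configure our network inside the namespace
ip link set dev lo up
ip link set dev "tap-$N" up
dhclient --no-pid "tap-$N"

# Execute target program as the original user.
# We should already be in a PID namespace, but we still need to mount proc.
# errexit is switched off around the call so a failing target does not skip
# the lease release below.
set +e
unshare --mount-proc -- sudo -u "$ME" -- "$@"
ret=$?
set -e

# Release the lease. A failed release makes the run fail, but it never
# overrides a non-zero status from the target program.
if ! dhclient --no-pid -r; then
  echo "$0: dhclient could not release the lease" >&2
  [ "$ret" -ne 0 ] || ret=1
fi

# Exit with the target program's exit status
exit "$ret"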