2021-08-12 15:42:43 +02:00
|
|
|
// SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
|
|
|
|
/* PASST - Plug A Simple Socket Transport
|
|
|
|
* for qemu/UNIX domain socket mode
|
|
|
|
*
|
|
|
|
* PASTA - Pack A Subtle Tap Abstraction
|
|
|
|
* for network namespace/tap device mode
|
|
|
|
*
|
|
|
|
* conf.c - Configuration settings and option parsing
|
|
|
|
*
|
|
|
|
* Copyright (c) 2020-2021 Red Hat GmbH
|
|
|
|
* Author: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
*/
|
|
|
|
|
2021-10-21 04:26:08 +02:00
|
|
|
#include <arpa/inet.h>
|
|
|
|
#include <errno.h>
|
|
|
|
#include <fcntl.h>
|
2021-08-12 15:42:43 +02:00
|
|
|
#include <getopt.h>
|
|
|
|
#include <string.h>
|
2021-10-21 04:26:08 +02:00
|
|
|
#include <sched.h>
|
2021-08-12 15:42:43 +02:00
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/stat.h>
|
2022-02-18 16:12:11 +01:00
|
|
|
#include <libgen.h>
|
2021-08-12 15:42:43 +02:00
|
|
|
#include <limits.h>
|
2022-05-18 19:10:45 +02:00
|
|
|
#include <grp.h>
|
|
|
|
#include <pwd.h>
|
2021-08-12 15:42:43 +02:00
|
|
|
#include <stdlib.h>
|
|
|
|
#include <stdint.h>
|
2022-07-22 07:31:16 +02:00
|
|
|
#include <stdbool.h>
|
2021-08-12 15:42:43 +02:00
|
|
|
#include <unistd.h>
|
|
|
|
#include <syslog.h>
|
|
|
|
#include <time.h>
|
|
|
|
#include <netinet/in.h>
|
2021-10-21 04:26:08 +02:00
|
|
|
#include <netinet/if_ether.h>
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
#include "util.h"
|
|
|
|
#include "passt.h"
|
2021-10-21 04:26:08 +02:00
|
|
|
#include "netlink.h"
|
2021-08-12 15:42:43 +02:00
|
|
|
#include "udp.h"
|
|
|
|
#include "tcp.h"
|
2021-10-11 12:01:31 +02:00
|
|
|
#include "pasta.h"
|
2022-06-24 04:17:30 +02:00
|
|
|
#include "lineread.h"
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-09-27 05:24:30 +02:00
|
|
|
/**
|
|
|
|
* get_bound_ports() - Get maps of ports with bound sockets
|
|
|
|
* @c: Execution context
|
|
|
|
* @ns: If set, set bitmaps for ports to tap/ns -- to init otherwise
|
|
|
|
* @proto: Protocol number (IPPROTO_TCP or IPPROTO_UDP)
|
|
|
|
*/
|
|
|
|
void get_bound_ports(struct ctx *c, int ns, uint8_t proto)
|
|
|
|
{
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
uint8_t *udp_map, *udp_excl, *tcp_map, *tcp_excl;
|
2021-09-27 05:24:30 +02:00
|
|
|
|
|
|
|
if (ns) {
|
|
|
|
udp_map = c->udp.port_to_tap;
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
udp_excl = c->udp.port_to_init;
|
2021-09-27 05:24:30 +02:00
|
|
|
tcp_map = c->tcp.port_to_tap;
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
tcp_excl = c->tcp.port_to_init;
|
2021-09-27 05:24:30 +02:00
|
|
|
} else {
|
|
|
|
udp_map = c->udp.port_to_init;
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
udp_excl = c->udp.port_to_tap;
|
2021-09-27 05:24:30 +02:00
|
|
|
tcp_map = c->tcp.port_to_init;
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
tcp_excl = c->tcp.port_to_tap;
|
2021-09-27 05:24:30 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if (proto == IPPROTO_UDP) {
|
|
|
|
memset(udp_map, 0, USHRT_MAX / 8);
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
procfs_scan_listen(c, IPPROTO_UDP, V4, ns, udp_map, udp_excl);
|
|
|
|
procfs_scan_listen(c, IPPROTO_UDP, V6, ns, udp_map, udp_excl);
|
2021-09-27 05:24:30 +02:00
|
|
|
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
procfs_scan_listen(c, IPPROTO_TCP, V4, ns, udp_map, udp_excl);
|
|
|
|
procfs_scan_listen(c, IPPROTO_TCP, V6, ns, udp_map, udp_excl);
|
2021-09-27 05:24:30 +02:00
|
|
|
} else if (proto == IPPROTO_TCP) {
|
|
|
|
memset(tcp_map, 0, USHRT_MAX / 8);
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
procfs_scan_listen(c, IPPROTO_TCP, V4, ns, tcp_map, tcp_excl);
|
|
|
|
procfs_scan_listen(c, IPPROTO_TCP, V6, ns, tcp_map, tcp_excl);
|
2021-09-27 05:24:30 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
/**
|
|
|
|
* struct get_bound_ports_ns_arg - Arguments for get_bound_ports_ns()
|
|
|
|
* @c: Execution context
|
|
|
|
* @proto: Protocol number (IPPROTO_TCP or IPPROTO_UDP)
|
|
|
|
*/
|
|
|
|
struct get_bound_ports_ns_arg {
|
|
|
|
struct ctx *c;
|
|
|
|
uint8_t proto;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
2021-09-27 05:24:30 +02:00
|
|
|
* get_bound_ports_ns() - Get maps of ports in namespace with bound sockets
|
2021-08-12 15:42:43 +02:00
|
|
|
* @arg: See struct get_bound_ports_ns_arg
|
|
|
|
*
|
|
|
|
* Return: 0
|
|
|
|
*/
|
|
|
|
static int get_bound_ports_ns(void *arg)
|
|
|
|
{
|
|
|
|
struct get_bound_ports_ns_arg *a = (struct get_bound_ports_ns_arg *)arg;
|
|
|
|
struct ctx *c = a->c;
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
if (!c->pasta_netns_fd || ns_enter(c))
|
2021-08-12 15:42:43 +02:00
|
|
|
return 0;
|
|
|
|
|
2021-09-27 05:24:30 +02:00
|
|
|
get_bound_ports(c, 1, a->proto);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
enum conf_port_type {
|
|
|
|
PORT_SPEC = 1,
|
|
|
|
PORT_NONE,
|
|
|
|
PORT_AUTO,
|
|
|
|
PORT_ALL,
|
|
|
|
};
|
|
|
|
|
2022-05-01 06:36:34 +02:00
|
|
|
/**
|
|
|
|
* conf_ports() - Parse port configuration options, initialise UDP/TCP sockets
|
|
|
|
* @c: Execution context
|
|
|
|
* @optname: Short option name, t, T, u, or U
|
|
|
|
* @optarg: Option argument (port specification)
|
|
|
|
* @set: Pointer to @conf_port_type to be set (port binding type)
|
|
|
|
*
|
|
|
|
* Return: -EINVAL on parsing error, 0 otherwise
|
|
|
|
*/
|
2021-08-12 15:42:43 +02:00
|
|
|
static int conf_ports(struct ctx *c, char optname, const char *optarg,
|
|
|
|
enum conf_port_type *set)
|
|
|
|
{
|
2022-07-13 08:05:01 +02:00
|
|
|
int start_src, end_src, start_dst, end_dst, exclude_only = 1, i, port;
|
|
|
|
char addr_buf[sizeof(struct in6_addr)] = { 0 }, *addr = addr_buf;
|
2021-08-12 15:42:43 +02:00
|
|
|
void (*remap)(in_port_t port, in_port_t delta);
|
2022-07-13 08:05:01 +02:00
|
|
|
uint8_t *map, exclude[USHRT_MAX / 8] = { 0 };
|
|
|
|
char buf[BUFSIZ], *sep, *spec, *p;
|
2022-05-01 06:36:34 +02:00
|
|
|
sa_family_t af = AF_UNSPEC;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
if (optname == 't') {
|
|
|
|
map = c->tcp.port_to_tap;
|
|
|
|
remap = tcp_remap_to_tap;
|
|
|
|
} else if (optname == 'T') {
|
|
|
|
map = c->tcp.port_to_init;
|
|
|
|
remap = tcp_remap_to_init;
|
|
|
|
} else if (optname == 'u') {
|
|
|
|
map = c->udp.port_to_tap;
|
|
|
|
remap = udp_remap_to_tap;
|
|
|
|
} else if (optname == 'U') {
|
|
|
|
map = c->udp.port_to_init;
|
|
|
|
remap = udp_remap_to_init;
|
|
|
|
} else { /* For gcc -O3 */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!strcmp(optarg, "none")) {
|
|
|
|
if (*set)
|
|
|
|
return -EINVAL;
|
|
|
|
*set = PORT_NONE;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!strcmp(optarg, "auto")) {
|
|
|
|
if (*set || c->mode != MODE_PASTA)
|
|
|
|
return -EINVAL;
|
|
|
|
*set = PORT_AUTO;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!strcmp(optarg, "all")) {
|
2022-05-01 06:36:34 +02:00
|
|
|
int i;
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
if (*set || c->mode != MODE_PASST)
|
|
|
|
return -EINVAL;
|
|
|
|
*set = PORT_ALL;
|
|
|
|
memset(map, 0xff, PORT_EPHEMERAL_MIN / 8);
|
2022-05-01 06:36:34 +02:00
|
|
|
|
|
|
|
for (i = 0; i < PORT_EPHEMERAL_MIN; i++) {
|
|
|
|
if (optname == 't')
|
|
|
|
tcp_sock_init(c, 0, AF_UNSPEC, NULL, i);
|
|
|
|
else if (optname == 'u')
|
|
|
|
udp_sock_init(c, 0, AF_UNSPEC, NULL, i);
|
|
|
|
}
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (*set > PORT_SPEC)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
*set = PORT_SPEC;
|
|
|
|
|
2022-05-01 06:36:34 +02:00
|
|
|
strncpy(buf, optarg, sizeof(buf) - 1);
|
|
|
|
|
2022-07-13 08:05:01 +02:00
|
|
|
if ((spec = strchr(buf, '/'))) {
|
|
|
|
*spec = 0;
|
|
|
|
spec++;
|
2022-05-01 06:36:34 +02:00
|
|
|
|
|
|
|
if (optname != 't' && optname != 'u')
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
if (inet_pton(AF_INET, buf, addr))
|
|
|
|
af = AF_INET;
|
|
|
|
else if (inet_pton(AF_INET6, buf, addr))
|
|
|
|
af = AF_INET6;
|
|
|
|
else
|
|
|
|
goto bad;
|
|
|
|
} else {
|
2022-07-13 08:05:01 +02:00
|
|
|
spec = buf;
|
2022-05-01 06:36:34 +02:00
|
|
|
|
|
|
|
addr = NULL;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
2022-07-13 08:05:01 +02:00
|
|
|
if (strspn(spec, "0123456789-,:~") != strlen(spec))
|
2022-05-01 06:36:34 +02:00
|
|
|
goto bad;
|
|
|
|
|
2022-07-13 08:05:01 +02:00
|
|
|
/* Mark all exclusions first, they might be given after base ranges */
|
|
|
|
p = spec;
|
|
|
|
start_src = end_src = -1;
|
2021-08-12 15:42:43 +02:00
|
|
|
do {
|
2022-07-13 08:05:01 +02:00
|
|
|
while (*p != '~' && start_src == -1) {
|
|
|
|
exclude_only = 0;
|
|
|
|
|
|
|
|
if (!(p = strchr(p, ',')))
|
|
|
|
break;
|
|
|
|
|
|
|
|
p++;
|
|
|
|
}
|
|
|
|
if (!p || !*p)
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (*p == '~')
|
|
|
|
p++;
|
|
|
|
|
|
|
|
errno = 0;
|
|
|
|
port = strtol(p, &sep, 10);
|
|
|
|
if (sep == p)
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (port < 0 || port > USHRT_MAX || errno)
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
switch (*sep) {
|
|
|
|
case '-':
|
|
|
|
if (start_src == -1) /* ~22-... */
|
|
|
|
start_src = port;
|
|
|
|
break;
|
|
|
|
case ',':
|
|
|
|
case 0:
|
|
|
|
if (start_src == -1) /* ~80 */
|
|
|
|
start_src = end_src = port;
|
|
|
|
else if (end_src == -1) /* ~22-25 */
|
|
|
|
end_src = port;
|
|
|
|
else
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
if (start_src > end_src) /* ~80-22 */
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
for (i = start_src; i <= end_src; i++) {
|
|
|
|
if (bitmap_isset(exclude, i))
|
|
|
|
goto overlap;
|
|
|
|
|
|
|
|
bitmap_set(exclude, i);
|
|
|
|
}
|
2022-07-14 16:35:57 +02:00
|
|
|
start_src = end_src = -1;
|
2022-07-13 08:05:01 +02:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
p = sep + 1;
|
|
|
|
} while (*sep);
|
|
|
|
|
|
|
|
if (exclude_only) {
|
|
|
|
for (i = 0; i < PORT_EPHEMERAL_MIN; i++) {
|
|
|
|
if (bitmap_isset(exclude, i))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
bitmap_set(map, i);
|
|
|
|
|
|
|
|
if (optname == 't')
|
|
|
|
tcp_sock_init(c, 0, af, addr, i);
|
|
|
|
else if (optname == 'u')
|
|
|
|
udp_sock_init(c, 0, af, addr, i);
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Now process base ranges, skipping exclusions */
|
|
|
|
start_src = end_src = start_dst = end_dst = -1;
|
|
|
|
p = spec;
|
|
|
|
do {
|
|
|
|
while (*p == '~') {
|
|
|
|
if (!(p = strchr(p, ',')))
|
|
|
|
break;
|
|
|
|
p++;
|
|
|
|
}
|
|
|
|
if (!p || !*p)
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-10-14 03:08:54 +02:00
|
|
|
errno = 0;
|
2021-08-12 15:42:43 +02:00
|
|
|
port = strtol(p, &sep, 10);
|
|
|
|
if (sep == p)
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (port < 0 || port > USHRT_MAX || errno)
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
/* -p 22
|
|
|
|
* ^ start_src end_src == start_dst == end_dst == -1
|
|
|
|
*
|
|
|
|
* -p 22-25
|
|
|
|
* | ^ end_src
|
|
|
|
* ` start_src start_dst == end_dst == -1
|
|
|
|
*
|
|
|
|
* -p 80:8080
|
|
|
|
* | ^ start_dst
|
|
|
|
* ` start_src end_src == end_dst == -1
|
|
|
|
*
|
|
|
|
* -p 22-80:8022-8080
|
|
|
|
* | | | ^ end_dst
|
|
|
|
* | | ` start_dst
|
|
|
|
* | ` end_dst
|
|
|
|
* ` start_src
|
|
|
|
*/
|
|
|
|
switch (*sep) {
|
|
|
|
case '-':
|
|
|
|
if (start_src == -1) { /* 22-... */
|
|
|
|
start_src = port;
|
|
|
|
} else {
|
|
|
|
if (!end_src) /* 22:8022-8080 */
|
|
|
|
goto bad;
|
|
|
|
start_dst = port; /* 22-80:8022-... */
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case ':':
|
|
|
|
if (start_src == -1) /* 80:... */
|
|
|
|
start_src = end_src = port;
|
|
|
|
else if (end_src == -1) /* 22-80:... */
|
|
|
|
end_src = port;
|
|
|
|
else /* 22-80:8022:... */
|
|
|
|
goto bad;
|
|
|
|
break;
|
|
|
|
case ',':
|
|
|
|
case 0:
|
|
|
|
if (start_src == -1) /* 80 */
|
|
|
|
start_src = end_src = port;
|
|
|
|
else if (end_src == -1) /* 22-25 */
|
|
|
|
end_src = port;
|
|
|
|
else if (start_dst == -1) /* 80:8080 */
|
|
|
|
start_dst = end_dst = port;
|
|
|
|
else if (end_dst == -1) /* 22-80:8022-8080 */
|
|
|
|
end_dst = port;
|
|
|
|
else
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
if (start_src > end_src) /* 80-22 */
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
if (start_dst > end_dst) /* 22-80:8080:8022 */
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
if (end_dst != -1 &&
|
|
|
|
end_dst - start_dst != end_src - start_src)
|
|
|
|
goto bad; /* 22-81:8022:8080 */
|
|
|
|
|
|
|
|
for (i = start_src; i <= end_src; i++) {
|
|
|
|
if (bitmap_isset(map, i))
|
|
|
|
goto overlap;
|
|
|
|
|
2022-07-13 08:05:01 +02:00
|
|
|
if (bitmap_isset(exclude, i))
|
|
|
|
continue;
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
bitmap_set(map, i);
|
|
|
|
|
2022-05-01 06:36:34 +02:00
|
|
|
if (start_dst != -1) {
|
|
|
|
/* 80:8080 or 22-80:8080:8080 */
|
|
|
|
remap(i, (in_port_t)(start_dst -
|
|
|
|
start_src));
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-05-01 06:36:34 +02:00
|
|
|
if (optname == 't')
|
|
|
|
tcp_sock_init(c, 0, af, addr, i);
|
|
|
|
else if (optname == 'u')
|
|
|
|
udp_sock_init(c, 0, af, addr, i);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
start_src = end_src = start_dst = end_dst = -1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
p = sep + 1;
|
|
|
|
} while (*sep);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
bad:
|
|
|
|
err("Invalid port specifier %s", optarg);
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
overlap:
|
|
|
|
err("Overlapping port specifier %s", optarg);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* get_dns() - Get nameserver addresses from local /etc/resolv.conf
|
|
|
|
* @c: Execution context
|
|
|
|
*/
|
|
|
|
static void get_dns(struct ctx *c)
|
|
|
|
{
|
2021-10-14 01:21:29 +02:00
|
|
|
int dns4_set, dns6_set, dnss_set, dns_set, fd;
|
2021-08-12 15:42:43 +02:00
|
|
|
struct in6_addr *dns6 = &c->dns6[0];
|
|
|
|
struct fqdn *s = c->dns_search;
|
|
|
|
uint32_t *dns4 = &c->dns4[0];
|
2022-06-24 04:17:30 +02:00
|
|
|
struct lineread resolvconf;
|
|
|
|
int line_len;
|
|
|
|
char *line, *p, *end;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
dns4_set = !c->ifi4 || !!*dns4;
|
|
|
|
dns6_set = !c->ifi6 || !IN6_IS_ADDR_UNSPECIFIED(dns6);
|
2021-08-12 15:42:43 +02:00
|
|
|
dnss_set = !!*s->n || c->no_dns_search;
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
dns_set = (dns4_set && dns6_set) || c->no_dns;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
if (dns_set && dnss_set)
|
|
|
|
return;
|
|
|
|
|
2022-03-27 13:10:26 +02:00
|
|
|
if ((fd = open("/etc/resolv.conf", O_RDONLY | O_CLOEXEC)) < 0)
|
2021-08-12 15:42:43 +02:00
|
|
|
goto out;
|
|
|
|
|
2022-06-24 04:17:30 +02:00
|
|
|
lineread_init(&resolvconf, fd);
|
|
|
|
while ((line_len = lineread_get(&resolvconf, &line)) > 0) {
|
|
|
|
if (!dns_set && strstr(line, "nameserver ") == line) {
|
|
|
|
p = strrchr(line, ' ');
|
2021-08-12 15:42:43 +02:00
|
|
|
if (!p)
|
|
|
|
continue;
|
|
|
|
|
2022-06-24 04:17:30 +02:00
|
|
|
end = strpbrk(line, "%\n");
|
2021-08-12 15:42:43 +02:00
|
|
|
if (end)
|
|
|
|
*end = 0;
|
|
|
|
|
2021-10-10 01:13:37 +02:00
|
|
|
if (!dns4_set &&
|
|
|
|
dns4 - &c->dns4[0] < ARRAY_SIZE(c->dns4) - 1 &&
|
2021-09-26 23:22:31 +02:00
|
|
|
inet_pton(AF_INET, p + 1, dns4)) {
|
2022-07-06 09:28:56 +02:00
|
|
|
/* We can only access local addresses via the gw redirect */
|
|
|
|
if (ntohl(*dns4) >> IN_CLASSA_NSHIFT == IN_LOOPBACKNET) {
|
|
|
|
if (c->no_map_gw) {
|
|
|
|
*dns4 = 0;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
*dns4 = c->gw4;
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
dns4++;
|
2021-09-26 23:22:31 +02:00
|
|
|
*dns4 = 0;
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-10-10 01:13:37 +02:00
|
|
|
if (!dns6_set &&
|
|
|
|
dns6 - &c->dns6[0] < ARRAY_SIZE(c->dns6) - 1 &&
|
2021-09-26 23:22:31 +02:00
|
|
|
inet_pton(AF_INET6, p + 1, dns6)) {
|
2022-07-06 09:28:56 +02:00
|
|
|
/* We can only access local addresses via the gw redirect */
|
|
|
|
if (IN6_IS_ADDR_LOOPBACK(dns6)) {
|
|
|
|
if (c->no_map_gw) {
|
|
|
|
memset(dns6, 0, sizeof(*dns6));
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
memcpy(dns6, &c->gw6, sizeof(*dns6));
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
dns6++;
|
2021-09-26 23:22:31 +02:00
|
|
|
memset(dns6, 0, sizeof(*dns6));
|
|
|
|
}
|
2022-06-24 04:17:30 +02:00
|
|
|
} else if (!dnss_set && strstr(line, "search ") == line &&
|
2021-08-12 15:42:43 +02:00
|
|
|
s == c->dns_search) {
|
2022-06-24 04:17:30 +02:00
|
|
|
end = strpbrk(line, "\n");
|
2021-08-12 15:42:43 +02:00
|
|
|
if (end)
|
|
|
|
*end = 0;
|
|
|
|
|
2022-06-24 04:17:30 +02:00
|
|
|
if (!strtok(line, " \t"))
|
2021-10-19 19:18:04 +02:00
|
|
|
continue;
|
|
|
|
|
2021-09-26 23:22:31 +02:00
|
|
|
while (s - c->dns_search < ARRAY_SIZE(c->dns_search) - 1
|
|
|
|
&& (p = strtok(NULL, " \t"))) {
|
2021-08-12 15:42:43 +02:00
|
|
|
strncpy(s->n, p, sizeof(c->dns_search[0]));
|
|
|
|
s++;
|
2021-09-26 23:22:31 +02:00
|
|
|
*s->n = 0;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-06-24 04:17:30 +02:00
|
|
|
if (line_len < 0)
|
|
|
|
warn("Error reading /etc/resolv.conf: %s", strerror(errno));
|
2021-10-14 01:21:29 +02:00
|
|
|
close(fd);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
out:
|
|
|
|
if (!dns_set && dns4 == c->dns4 && dns6 == c->dns6)
|
|
|
|
warn("Couldn't get any nameserver address");
|
|
|
|
}
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
/**
|
|
|
|
* conf_ns_check() - Check if we can enter configured namespaces
|
|
|
|
* @arg: Execution context
|
|
|
|
*
|
|
|
|
* Return: 0
|
|
|
|
*/
|
|
|
|
static int conf_ns_check(void *arg)
|
|
|
|
{
|
|
|
|
struct ctx *c = (struct ctx *)arg;
|
|
|
|
|
2022-01-25 20:08:00 +01:00
|
|
|
if ((!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER)) ||
|
|
|
|
setns(c->pasta_netns_fd, CLONE_NEWNET))
|
2021-09-29 16:11:06 +02:00
|
|
|
c->pasta_userns_fd = c->pasta_netns_fd = -1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* conf_ns_opt() - Open network, user namespaces descriptors from configuration
|
|
|
|
* @c: Execution context
|
|
|
|
* @nsdir: --nsrun-dir argument, can be an empty string
|
|
|
|
* @conf_userns: --userns argument, can be an empty string
|
|
|
|
* @optarg: PID, path or name of namespace
|
|
|
|
*
|
|
|
|
* Return: 0 on success, negative error code otherwise
|
|
|
|
*/
|
|
|
|
static int conf_ns_opt(struct ctx *c,
|
2022-03-26 07:23:21 +01:00
|
|
|
char *nsdir, const char *conf_userns, const char *optarg)
|
2021-09-29 16:11:06 +02:00
|
|
|
{
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
int ufd = -1, nfd = -1, try, ret, netns_only_reset = c->netns_only;
|
2021-10-19 19:18:04 +02:00
|
|
|
char userns[PATH_MAX] = { 0 }, netns[PATH_MAX];
|
2021-09-29 16:11:06 +02:00
|
|
|
char *endptr;
|
2022-04-05 07:24:48 +02:00
|
|
|
long pid_arg;
|
2021-09-29 16:11:06 +02:00
|
|
|
pid_t pid;
|
|
|
|
|
|
|
|
if (c->netns_only && *conf_userns) {
|
|
|
|
err("Both --userns and --netns-only given");
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* It might be a PID, a netns path, or a netns name */
|
|
|
|
for (try = 0; try < 3; try++) {
|
|
|
|
if (try == 0) {
|
2022-04-05 07:24:48 +02:00
|
|
|
pid_arg = strtol(optarg, &endptr, 10);
|
|
|
|
if (*endptr || pid_arg < 0 || pid_arg > INT_MAX)
|
2021-09-29 16:11:06 +02:00
|
|
|
continue;
|
|
|
|
|
2022-04-05 07:24:48 +02:00
|
|
|
pid = pid_arg;
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
if (!*conf_userns && !c->netns_only) {
|
|
|
|
ret = snprintf(userns, PATH_MAX,
|
|
|
|
"/proc/%i/ns/user", pid);
|
|
|
|
if (ret <= 0 || ret > (int)sizeof(userns))
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
ret = snprintf(netns, PATH_MAX, "/proc/%i/ns/net", pid);
|
|
|
|
if (ret <= 0 || ret > (int)sizeof(netns))
|
|
|
|
continue;
|
|
|
|
} else if (try == 1) {
|
|
|
|
if (!*conf_userns)
|
|
|
|
c->netns_only = 1;
|
|
|
|
|
|
|
|
ret = snprintf(netns, PATH_MAX, "%s", optarg);
|
|
|
|
if (ret <= 0 || ret > (int)sizeof(userns))
|
|
|
|
continue;
|
|
|
|
} else if (try == 2) {
|
|
|
|
ret = snprintf(netns, PATH_MAX, "%s/%s",
|
|
|
|
*nsdir ? nsdir : NETNS_RUN_DIR, optarg);
|
|
|
|
if (ret <= 0 || ret > (int)sizeof(netns))
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2022-03-27 13:10:26 +02:00
|
|
|
/* Don't pass O_CLOEXEC here: ns_enter() needs those files */
|
2021-09-29 16:11:06 +02:00
|
|
|
if (!c->netns_only) {
|
|
|
|
if (*conf_userns)
|
2022-03-27 13:10:26 +02:00
|
|
|
/* NOLINTNEXTLINE(android-cloexec-open) */
|
2021-09-29 16:11:06 +02:00
|
|
|
ufd = open(conf_userns, O_RDONLY);
|
|
|
|
else if (*userns)
|
2022-03-27 13:10:26 +02:00
|
|
|
/* NOLINTNEXTLINE(android-cloexec-open) */
|
2021-09-29 16:11:06 +02:00
|
|
|
ufd = open(userns, O_RDONLY);
|
|
|
|
}
|
|
|
|
|
2022-03-27 13:10:26 +02:00
|
|
|
/* NOLINTNEXTLINE(android-cloexec-open) */
|
2021-09-29 16:11:06 +02:00
|
|
|
nfd = open(netns, O_RDONLY);
|
|
|
|
|
2022-02-18 16:12:11 +01:00
|
|
|
if (nfd == -1 || (ufd == -1 && !c->netns_only)) {
|
|
|
|
if (nfd >= 0)
|
|
|
|
close(nfd);
|
2021-09-29 16:11:06 +02:00
|
|
|
|
2022-02-18 16:12:11 +01:00
|
|
|
if (ufd >= 0)
|
|
|
|
close(ufd);
|
|
|
|
|
|
|
|
continue;
|
2021-09-29 16:11:06 +02:00
|
|
|
}
|
|
|
|
|
2022-02-18 16:12:11 +01:00
|
|
|
c->pasta_netns_fd = nfd;
|
|
|
|
c->pasta_userns_fd = ufd;
|
|
|
|
|
|
|
|
NS_CALL(conf_ns_check, c);
|
|
|
|
|
|
|
|
if (c->pasta_netns_fd >= 0) {
|
|
|
|
char buf[PATH_MAX];
|
|
|
|
|
|
|
|
if (try == 0 || c->no_netns_quit)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
strncpy(buf, netns, PATH_MAX);
|
|
|
|
strncpy(c->netns_base, basename(buf), PATH_MAX - 1);
|
|
|
|
strncpy(buf, netns, PATH_MAX);
|
|
|
|
strncpy(c->netns_dir, dirname(buf), PATH_MAX - 1);
|
2021-09-29 16:11:06 +02:00
|
|
|
|
2022-02-18 16:12:11 +01:00
|
|
|
return 0;
|
|
|
|
}
|
2021-09-29 16:11:06 +02:00
|
|
|
}
|
|
|
|
|
2021-10-14 12:12:33 +02:00
|
|
|
c->netns_only = netns_only_reset;
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
return -ENOENT;
|
|
|
|
}
|
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
/**
|
2022-07-22 07:31:17 +02:00
|
|
|
* conf_ip4() - Verify or detect IPv4 support, get relevant addresses
|
2021-10-11 12:01:31 +02:00
|
|
|
* @c: Execution context
|
2022-07-22 07:31:17 +02:00
|
|
|
* @ifi: Host interface to attempt (0 to determine one)
|
|
|
|
*
|
|
|
|
* Return: Interface index for IPv4, or 0 on failure.
|
2021-10-11 12:01:31 +02:00
|
|
|
*/
|
2022-07-22 07:31:17 +02:00
|
|
|
static unsigned int conf_ip4(struct ctx *c, unsigned int ifi)
|
2021-10-11 12:01:31 +02:00
|
|
|
{
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!ifi)
|
|
|
|
ifi = nl_get_ext_if(AF_INET);
|
2022-07-22 07:31:13 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!ifi) {
|
|
|
|
warn("No external routable interface for IPv4");
|
|
|
|
return 0;
|
2022-07-22 07:31:13 +02:00
|
|
|
}
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!c->gw4)
|
|
|
|
nl_route(0, ifi, AF_INET, &c->gw4);
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!c->addr4) {
|
|
|
|
int mask_len = 0;
|
2021-10-19 09:01:27 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
nl_addr(0, ifi, AF_INET, &c->addr4, &mask_len, NULL);
|
|
|
|
c->mask4 = htonl(0xffffffff << (32 - mask_len));
|
|
|
|
}
|
2021-10-19 09:01:27 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!c->mask4) {
|
|
|
|
if (IN_CLASSA(ntohl(c->addr4)))
|
|
|
|
c->mask4 = htonl(IN_CLASSA_NET);
|
|
|
|
else if (IN_CLASSB(ntohl(c->addr4)))
|
|
|
|
c->mask4 = htonl(IN_CLASSB_NET);
|
|
|
|
else if (IN_CLASSC(ntohl(c->addr4)))
|
|
|
|
c->mask4 = htonl(IN_CLASSC_NET);
|
|
|
|
else
|
|
|
|
c->mask4 = 0xffffffff;
|
|
|
|
}
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
memcpy(&c->addr4_seen, &c->addr4, sizeof(c->addr4_seen));
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (MAC_IS_ZERO(c->mac))
|
|
|
|
nl_link(0, ifi, c->mac, 0, 0);
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!c->gw4 || !c->addr4 || MAC_IS_ZERO(c->mac))
|
|
|
|
return 0;
|
2021-10-19 09:01:27 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
return ifi;
|
|
|
|
}
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
/**
|
|
|
|
* conf_ip6() - Verify or detect IPv6 support, get relevant addresses
|
|
|
|
* @c: Execution context
|
|
|
|
* @ifi: Host interface to attempt (0 to determine one)
|
|
|
|
*
|
|
|
|
* Return: Interface index for IPv6, or 0 on failure.
|
|
|
|
*/
|
|
|
|
static unsigned int conf_ip6(struct ctx *c, unsigned int ifi)
|
|
|
|
{
|
|
|
|
int prefix_len = 0;
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!ifi)
|
|
|
|
ifi = nl_get_ext_if(AF_INET6);
|
2022-07-22 07:31:14 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!ifi) {
|
|
|
|
warn("No external routable interface for IPv6");
|
|
|
|
return 0;
|
2021-10-11 12:01:31 +02:00
|
|
|
}
|
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->gw6))
|
|
|
|
nl_route(0, ifi, AF_INET6, &c->gw6);
|
|
|
|
|
|
|
|
nl_addr(0, ifi, AF_INET6,
|
|
|
|
IN6_IS_ADDR_UNSPECIFIED(&c->addr6) ? &c->addr6 : NULL,
|
|
|
|
&prefix_len, &c->addr6_ll);
|
|
|
|
|
|
|
|
memcpy(&c->addr6_seen, &c->addr6, sizeof(c->addr6));
|
|
|
|
memcpy(&c->addr6_ll_seen, &c->addr6_ll, sizeof(c->addr6_ll));
|
|
|
|
|
|
|
|
if (MAC_IS_ZERO(c->mac))
|
|
|
|
nl_link(0, ifi, c->mac, 0, 0);
|
2021-10-11 12:01:31 +02:00
|
|
|
|
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->gw6) ||
|
|
|
|
IN6_IS_ADDR_UNSPECIFIED(&c->addr6) ||
|
2022-07-22 07:31:14 +02:00
|
|
|
IN6_IS_ADDR_UNSPECIFIED(&c->addr6_ll) ||
|
|
|
|
MAC_IS_ZERO(c->mac))
|
2022-07-22 07:31:17 +02:00
|
|
|
return 0;
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
return ifi;
|
2021-10-11 12:01:31 +02:00
|
|
|
}
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
/**
|
|
|
|
* usage() - Print usage and exit
|
|
|
|
* @name: Executable name
|
|
|
|
*/
|
|
|
|
static void usage(const char *name)
|
|
|
|
{
|
2022-02-17 01:41:28 +01:00
|
|
|
if (strstr(name, "pasta")) {
|
2021-09-29 16:11:06 +02:00
|
|
|
info("Usage: %s [OPTION]... [PID|PATH|NAME]", name);
|
2021-08-12 15:42:43 +02:00
|
|
|
info("");
|
2021-09-29 16:11:06 +02:00
|
|
|
info("Without PID|PATH|NAME, run the default shell in a new");
|
|
|
|
info("network and user namespace, and connect it via pasta.");
|
2021-08-12 15:42:43 +02:00
|
|
|
} else {
|
|
|
|
info("Usage: %s [OPTION]...", name);
|
|
|
|
}
|
|
|
|
info("");
|
|
|
|
|
|
|
|
info( " -d, --debug Be verbose, don't run in background");
|
2022-03-15 00:59:09 +01:00
|
|
|
info( " --trace Be extra verbose, implies --debug");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -q, --quiet Don't print informational messages");
|
|
|
|
info( " -f, --foreground Don't run in background");
|
|
|
|
info( " default: run in background if started from a TTY");
|
|
|
|
info( " -e, --stderr Log to stderr too");
|
|
|
|
info( " default: log to system logger only if started from a TTY");
|
2022-05-18 19:10:45 +02:00
|
|
|
info( " --runas UID|UID:GID Use given UID, GID if started as root");
|
|
|
|
info( " UID and GID can be numeric, or login and group names");
|
|
|
|
info( " default: drop to user \"nobody\"");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -h, --help Display this help message and exit");
|
|
|
|
|
2022-02-17 01:41:28 +01:00
|
|
|
if (strstr(name, "pasta")) {
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -I, --ns-ifname NAME namespace interface name");
|
|
|
|
info( " default: same interface name as external one");
|
|
|
|
} else {
|
|
|
|
info( " -s, --socket PATH UNIX domain socket path");
|
|
|
|
info( " default: probe free path starting from "
|
|
|
|
UNIX_SOCK_PATH, 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
info( " -p, --pcap [FILE] Log tap-facing traffic to pcap file");
|
|
|
|
info( " if FILE is not given, log to:");
|
|
|
|
|
2022-02-17 01:41:28 +01:00
|
|
|
if (strstr(name, "pasta"))
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
info(" /tmp/pasta_ISO8601-TIMESTAMP_PID.pcap");
|
2021-08-12 15:42:43 +02:00
|
|
|
else
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
info(" /tmp/passt_ISO8601-TIMESTAMP_PID.pcap");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-10-14 12:17:47 +02:00
|
|
|
info( " -P, --pid FILE Write own PID to the given file");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -m, --mtu MTU Assign MTU via DHCP/NDP");
|
2021-09-07 11:19:57 +02:00
|
|
|
info( " a zero value disables assignment");
|
|
|
|
info( " default: 65520: maximum 802.3 MTU minus 802.3 header");
|
|
|
|
info( " length, rounded to 32 bits (IPv4 words)");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -a, --address ADDR Assign IPv4 or IPv6 address ADDR");
|
|
|
|
info( " can be specified zero to two times (for IPv4 and IPv6)");
|
|
|
|
info( " default: use addresses from interface with default route");
|
|
|
|
info( " -n, --netmask MASK Assign IPv4 MASK, dot-decimal or bits");
|
|
|
|
info( " default: netmask from matching address on the host");
|
|
|
|
info( " -M, --mac-addr ADDR Use source MAC address ADDR");
|
|
|
|
info( " default: MAC address from interface with default route");
|
|
|
|
info( " -g, --gateway ADDR Pass IPv4 or IPv6 address as gateway");
|
|
|
|
info( " default: gateway from interface with default route");
|
|
|
|
info( " -i, --interface NAME Interface for addresses and routes");
|
|
|
|
info( " default: interface with first default route");
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info( " -D, --dns ADDR Use IPv4 or IPv6 address as DNS");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " can be specified multiple times");
|
|
|
|
info( " a single, empty option disables DNS information");
|
2022-02-17 01:41:28 +01:00
|
|
|
if (strstr(name, "pasta"))
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info( " default: don't use any addresses");
|
2021-08-12 15:42:43 +02:00
|
|
|
else
|
|
|
|
info( " default: use addresses from /etc/resolv.conf");
|
|
|
|
|
|
|
|
info( " -S, --search LIST Space-separated list, search domains");
|
|
|
|
info( " a single, empty option disables the DNS search list");
|
2022-02-17 01:41:28 +01:00
|
|
|
if (strstr(name, "pasta"))
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info( " default: don't use any search list");
|
2021-08-12 15:42:43 +02:00
|
|
|
else
|
|
|
|
info( " default: use search list from /etc/resolv.conf");
|
|
|
|
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
if (strstr(name, "pasta"))
|
|
|
|
info(" --dhcp-dns: \tPass DNS list via DHCP/DHCPv6/NDP");
|
|
|
|
else
|
|
|
|
info(" --no-dhcp-dns: No DNS list in DHCP/DHCPv6/NDP");
|
|
|
|
|
|
|
|
if (strstr(name, "pasta"))
|
|
|
|
info(" --dhcp-search: Pass list via DHCP/DHCPv6/NDP");
|
|
|
|
else
|
|
|
|
info(" --no-dhcp-search: No list in DHCP/DHCPv6/NDP");
|
|
|
|
|
|
|
|
info( " --dns-forward ADDR Forward DNS queries sent to ADDR");
|
|
|
|
info( " can be specified zero to two times (for IPv4 and IPv6)");
|
|
|
|
info( " default: don't forward DNS queries");
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " --no-tcp Disable TCP protocol handler");
|
|
|
|
info( " --no-udp Disable UDP protocol handler");
|
|
|
|
info( " --no-icmp Disable ICMP/ICMPv6 protocol handler");
|
|
|
|
info( " --no-dhcp Disable DHCP server");
|
|
|
|
info( " --no-ndp Disable NDP responses");
|
|
|
|
info( " --no-dhcpv6 Disable DHCPv6 server");
|
|
|
|
info( " --no-ra Disable router advertisements");
|
2021-10-14 05:26:37 +02:00
|
|
|
info( " --no-map-gw Don't map gateway address to host");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -4, --ipv4-only Enable IPv4 operation only");
|
|
|
|
info( " -6, --ipv6-only Enable IPv6 operation only");
|
|
|
|
|
2022-02-17 01:41:28 +01:00
|
|
|
if (strstr(name, "pasta"))
|
2021-09-29 16:11:06 +02:00
|
|
|
goto pasta_opts;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
info( " -t, --tcp-ports SPEC TCP port forwarding to guest");
|
|
|
|
info( " can be specified multiple times");
|
|
|
|
info( " SPEC can be:");
|
|
|
|
info( " 'none': don't forward any ports");
|
|
|
|
info( " 'all': forward all unbound, non-ephemeral ports");
|
2021-08-19 19:46:01 +02:00
|
|
|
info( " a comma-separated list, optionally ranged with '-'");
|
2022-05-01 06:36:34 +02:00
|
|
|
info( " and optional target ports after ':', with optional");
|
2022-07-13 08:05:01 +02:00
|
|
|
info( " address specification suffixed by '/'. Ranges can be");
|
|
|
|
info( " reduced by excluding ports or ranges prefixed by '~'");
|
|
|
|
info( " Examples:");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -t 22 Forward local port 22 to 22 on guest");
|
|
|
|
info( " -t 22:23 Forward local port 22 to 23 on guest");
|
|
|
|
info( " -t 22,25 Forward ports 22, 25 to ports 22, 25");
|
|
|
|
info( " -t 22-80 Forward ports 22 to 80");
|
|
|
|
info( " -t 22-80:32-90 Forward ports 22 to 80 to");
|
|
|
|
info( " corresponding port numbers plus 10");
|
2022-05-01 06:36:34 +02:00
|
|
|
info( " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1 to guest");
|
2022-07-13 08:05:01 +02:00
|
|
|
info( " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25");
|
|
|
|
info( " -t ~25 Forward all ports except for 25");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " default: none");
|
|
|
|
info( " -u, --udp-ports SPEC UDP port forwarding to guest");
|
|
|
|
info( " SPEC is as described for TCP above");
|
|
|
|
info( " default: none");
|
|
|
|
|
|
|
|
exit(EXIT_FAILURE);
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
pasta_opts:
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -t, --tcp-ports SPEC TCP port forwarding to namespace");
|
|
|
|
info( " can be specified multiple times");
|
|
|
|
info( " SPEC can be:");
|
|
|
|
info( " 'none': don't forward any ports");
|
|
|
|
info( " 'auto': forward all ports currently bound in namespace");
|
2021-08-19 19:46:01 +02:00
|
|
|
info( " a comma-separated list, optionally ranged with '-'");
|
2022-05-01 06:36:34 +02:00
|
|
|
info( " and optional target ports after ':', with optional");
|
|
|
|
info( " address specification suffixed by '/'. Examples:");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -t 22 Forward local port 22 to port 22 in netns");
|
|
|
|
info( " -t 22:23 Forward local port 22 to port 23");
|
|
|
|
info( " -t 22,25 Forward ports 22, 25 to ports 22, 25");
|
|
|
|
info( " -t 22-80 Forward ports 22 to 80");
|
|
|
|
info( " -t 22-80:32-90 Forward ports 22 to 80 to");
|
|
|
|
info( " corresponding port numbers plus 10");
|
2022-05-01 06:36:34 +02:00
|
|
|
info( " -t 192.0.2.1/5 Bind port 5 of 192.0.2.1 to namespace");
|
2022-07-13 08:05:01 +02:00
|
|
|
info( " -t 5-25,~10-20 Forward ports 5 to 9, and 21 to 25");
|
|
|
|
info( " -t ~25 Forward all bound ports except for 25");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " default: auto");
|
|
|
|
info( " IPv6 bound ports are also forwarded for IPv4");
|
|
|
|
info( " -u, --udp-ports SPEC UDP port forwarding to namespace");
|
|
|
|
info( " SPEC is as described for TCP above");
|
|
|
|
info( " default: auto");
|
2021-09-07 11:28:57 +02:00
|
|
|
info( " IPv6 bound ports are also forwarded for IPv4");
|
|
|
|
info( " unless specified, with '-t auto', UDP ports with numbers");
|
|
|
|
info( " corresponding to forwarded TCP port numbers are");
|
|
|
|
info( " forwarded too");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -T, --tcp-ns SPEC TCP port forwarding to init namespace");
|
|
|
|
info( " SPEC is as described above");
|
|
|
|
info( " default: auto");
|
|
|
|
info( " -U, --udp-ns SPEC UDP port forwarding to init namespace");
|
|
|
|
info( " SPEC is as described above");
|
|
|
|
info( " default: auto");
|
2021-09-29 16:11:06 +02:00
|
|
|
info( " --userns NSPATH Target user namespace to join");
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
info( " --netns-only Don't join existing user namespace");
|
2021-09-29 16:11:06 +02:00
|
|
|
info( " implied if PATH or NAME are given without --userns");
|
|
|
|
info( " --nsrun-dir Directory for nsfs mountpoints");
|
|
|
|
info( " default: " NETNS_RUN_DIR);
|
2021-10-11 12:01:31 +02:00
|
|
|
info( " --config-net Configure tap interface in namespace");
|
|
|
|
info( " --ns-mac-addr ADDR Set MAC address on tap interface");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
exit(EXIT_FAILURE);
|
|
|
|
}
|
|
|
|
|
2022-03-26 07:23:21 +01:00
|
|
|
/**
|
|
|
|
* conf_print() - Print fundamental configuration parameters
|
|
|
|
* @c: Execution context
|
|
|
|
*/
|
|
|
|
static void conf_print(const struct ctx *c)
|
2021-08-12 15:42:43 +02:00
|
|
|
{
|
2021-10-21 09:41:13 +02:00
|
|
|
char buf4[INET_ADDRSTRLEN], ifn[IFNAMSIZ];
|
2021-08-12 15:42:43 +02:00
|
|
|
int i;
|
|
|
|
|
2022-07-22 07:31:12 +02:00
|
|
|
if (c->ifi4)
|
|
|
|
info("Outbound interface (IPv4): %s", if_indextoname(c->ifi4, ifn));
|
|
|
|
if (c->ifi6)
|
|
|
|
info("Outbound interface (IPv6): %s", if_indextoname(c->ifi6, ifn));
|
|
|
|
if (c->mode == MODE_PASTA)
|
|
|
|
info("Namespace interface: %s", c->pasta_ifn);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-07-22 07:31:14 +02:00
|
|
|
info("MAC:");
|
|
|
|
info(" host: %02x:%02x:%02x:%02x:%02x:%02x",
|
|
|
|
c->mac[0], c->mac[1], c->mac[2],
|
|
|
|
c->mac[3], c->mac[4], c->mac[5]);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (c->ifi4) {
|
2021-08-12 15:42:43 +02:00
|
|
|
if (!c->no_dhcp) {
|
|
|
|
info("DHCP:");
|
|
|
|
info(" assign: %s",
|
|
|
|
inet_ntop(AF_INET, &c->addr4, buf4, sizeof(buf4)));
|
|
|
|
info(" mask: %s",
|
|
|
|
inet_ntop(AF_INET, &c->mask4, buf4, sizeof(buf4)));
|
|
|
|
info(" router: %s",
|
|
|
|
inet_ntop(AF_INET, &c->gw4, buf4, sizeof(buf4)));
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; c->dns4[i]; i++) {
|
|
|
|
if (!i)
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info("DNS:");
|
2021-08-12 15:42:43 +02:00
|
|
|
inet_ntop(AF_INET, &c->dns4[i], buf4, sizeof(buf4));
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info(" %s", buf4);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; *c->dns_search[i].n; i++) {
|
|
|
|
if (!i)
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info("DNS search list:");
|
|
|
|
info(" %s", c->dns_search[i].n);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (c->ifi6) {
|
2021-10-21 09:41:13 +02:00
|
|
|
char buf6[INET6_ADDRSTRLEN];
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
if (!c->no_ndp && !c->no_dhcpv6)
|
|
|
|
info("NDP/DHCPv6:");
|
|
|
|
else if (!c->no_ndp)
|
|
|
|
info("DHCPv6:");
|
|
|
|
else if (!c->no_dhcpv6)
|
|
|
|
info("NDP:");
|
|
|
|
else
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
goto dns6;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
info(" assign: %s",
|
|
|
|
inet_ntop(AF_INET6, &c->addr6, buf6, sizeof(buf6)));
|
|
|
|
info(" router: %s",
|
|
|
|
inet_ntop(AF_INET6, &c->gw6, buf6, sizeof(buf6)));
|
2021-10-10 01:09:25 +02:00
|
|
|
info(" our link-local: %s",
|
|
|
|
inet_ntop(AF_INET6, &c->addr6_ll, buf6, sizeof(buf6)));
|
2021-08-12 15:42:43 +02:00
|
|
|
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
dns6:
|
2021-08-12 15:42:43 +02:00
|
|
|
for (i = 0; !IN6_IS_ADDR_UNSPECIFIED(&c->dns6[i]); i++) {
|
|
|
|
if (!i)
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info("DNS:");
|
2021-08-12 15:42:43 +02:00
|
|
|
inet_ntop(AF_INET6, &c->dns6[i], buf6, sizeof(buf6));
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info(" %s", buf6);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; *c->dns_search[i].n; i++) {
|
|
|
|
if (!i)
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
info("DNS search list:");
|
|
|
|
info(" %s", c->dns_search[i].n);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-05-18 19:10:45 +02:00
|
|
|
/**
|
|
|
|
* conf_runas() - Handle --runas: look up desired UID and GID
|
|
|
|
* @opt: Passed option value
|
|
|
|
* @uid: User ID, set on return if valid
|
|
|
|
* @gid: Group ID, set on return if valid
|
|
|
|
*
|
|
|
|
* Return: 0 on success, negative error code on failure
|
|
|
|
*/
|
|
|
|
static int conf_runas(const char *opt, unsigned int *uid, unsigned int *gid)
|
|
|
|
{
|
|
|
|
char ubuf[LOGIN_NAME_MAX], gbuf[LOGIN_NAME_MAX], *endptr;
|
|
|
|
struct passwd *pw;
|
|
|
|
struct group *gr;
|
|
|
|
|
|
|
|
/* NOLINTNEXTLINE(cert-err34-c): 2 if conversion succeeds */
|
2022-05-20 10:50:35 +02:00
|
|
|
if (sscanf(opt, "%u:%u", uid, gid) == 2 && *uid && *gid)
|
2022-05-18 19:10:45 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
*uid = strtol(opt, &endptr, 0);
|
|
|
|
if (!*endptr && (*gid = *uid))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
#ifdef GLIBC_NO_STATIC_NSS
|
|
|
|
(void)ubuf;
|
|
|
|
(void)gbuf;
|
|
|
|
(void)pw;
|
2022-06-16 15:08:27 +02:00
|
|
|
(void)gr;
|
2022-05-18 19:10:45 +02:00
|
|
|
|
|
|
|
return -EINVAL;
|
|
|
|
#else
|
|
|
|
/* NOLINTNEXTLINE(cert-err34-c): 2 if conversion succeeds */
|
|
|
|
if (sscanf(opt, "%" STR(LOGIN_NAME_MAX) "[^:]:"
|
|
|
|
"%" STR(LOGIN_NAME_MAX) "s", ubuf, gbuf) == 2) {
|
2022-05-20 10:50:35 +02:00
|
|
|
if (!(pw = getpwnam(ubuf)) || !(*uid = pw->pw_uid))
|
2022-05-18 19:10:45 +02:00
|
|
|
return -ENOENT;
|
|
|
|
|
2022-05-20 10:50:35 +02:00
|
|
|
if (!(gr = getgrnam(gbuf)) || !(*gid = gr->gr_gid))
|
2022-05-18 19:10:45 +02:00
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
pw = getpwnam(ubuf);
|
|
|
|
if (!pw || !(*uid = pw->pw_uid) || !(*gid = pw->pw_gid))
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
#endif /* !GLIBC_NO_STATIC_NSS */
|
|
|
|
}
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
/**
|
|
|
|
* conf() - Process command-line arguments and set configuration
|
|
|
|
* @c: Execution context
|
|
|
|
* @argc: Argument count
|
|
|
|
* @argv: Options, plus target PID for pasta mode
|
|
|
|
*/
|
|
|
|
void conf(struct ctx *c, int argc, char **argv)
|
|
|
|
{
|
|
|
|
struct option options[] = {
|
|
|
|
{"debug", no_argument, NULL, 'd' },
|
2021-10-07 04:07:59 +02:00
|
|
|
{"quiet", no_argument, NULL, 'q' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"foreground", no_argument, NULL, 'f' },
|
2022-01-27 16:42:19 +01:00
|
|
|
{"stderr", no_argument, NULL, 'e' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"help", no_argument, NULL, 'h' },
|
|
|
|
{"socket", required_argument, NULL, 's' },
|
|
|
|
{"ns-ifname", required_argument, NULL, 'I' },
|
|
|
|
{"pcap", optional_argument, NULL, 'p' },
|
2021-10-14 12:17:47 +02:00
|
|
|
{"pid", required_argument, NULL, 'P' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"mtu", required_argument, NULL, 'm' },
|
|
|
|
{"address", required_argument, NULL, 'a' },
|
|
|
|
{"netmask", required_argument, NULL, 'n' },
|
|
|
|
{"mac-addr", required_argument, NULL, 'M' },
|
|
|
|
{"gateway", required_argument, NULL, 'g' },
|
|
|
|
{"interface", required_argument, NULL, 'i' },
|
|
|
|
{"dns", optional_argument, NULL, 'D' },
|
|
|
|
{"search", optional_argument, NULL, 'S' },
|
|
|
|
{"no-tcp", no_argument, &c->no_tcp, 1 },
|
|
|
|
{"no-udp", no_argument, &c->no_udp, 1 },
|
|
|
|
{"no-icmp", no_argument, &c->no_icmp, 1 },
|
|
|
|
{"no-dhcp", no_argument, &c->no_dhcp, 1 },
|
|
|
|
{"no-dhcpv6", no_argument, &c->no_dhcpv6, 1 },
|
|
|
|
{"no-ndp", no_argument, &c->no_ndp, 1 },
|
|
|
|
{"no-ra", no_argument, &c->no_ra, 1 },
|
2021-10-14 05:26:37 +02:00
|
|
|
{"no-map-gw", no_argument, &c->no_map_gw, 1 },
|
2022-07-22 07:31:16 +02:00
|
|
|
{"ipv4-only", no_argument, NULL, '4' },
|
|
|
|
{"ipv6-only", no_argument, NULL, '6' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"tcp-ports", required_argument, NULL, 't' },
|
|
|
|
{"udp-ports", required_argument, NULL, 'u' },
|
|
|
|
{"tcp-ns", required_argument, NULL, 'T' },
|
|
|
|
{"udp-ns", required_argument, NULL, 'U' },
|
2021-09-29 16:11:06 +02:00
|
|
|
{"userns", required_argument, NULL, 2 },
|
|
|
|
{"netns-only", no_argument, &c->netns_only, 1 },
|
|
|
|
{"nsrun-dir", required_argument, NULL, 3 },
|
2021-10-11 12:01:31 +02:00
|
|
|
{"config-net", no_argument, &c->pasta_conf_ns, 1 },
|
|
|
|
{"ns-mac-addr", required_argument, NULL, 4 },
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
{"dhcp-dns", no_argument, NULL, 5 },
|
|
|
|
{"no-dhcp-dns", no_argument, NULL, 6 },
|
|
|
|
{"dhcp-search", no_argument, NULL, 7 },
|
|
|
|
{"no-dhcp-search", no_argument, NULL, 8 },
|
|
|
|
{"dns-forward", required_argument, NULL, 9 },
|
2022-02-18 16:12:11 +01:00
|
|
|
{"no-netns-quit", no_argument, NULL, 10 },
|
2022-03-15 00:59:09 +01:00
|
|
|
{"trace", no_argument, NULL, 11 },
|
2022-05-18 19:10:45 +02:00
|
|
|
{"runas", required_argument, NULL, 12 },
|
2021-08-12 15:42:43 +02:00
|
|
|
{ 0 },
|
|
|
|
};
|
|
|
|
struct get_bound_ports_ns_arg ns_ports_arg = { .c = c };
|
2021-09-29 16:11:06 +02:00
|
|
|
char nsdir[PATH_MAX] = { 0 }, userns[PATH_MAX] = { 0 };
|
2021-08-12 15:42:43 +02:00
|
|
|
enum conf_port_type tcp_tap = 0, tcp_init = 0;
|
|
|
|
enum conf_port_type udp_tap = 0, udp_init = 0;
|
2022-07-22 07:31:16 +02:00
|
|
|
bool v4_only = false, v6_only = false;
|
2021-08-12 15:42:43 +02:00
|
|
|
struct fqdn *dnss = c->dns_search;
|
|
|
|
struct in6_addr *dns6 = c->dns6;
|
|
|
|
int name, ret, mask, b, i;
|
|
|
|
uint32_t *dns4 = c->dns4;
|
2022-07-22 07:31:17 +02:00
|
|
|
unsigned int ifi = 0;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
if (c->mode == MODE_PASTA)
|
|
|
|
c->no_dhcp_dns = c->no_dhcp_dns_search = 1;
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
do {
|
|
|
|
const char *optstring;
|
|
|
|
|
|
|
|
if (c->mode == MODE_PASST)
|
2021-10-14 12:17:47 +02:00
|
|
|
optstring = "dqfehs:p::P:m:a:n:M:g:i:D::S::46t:u:";
|
2021-08-12 15:42:43 +02:00
|
|
|
else
|
2021-10-14 12:17:47 +02:00
|
|
|
optstring = "dqfehI:p::P:m:a:n:M:g:i:D::S::46t:u:T:U:";
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
name = getopt_long(argc, argv, optstring, options, NULL);
|
|
|
|
|
|
|
|
if ((name == 'p' || name == 'D' || name == 'S') && !optarg &&
|
|
|
|
optind < argc && *argv[optind] && *argv[optind] != '-') {
|
|
|
|
if (c->mode == MODE_PASTA) {
|
2021-09-29 16:11:06 +02:00
|
|
|
if (conf_ns_opt(c, nsdir, userns, argv[optind]))
|
2021-08-12 15:42:43 +02:00
|
|
|
optarg = argv[optind++];
|
|
|
|
} else {
|
|
|
|
optarg = argv[optind++];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (name) {
|
|
|
|
case -1:
|
|
|
|
case 0:
|
|
|
|
break;
|
2021-09-29 16:11:06 +02:00
|
|
|
case 2:
|
|
|
|
if (c->mode != MODE_PASTA) {
|
|
|
|
err("--userns is for pasta mode only");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = snprintf(userns, sizeof(userns), "%s", optarg);
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(userns)) {
|
|
|
|
err("Invalid userns: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 3:
|
|
|
|
if (c->mode != MODE_PASTA) {
|
|
|
|
err("--nsrun-dir is for pasta mode only");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = snprintf(nsdir, sizeof(nsdir), "%s", optarg);
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(nsdir)) {
|
|
|
|
err("Invalid nsrun-dir: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
2021-10-11 12:01:31 +02:00
|
|
|
case 4:
|
|
|
|
if (c->mode != MODE_PASTA) {
|
|
|
|
err("--ns-mac-addr is for pasta mode only");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < ETH_ALEN; i++) {
|
|
|
|
errno = 0;
|
2022-01-30 02:59:12 +01:00
|
|
|
b = strtol(optarg + (intptr_t)i * 3, NULL, 16);
|
2021-10-11 12:01:31 +02:00
|
|
|
if (b < 0 || b > UCHAR_MAX || errno) {
|
|
|
|
err("Invalid MAC address: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
c->mac_guest[i] = b;
|
|
|
|
}
|
|
|
|
break;
|
conf, udp: Introduce basic DNS forwarding
For compatibility with libslirp/slirp4netns users: introduce a
mechanism to map, in the UDP routines, an address facing guest or
namespace to the first IPv4 or IPv6 address resulting from
configuration as resolver. This can be enabled with the new
--dns-forward option.
This implies that sourcing and using DNS addresses and search lists,
passed via command line or read from /etc/resolv.conf, is not bound
anymore to DHCP/DHCPv6/NDP usage: for example, pasta users might just
want to use addresses from /etc/resolv.conf as mapping target, while
not passing DNS options via DHCP.
Reflect this in all the involved code paths by differentiating
DHCP/DHCPv6/NDP usage from DNS configuration per se, and in the new
options --dhcp-dns, --dhcp-search for pasta, and --no-dhcp-dns,
--no-dhcp-search for passt.
This should be the last bit to enable substantial compatibility
between slirp4netns.sh and slirp4netns(1): pass the --dns-forward
option from the script too.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-18 04:03:53 +01:00
|
|
|
case 5:
|
|
|
|
if (c->mode != MODE_PASTA) {
|
|
|
|
err("--dhcp-dns is for pasta mode only");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
c->no_dhcp_dns = 0;
|
|
|
|
break;
|
|
|
|
case 6:
|
|
|
|
if (c->mode != MODE_PASST) {
|
|
|
|
err("--no-dhcp-dns is for passt mode only");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
c->no_dhcp_dns = 1;
|
|
|
|
break;
|
|
|
|
case 7:
|
|
|
|
if (c->mode != MODE_PASTA) {
|
|
|
|
err("--dhcp-search is for pasta mode only");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
c->no_dhcp_dns_search = 0;
|
|
|
|
break;
|
|
|
|
case 8:
|
|
|
|
if (c->mode != MODE_PASST) {
|
|
|
|
err("--no-dhcp-search is for passt mode only");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
c->no_dhcp_dns_search = 1;
|
|
|
|
break;
|
|
|
|
case 9:
|
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->dns6_fwd) &&
|
|
|
|
inet_pton(AF_INET6, optarg, &c->dns6_fwd) &&
|
|
|
|
!IN6_IS_ADDR_UNSPECIFIED(&c->dns6_fwd) &&
|
|
|
|
!IN6_IS_ADDR_LOOPBACK(&c->dns6_fwd))
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (c->dns4_fwd == INADDR_ANY &&
|
|
|
|
inet_pton(AF_INET, optarg, &c->dns4_fwd) &&
|
|
|
|
c->dns4_fwd != INADDR_ANY &&
|
|
|
|
c->dns4_fwd != INADDR_BROADCAST &&
|
|
|
|
c->dns4_fwd != INADDR_LOOPBACK)
|
|
|
|
break;
|
|
|
|
|
|
|
|
err("Invalid DNS forwarding address: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
2022-02-18 16:12:11 +01:00
|
|
|
case 10:
|
|
|
|
if (c->mode != MODE_PASTA) {
|
|
|
|
err("--no-netns-quit is for pasta mode only");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
c->no_netns_quit = 1;
|
|
|
|
break;
|
2022-03-15 00:59:09 +01:00
|
|
|
case 11:
|
|
|
|
if (c->trace) {
|
|
|
|
err("Multiple --trace options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (c->quiet) {
|
|
|
|
err("Either --trace or --quiet");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
c->trace = c->debug = c->foreground = 1;
|
|
|
|
break;
|
2022-05-18 19:10:45 +02:00
|
|
|
case 12:
|
|
|
|
if (c->uid || c->gid) {
|
|
|
|
err("Multiple --runas options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (conf_runas(optarg, &c->uid, &c->gid)) {
|
|
|
|
err("Invalid --runas option: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
case 'd':
|
|
|
|
if (c->debug) {
|
|
|
|
err("Multiple --debug options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (c->quiet) {
|
|
|
|
err("Either --debug or --quiet");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
c->debug = 1;
|
|
|
|
c->foreground = 1;
|
|
|
|
break;
|
2022-01-27 16:42:19 +01:00
|
|
|
case 'e':
|
|
|
|
if (c->stderr) {
|
|
|
|
err("Multiple --stderr options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
c->stderr = 1;
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
case 'q':
|
|
|
|
if (c->quiet) {
|
|
|
|
err("Multiple --quiet options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (c->debug) {
|
|
|
|
err("Either --debug or --quiet");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
c->quiet = 1;
|
|
|
|
break;
|
|
|
|
case 'f':
|
|
|
|
if (c->foreground && !c->debug) {
|
|
|
|
err("Multiple --foreground options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
c->foreground = 1;
|
|
|
|
break;
|
|
|
|
case 's':
|
|
|
|
if (*c->sock_path) {
|
|
|
|
err("Multiple --socket options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
2022-04-05 12:33:31 +02:00
|
|
|
ret = snprintf(c->sock_path, UNIX_SOCK_MAX - 1, "%s",
|
2021-08-12 15:42:43 +02:00
|
|
|
optarg);
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->pcap)) {
|
|
|
|
err("Invalid socket path: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'I':
|
|
|
|
if (*c->pasta_ifn) {
|
|
|
|
err("Multiple --ns-ifname options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
2022-04-05 12:33:31 +02:00
|
|
|
ret = snprintf(c->pasta_ifn, IFNAMSIZ - 1, "%s",
|
2021-08-12 15:42:43 +02:00
|
|
|
optarg);
|
2022-04-05 12:33:31 +02:00
|
|
|
if (ret <= 0 || ret >= IFNAMSIZ - 1) {
|
2021-08-12 15:42:43 +02:00
|
|
|
err("Invalid interface name: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'p':
|
|
|
|
if (*c->pcap) {
|
|
|
|
err("Multiple --pcap options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!optarg) {
|
|
|
|
*c->pcap = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = snprintf(c->pcap, sizeof(c->pcap), "%s", optarg);
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->pcap)) {
|
|
|
|
err("Invalid pcap path: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
2021-10-14 12:17:47 +02:00
|
|
|
case 'P':
|
|
|
|
if (*c->pid_file) {
|
|
|
|
err("Multiple --pid options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = snprintf(c->pid_file, sizeof(c->pid_file), "%s",
|
|
|
|
optarg);
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->pid_file)) {
|
|
|
|
err("Invalid PID file: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
case 'm':
|
|
|
|
if (c->mtu) {
|
|
|
|
err("Multiple --mtu options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
errno = 0;
|
|
|
|
c->mtu = strtol(optarg, NULL, 0);
|
2021-09-07 11:19:57 +02:00
|
|
|
|
|
|
|
if (!c->mtu) {
|
|
|
|
c->mtu = -1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
if (c->mtu < ETH_MIN_MTU || c->mtu > (int)ETH_MAX_MTU ||
|
|
|
|
errno) {
|
|
|
|
err("Invalid MTU: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'a':
|
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->addr6) &&
|
|
|
|
inet_pton(AF_INET6, optarg, &c->addr6) &&
|
|
|
|
!IN6_IS_ADDR_UNSPECIFIED(&c->addr6) &&
|
|
|
|
!IN6_IS_ADDR_LOOPBACK(&c->addr6) &&
|
|
|
|
!IN6_IS_ADDR_V4MAPPED(&c->addr6) &&
|
|
|
|
!IN6_IS_ADDR_V4COMPAT(&c->addr6) &&
|
|
|
|
!IN6_IS_ADDR_MULTICAST(&c->addr6))
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (c->addr4 == INADDR_ANY &&
|
|
|
|
inet_pton(AF_INET, optarg, &c->addr4) &&
|
|
|
|
c->addr4 != INADDR_ANY &&
|
|
|
|
c->addr4 != INADDR_BROADCAST &&
|
|
|
|
c->addr4 != INADDR_LOOPBACK &&
|
|
|
|
!IN_MULTICAST(c->addr4))
|
|
|
|
break;
|
|
|
|
|
|
|
|
err("Invalid address: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
|
|
|
case 'n':
|
|
|
|
if (inet_pton(AF_INET, optarg, &c->mask4))
|
|
|
|
break;
|
|
|
|
|
|
|
|
errno = 0;
|
|
|
|
mask = strtol(optarg, NULL, 0);
|
2021-10-21 09:41:13 +02:00
|
|
|
if (mask > 0 && mask <= 32 && !errno) {
|
2021-08-12 15:42:43 +02:00
|
|
|
c->mask4 = htonl(0xffffffff << (32 - mask));
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
err("Invalid netmask: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
|
|
|
case 'M':
|
|
|
|
for (i = 0; i < ETH_ALEN; i++) {
|
|
|
|
errno = 0;
|
2022-01-30 02:59:12 +01:00
|
|
|
b = strtol(optarg + (intptr_t)i * 3, NULL, 16);
|
2021-08-12 15:42:43 +02:00
|
|
|
if (b < 0 || b > UCHAR_MAX || errno) {
|
|
|
|
err("Invalid MAC address: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
c->mac[i] = b;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'g':
|
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->gw6) &&
|
|
|
|
inet_pton(AF_INET6, optarg, &c->gw6) &&
|
|
|
|
!IN6_IS_ADDR_UNSPECIFIED(&c->gw6) &&
|
|
|
|
!IN6_IS_ADDR_LOOPBACK(&c->gw6))
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (c->gw4 == INADDR_ANY &&
|
|
|
|
inet_pton(AF_INET, optarg, &c->gw4) &&
|
|
|
|
c->gw4 != INADDR_ANY &&
|
|
|
|
c->gw4 != INADDR_BROADCAST &&
|
|
|
|
c->gw4 != INADDR_LOOPBACK)
|
|
|
|
break;
|
|
|
|
|
|
|
|
err("Invalid gateway address: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
|
|
|
case 'i':
|
2022-07-22 07:31:17 +02:00
|
|
|
if (ifi) {
|
2021-08-12 15:42:43 +02:00
|
|
|
err("Redundant interface: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!(ifi = if_nametoindex(optarg))) {
|
2021-10-11 12:01:31 +02:00
|
|
|
err("Invalid interface name %s: %s", optarg,
|
|
|
|
strerror(errno));
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
case 'D':
|
|
|
|
if (c->no_dns ||
|
|
|
|
(!optarg && (dns4 - c->dns4 || dns6 - c->dns6))) {
|
|
|
|
err("Empty and non-empty DNS options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!optarg) {
|
|
|
|
c->no_dns = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (dns4 - &c->dns4[0] < ARRAY_SIZE(c->dns4) &&
|
|
|
|
inet_pton(AF_INET, optarg, dns4)) {
|
|
|
|
dns4++;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (dns6 - &c->dns6[0] < ARRAY_SIZE(c->dns6) &&
|
|
|
|
inet_pton(AF_INET6, optarg, dns6)) {
|
|
|
|
dns6++;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
err("Cannot use DNS address %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
|
|
|
case 'S':
|
|
|
|
if (c->no_dns_search ||
|
|
|
|
(!optarg && dnss != c->dns_search)) {
|
|
|
|
err("Empty and non-empty DNS search given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!optarg) {
|
|
|
|
c->no_dns_search = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (dnss - c->dns_search < ARRAY_SIZE(c->dns_search)) {
|
|
|
|
ret = snprintf(dnss->n, sizeof(*c->dns_search),
|
|
|
|
"%s", optarg);
|
|
|
|
dnss++;
|
|
|
|
|
|
|
|
if (ret > 0 &&
|
|
|
|
ret < (int)sizeof(*c->dns_search))
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
err("Cannot use DNS search domain %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
|
|
|
case '4':
|
2022-07-22 07:31:16 +02:00
|
|
|
v4_only = true;
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
case '6':
|
2022-07-22 07:31:16 +02:00
|
|
|
v6_only = true;
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
case 't':
|
|
|
|
case 'u':
|
|
|
|
case 'T':
|
|
|
|
case 'U':
|
2022-05-01 06:36:34 +02:00
|
|
|
/* Handle these later, once addresses are configured */
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
2021-10-20 00:05:11 +02:00
|
|
|
case '?':
|
|
|
|
case 'h':
|
|
|
|
default:
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
} while (name != -1);
|
|
|
|
|
2022-05-18 19:10:45 +02:00
|
|
|
check_root(c);
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
if (c->mode == MODE_PASTA && optind + 1 == argc) {
|
2021-09-29 16:11:06 +02:00
|
|
|
ret = conf_ns_opt(c, nsdir, userns, argv[optind]);
|
|
|
|
if (ret == -ENOENT)
|
|
|
|
err("Namespace %s not found", argv[optind]);
|
|
|
|
if (ret < 0)
|
2021-08-12 15:42:43 +02:00
|
|
|
usage(argv[0]);
|
2021-09-29 16:11:06 +02:00
|
|
|
} else if (c->mode == MODE_PASTA && *userns && optind == argc) {
|
|
|
|
err("--userns requires PID, PATH or NAME");
|
|
|
|
usage(argv[0]);
|
2021-08-12 15:42:43 +02:00
|
|
|
} else if (optind != argc) {
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
2022-02-23 10:51:46 +01:00
|
|
|
if (c->pasta_conf_ns)
|
|
|
|
c->no_ra = 1;
|
|
|
|
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
if (c->mode == MODE_PASTA && c->pasta_netns_fd == -1)
|
2021-10-11 12:01:31 +02:00
|
|
|
pasta_start_ns(c);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
if (nl_sock_init(c)) {
|
|
|
|
err("Failed to get netlink socket");
|
|
|
|
exit(EXIT_FAILURE);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
2022-07-22 07:31:16 +02:00
|
|
|
if (v4_only && v6_only) {
|
|
|
|
err("Options ipv4-only and ipv6-only are mutually exclusive");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!v6_only)
|
|
|
|
c->ifi4 = conf_ip4(c, ifi);
|
|
|
|
if (!v4_only)
|
|
|
|
c->ifi6 = conf_ip6(c, ifi);
|
|
|
|
if (!c->ifi4 && !c->ifi6) {
|
|
|
|
err("External interface not usable");
|
|
|
|
exit(EXIT_FAILURE);
|
|
|
|
}
|
2021-10-11 12:01:31 +02:00
|
|
|
|
2022-05-01 06:36:34 +02:00
|
|
|
/* Now we can process port configuration options */
|
|
|
|
optind = 1;
|
|
|
|
do {
|
|
|
|
enum conf_port_type *set = NULL;
|
|
|
|
const char *optstring;
|
|
|
|
|
|
|
|
if (c->mode == MODE_PASST)
|
|
|
|
optstring = "dqfehs:p::P:m:a:n:M:g:i:D::S::46t:u:";
|
|
|
|
else
|
|
|
|
optstring = "dqfehI:p::P:m:a:n:M:g:i:D::S::46t:u:T:U:";
|
|
|
|
|
|
|
|
name = getopt_long(argc, argv, optstring, options, NULL);
|
|
|
|
switch (name) {
|
|
|
|
case 't':
|
|
|
|
case 'u':
|
|
|
|
case 'T':
|
|
|
|
case 'U':
|
|
|
|
if (name == 't')
|
|
|
|
set = &tcp_tap;
|
|
|
|
else if (name == 'T')
|
|
|
|
set = &tcp_init;
|
|
|
|
else if (name == 'u')
|
|
|
|
set = &udp_tap;
|
|
|
|
else if (name == 'U')
|
|
|
|
set = &udp_init;
|
|
|
|
|
|
|
|
if (!optarg || conf_ports(c, name, optarg, set))
|
|
|
|
usage(argv[0]);
|
|
|
|
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
} while (name != -1);
|
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!c->ifi4)
|
2021-10-11 12:01:31 +02:00
|
|
|
c->no_dhcp = 1;
|
|
|
|
|
2022-07-22 07:31:17 +02:00
|
|
|
if (!c->ifi6) {
|
2021-10-11 12:01:31 +02:00
|
|
|
c->no_ndp = 1;
|
|
|
|
c->no_dhcpv6 = 1;
|
2021-09-07 11:19:57 +02:00
|
|
|
}
|
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
if (!c->mtu)
|
|
|
|
c->mtu = ROUND_DOWN(ETH_MAX_MTU - ETH_HLEN, sizeof(uint32_t));
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
get_dns(c);
|
|
|
|
|
2022-07-22 07:31:12 +02:00
|
|
|
if (!*c->pasta_ifn) {
|
|
|
|
if (c->ifi4)
|
|
|
|
if_indextoname(c->ifi4, c->pasta_ifn);
|
|
|
|
else
|
|
|
|
if_indextoname(c->ifi6, c->pasta_ifn);
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-09-27 05:24:30 +02:00
|
|
|
c->tcp.ns_detect_ports = c->udp.ns_detect_ports = 0;
|
|
|
|
c->tcp.init_detect_ports = c->udp.init_detect_ports = 0;
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
if (c->mode == MODE_PASTA) {
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 21:11:37 +01:00
|
|
|
c->proc_net_tcp[V4][0] = c->proc_net_tcp[V4][1] = -1;
|
|
|
|
c->proc_net_tcp[V6][0] = c->proc_net_tcp[V6][1] = -1;
|
|
|
|
c->proc_net_udp[V4][0] = c->proc_net_udp[V4][1] = -1;
|
|
|
|
c->proc_net_udp[V6][0] = c->proc_net_udp[V6][1] = -1;
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
if (!tcp_tap || tcp_tap == PORT_AUTO) {
|
2021-09-27 05:24:30 +02:00
|
|
|
c->tcp.ns_detect_ports = 1;
|
2021-08-12 15:42:43 +02:00
|
|
|
ns_ports_arg.proto = IPPROTO_TCP;
|
|
|
|
NS_CALL(get_bound_ports_ns, &ns_ports_arg);
|
|
|
|
}
|
|
|
|
if (!udp_tap || udp_tap == PORT_AUTO) {
|
2021-09-27 05:24:30 +02:00
|
|
|
c->udp.ns_detect_ports = 1;
|
2021-08-12 15:42:43 +02:00
|
|
|
ns_ports_arg.proto = IPPROTO_UDP;
|
|
|
|
NS_CALL(get_bound_ports_ns, &ns_ports_arg);
|
|
|
|
}
|
2021-09-27 05:24:30 +02:00
|
|
|
if (!tcp_init || tcp_init == PORT_AUTO) {
|
|
|
|
c->tcp.init_detect_ports = 1;
|
|
|
|
get_bound_ports(c, 0, IPPROTO_TCP);
|
|
|
|
}
|
|
|
|
if (!udp_init || udp_init == PORT_AUTO) {
|
|
|
|
c->udp.init_detect_ports = 1;
|
|
|
|
get_bound_ports(c, 0, IPPROTO_UDP);
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
2022-02-18 00:19:10 +01:00
|
|
|
if (!c->quiet)
|
|
|
|
conf_print(c);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|