commit 6c0863036842df03a681307d2da84d2b0f7f908f
author Elly Fong-Jones <ellyjones@chromium.org> Wed Mar 20 17:15:28 2013 -0400
committer ChromeBot <chrome-bot@google.com> Mon Apr 01 17:21:17 2013 -0700
tree 9f3654f723b426043c3a8d65c7ffcc59aff39a7c
parent 6d71785b5e0b690a84fe0ff1f084e2b415eaaea4

[minijail] support network namespacing

Add a -e argument to minijail0 to network-namespace the target program.

BUG=None
TEST=adhoc
$ minijail0 -e `which ping` 4.2.2.1
connect: Network is unreachable
$ minijail0 `which ping` 4.2.2.1
<ordinary output...>

Change-Id: Ie58ff1ec1e1ec21987734b86cbabb1118c7e0bf0
Signed-off-by: Elly Fong-Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/46035
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

libminijail.c

diff --git a/libminijail.c b/libminijail.c
index 9b8d465..103aa5d 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -72,6 +72,7 @@
 		int caps:1;
 		int vfs:1;
 		int pids:1;
+		int net:1;
 		int seccomp:1;
 		int readonly:1;
 		int usergroups:1;
@@ -216,6 +217,11 @@
 	j->flags.pids = 1;
 }
 
+void API minijail_namespace_net(struct minijail *j)
+{
+	j->flags.net = 1;
+}
+
 void API minijail_remount_readonly(struct minijail *j)
 {
 	j->flags.vfs = 1;
@@ -695,7 +701,10 @@
 	 * entire process.
 	 */
 	if (j->flags.vfs && unshare(CLONE_NEWNS))
-		pdie("unshare");
+		pdie("unshare(vfs)");
+
+	if (j->flags.net && unshare(CLONE_NEWNET))
+		pdie("unshare(net)");
 
 	if (j->flags.chroot && enter_chroot(j))
 		pdie("chroot");

libminijail.h

diff --git a/libminijail.h b/libminijail.h
index 05d2c15..0d5e15a 100644
--- a/libminijail.h
+++ b/libminijail.h
@@ -49,6 +49,7 @@
 void minijail_log_seccomp_filter_failures(struct minijail *j);
 void minijail_use_caps(struct minijail *j, uint64_t capmask);
 void minijail_namespace_vfs(struct minijail *j);
+void minijail_namespace_net(struct minijail *j);
 /* Implies namespace_vfs and remount_readonly.
  * WARNING: this is NOT THREAD SAFE. See the block comment in </libminijail.c>.
  */

minijail0.c

diff --git a/minijail0.c b/minijail0.c
index 6ee3c2f..a71811e 100644
--- a/minijail0.c
+++ b/minijail0.c
@@ -80,6 +80,7 @@
 	       "instances allowed\n"
 	       "  -c <caps>:  restrict caps to <caps>\n"
 	       "  -C <dir>:   chroot to <dir>\n"
+               "  -e          enter a network namespace\n"
 	       "  -G:         inherit secondary groups from uid\n"
 	       "  -g <group>: change gid to <group>\n"
 	       "  -h:         help (this message)\n"
@@ -116,7 +117,7 @@
 	int opt;
 	if (argc > 1 && argv[1][0] != '-')
 		return 1;
-	while ((opt = getopt(argc, argv, "u:g:sS:c:C:b:vrGhHnpL")) != -1) {
+	while ((opt = getopt(argc, argv, "u:g:sS:c:C:b:vrGhHnpLe")) != -1) {
 		switch (opt) {
 		case 'u':
 			set_user(j, optarg);
@@ -158,6 +159,9 @@
 		case 'p':
 			minijail_namespace_pids(j);
 			break;
+		case 'e':
+			minijail_namespace_net(j);
+			break;
 		case 'H':
 			seccomp_filter_usage(argv[0]);
 			exit(1);