cmdline: add iface_own to take ownership of one of the global interfaces
diff --git a/cmdline.cc b/cmdline.cc
index 7455e68..6a03185 100644
--- a/cmdline.cc
+++ b/cmdline.cc
@@ -145,6 +145,7 @@
{ { "cgroup_cpu_mount", required_argument, NULL, 0x0822 }, "Location of cpu cgroup FS (default: '/sys/fs/cgroup/net_cls')" },
{ { "cgroup_cpu_parent", required_argument, NULL, 0x0833 }, "Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')" },
{ { "iface_no_lo", no_argument, NULL, 0x700 }, "Don't bring the 'lo' interface up" },
+ { { "iface_own", required_argument, NULL, 0x704 }, "Move this existing network interface into the new NET namespace" },
{ { "macvlan_iface", required_argument, NULL, 'I' }, "Interface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'" },
{ { "macvlan_vs_ip", required_argument, NULL, 0x701 }, "IP of the 'vs' interface (e.g. \"192.168.0.1\")" },
{ { "macvlan_vs_nm", required_argument, NULL, 0x702 }, "Netmask of the 'vs' interface (e.g. \"255.255.255.0\")" },
@@ -780,6 +781,9 @@
case 0x703:
nsjconf->iface_vs_gw = optarg;
break;
+ case 0x704:
+ nsjconf->ifaces.push_back(optarg);
+ break;
case 0x801:
nsjconf->cgroup_mem_max = (size_t)strtoull(optarg, NULL, 0);
break;
diff --git a/net.cc b/net.cc
index 8d76c12..6a0c4b8 100644
--- a/net.cc
+++ b/net.cc
@@ -53,6 +53,7 @@
#if defined(NSJAIL_NL3_WITH_MACVLAN)
#include <netlink/route/link.h>
#include <netlink/route/link/macvlan.h>
+
bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
if (!nsjconf->clone_newnet) {
return true;
@@ -121,10 +122,26 @@
}
#else // defined(NSJAIL_NL3_WITH_MACVLAN)
+bool moveToNs(const std::string& iface, pid_t pid) {
+ const std::vector<std::string> argv{
+ "/sbin/ip", "link", "set", iface, "netns", std::to_string(pid)};
+ if (subproc::systemExe(argv, environ) != 0) {
+ LOG_E("Couldn't create put interface '%s' into NET ns of the PID=%d", iface.c_str(),
+ (int)pid);
+ return false;
+ }
+ return true;
+}
+
bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
if (!nsjconf->clone_newnet) {
return true;
}
+ for (const auto& iface : nsjconf->ifaces) {
+ if (!moveToNs(iface, pid)) {
+ return false;
+ }
+ }
if (nsjconf->iface_vs.empty()) {
return true;
}
@@ -132,11 +149,8 @@
LOG_D("Putting iface:'%s' into namespace of PID:%d (with /sbin/ip)",
nsjconf->iface_vs.c_str(), pid);
- char pid_str[256];
- snprintf(pid_str, sizeof(pid_str), "%d", pid);
-
const std::vector<std::string> argv{"/sbin/ip", "link", "add", "link", nsjconf->iface_vs,
- "name", IFACE_NAME, "netns", pid_str, "type", "macvlan", "mode", "bridge"};
+ "name", IFACE_NAME, "netns", std::to_string(pid), "type", "macvlan", "mode", "bridge"};
if (subproc::systemExe(argv, environ) != 0) {
LOG_E("Couldn't create MACVTAP interface for '%s'", nsjconf->iface_vs.c_str());
return false;
diff --git a/nsjail.h b/nsjail.h
index 99f904f..132d7e5 100644
--- a/nsjail.h
+++ b/nsjail.h
@@ -153,6 +153,7 @@
std::vector<std::string> envs;
std::vector<int> openfds;
std::vector<int> caps;
+ std::vector<std::string> ifaces;
};
#endif /* _NSJAIL_H */
