From eb03f03105a857a0b7310e4c93bff46aa29f3a40 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Wed, 13 Apr 2022 00:11:23 +0100
Subject: [PATCH] jail: include necessary files for per-netns netifd instance

Up to now only proto 'static' and 'none' have been supported for in-jail interfaces as Shell-based protocol handlers needed some more utilities, PATH set in the environment and /var/ubus/ubus.sock to be mounted on the per-netns-jail ubus socket. Include files needed by shell proto handler, set PATH in env and bend ubus socket path to get DHCP client to work for per-jail netns.

Signed-off-by: Daniel Golle
---
 jail/netifd.c | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/jail/netifd.c b/jail/netifd.c
index bb205d0..6f9cd72 100644
--- a/jail/netifd.c
+++ b/jail/netifd.c
@@ -46,6 +46,7 @@
 static const char ubusd_path[] = "/sbin/ubusd";
 static const char netifd_path[] = "/sbin/netifd";
 static const char uci_net[] = "network";
+static const char ubus_sock_name[] = "ubus.sock";
 static char *jail_name, *ubus_sock_path, *ubus_sock_dir, *uci_config_network = NULL;
@@ -193,8 +194,8 @@ static void run_ubusd(struct uloop_timeout *t)
 static void run_netifd(struct uloop_timeout *t)
 {
 static struct blob_buf req;
- void *ins, *in, *cmd, *jail, *setns, *setnso, *namespaces, *mount;
- char *resolvconf_dir, *resolvconf, *ucimount;
+ void *ins, *in, *cmd, *jail, *setns, *setnso, *namespaces, *mount, *pathenv;
+ char *resolvconf_dir, *resolvconf, *ucimount, *ubusmount;
 char uci_dir[] = "/var/containers/ujail-uci-XXXXXX";
 uint32_t id;
@@ -222,9 +223,12 @@ static void run_netifd(struct uloop_timeout *t)
 if (asprintf(&ucimount, "%s:/etc/config", uci_dir) == -1)
 goto netifd_out_ucinetconf;
- if (gen_jail_uci_network())
+ if (asprintf(&ubusmount, "%s:/var/run/ubus", ubus_sock_dir) == -1)
 goto netifd_out_ucimount;
+ if (gen_jail_uci_network())
+ goto netifd_out_ubusmount;
+
 blob_buf_init(&req, 0);
 blobmsg_add_string(&req, "name", jail_name);
 ins = blobmsg_open_table(&req, "instances");
@@ -234,10 +238,12 @@ static void run_netifd(struct uloop_timeout *t)
 blobmsg_add_string(&req, "", netifd_path);
 blobmsg_add_string(&req, "", "-r");
 blobmsg_add_string(&req, "", resolvconf);
- blobmsg_add_string(&req, "", "-s");
- blobmsg_add_string(&req, "", ubus_sock_path);
 blobmsg_close_array(&req, cmd);
+ pathenv = blobmsg_open_table(&req, "env");
+ blobmsg_add_string(&req, "PATH", "/usr/sbin:/usr/bin:/sbin:/bin");
+ blobmsg_close_table(&req, pathenv);
+
 jail = blobmsg_open_table(&req, "jail");
 setns = blobmsg_open_array(&req, "setns");
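Review bot: The bind target `/var/run/ubus` in the new asprintf of hunk @@ -222 and the dropped `-s` socket argument in hunk @@ -234 only work together because the jailed netifd presumably falls back to libubus's default socket location, and nothing in the code records that coupling. A comment next to the asprintf would keep the two in step, e.g. `/* bind the per-jail socket dir onto the libubus default location; netifd is started without -s and relies on this */`. The commit description names the path `/var/ubus/ubus.sock`, which does not match the `/var/run/ubus` target mounted here, so one of the two should be corrected. The fixed `PATH` value in the env table could also live in a named constant beside `ubusd_path`/`netifd_path` for consistency. run_netifd's body continues outside both hunks.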
@@ -252,13 +258,20 @@ static void run_netifd(struct uloop_timeout *t)
 blobmsg_close_array(&req, setns);
 mount = blobmsg_open_table(&req, "mount");
- blobmsg_add_string(&req, ubus_sock_dir, "1");
+ blobmsg_add_string(&req, ubusmount, "1");
 blobmsg_add_string(&req, resolvconf_dir, "1");
 blobmsg_add_string(&req, ucimount, "0");
+ blobmsg_add_string(&req, "/bin/cat", "0");
+ blobmsg_add_string(&req, "/bin/ipcalc.sh", "0");
+ blobmsg_add_string(&req, "/bin/kill", "0");
+ blobmsg_add_string(&req, "/bin/ubus", "0");
 blobmsg_add_string(&req, "/etc/hotplug.d", "0");
+ blobmsg_add_string(&req, "/lib/functions", "0");
 blobmsg_add_string(&req, "/lib/functions.sh", "0");
 blobmsg_add_string(&req, "/lib/netifd", "0");
 blobmsg_add_string(&req, "/lib/network", "0");
+ blobmsg_add_string(&req, "/usr/bin/awk", "0");
+ blobmsg_add_string(&req, "/usr/bin/killall", "0");
 blobmsg_add_string(&req, "/usr/bin/logger", "0");
 blobmsg_add_string(&req, "/usr/bin/jshn", "0");
 blobmsg_add_string(&req, "/usr/share/libubox/jshn.sh", "0");
@@ -285,6 +298,8 @@ static void run_netifd(struct uloop_timeout *t)
 if (!running)
 blob_buf_free(&req);
+netifd_out_ubusmount:
+ free(ubusmount);
 netifd_out_ucimount:
 free(ucimount);
 netifd_out_ucinetconf:
@@ -326,7 +341,7 @@ static void inotify_read_handler(struct uloop_fd *u, unsigned int events)
 if (in->len < 4)
 continue;
- if (!strncmp("ubus", in->name, in->len))
+ if (!strncmp(ubus_sock_name, in->name, in->len))
 uloop_timeout_add(&netifd_start_timeout);
 }
 }
@@ -431,7 +446,7 @@ int jail_network_start(struct ubus_context *new_ctx, char *new_jail_name, pid_t
 goto errout_dir;
 }
- if (asprintf(&ubus_sock_path, "%s/ubus", ubus_sock_dir) == -1) {
+ if (asprintf(&ubus_sock_path, "%s/%s", ubus_sock_dir, ubus_sock_name) == -1) {
 ret = ENOMEM;
 goto errout_path;
 }
-- 
2.30.2
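Review bot: The new bind mounts in hunk @@ -252 widen what a process inside the netns jail can run — `/bin/kill`, `/usr/bin/killall`, `/bin/ubus`, `/usr/bin/awk` and the rest — yet the hunk gives no hint which proto handler needs which entry, nor that the `"0"`/`"1"` values appear to select read-only versus writable (inferred from the `ubusmount` entry being the only new `"1"`; confirm against procd's jail mount handling). A short comment above the mount table, e.g. `/* "0" = read-only bind; entries below are what the shell proto handlers (ipcalc.sh, hotplug, jshn) need inside the netns jail */`, would let a later reviewer prune the list rather than grow it. On busybox-based systems several of these paths are symlinks, so whether ujail resolves them before binding is worth confirming. run_netifd's body continues outside the hunk.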
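Review bot: The `if (in->len < 4) continue;` guard two lines above the changed strncmp in hunk @@ -326 still encodes the length of the old literal `"ubus"`; now that the name comes from `ubus_sock_name` it no longer bounds anything meaningful and will silently drift if the constant changes again. Tie it to the constant, `if (in->len < sizeof(ubus_sock_name)) continue;`, which is safe because inotify's `len` counts the name's terminating NUL bytes, so a matching event always has `len >= sizeof(ubus_sock_name)`. inotify_read_handler's loop starts outside the hunk.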