
List:       busybox
Subject:    Two little features
From:       Taral <taralx () gmail ! com>
Date:       2008-08-26 22:57:37
Message-ID: fa0147d90808261557o1b47bb50sa547535a00578809 () mail ! gmail ! com

I've been carrying these locally, figured it might be useful to push
them upstream. The first implements an ns_exec for namespaces (very
useful for security). The second adds "change" and "replace" to "ip
address". I use "ip address replace" in my udhcpc.script to make sure
that old addresses are removed on a renew or bound event.

Comments? Commits?

-- 
Taral <taralx@gmail.com>
"Please let me know if there's any further trouble I can give you."
 -- Unknown

-- 
commit 36706c36b0b5ac0076a07d0ef42c1bfba0c2e6fe
Author: Taral <taral@taral.net>
Date:   Sat Jul 12 11:29:34 2008 -0700

   Add ns_exec applet

diff --git a/include/applets.h b/include/applets.h
index 46135dc..c83be9d 100644
--- a/include/applets.h
+++ b/include/applets.h
@@ -265,6 +265,7 @@ USE_NETSTAT(APPLET(netstat, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_NICE(APPLET(nice, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_NMETER(APPLET(nmeter, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_NOHUP(APPLET(nohup, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
+USE_NS_EXEC(APPLET(ns_exec, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_NSLOOKUP(APPLET(nslookup, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_OD(APPLET(od, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_OPENVT(APPLET(openvt, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
diff --git a/include/usage.h b/include/usage.h
index 41012af..f6c6a5f 100644
--- a/include/usage.h
+++ b/include/usage.h
@@ -2889,6 +2889,20 @@
       "Name:       debian\n" \
       "Address:    127.0.0.1\n"

+#define ns_exec_trivial_usage \
+       "[-muiUpn | -a] [-c] COMMAND..."
+#define ns_exec_full_usage "\n\n" \
+       "Start COMMAND in a new container with specified parts isolated\n" \
+     "\nOptions:" \
+     "\n       -m      filesystem (mount)" \
+     "\n       -u      utsname" \
+     "\n       -i      ipc" \
+     "\n       -U      user" \
+     "\n       -p      pid" \
+     "\n       -n      network"
+#define ns_exec_example_usage \
+       "ns_exec -ac /bin/sh"
+
 #define od_trivial_usage \
       "[-aBbcDdeFfHhIiLlOovXx] " USE_DESKTOP("[-t TYPE] ") "[FILE]"
 #define od_full_usage "\n\n" \
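Review bot: The `-c` option is advertised in ns_exec_trivial_usage (`[-c]`) but has no line in the Options list of ns_exec_full_usage, and `-a` is likewise undescribed. In miscutils/ns_exec.c from the same series, `-a` selects every namespace and `-c` makes COMMAND run in a cloned child (the parent waits and returns its exit status) instead of unsharing in the current process. Two lines after the `-n` entry would close the gap: `"\n       -a      all of the above"` and `"\n       -c      run COMMAND in a child process (clone) and wait for it"`.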
diff --git a/miscutils/Config.in b/miscutils/Config.in
index 0c80ae6..2c46acb 100644
--- a/miscutils/Config.in
+++ b/miscutils/Config.in
@@ -424,6 +424,12 @@ config MT
         to advance or rewind a tape past a specified number of archive
         files on the tape.

+config NS_EXEC
+       bool "ns_exec"
+       default n
+       help
+         Run a program inside a separate namespace. Used for containers.
+
 config RAIDAUTORUN
       bool "raidautorun"
       default n
diff --git a/miscutils/Kbuild b/miscutils/Kbuild
index c12b12d..6aec748 100644
--- a/miscutils/Kbuild
+++ b/miscutils/Kbuild
@@ -25,6 +25,7 @@ lib-$(CONFIG_MAN)         += man.o
 lib-$(CONFIG_MICROCOM)    += microcom.o
 lib-$(CONFIG_MOUNTPOINT)  += mountpoint.o
 lib-$(CONFIG_MT)          += mt.o
+lib-$(CONFIG_NS_EXEC)     += ns_exec.o
 lib-$(CONFIG_RAIDAUTORUN) += raidautorun.o
 lib-$(CONFIG_READAHEAD)   += readahead.o
 lib-$(CONFIG_RUNLEVEL)    += runlevel.o
diff --git a/miscutils/ns_exec.c b/miscutils/ns_exec.c
new file mode 100644
index 0000000..86a70b5
--- /dev/null
+++ b/miscutils/ns_exec.c
@@ -0,0 +1,50 @@
+/*
+ * ns_exec implementation for busybox
+ *
+ * Copyright (C) 2008 JP Sugarbroad
+ *
+ * Licensed under the GPL v2 or later, see the file LICENSE in this tarball.
+ *
+ */
+
+#include "libbb.h"
+
+#include <linux/sched.h>
+#include <sys/syscall.h>
+
+int ns_exec_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+int ns_exec_main(int argc UNUSED_PARAM, char **argv)
+{
+       int flags = 0;
+       int use_clone = 0;
+       unsigned opt = getopt32(argv, "amuiUpnc");
+       argv += optind;
+
+       if (!*argv)
+               bb_show_usage();
+
+       if (opt & 1) opt = (unsigned) -1;
+       if (opt & 2) flags = CLONE_NEWNS;
+       if (opt & 4) flags = CLONE_NEWUTS;
+       if (opt & 8) flags = CLONE_NEWIPC;
+       if (opt & 16) flags = CLONE_NEWUSER;
+       if (opt & 32) flags = CLONE_NEWPID;
+       if (opt & 64) flags = CLONE_NEWNET;
+       if (opt & 128) use_clone = 1;
+
+       if (use_clone) {
+               int ret = syscall(__NR_clone, flags, NULL);
+               if (ret == -1) bb_simple_perror_msg_and_die("clone");
+               if (ret) {
+                       int status;
+                       wait(&status);
+                       return WIFEXITED(status) ? WEXITSTATUS(status)
: EXIT_FAILURE;
+               }
+       } else {
+               int ret = syscall(__NR_unshare, flags);
+               if (ret == -1) bb_simple_perror_msg_and_die("unshare");
+       }
+
+       BB_EXECVP(*argv, argv);
+       exit(127);
+}

commit ae25ab8a09e10d79aae677ae83d8fa3a9e663264
Author: Taral <taral@taral.net>
Date:   Sat Jul 12 12:18:56 2008 -0700

   Add change/replace to ip address

diff --git a/networking/libiproute/ipaddress.c
b/networking/libiproute/ipaddress.c
index 288dcca..be67a34 100644
--- a/networking/libiproute/ipaddress.c
+++ b/networking/libiproute/ipaddress.c
@@ -593,7 +593,7 @@ static int default_scope(inet_prefix *lcl)
 }

 /* Return value becomes exitcode. It's okay to not return at all */
-static int ipaddr_modify(int cmd, char **argv)
+static int ipaddr_modify(int cmd, int flags, char **argv)
 {
       static const char option[] ALIGN1 =
               "peer\0""remote\0""broadcast\0""brd\0"
@@ -617,7 +617,7 @@ static int ipaddr_modify(int cmd, char **argv)
       memset(&req, 0, sizeof(req));

       req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
-       req.n.nlmsg_flags = NLM_F_REQUEST;
+       req.n.nlmsg_flags = NLM_F_REQUEST | flags;
       req.n.nlmsg_type = cmd;
       req.ifa.ifa_family = preferred_family;

@@ -763,22 +763,23 @@ static int ipaddr_modify(int cmd, char **argv)
 int do_ipaddr(char **argv)
 {
       static const char commands[] ALIGN1 =
-               "add\0""delete\0""list\0""show\0""lst\0""flush\0";
+
"add\0""change\0""replace\0""delete\0""list\0""show\0""lst\0""flush\0";
+       static ushort flags[] ALIGN1 = { NLM_F_CREATE|NLM_F_EXCL,
NLM_F_REPLACE, NLM_F_CREATE|NLM_F_REPLACE };

-       int command_num = 2; /* default command is list */
+       int command_num = 4; /* default command is list */

       if (*argv) {
               command_num = index_in_substrings(commands, *argv);
-               if (command_num < 0 || command_num > 5)
+               if (command_num < 0 || command_num > 7)
                       bb_error_msg_and_die("unknown command %s", *argv);
               argv++;
       }
-       if (command_num == 0) /* add */
-               return ipaddr_modify(RTM_NEWADDR, argv);
-       if (command_num == 1) /* delete */
-               return ipaddr_modify(RTM_DELADDR, argv);
-       if (command_num == 5) /* flush */
+       if (command_num < 3) /* add */
+               return ipaddr_modify(RTM_NEWADDR, flags[command_num], argv);
+       if (command_num == 3) /* delete */
+               return ipaddr_modify(RTM_DELADDR, 0, argv);
+       if (command_num == 7) /* flush */
               return ipaddr_list_or_flush(argv, 1);
-       /* 2 == list, 3 == show, 4 == lst */
+       /* 4 == list, 5 == show, 6 == lst */
       return ipaddr_list_or_flush(argv, 0);
 }
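Review bot: The `/* add */` comment on the new `if (command_num < 3)` branch is stale now that indices 0–2 are add, change and replace, and the `flags[]` table it indexes carries no hint of that ordering; `/* 0 == add, 1 == change, 2 == replace */` on the branch and the same mapping next to the table would keep the two in step with the `commands` string. The table is also a mutable `static ushort flags[] ALIGN1` although nothing writes it — `static const ushort flags[] ALIGN1 = { ... }` keeps it out of writable data. Note that this hunk gives `add` NLM_F_CREATE|NLM_F_EXCL where the old call passed no flags beyond NLM_F_REQUEST; if that is a deliberate alignment with iproute2 it is worth a line in the commit message, since adding an address that already exists may now be reported as an error.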
