cmdline: add iface_own to take ownership of one of the global interfaces

cmdline.cc

@@ -145,6 +145,7 @@ struct custom_option custom_opts[] = {
     { { "cgroup_cpu_mount", required_argument, NULL, 0x0822 }, "Location of cpu cgroup FS (default: '/sys/fs/cgroup/net_cls')" },
     { { "cgroup_cpu_parent", required_argument, NULL, 0x0833 }, "Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')" },
     { { "iface_no_lo", no_argument, NULL, 0x700 }, "Don't bring the 'lo' interface up" },
+    { { "iface_own", required_argument, NULL, 0x704 }, "Move this existing network interface into the new NET namespace" },
     { { "macvlan_iface", required_argument, NULL, 'I' }, "Interface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'" },
     { { "macvlan_vs_ip", required_argument, NULL, 0x701 }, "IP of the 'vs' interface (e.g. \"192.168.0.1\")" },
     { { "macvlan_vs_nm", required_argument, NULL, 0x702 }, "Netmask of the 'vs' interface (e.g. \"255.255.255.0\")" },
@@ -780,6 +781,9 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 		case 0x703:
 			nsjconf->iface_vs_gw = optarg;
 			break;
+		case 0x704:
+			nsjconf->ifaces.push_back(optarg);
+			break;
 		case 0x801:
 			nsjconf->cgroup_mem_max = (size_t)strtoull(optarg, NULL, 0);
 			break;

net.cc

@@ -53,6 +53,7 @@ namespace net {
 #if defined(NSJAIL_NL3_WITH_MACVLAN)
 #include <netlink/route/link.h>
 #include <netlink/route/link/macvlan.h>
+
 bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
 	if (!nsjconf->clone_newnet) {
 		return true;
@@ -121,10 +122,26 @@ bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
 }
 #else   // defined(NSJAIL_NL3_WITH_MACVLAN)
 
+bool moveToNs(const std::string& iface, pid_t pid) {
+	const std::vector<std::string> argv{
+	    "/sbin/ip", "link", "set", iface, "netns", std::to_string(pid)};
+	if (subproc::systemExe(argv, environ) != 0) {
+		LOG_E("Couldn't create put interface '%s' into NET ns of the PID=%d", iface.c_str(),
+		    (int)pid);
+		return false;
+	}
+	return true;
+}
+
 bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
 	if (!nsjconf->clone_newnet) {
 		return true;
 	}
+	for (const auto& iface : nsjconf->ifaces) {
+		if (!moveToNs(iface, pid)) {
+			return false;
+		}
+	}
 	if (nsjconf->iface_vs.empty()) {
 		return true;
 	}
@@ -132,11 +149,8 @@ bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
 	LOG_D("Putting iface:'%s' into namespace of PID:%d (with /sbin/ip)",
 	    nsjconf->iface_vs.c_str(), pid);
 
-	char pid_str[256];
-	snprintf(pid_str, sizeof(pid_str), "%d", pid);
-
 	const std::vector<std::string> argv{"/sbin/ip", "link", "add", "link", nsjconf->iface_vs,
-	    "name", IFACE_NAME, "netns", pid_str, "type", "macvlan", "mode", "bridge"};
+	    "name", IFACE_NAME, "netns", std::to_string(pid), "type", "macvlan", "mode", "bridge"};
 	if (subproc::systemExe(argv, environ) != 0) {
 		LOG_E("Couldn't create MACVTAP interface for '%s'", nsjconf->iface_vs.c_str());
 		return false;

nsjail.h

@@ -153,6 +153,7 @@ struct nsjconf_t {
 	std::vector<std::string> envs;
 	std::vector<int> openfds;
 	std::vector<int> caps;
+	std::vector<std::string> ifaces;
 };
 
 #endif /* _NSJAIL_H */