net: move to C++

Makefile

@@ -35,8 +35,8 @@ LDFLAGS += -pie -Wl,-z,noexecstack -lpthread $(shell pkg-config --libs protobuf)
 
 BIN = nsjail
 LIBS = kafel/libkafel.a
-SRCS_C = caps.c log.c cgroup.c mount.c net.c pid.c user.c util.c uts.c cpu.c
-SRCS_CXX = cmdline.cc config.cc contain.cc nsjail.cc sandbox.cc subproc.cc
+SRCS_C = caps.c log.c cgroup.c mount.c pid.c user.c util.c uts.c cpu.c
+SRCS_CXX = cmdline.cc config.cc contain.cc net.cc nsjail.cc sandbox.cc subproc.cc
 SRCS_PROTO = config.proto
 SRCS_PB_CXX = $(SRCS_PROTO:.proto=.pb.cc)
 SRCS_PB_H = $(SRCS_PROTO:.proto=.pb.h)
@@ -101,7 +101,6 @@ caps.o: caps.h nsjail.h common.h log.h util.h
 log.o: log.h nsjail.h
 cgroup.o: cgroup.h nsjail.h log.h util.h
 mount.o: mount.h nsjail.h common.h log.h subproc.h util.h
-net.o: net.h nsjail.h log.h subproc.h
 pid.o: pid.h nsjail.h log.h subproc.h
 user.o: user.h nsjail.h common.h log.h subproc.h util.h
 util.o: util.h nsjail.h common.h log.h
@@ -111,9 +110,10 @@ cmdline.o: cmdline.h nsjail.h caps.h common.h log.h mount.h user.h util.h
 cmdline.o: config.h sandbox.h
 config.o: common.h caps.h nsjail.h config.h log.h mount.h user.h util.h
 config.o: cmdline.h
-contain.o: contain.h nsjail.h caps.h cgroup.h cpu.h log.h mount.h net.h pid.h
-contain.o: user.h uts.h
+contain.o: contain.h nsjail.h caps.h cgroup.h cpu.h log.h mount.h pid.h
+contain.o: user.h uts.h net.h
+net.o: net.h nsjail.h log.h subproc.h
 nsjail.o: nsjail.h cmdline.h common.h log.h net.h subproc.h util.h
 sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h log.h
-subproc.o: subproc.h nsjail.h contain.h sandbox.h cgroup.h common.h log.h
-subproc.o: net.h user.h util.h
+subproc.o: subproc.h nsjail.h contain.h net.h sandbox.h cgroup.h common.h
+subproc.o: log.h user.h util.h

contain.cc

@@ -43,19 +43,20 @@ extern "C" {
 #include "cpu.h"
 #include "log.h"
 #include "mount.h"
-#include "net.h"
 #include "pid.h"
 #include "user.h"
 #include "uts.h"
 }
 
+#include "net.h"
+
 namespace contain {
 
 static bool containUserNs(struct nsjconf_t* nsjconf) { return userInitNsFromChild(nsjconf); }
 
 static bool containInitPidNs(struct nsjconf_t* nsjconf) { return pidInitNs(nsjconf); }
 
-static bool containInitNetNs(struct nsjconf_t* nsjconf) { return netInitNsFromChild(nsjconf); }
+static bool containInitNetNs(struct nsjconf_t* nsjconf) { return net::initNsFromChild(nsjconf); }
 
 static bool containInitUtsNs(struct nsjconf_t* nsjconf) { return utsInitNs(nsjconf); }
 

net.cc

@@ -40,17 +40,22 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+extern "C" {
 #include "log.h"
+}
+
 #include "subproc.h"
 
-#define IFACE_NAME "vs"
-
 extern char** environ;
 
+namespace net {
+
+#define IFACE_NAME "vs"
+
 #if defined(NSJAIL_NL3_WITH_MACVLAN)
 #include <netlink/route/link.h>
 #include <netlink/route/link/macvlan.h>
-bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) {
+bool initNsFromParent(struct nsjconf_t* nsjconf, int pid) {
 	if (nsjconf->clone_newnet == false) {
 		return true;
 	}
@@ -117,7 +122,7 @@ bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) {
 }
 #else   // defined(NSJAIL_NL3_WITH_MACVLAN)
 
-bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) {
+bool initNsFromParent(struct nsjconf_t* nsjconf, int pid) {
 	if (nsjconf->clone_newnet == false) {
 		return true;
 	}
@@ -142,7 +147,7 @@ bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid) {
 }
 #endif  // defined(NSJAIL_NL3_WITH_MACVLAN)
 
-static bool netIsSocket(int fd) {
+static bool isSocket(int fd) {
 	int optval;
 	socklen_t optlen = sizeof(optval);
 	int ret = getsockopt(fd, SOL_SOCKET, SO_TYPE, &optval, &optlen);
@@ -152,7 +157,7 @@ static bool netIsSocket(int fd) {
 	return true;
 }
 
-bool netLimitConns(struct nsjconf_t* nsjconf, int connsock) {
+bool limitConns(struct nsjconf_t* nsjconf, int connsock) {
 	/* 0 means 'unlimited' */
 	if (nsjconf->max_conns_per_ip == 0) {
 		return true;
@@ -160,7 +165,7 @@ bool netLimitConns(struct nsjconf_t* nsjconf, int connsock) {
 
 	struct sockaddr_in6 addr;
 	char cs_addr[64];
-	netConnToText(connsock, true /* remote */, cs_addr, sizeof(cs_addr), &addr);
+	connToText(connsock, true /* remote */, cs_addr, sizeof(cs_addr), &addr);
 
 	unsigned int cnt = 0;
 	struct pids_t* p;
@@ -180,7 +185,7 @@ bool netLimitConns(struct nsjconf_t* nsjconf, int connsock) {
 	return true;
 }
 
-int netGetRecvSocket(const char* bindhost, int port) {
+int getRecvSocket(const char* bindhost, int port) {
 	if (port < 1 || port > 65535) {
 		LOG_F(
 		    "TCP port %d out of bounds (0 <= port <= 65535), specify one with --port "
@@ -232,13 +237,13 @@ int netGetRecvSocket(const char* bindhost, int port) {
 	}
 
 	char ss_addr[64];
-	netConnToText(sockfd, false /* remote */, ss_addr, sizeof(ss_addr), NULL);
+	connToText(sockfd, false /* remote */, ss_addr, sizeof(ss_addr), NULL);
 	LOG_I("Listening on %s", ss_addr);
 
 	return sockfd;
 }
 
-int netAcceptConn(int listenfd) {
+int acceptConn(int listenfd) {
 	struct sockaddr_in6 cli_addr;
 	socklen_t socklen = sizeof(cli_addr);
 	int connfd = accept(listenfd, (struct sockaddr*)&cli_addr, &socklen);
@@ -250,15 +255,15 @@ int netAcceptConn(int listenfd) {
 	}
 
 	char cs_addr[64], ss_addr[64];
-	netConnToText(connfd, true /* remote */, cs_addr, sizeof(cs_addr), NULL);
-	netConnToText(connfd, false /* remote */, ss_addr, sizeof(ss_addr), NULL);
+	connToText(connfd, true /* remote */, cs_addr, sizeof(cs_addr), NULL);
+	connToText(connfd, false /* remote */, ss_addr, sizeof(ss_addr), NULL);
 	LOG_I("New connection from: %s on: %s", cs_addr, ss_addr);
 
 	return connfd;
 }
 
-void netConnToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null) {
-	if (netIsSocket(fd) == false) {
+void connToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null) {
+	if (isSocket(fd) == false) {
 		snprintf(buf, s, "[STANDALONE_MODE]");
 		return;
 	}
@@ -293,7 +298,7 @@ void netConnToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6
 	return;
 }
 
-static bool netIfaceUp(const char* ifacename) {
+static bool ifaceUp(const char* ifacename) {
 	int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
 	if (sock == -1) {
 		PLOG_E("socket(AF_INET, SOCK_STREAM, IPPROTO_IP)");
@@ -367,7 +372,7 @@ static bool netConfigureVs(struct nsjconf_t* nsjconf) {
 		return false;
 	}
 
-	if (netIfaceUp(IFACE_NAME) == false) {
+	if (ifaceUp(IFACE_NAME) == false) {
 		close(sock);
 		return false;
 	}
@@ -397,7 +402,8 @@ static bool netConfigureVs(struct nsjconf_t* nsjconf) {
 	sgate->sin_addr = addr;
 
 	rt.rt_flags = RTF_UP | RTF_GATEWAY;
-	rt.rt_dev = IFACE_NAME;
+	char rt_dev[] = IFACE_NAME;
+	rt.rt_dev = rt_dev;
 
 	if (ioctl(sock, SIOCADDRT, &rt) == -1) {
 		PLOG_E("ioctl(SIOCADDRT, '%s')", nsjconf->iface_vs_gw);
@@ -409,12 +415,12 @@ static bool netConfigureVs(struct nsjconf_t* nsjconf) {
 	return true;
 }
 
-bool netInitNsFromChild(struct nsjconf_t* nsjconf) {
+bool initNsFromChild(struct nsjconf_t* nsjconf) {
 	if (nsjconf->clone_newnet == false) {
 		return true;
 	}
 	if (nsjconf->iface_no_lo == false) {
-		if (netIfaceUp("lo") == false) {
+		if (ifaceUp("lo") == false) {
 			return false;
 		}
 	}
@@ -425,3 +431,5 @@ bool netInitNsFromChild(struct nsjconf_t* nsjconf) {
 	}
 	return true;
 }
+
+}  // namespace net

net.h

@@ -27,19 +27,15 @@
 
 #include "nsjail.h"
 
-#ifdef __cplusplus
-extern "C" {
-#endif
+namespace net {
 
-bool netLimitConns(struct nsjconf_t* nsjconf, int connsock);
-int netGetRecvSocket(const char* bindhost, int port);
-int netAcceptConn(int listenfd);
-void netConnToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null);
-bool netInitNsFromParent(struct nsjconf_t* nsjconf, int pid);
-bool netInitNsFromChild(struct nsjconf_t* nsjconf);
+bool limitConns(struct nsjconf_t* nsjconf, int connsock);
+int getRecvSocket(const char* bindhost, int port);
+int acceptConn(int listenfd);
+void connToText(int fd, bool remote, char* buf, size_t s, struct sockaddr_in6* addr_or_null);
+bool initNsFromParent(struct nsjconf_t* nsjconf, int pid);
+bool initNsFromChild(struct nsjconf_t* nsjconf);
 
-#ifdef __cplusplus
-}  // extern "C"
-#endif
+}  // namespace net
 
 #endif /* _NET_H */

nsjail.cc

@@ -105,7 +105,7 @@ static bool nsjailSetTimer(struct nsjconf_t* nsjconf) {
 }
 
 static void nsjailListenMode(struct nsjconf_t* nsjconf) {
-	int listenfd = netGetRecvSocket(nsjconf->bindhost, nsjconf->port);
+	int listenfd = net::getRecvSocket(nsjconf->bindhost, nsjconf->port);
 	if (listenfd == -1) {
 		return;
 	}
@@ -120,7 +120,7 @@ static void nsjailListenMode(struct nsjconf_t* nsjconf) {
 			nsjailShowProc = false;
 			subproc::displayProc(nsjconf);
 		}
-		int connfd = netAcceptConn(listenfd);
+		int connfd = net::acceptConn(listenfd);
 		if (connfd >= 0) {
 			subproc::runChild(nsjconf, connfd, connfd, connfd);
 			close(connfd);

subproc.cc

@@ -43,13 +43,13 @@
 #include <unistd.h>
 
 #include "contain.h"
+#include "net.h"
 #include "sandbox.h"
 
 extern "C" {
 #include "cgroup.h"
 #include "common.h"
 #include "log.h"
-#include "net.h"
 #include "user.h"
 #include "util.h"
 
@@ -171,7 +171,7 @@ static int subprocNewProc(
 	TAILQ_FOREACH(p, &nsjconf->envs, pointers) { putenv((char*)p->val); }
 
 	char cs_addr[64];
-	netConnToText(fd_in, true /* remote */, cs_addr, sizeof(cs_addr), NULL);
+	net::connToText(fd_in, true /* remote */, cs_addr, sizeof(cs_addr), NULL);
 	LOG_I("Executing '%s' for '%s'", nsjconf->exec_file, cs_addr);
 
 	for (size_t i = 0; nsjconf->argv[i]; i++) {
@@ -203,7 +203,7 @@ static void addProc(struct nsjconf_t* nsjconf, pid_t pid, int sock) {
 	struct pids_t* p = reinterpret_cast<struct pids_t*>(utilMalloc(sizeof(struct pids_t)));
 	p->pid = pid;
 	p->start = time(NULL);
-	netConnToText(
+	net::connToText(
 	    sock, true /* remote */, p->remote_txt, sizeof(p->remote_txt), &p->remote_addr);
 
 	char fname[PATH_MAX];
@@ -376,7 +376,7 @@ void killAll(struct nsjconf_t* nsjconf) {
 }
 
 static bool initParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) {
-	if (netInitNsFromParent(nsjconf, pid) == false) {
+	if (net::initNsFromParent(nsjconf, pid) == false) {
 		LOG_E("Couldn't create and put MACVTAP interface into NS of PID '%d'", pid);
 		return false;
 	}
@@ -397,7 +397,7 @@ static bool initParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) {
 }
 
 void runChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
-	if (netLimitConns(nsjconf, fd_in) == false) {
+	if (net::limitConns(nsjconf, fd_in) == false) {
 		return;
 	}
 	unsigned long flags = 0UL;
@@ -459,7 +459,7 @@ void runChild(struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err) {
 
 	close(parent_fd);
 	char cs_addr[64];
-	netConnToText(fd_in, true /* remote */, cs_addr, sizeof(cs_addr), NULL);
+	net::connToText(fd_in, true /* remote */, cs_addr, sizeof(cs_addr), NULL);
 }
 
 }  // namespace subproc