net/pasta - more config options in config.proto

robertswiecki · robertswiecki · commit e65aeff3585b · 2025-11-23T21:27:45.000+01:00
diff --git a/cmdline.cc b/cmdline.cc
@@ -536,14 +536,25 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 	nsjconf->disable_tsc = false;
 	nsjconf->forward_signals = false;
 	nsjconf->user_net.use_pasta = false;
-	nsjconf->user_net.inbound = false;
-	nsjconf->user_net.ip = "10.0.0.2";
+	nsjconf->user_net.ip = "10.255.255.2";
 	nsjconf->user_net.mask = "255.255.255.0";
-	nsjconf->user_net.gw = "10.0.0.1";
+	nsjconf->user_net.gw = "10.255.255.1";
 	nsjconf->user_net.ip6 = "fc00::2";
 	nsjconf->user_net.mask6 = "64";
 	nsjconf->user_net.gw6 = "fc00::1";
 	nsjconf->user_net.nsiface = "eth0";
+	nsjconf->user_net.tcp_ports = "none";
+	nsjconf->user_net.udp_ports = "none";
+	nsjconf->user_net.enable_ipv4_dhcp = false;
+	nsjconf->user_net.enable_dns = false;
+	nsjconf->user_net.dns_forward = "";
+	nsjconf->user_net.enable_tcp = true;
+	nsjconf->user_net.enable_udp = true;
+	nsjconf->user_net.enable_icmp = true;
+	nsjconf->user_net.enable_icmp = true;
+	nsjconf->user_net.no_map_gw = false;
+	nsjconf->user_net.enable_ipv6_dhcp = false;
+	nsjconf->user_net.enable_ipv6_ra = false;
 	nsjconf->orig_uid = getuid();
 	nsjconf->orig_euid = geteuid();
 	nsjconf->seccomp_fprog.filter = NULL;
diff --git a/config.cc b/config.cc
@@ -286,14 +286,24 @@ static bool parseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig& njc) {
 
 	if (njc.has_user_net()) {
 		nsjconf->user_net.use_pasta = njc.user_net().enable();
-		nsjconf->user_net.inbound = njc.user_net().inbound();
 		nsjconf->user_net.ip = njc.user_net().ip();
 		nsjconf->user_net.mask = njc.user_net().mask();
 		nsjconf->user_net.gw = njc.user_net().gw();
 		nsjconf->user_net.ip6 = njc.user_net().ip6();
 		nsjconf->user_net.mask6 = njc.user_net().mask6();
 		nsjconf->user_net.gw6 = njc.user_net().gw6();
 		nsjconf->user_net.nsiface = njc.user_net().ns_iface();
+		nsjconf->user_net.tcp_ports = njc.user_net().tcp_ports();
+		nsjconf->user_net.udp_ports = njc.user_net().udp_ports();
+		nsjconf->user_net.enable_ipv4_dhcp = njc.user_net().enable_ipv4_dhcp();
+		nsjconf->user_net.enable_dns = njc.user_net().enable_dns();
+		nsjconf->user_net.dns_forward = njc.user_net().dns_forward();
+		nsjconf->user_net.enable_tcp = njc.user_net().enable_tcp();
+		nsjconf->user_net.enable_udp = njc.user_net().enable_udp();
+		nsjconf->user_net.enable_icmp = njc.user_net().enable_icmp();
+		nsjconf->user_net.no_map_gw = njc.user_net().no_map_gw();
+		nsjconf->user_net.enable_ipv6_dhcp = njc.user_net().enable_ipv6_dhcp();
+		nsjconf->user_net.enable_ipv6_ra = njc.user_net().enable_ipv6_ra();
 	}
 
 	if (njc.has_exec_bin()) {
diff --git a/config.proto b/config.proto
@@ -277,14 +277,24 @@ message NsJailConfig {
 
 	message UserNet {
 		optional bool enable = 1 [default = false];
-		optional bool inbound = 2 [default = false];
-		optional string ip = 3 [default = "10.0.0.2"];
-		optional string mask = 4 [default = "255.255.255.0"];
-		optional string gw = 5 [default = "10.0.0.1"];
-		optional string ip6 = 6 [default = "fc00::2"];
-		optional string mask6 = 7 [default = "64"];
-		optional string gw6 = 8 [default = "fc00::1"];
-		optional string ns_iface = 9 [default = "eth0"];
+		optional string ip = 2 [default = "10.255.255.2"];
+		optional string mask = 3 [default = "255.255.255.0"];
+		optional string gw = 4 [default = "10.255.255.1"];
+		optional string ip6 = 5 [default = "fc00::2"];
+		optional string mask6 = 6 [default = "64"];
+		optional string gw6 = 7 [default = "fc00::1"];
+		optional string ns_iface = 8 [default = "eth0"];
+		optional string tcp_ports = 9 [default = "none"];
+		optional string udp_ports = 10 [default = "none"];
+		optional bool enable_ipv4_dhcp = 11 [default = false];
+		optional bool enable_dns = 12 [default = false];
+		optional string dns_forward = 13 [default = ""];
+		optional bool enable_tcp = 14 [default = true];
+		optional bool enable_udp = 15 [default = true];
+		optional bool enable_icmp = 16 [default = true];
+		optional bool no_map_gw = 17 [default = false];
+		optional bool enable_ipv6_dhcp = 18 [default = false];
+		optional bool enable_ipv6_ra = 19 [default = false];
 	}
 	optional UserNet user_net = 96;
 }
diff --git a/configs/bash-with-fake-geteuid.cfg b/configs/bash-with-fake-geteuid.cfg
@@ -63,7 +63,8 @@ clone_newcgroup: true
 
 user_net {
         enable: true
-	inbound: true
+	tcp_ports: "auto"
+	udp_ports: "auto"
 }
 
 uidmap {
diff --git a/configs/bash-with-fake-geteuid.json b/configs/bash-with-fake-geteuid.json
@@ -59,7 +59,9 @@
 	"cloneNewuts": true,
 	"cloneNewcgroup": true,
 	"userNet": {
-		"enable": true
+		"enable": true,
+		"tcpPorts": "auto",
+		"udpPorts": "auto"
 	},
 	"uidmap": [
 		{
diff --git a/configs/chromium-with-net-wayland.cfg b/configs/chromium-with-net-wayland.cfg
@@ -178,6 +178,11 @@ seccomp_string: "	ptrace,"
 seccomp_string: "	process_vm_readv,"
 seccomp_string: "	process_vm_writev"
 seccomp_string: "}"
+seccomp_string: "ERRNO(38) {"
+seccomp_string: "	io_uring_setup,"
+seccomp_string: "	io_uring_enter,"
+seccomp_string: "	io_uring_register"
+seccomp_string: "}"
 seccomp_string: "DEFAULT ALLOW"
 
 exec_bin {
diff --git a/configs/firefox-with-net-X11.cfg b/configs/firefox-with-net-X11.cfg
@@ -177,6 +177,18 @@ mount {
 	mandatory: false
 }
 
+seccomp_string: "KILL_PROCESS {"
+seccomp_string: "	ptrace,"
+seccomp_string: "	process_vm_readv,"
+seccomp_string: "	process_vm_writev"
+seccomp_string: "}"
+seccomp_string: "ERRNO(38) {"
+seccomp_string: "	io_uring_setup,"
+seccomp_string: "	io_uring_enter,"
+seccomp_string: "	io_uring_register"
+seccomp_string: "}"
+seccomp_string: "DEFAULT ALLOW"
+
 exec_bin {
 	path: "/usr/lib/firefox/firefox"
 	arg: "-private"
diff --git a/configs/firefox-with-net-wayland.cfg b/configs/firefox-with-net-wayland.cfg
@@ -172,6 +172,18 @@ mount {
         mandatory: false
 }
 
+seccomp_string: "KILL_PROCESS {"
+seccomp_string: "	ptrace,"
+seccomp_string: "	process_vm_readv,"
+seccomp_string: "	process_vm_writev"
+seccomp_string: "}"
+seccomp_string: "ERRNO(38) {"
+seccomp_string: "	io_uring_setup,"
+seccomp_string: "	io_uring_enter,"
+seccomp_string: "	io_uring_register"
+seccomp_string: "}"
+seccomp_string: "DEFAULT ALLOW"
+
 exec_bin {
 	path: "/usr/lib/firefox/firefox"
 	arg: "-private"
diff --git a/configs/weechat-with-net.cfg b/configs/weechat-with-net.cfg
@@ -129,15 +129,17 @@ mount {
 	mandatory: true
 }
 
-seccomp_string: "KILL_PROCESS {			"
-seccomp_string: "	ptrace,				"
-seccomp_string: "	process_vm_readv,	"
-seccomp_string: "	process_vm_writev	"
-seccomp_string: "},						"
-seccomp_string: "ERRNO(1) {				"
-seccomp_string: "	sched_setaffinity	"
-seccomp_string: "}						"
-seccomp_string: "DEFAULT ALLOW			"
+seccomp_string: "KILL_PROCESS {"
+seccomp_string: "	ptrace,"
+seccomp_string: "	process_vm_readv,"
+seccomp_string: "	process_vm_writev"
+seccomp_string: "}"
+seccomp_string: "ERRNO(38) {"
+seccomp_string: "	io_uring_setup,"
+seccomp_string: "	io_uring_enter,"
+seccomp_string: "	io_uring_register"
+seccomp_string: "}"
+seccomp_string: "DEFAULT ALLOW"
 
 exec_bin {
 	path: "/usr/bin/weechat"
diff --git a/configs/znc-with-net.cfg b/configs/znc-with-net.cfg
@@ -30,7 +30,7 @@ rlimit_nofile: 128
 clone_newnet: true
 user_net {
 	enable: true
-	inbound: true
+	tcp_ports: "auto"
 }
 
 mount {
@@ -125,15 +125,17 @@ mount {
 	mandatory: true
 }
 
-seccomp_string: "KILL_PROCESS {			"
-seccomp_string: "	ptrace,				"
-seccomp_string: "	process_vm_readv,	"
-seccomp_string: "	process_vm_writev	"
-seccomp_string: "},						"
-seccomp_string: "ERRNO(1) {				"
-seccomp_string: "	sched_setaffinity	"
-seccomp_string: "}						"
-seccomp_string: "DEFAULT ALLOW			"
+seccomp_string: "KILL_PROCESS {"
+seccomp_string: "	ptrace,"
+seccomp_string: "	process_vm_readv,"
+seccomp_string: "	process_vm_writev"
+seccomp_string: "}"
+seccomp_string: "ERRNO(38) {"
+seccomp_string: "	io_uring_setup,"
+seccomp_string: "	io_uring_enter,"
+seccomp_string: "	io_uring_register"
+seccomp_string: "}"
+seccomp_string: "DEFAULT ALLOW"
 
 exec_bin {
 	path: "/usr/bin/znc"
diff --git a/net.cc b/net.cc
@@ -187,20 +187,55 @@ static bool spawnPasta(nsjconf_t* nsjconf, int pid) {
 		std::string pid_str = std::to_string(pid);
 		std::vector<const char*> argv;
 		argv.push_back("pasta");
-		argv.push_back("--config-net");
+
+		if (!nsjconf->user_net.enable_ipv4_dhcp) {
+			argv.push_back("--no-dhcp");
+		}
+		if (!nsjconf->user_net.enable_ipv6_dhcp) {
+			argv.push_back("--no-dhcpv6");
+		}
+		if (!nsjconf->user_net.enable_ipv6_ra) {
+			argv.push_back("--no-ra");
+		}
+
+		if (!nsjconf->user_net.enable_ipv4_dhcp && !nsjconf->user_net.enable_ipv6_dhcp) {
+			argv.push_back("--config-net");
+		}
+
 		argv.push_back("-f");
 		argv.push_back("-q");
 
-		argv.push_back("-t");
-		if (nsjconf->user_net.inbound) {
-			argv.push_back("auto");
-		} else {
-			argv.push_back("none");
+		if (!nsjconf->user_net.tcp_ports.empty()) {
+			argv.push_back("-t");
+			argv.push_back(nsjconf->user_net.tcp_ports.c_str());
+		}
+		if (!nsjconf->user_net.udp_ports.empty()) {
+			argv.push_back("-u");
+			argv.push_back(nsjconf->user_net.udp_ports.c_str());
+		}
+
+		if (nsjconf->user_net.enable_dns) {
+			argv.push_back("--dhcp-dns");
+		}
+		if (!nsjconf->user_net.dns_forward.empty()) {
+			argv.push_back("--dns-forward");
+			argv.push_back(nsjconf->user_net.dns_forward.c_str());
+		}
+
+		if (!nsjconf->user_net.enable_tcp) {
+			argv.push_back("--no-tcp");
+		}
+		if (!nsjconf->user_net.enable_udp) {
+			argv.push_back("--no-udp");
+		}
+		if (!nsjconf->user_net.enable_icmp) {
+			argv.push_back("--no-icmp");
+		}
+		if (nsjconf->user_net.no_map_gw) {
+			argv.push_back("--no-map-gw");
 		}
 
-		if (nsjconf->user_net.ip.empty()) {
-			argv.push_back("-6");
-		} else {
+		if (!nsjconf->user_net.ip.empty()) {
 			argv.push_back("-a");
 			argv.push_back(nsjconf->user_net.ip.c_str());
 			if (!nsjconf->user_net.mask.empty()) {
@@ -213,9 +248,7 @@ static bool spawnPasta(nsjconf_t* nsjconf, int pid) {
 			}
 		}
 
-		if (nsjconf->user_net.ip6.empty()) {
-			argv.push_back("-4");
-		} else {
+		if (!nsjconf->user_net.ip6.empty()) {
 			argv.push_back("-a");
 			argv.push_back(nsjconf->user_net.ip6.c_str());
 
@@ -225,6 +258,10 @@ static bool spawnPasta(nsjconf_t* nsjconf, int pid) {
 			}
 		}
 
+		if (nsjconf->user_net.ip6.empty()) {
+			argv.push_back("-4");
+		}
+
 		if (!nsjconf->user_net.nsiface.empty()) {
 			argv.push_back("-I");
 			argv.push_back(nsjconf->user_net.nsiface.c_str());
diff --git a/nsjail.h b/nsjail.h
@@ -150,14 +150,24 @@ struct nsjconf_t {
 	bool forward_signals;
 	struct {
 		bool use_pasta;
-		bool inbound;
 		std::string ip;
 		std::string mask;
 		std::string gw;
 		std::string ip6;
 		std::string mask6;
 		std::string gw6;
 		std::string nsiface;
+		std::string tcp_ports;
+		std::string udp_ports;
+		bool enable_ipv4_dhcp;
+		bool enable_dns;
+		std::string dns_forward;
+		bool enable_tcp;
+		bool enable_udp;
+		bool enable_icmp;
+		bool no_map_gw;
+		bool enable_ipv6_dhcp;
+		bool enable_ipv6_ra;
 	} user_net;
 	std::string cgroup_mem_mount;
 	std::string cgroup_mem_parent;

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,8 @@ clone_newcgroup: true`
`63`	`63`
`64`	`64`	`user_net {`
`65`	`65`	`enable: true`
`66`		`- inbound: true`
	`66`	`+ tcp_ports: "auto"`
	`67`	`+ udp_ports: "auto"`
`67`	`68`	`}`
`68`	`69`
`69`	`70`	`uidmap {`