refactor

Author: evgeniy-scherbina

jail/linux.go

@@ -13,121 +13,6 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-type command struct {
-	description string
-	cmd         *exec.Cmd
-	ambientCaps []uintptr
-}
-
-type commandRunner struct {
-	commands []*command
-}
-
-func newCommandRunner(commands []*command) *commandRunner {
-	return &commandRunner{
-		commands: commands,
-	}
-}
-
-func (r *commandRunner) run() error {
-	for _, command := range r.commands {
-		command.cmd.SysProcAttr = &syscall.SysProcAttr{
-			AmbientCaps: command.ambientCaps,
-		}
-
-		output, err := command.cmd.CombinedOutput()
-		if err != nil {
-			return fmt.Errorf("failed to %s: %v, output: %s", command.description, err, output)
-		}
-	}
-
-	return nil
-}
-
-func (l *LinuxJail) configureParentNetworkingStep1() error {
-	// Create veth pair with short names (Linux interface names limited to 15 chars)
-	// Generate unique ID to avoid conflicts
-	uniqueID := fmt.Sprintf("%d", time.Now().UnixNano()%10000000) // 7 digits max
-	vethHostName := fmt.Sprintf("veth_h_%s", uniqueID)            // veth_h_1234567 = 14 chars
-	vethJailName := fmt.Sprintf("veth_n_%s", uniqueID)            // veth_n_1234567 = 14 chars
-
-	// Store veth interface name for iptables rules
-	l.vethHostName = vethHostName
-	l.vethJailName = vethJailName
-
-	runner := newCommandRunner([]*command{
-		{
-			"create veth pair",
-			exec.Command("ip", "link", "add", vethHostName, "type", "veth", "peer", "name", vethJailName),
-			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-		},
-		{
-			"configure host veth",
-			exec.Command("ip", "addr", "add", "192.168.100.1/24", "dev", vethHostName),
-			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-		},
-		{
-			"bring up host veth",
-			exec.Command("ip", "link", "set", vethHostName, "up"),
-			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-		},
-	})
-	if err := runner.run(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// setupNetworking configures networking within the namespace
-func (l *LinuxJail) configureParentNetworkingStep2(pidInt int) error {
-	PID := fmt.Sprintf("%v", pidInt)
-
-	runner := newCommandRunner([]*command{
-		{
-			"move veth to namespace",
-			exec.Command("ip", "link", "set", l.vethJailName, "netns", PID),
-			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-		},
-	})
-	if err := runner.run(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// setupChildNetworking configures networking within the namespace
-func SetupChildNetworking(vethNetJail string) error {
-	runner := newCommandRunner([]*command{
-		{
-			"configure namespace veth",
-			exec.Command("ip", "addr", "add", "192.168.100.2/24", "dev", vethNetJail),
-			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-		},
-		{
-			"bring up namespace veth",
-			exec.Command("ip", "link", "set", vethNetJail, "up"),
-			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-		},
-		{
-			"bring up loopback",
-			exec.Command("ip", "link", "set", "lo", "up"),
-			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-		},
-		{
-			"set default route in namespace",
-			exec.Command("ip", "route", "add", "default", "via", "192.168.100.1"),
-			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-		},
-	})
-	if err := runner.run(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
 // LinuxJail implements Jailer using Linux network namespaces
 type LinuxJail struct {
 	logger        *slog.Logger
@@ -167,7 +52,7 @@ func (l *LinuxJail) ConfigureBeforeCommandExecution() error {
 
 	l.commandEnv = getEnvs(l.configDir, l.caCertPath)
 
-	if err := l.configureParentNetworkingStep1(); err != nil {
+	if err := l.configureHostNetworkBeforeCmdExec(); err != nil {
 		return err
 	}
 	if err := l.configureIptables(); err != nil {
@@ -202,7 +87,7 @@ func (l *LinuxJail) Command(command []string) *exec.Cmd {
 // With the child PID known, it moves the jail-side veth into the child’s network
 // namespace.
 func (l *LinuxJail) ConfigureAfterCommandExecution(pidInt int) error {
-	err := l.configureParentNetworkingStep2(pidInt)
+	err := l.configureHostNetworkAfterCmdExec(pidInt)
 	if err != nil {
 		return fmt.Errorf("failed to configure parent networking: %v", err)
 	}
@@ -354,3 +239,126 @@ func (l *LinuxJail) removeNamespace() error {
 	}
 	return nil
 }
+
+type command struct {
+	description string
+	cmd         *exec.Cmd
+	ambientCaps []uintptr
+}
+
+type commandRunner struct {
+	commands []*command
+}
+
+func newCommandRunner(commands []*command) *commandRunner {
+	return &commandRunner{
+		commands: commands,
+	}
+}
+
+func (r *commandRunner) run() error {
+	for _, command := range r.commands {
+		command.cmd.SysProcAttr = &syscall.SysProcAttr{
+			AmbientCaps: command.ambientCaps,
+		}
+
+		output, err := command.cmd.CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("failed to %s: %v, output: %s", command.description, err, output)
+		}
+	}
+
+	return nil
+}
+
+// configureHostNetworkBeforeCmdExec prepares host-side networking before the target
+// process is started. At this point the target process is not running, so its PID and network
+// namespace ID are not yet known.
+func (l *LinuxJail) configureHostNetworkBeforeCmdExec() error {
+	// Create veth pair with short names (Linux interface names limited to 15 chars)
+	// Generate unique ID to avoid conflicts
+	uniqueID := fmt.Sprintf("%d", time.Now().UnixNano()%10000000) // 7 digits max
+	vethHostName := fmt.Sprintf("veth_h_%s", uniqueID)            // veth_h_1234567 = 14 chars
+	vethJailName := fmt.Sprintf("veth_n_%s", uniqueID)            // veth_n_1234567 = 14 chars
+
+	// Store veth interface name for iptables rules
+	l.vethHostName = vethHostName
+	l.vethJailName = vethJailName
+
+	runner := newCommandRunner([]*command{
+		{
+			"create veth pair",
+			exec.Command("ip", "link", "add", vethHostName, "type", "veth", "peer", "name", vethJailName),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"configure host veth",
+			exec.Command("ip", "addr", "add", "192.168.100.1/24", "dev", vethHostName),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"bring up host veth",
+			exec.Command("ip", "link", "set", vethHostName, "up"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+	})
+	if err := runner.run(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// configureHostNetworkAfterCmdExec finalizes host-side networking after the target
+// process has started. It moves the jail-side veth into the target process's network
+// namespace using the provided PID. This requires the process to be running so
+// its PID (and thus its netns) are available.
+func (l *LinuxJail) configureHostNetworkAfterCmdExec(pidInt int) error {
+	PID := fmt.Sprintf("%v", pidInt)
+
+	runner := newCommandRunner([]*command{
+		{
+			"move veth to namespace",
+			exec.Command("ip", "link", "set", l.vethJailName, "netns", PID),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+	})
+	if err := runner.run(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// SetupChildNetworking configures networking within the target process's network
+// namespace. This runs inside the child process after it has been
+// created and moved to its own network namespace.
+func SetupChildNetworking(vethNetJail string) error {
+	runner := newCommandRunner([]*command{
+		{
+			"configure namespace veth",
+			exec.Command("ip", "addr", "add", "192.168.100.2/24", "dev", vethNetJail),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"bring up namespace veth",
+			exec.Command("ip", "link", "set", vethNetJail, "up"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"bring up loopback",
+			exec.Command("ip", "link", "set", "lo", "up"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"set default route in namespace",
+			exec.Command("ip", "route", "add", "default", "via", "192.168.100.1"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+	})
+	if err := runner.run(); err != nil {
+		return err
+	}
+
+	return nil
+}