Lowering perms to CAP_NET_ADMIN

Author: evgeniy-scherbina

boundary.go

@@ -78,6 +78,10 @@ func (b *Boundary) Command(command []string) *exec.Cmd {
 	return b.jailer.Command(command)
 }
 
+func (b *Boundary) ConfigureAfterRun(processPID int) {
+	b.jailer.ConfigureAfterRun(processPID)
+}
+
 func (b *Boundary) Close() error {
 	// Stop proxy server
 	if b.proxyServer != nil {

cli/cli.go

@@ -3,6 +3,7 @@ package cli
 import (
 	"context"
 	"fmt"
+	"log"
 	"log/slog"
 	"os"
 	"os/signal"
@@ -94,6 +95,36 @@ func BaseCommand() *serpent.Command {
 
 // Run executes the boundary command with the given configuration and arguments
 func Run(ctx context.Context, config Config, args []string) error {
+	isChild := os.Getenv("CHILD") == "true"
+	if isChild {
+		fmt.Printf("CHILD is started\n")
+		fmt.Printf("%v ||| %v\n", args[0], args[1:])
+		//fmt.Printf("%v\n", os.Environ())
+		time.Sleep(time.Second * 3) // wait for parent to configure env
+
+		// TODO: uncomment
+		vethNetJail := "veth_n_1111111"
+		err := jail.SetupChildNetworking(vethNetJail)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "failed setupChildNetworking: %v\n", err)
+			os.Exit(1)
+		}
+
+		// Program to run
+		bin := args[0]
+		args = args[1:]
+		env := os.Environ()
+		// syscall.Exec replaces the current process image
+		// with the new program, so nothing after this call runs.
+		if err := syscall.Exec(bin, args, env); err != nil {
+			log.Fatalf("exec failed: %v", err)
+		}
+
+		// This line is never reached if Exec succeeds.
+		log.Println("done")
+		return nil
+	}
+
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 
@@ -191,13 +222,21 @@ func Run(ctx context.Context, config Config, args []string) error {
 	// Execute command in boundary
 	go func() {
 		defer cancel()
-		cmd := boundaryInstance.Command(args)
+		cmd := boundaryInstance.Command(os.Args)
+		cmd.Env = append(cmd.Env, "CHILD=true")
 		cmd.Stderr = os.Stderr
 		cmd.Stdout = os.Stdout
 		cmd.Stdin = os.Stdin
 
-		logger.Debug("Executing command in boundary", "command", strings.Join(args, " "))
-		err := cmd.Run()
+		logger.Debug("Executing command in boundary", "command", strings.Join(os.Args, " "))
+		err := cmd.Start()
+		if err != nil {
+			logger.Error("Command execution failed", "error", err)
+		}
+
+		boundaryInstance.ConfigureAfterRun(cmd.Process.Pid)
+
+		err = cmd.Wait()
 		if err != nil {
 			logger.Error("Command execution failed", "error", err)
 		}

jail/jail.go

@@ -10,6 +10,7 @@ import (
 type Jailer interface {
 	Start() error
 	Command(command []string) *exec.Cmd
+	ConfigureAfterRun(processPID int)
 	Close() error
 }
 

jail/linux.go

@@ -7,7 +7,10 @@ import (
 	"log/slog"
 	"os"
 	"os/exec"
+	"syscall"
 	"time"
+
+	"golang.org/x/sys/unix"
 )
 
 // LinuxJail implements Jailer using Linux network namespaces
@@ -46,47 +49,48 @@ func (l *LinuxJail) Start() error {
 	e := getEnvs(l.configDir, l.caCertPath)
 	l.commandEnv = mergeEnvs(e, map[string]string{})
 
-	// Setup DNS configuration BEFORE creating namespace
-	// This ensures the namespace-specific resolv.conf is available when namespace is created
-	err := l.setupDNS()
-	if err != nil {
-		return fmt.Errorf("failed to setup DNS: %v", err)
-	}
-
-	// Create namespace
-	err = l.createNamespace()
-	if err != nil {
-		return fmt.Errorf("failed to create namespace: %v", err)
-	}
-
-	// Setup networking within namespace
-	err = l.setupNetworking()
-	if err != nil {
-		return fmt.Errorf("failed to setup networking: %v", err)
-	}
-
-	// Setup iptables rules on host
-	err = l.setupIptables()
-	if err != nil {
-		return fmt.Errorf("failed to setup iptables: %v", err)
-	}
-
 	return nil
 }
 
 // Command returns an exec.Cmd configured to run within the network namespace
 func (l *LinuxJail) Command(command []string) *exec.Cmd {
 	l.logger.Debug("Creating command with namespace", "namespace", l.namespace)
 
-	cmdArgs := []string{"netns", "exec", l.namespace}
-	cmdArgs = append(cmdArgs, command...)
-
-	cmd := exec.Command("ip", cmdArgs...)
+	//cmdArgs := []string{"netns", "exec", l.namespace}
+	//cmdArgs = append(cmdArgs, command...)
+	//
+	//cmd := exec.Command("ip", cmdArgs...)
+	cmd := exec.Command(command[0], command[1:]...)
 	cmd.Env = l.commandEnv
+	cmd.Env = append(cmd.Env, "CHILD=true")
+
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Cloneflags: syscall.CLONE_NEWUSER | syscall.CLONE_NEWNET,
+		UidMappings: []syscall.SysProcIDMap{
+			{ContainerID: 0, HostID: os.Getuid(), Size: 1},
+		},
+		GidMappings: []syscall.SysProcIDMap{
+			{ContainerID: 0, HostID: os.Getgid(), Size: 1},
+		},
+	}
 
 	return cmd
 }
 
+func (l *LinuxJail) ConfigureAfterRun(pidInt int) {
+	err := l.setupParentNetworking(pidInt)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "failed setupParentNetworking: %v\n", err)
+		os.Exit(1)
+	}
+
+	err = l.setupIptables()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "can't setup iptables: %v\n", err)
+		os.Exit(1)
+	}
+}
+
 // Close removes the network namespace and iptables rules
 func (l *LinuxJail) Close() error {
 	l.logger.Debug("Close called")
@@ -133,31 +137,51 @@ func (l *LinuxJail) createNamespace() error {
 }
 
 // setupNetworking configures networking within the namespace
-func (l *LinuxJail) setupNetworking() error {
+func (l *LinuxJail) setupParentNetworking(pidInt int) error {
+	PID := fmt.Sprintf("%v", pidInt)
+
 	// Create veth pair with short names (Linux interface names limited to 15 chars)
 	// Generate unique ID to avoid conflicts
 	uniqueID := fmt.Sprintf("%d", time.Now().UnixNano()%10000000) // 7 digits max
-	vethHost := fmt.Sprintf("veth_h_%s", uniqueID)                // veth_h_1234567 = 14 chars
-	vethNetJail := fmt.Sprintf("veth_n_%s", uniqueID)             // veth_n_1234567 = 14 chars
+	uniqueID = "1111111"
+	vethHost := fmt.Sprintf("veth_h_%s", uniqueID)    // veth_h_1234567 = 14 chars
+	vethNetJail := fmt.Sprintf("veth_n_%s", uniqueID) // veth_n_1234567 = 14 chars
 
 	// Store veth interface name for iptables rules
 	l.vethHost = vethHost
 
 	setupCmds := []struct {
 		description string
 		command     *exec.Cmd
+		ambientCaps []uintptr
 	}{
-		{"create veth pair", exec.Command("ip", "link", "add", vethHost, "type", "veth", "peer", "name", vethNetJail)},
-		{"move veth to namespace", exec.Command("ip", "link", "set", vethNetJail, "netns", l.namespace)},
-		{"configure host veth", exec.Command("ip", "addr", "add", "192.168.100.1/24", "dev", vethHost)},
-		{"bring up host veth", exec.Command("ip", "link", "set", vethHost, "up")},
-		{"configure namespace veth", exec.Command("ip", "netns", "exec", l.namespace, "ip", "addr", "add", "192.168.100.2/24", "dev", vethNetJail)},
-		{"bring up namespace veth", exec.Command("ip", "netns", "exec", l.namespace, "ip", "link", "set", vethNetJail, "up")},
-		{"bring up loopback", exec.Command("ip", "netns", "exec", l.namespace, "ip", "link", "set", "lo", "up")},
-		{"set default route in namespace", exec.Command("ip", "netns", "exec", l.namespace, "ip", "route", "add", "default", "via", "192.168.100.1")},
+		{
+			"create veth pair",
+			exec.Command("ip", "link", "add", vethHost, "type", "veth", "peer", "name", vethNetJail),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"move veth to namespace",
+			exec.Command("ip", "link", "set", vethNetJail, "netns", PID),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"configure host veth",
+			exec.Command("ip", "addr", "add", "192.168.100.1/24", "dev", vethHost),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"bring up host veth",
+			exec.Command("ip", "link", "set", vethHost, "up"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
 	}
 
 	for _, command := range setupCmds {
+		command.command.SysProcAttr = &syscall.SysProcAttr{
+			AmbientCaps: command.ambientCaps,
+		}
+
 		if err := command.command.Run(); err != nil {
 			return fmt.Errorf("failed to %s: %v", command.description, err)
 		}
@@ -166,6 +190,48 @@ func (l *LinuxJail) setupNetworking() error {
 	return nil
 }
 
+// setupChildNetworking configures networking within the namespace
+func SetupChildNetworking(vethNetJail string) error {
+	setupCmds := []struct {
+		description string
+		command     *exec.Cmd
+		ambientCaps []uintptr
+	}{
+		{
+			"configure namespace veth",
+			exec.Command("ip", "addr", "add", "192.168.100.2/24", "dev", vethNetJail),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"bring up namespace veth",
+			exec.Command("ip", "link", "set", vethNetJail, "up"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"bring up loopback",
+			exec.Command("ip", "link", "set", "lo", "up"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"set default route in namespace",
+			exec.Command("ip", "route", "add", "default", "via", "192.168.100.1"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+	}
+
+	for _, command := range setupCmds {
+		command.command.SysProcAttr = &syscall.SysProcAttr{
+			AmbientCaps: command.ambientCaps,
+		}
+
+		if output, err := command.command.CombinedOutput(); err != nil {
+			return fmt.Errorf("failed to %s: %v, output: %s, args: %v", command.description, err, output, command.command.Args)
+		}
+	}
+
+	return nil
+}
+
 // setupDNS configures DNS resolution for the namespace
 // This ensures reliable DNS resolution by using public DNS servers
 // instead of relying on the host's potentially complex DNS configuration
@@ -204,6 +270,9 @@ func (l *LinuxJail) setupIptables() error {
 
 	// NAT rules for outgoing traffic (MASQUERADE for return traffic)
 	cmd = exec.Command("iptables", "-t", "nat", "-A", "POSTROUTING", "-s", "192.168.100.0/24", "-j", "MASQUERADE")
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		AmbientCaps: []uintptr{uintptr(unix.CAP_NET_ADMIN)},
+	}
 	err := cmd.Run()
 	if err != nil {
 		return fmt.Errorf("failed to add NAT rule: %v", err)
@@ -212,22 +281,31 @@ func (l *LinuxJail) setupIptables() error {
 	// COMPREHENSIVE APPROACH: Route ALL TCP traffic to HTTP proxy
 	// The HTTP proxy will intelligently handle both HTTP and TLS traffic
 	cmd = exec.Command("iptables", "-t", "nat", "-A", "PREROUTING", "-i", l.vethHost, "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpProxyPort))
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		AmbientCaps: []uintptr{uintptr(unix.CAP_NET_ADMIN)},
+	}
 	err = cmd.Run()
 	if err != nil {
 		return fmt.Errorf("failed to add comprehensive TCP redirect rule: %v", err)
 	}
 
 	// TODO: clean up this rules
 	cmd = exec.Command("iptables", "-A", "FORWARD", "-s", "192.168.100.0/24", "-j", "ACCEPT")
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		AmbientCaps: []uintptr{uintptr(unix.CAP_NET_ADMIN)},
+	}
 	err = cmd.Run()
 	if err != nil {
-		return err
+		return fmt.Errorf("forward -s error: %v, output: %v")
 	}
 
 	cmd = exec.Command("iptables", "-A", "FORWARD", "-d", "192.168.100.0/24", "-j", "ACCEPT")
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		AmbientCaps: []uintptr{uintptr(unix.CAP_NET_ADMIN)},
+	}
 	err = cmd.Run()
 	if err != nil {
-		return err
+		return fmt.Errorf("forward -r error: %v", err)
 	}
 
 	l.logger.Debug("Comprehensive TCP boundarying enabled", "interface", l.vethHost, "proxy_port", l.httpProxyPort)

jail/macos.go

@@ -340,3 +340,5 @@ func (n *MacOSJail) cleanupTempFiles() {
 		}
 	}
 }
+
+func (u *MacOSJail) ConfigureAfterRun(processPID int) {}

jail/unprivileged.go

@@ -60,3 +60,5 @@ func (u *Unprivileged) Close() error {
 	u.logger.Debug("Closing unprivileged jail")
 	return nil
 }
+
+func (u *Unprivileged) ConfigureAfterRun(processPID int) {}