1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
// SPDX-License-Identifier: MIT

use crate::Error;
use nix::{
    fcntl::OFlag,
    sched::CloneFlags,
    sys::{
        stat::Mode,
        wait::{waitpid, WaitStatus},
    },
    unistd::{fork, ForkResult},
};
use std::{option::Option, path::Path, process::exit};

// if "only" smol or smol+tokio were enabled, we use smol because
// it doesn't require an active tokio runtime - just to be sure.
#[cfg(feature = "smol_socket")]
async fn try_spawn_blocking<F, R>(fut: F) -> R
where
    F: FnOnce() -> R + Send + 'static,
    R: Send + 'static,
{
    async_global_executor::spawn_blocking(fut).await
}

// only tokio enabled, so use tokio
#[cfg(all(not(feature = "smol_socket"), feature = "tokio_socket"))]
async fn try_spawn_blocking<F, R>(fut: F) -> R
where
    F: FnOnce() -> R + Send + 'static,
    R: Send + 'static,
{
    match tokio::task::spawn_blocking(fut).await {
        Ok(v) => v,
        Err(err) => {
            std::panic::resume_unwind(err.into_panic());
        }
    }
}

// neither smol nor tokio - just run blocking op directly.
// hopefully not too blocking...
#[cfg(all(not(feature = "smol_socket"), not(feature = "tokio_socket")))]
async fn try_spawn_blocking<F, R>(fut: F) -> R
where
    F: FnOnce() -> R + Send + 'static,
    R: Send + 'static,
{
    fut()
}

pub const NETNS_PATH: &str = "/run/netns/";
pub const SELF_NS_PATH: &str = "/proc/self/ns/net";
pub const NONE_FS: &str = "none";

pub struct NetworkNamespace();

impl NetworkNamespace {
    /// Add a new network namespace.
    /// This is equivalent to `ip netns add NS_NAME`.
    pub async fn add(ns_name: String) -> Result<(), Error> {
        // Forking process to avoid moving caller into new namespace
        NetworkNamespace::prep_for_fork()?;
        log::trace!("Forking...");
        match unsafe { fork() } {
            Ok(ForkResult::Parent { child, .. }) => NetworkNamespace::parent_process(child),
            Ok(ForkResult::Child) => {
                NetworkNamespace::child_process(ns_name);
            }
            Err(e) => {
                let err_msg = format!("Fork failed: {}", e);
                Err(Error::NamespaceError(err_msg))
            }
        }
    }

    /// Remove a network namespace
    /// This is equivalent to `ip netns del NS_NAME`.
    pub async fn del(ns_name: String) -> Result<(), Error> {
        try_spawn_blocking(move || {
            let mut netns_path = String::new();
            netns_path.push_str(NETNS_PATH);
            netns_path.push_str(&ns_name);
            let ns_path = Path::new(&netns_path);

            if nix::mount::umount2(ns_path, nix::mount::MntFlags::MNT_DETACH).is_err() {
                let err_msg = String::from("Namespace unmount failed (are you running as root?)");
                return Err(Error::NamespaceError(err_msg));
            }

            if nix::unistd::unlink(ns_path).is_err() {
                let err_msg =
                    String::from("Namespace file remove failed (are you running as root?)");
                return Err(Error::NamespaceError(err_msg));
            }

            Ok(())
        })
        .await
    }

    pub fn prep_for_fork() -> Result<(), Error> {
        // Placeholder function, nothing to do here.
        Ok(())
    }

    /// This is the parent process form the fork, it waits for the
    /// child to exit properly
    pub fn parent_process(child: nix::unistd::Pid) -> Result<(), Error> {
        log::trace!("parent_process child PID: {}", child);
        log::trace!("Waiting for child to finish...");
        match waitpid(child, None) {
            Ok(wait_status) => match wait_status {
                WaitStatus::Exited(_, res) => {
                    log::trace!("Child exited with: {}", res);
                    if res == 0 {
                        return Ok(());
                    }
                    log::error!("Error child result: {}", res);
                    let err_msg = format!("Error child result: {}", res);
                    Err(Error::NamespaceError(err_msg))
                }
                WaitStatus::Signaled(_, signal, has_dump) => {
                    log::error!("Error child killed by signal: {}", signal);
                    let err_msg = format!(
                        "Error child process was killed by signal: {} with core dump {}",
                        signal, has_dump
                    );
                    Err(Error::NamespaceError(err_msg))
                }
                _ => {
                    log::error!("Unknown child process status");
                    let err_msg = String::from("Unknown child process status");
                    Err(Error::NamespaceError(err_msg))
                }
            },
            Err(e) => {
                log::error!("wait error: {}", e);
                let err_msg = format!("wait error: {}", e);
                Err(Error::NamespaceError(err_msg))
            }
        }
    }

    fn child_process(ns_name: String) -> ! {
        let res = std::panic::catch_unwind(|| -> Result<(), Error> {
            let netns_path = NetworkNamespace::child_process_create_ns(ns_name)?;
            NetworkNamespace::unshare_processing(netns_path)?;
            Ok(())
        });
        match res {
            Err(_panic) => {
                // panic should have already been printed by the handler
                log::error!("child process crashed");
                std::process::abort()
            }
            Ok(Err(fail)) => {
                log::error!("child process failed: {}", fail);
                exit(1)
            }
            Ok(Ok(())) => exit(0),
        }
    }

    /// This is the child process, it will actually create the namespace
    /// resources. It creates the folder and namespace file.
    /// Returns the namespace file path
    pub fn child_process_create_ns(ns_name: String) -> Result<String, Error> {
        log::trace!("child_process will create the namespace");

        let mut netns_path = String::new();

        let dir_path = Path::new(NETNS_PATH);
        let mut mkdir_mode = Mode::empty();
        let mut open_flags = OFlag::empty();
        let mut mount_flags = nix::mount::MsFlags::empty();
        let none_fs = Path::new(&NONE_FS);
        let none_p4: Option<&Path> = None;

        // flags in mkdir
        mkdir_mode.insert(Mode::S_IRWXU);
        mkdir_mode.insert(Mode::S_IRGRP);
        mkdir_mode.insert(Mode::S_IXGRP);
        mkdir_mode.insert(Mode::S_IROTH);
        mkdir_mode.insert(Mode::S_IXOTH);

        open_flags.insert(OFlag::O_RDONLY);
        open_flags.insert(OFlag::O_CREAT);
        open_flags.insert(OFlag::O_EXCL);

        netns_path.push_str(NETNS_PATH);
        netns_path.push_str(&ns_name);

        // creating namespaces folder if not exists
        #[allow(clippy::collapsible_if)]
        if nix::sys::stat::stat(dir_path).is_err() {
            if let Err(e) = nix::unistd::mkdir(dir_path, mkdir_mode) {
                log::error!("mkdir error: {}", e);
                let err_msg = format!("mkdir error: {}", e);
                return Err(Error::NamespaceError(err_msg));
            }
        }

        // Try to mount /run/netns, with MS_REC | MS_SHARED
        // If it fails, creates the mount with MS_BIND | MS_REC
        // This is the same strategy used by `ip netns add NS`
        mount_flags.insert(nix::mount::MsFlags::MS_REC);
        mount_flags.insert(nix::mount::MsFlags::MS_SHARED);
        if nix::mount::mount(
            Some(Path::new("")),
            dir_path,
            Some(none_fs),
            mount_flags,
            none_p4,
        )
        .is_err()
        {
            mount_flags = nix::mount::MsFlags::empty();
            mount_flags.insert(nix::mount::MsFlags::MS_BIND);
            mount_flags.insert(nix::mount::MsFlags::MS_REC);

            if let Err(e) = nix::mount::mount(
                Some(Path::new(dir_path)),
                dir_path,
                Some(none_fs),
                mount_flags,
                none_p4,
            ) {
                log::error!("mount error: {}", e);
                let err_msg = format!("mount error: {}", e);
                return Err(Error::NamespaceError(err_msg));
            }
        }

        mount_flags = nix::mount::MsFlags::empty();
        mount_flags.insert(nix::mount::MsFlags::MS_REC);
        mount_flags.insert(nix::mount::MsFlags::MS_SHARED);
        if let Err(e) = nix::mount::mount(
            Some(Path::new("")),
            dir_path,
            Some(none_fs),
            mount_flags,
            none_p4,
        ) {
            log::error!("mount error: {}", e);
            let err_msg = format!("mount error: {}", e);
            return Err(Error::NamespaceError(err_msg));
        }

        let ns_path = Path::new(&netns_path);

        // creating the netns file
        let fd = match nix::fcntl::open(ns_path, open_flags, Mode::empty()) {
            Ok(raw_fd) => raw_fd,
            Err(e) => {
                log::error!("open error: {}", e);
                let err_msg = format!("open error: {}", e);
                return Err(Error::NamespaceError(err_msg));
            }
        };

        if let Err(e) = nix::unistd::close(fd) {
            log::error!("close error: {}", e);
            let err_msg = format!("close error: {}", e);
            let _ = nix::unistd::unlink(ns_path);
            return Err(Error::NamespaceError(err_msg));
        }

        Ok(netns_path)
    }

    /// This function unshare the calling process and move into
    /// the given network namespace
    #[allow(unused)]
    pub fn unshare_processing(netns_path: String) -> Result<(), Error> {
        let mut setns_flags = CloneFlags::empty();
        let mut open_flags = OFlag::empty();
        let ns_path = Path::new(&netns_path);

        let none_fs = Path::new(&NONE_FS);
        let none_p4: Option<&Path> = None;

        // unshare to the new network namespace
        if let Err(e) = nix::sched::unshare(CloneFlags::CLONE_NEWNET) {
            log::error!("unshare error: {}", e);
            let err_msg = format!("unshare error: {}", e);
            let _ = nix::unistd::unlink(ns_path);
            return Err(Error::NamespaceError(err_msg));
        }

        open_flags = OFlag::empty();
        open_flags.insert(OFlag::O_RDONLY);
        open_flags.insert(OFlag::O_CLOEXEC);

        let fd = match nix::fcntl::open(Path::new(&SELF_NS_PATH), open_flags, Mode::empty()) {
            Ok(raw_fd) => raw_fd,
            Err(e) => {
                log::error!("open error: {}", e);
                let err_msg = format!("open error: {}", e);
                return Err(Error::NamespaceError(err_msg));
            }
        };

        let self_path = Path::new(&SELF_NS_PATH);

        // bind to the netns
        if let Err(e) = nix::mount::mount(
            Some(self_path),
            ns_path,
            Some(none_fs),
            nix::mount::MsFlags::MS_BIND,
            none_p4,
        ) {
            log::error!("mount error: {}", e);
            let err_msg = format!("mount error: {}", e);
            let _ = nix::unistd::unlink(ns_path);
            return Err(Error::NamespaceError(err_msg));
        }

        setns_flags.insert(CloneFlags::CLONE_NEWNET);
        if let Err(e) = nix::sched::setns(fd, setns_flags) {
            log::error!("setns error: {}", e);
            let err_msg = format!("setns error: {}", e);
            let _ = nix::unistd::unlink(ns_path);
            return Err(Error::NamespaceError(err_msg));
        }

        Ok(())
    }
}