forks/linsk
forks/linsk
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Restricted VM networking

Browse source
This commit is contained in:
AlexSSD7 2023-08-26 16:43:04 +01:00
commit 34e66cb01c
5 changed files with 31 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

2
cmd/ls.go
View file

@ -27,7 +27,7 @@ var lsCmd = &cobra.Command{
fmt.Print(string(lsblkOut))
return 0
}, nil))
}, nil, false))
return nil
},

2
cmd/run.go
View file

@ -63,7 +63,7 @@ var runCmd = &cobra.Command{
HostIP: net.ParseIP("127.0.0.1"), // TODO: Make this changeable.
HostPort: networkSharePort,
VMPort: 445,
}}))
}}, false))
return nil
},

21
cmd/shell.go
View file

@ -4,6 +4,7 @@ import (
"context"
"log/slog"
"os"
"strings"
"github.com/AlexSSD7/linsk/vm"
"github.com/spf13/cobra"
@ -22,6 +23,22 @@ var shellCmd = &cobra.Command{
passthroughArg = args[0]
}
var forwardPortsConfig []vm.PortForwardingConfig
for i, fp := range strings.Split(forwardPortsFlagStr, ",") {
if fp == "" {
continue
}
fpc, err := vm.ParsePortForwardString(fp)
if err != nil {
slog.Error("Failed to parse port forward string", "index", i, "value", fp, "error", err)
os.Exit(1)
}
forwardPortsConfig = append(forwardPortsConfig, fpc)
}
os.Exit(runVM(passthroughArg, func(ctx context.Context, i *vm.Instance, fm *vm.FileManager) int {
sc, err := i.DialSSH()
if err != nil {
@ -103,14 +120,16 @@ var shellCmd = &cobra.Command{
}
return 0
}, nil))
}, forwardPortsConfig, unrestrictedNetworkingFlag))
return nil
},
}
var forwardPortsFlagStr string
var unrestrictedNetworkingFlag bool
func init() {
shellCmd.Flags().BoolVar(&unrestrictedNetworkingFlag, "unsafe-unrestricted-networking", false, "(UNSAFE) Enable unrestricted networking. This will allow the VM to connect to the internet.")
shellCmd.Flags().StringVar(&forwardPortsFlagStr, "forward-ports", "", "Extra TCP port forwarding rules. Syntax: '<HOST PORT>:<VM PORT>' OR '<HOST BIND IP>:<HOST PORT>:<VM PORT>'. Multiple rules split by comma are accepted.")
}

23
cmd/utils.go
View file

@ -7,7 +7,6 @@ import (
"os"
"os/signal"
"os/user"
"strings"
"sync"
"syscall"
@ -38,7 +37,7 @@ func doRootCheck() {
}
}
func runVM(passthroughArg string, fn func(context.Context, *vm.Instance, *vm.FileManager) int, forwardPorts []vm.PortForwardingConfig) int {
func runVM(passthroughArg string, fn func(context.Context, *vm.Instance, *vm.FileManager) int, forwardPorts []vm.PortForwardingConfig, unrestrictedNetworking bool) int {
doRootCheck()
var passthroughConfig []vm.USBDevicePassthroughConfig
@ -47,26 +46,8 @@ func runVM(passthroughArg string, fn func(context.Context, *vm.Instance, *vm.Fil
passthroughConfig = []vm.USBDevicePassthroughConfig{getDevicePassthroughConfig(passthroughArg)}
}
var forwardPortsConfig []vm.PortForwardingConfig
for i, fp := range strings.Split(forwardPortsFlagStr, ",") {
if fp == "" {
continue
}
fpc, err := vm.ParsePortForwardString(fp)
if err != nil {
slog.Error("Failed to parse port forward string", "index", i, "value", fp, "error", err)
os.Exit(1)
}
forwardPortsConfig = append(forwardPortsConfig, fpc)
}
forwardPortsConfig = append(forwardPortsConfig, forwardPorts...)
// TODO: Alpine image should be downloaded from somewhere.
vi, err := vm.NewInstance(slog.Default().With("caller", "vm"), "alpine-img/alpine.qcow2", passthroughConfig, vmDebugFlag, forwardPortsConfig)
vi, err := vm.NewInstance(slog.Default().With("caller", "vm"), "alpine-img/alpine.qcow2", passthroughConfig, vmDebugFlag, forwardPorts, unrestrictedNetworking)
if err != nil {
slog.Error("Failed to create vm instance", "error", err)
os.Exit(1)

10
vm/vm.go
View file

@ -51,7 +51,7 @@ type Instance struct {
canceled uint32
}
func NewInstance(logger *slog.Logger, alpineImagePath string, usbDevices []USBDevicePassthroughConfig, debug bool, extraPortForwardings []PortForwardingConfig) (*Instance, error) {
func NewInstance(logger *slog.Logger, alpineImagePath string, usbDevices []USBDevicePassthroughConfig, debug bool, extraPortForwardings []PortForwardingConfig, unrestrictedNetworking bool) (*Instance, error) {
alpineImagePath = filepath.Clean(alpineImagePath)
_, err := os.Stat(alpineImagePath)
if err != nil {
@ -63,8 +63,6 @@ func NewInstance(logger *slog.Logger, alpineImagePath string, usbDevices []USBDe
return nil, errors.Wrap(err, "get free port for ssh server")
}
// TODO: Disable internet access
// TODO: Configurable memory allocation
baseCmd := "qemu-system-x86_64"
@ -72,6 +70,12 @@ func NewInstance(logger *slog.Logger, alpineImagePath string, usbDevices []USBDe
netdevOpts := "user,id=net0,hostfwd=tcp:127.0.0.1:" + fmt.Sprint(sshPort) + "-:22"
if !unrestrictedNetworking {
netdevOpts += ",restrict=on"
} else {
logger.Warn("Running with unsafe unrestricted networking")
}
for _, pf := range extraPortForwardings {
hostIPStr := ""
if pf.HostIP != nil {