google/nsjail

Network is accessible even though clone_newnet=false

pomo-mondreganto opened this issue · 3 comments

I'm using the following nsjail configuration:

name: "some-runner"

mode: ONCE
hostname: "hname"

log_level: INFO

envar: "PATH"

rlimit_fsize: 256
rlimit_nofile: 16
rlimit_core: 0
max_cpus: 1

clone_newnet: false

uidmap {
   inside_id: "99999"
   outside_id: "99999"
}

gidmap {
   inside_id: "99999"
   outside_id: "99999"
}

mount_proc: true

mount {
	src_content: "jail:x:99999:99999:jail:/:/bin/false"
	dst: "/etc/passwd"
}

mount {
	src_content: "jail:x:99999:"
	dst: "/etc/group"
}

mount {
	dst: "/tmp"
	fstype: "tmpfs"
	rw: true
}

mount {
	dst: "/run"
	fstype: "tmpfs"
	rw: true
}

mount {
	src: "/dev/urandom"
	dst: "/dev/urandom"
	is_bind: true
}

mount {
	src: "/dev/null"
	dst: "/dev/null"
	is_bind: true
	rw: true
}

mount {
	dst: "/dev/shm"
	fstype: "tmpfs"
	rw: true
}

mount {
	src: "/lib64"
	dst: "/lib64"
	is_bind: true
}

mount {
	src: "/lib"
	dst: "/lib"
	is_bind: true
}

mount {
	src: "/bin"
	dst: "/bin"
	is_bind: true
}

mount {
	src: "/etc/alternatives"
	dst: "/etc/alternatives"
	is_bind: true
}

mount {
	src: "/usr"
	dst: "/usr"
	is_bind: true
}

mount {
	src: "/opt"
	dst: "/opt"
	is_bind: true
}

And when running nsjail with the following command: nsjail --config runner.cfg -- /bin/bash I'm getting the following ifconfig output:

[I][2021-03-09T15:09:24+0000] Mode: STANDALONE_ONCE
[I][2021-03-09T15:09:24+0000] Jail parameters: hostname:'hname', chroot:'', process:'/bin/bash', bind:[::]:0, max_conns_per_ip:0, time_limit:600, personality:0, daemonize:false, clone_newnet:false, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, keep_caps:false, disable_no_new_privs:false, max_cpus:1
[I][2021-03-09T15:09:24+0000] Mount: '/' flags:MS_RDONLY type:'tmpfs' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Mount: '/etc/passwd' flags:MS_RDONLY type:'' options:'' dir:false src_content_len:36
[I][2021-03-09T15:09:24+0000] Mount: '/etc/group' flags:MS_RDONLY type:'' options:'' dir:false src_content_len:13
[I][2021-03-09T15:09:24+0000] Mount: '/tmp' flags: type:'tmpfs' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Mount: '/run' flags: type:'tmpfs' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Mount: '/dev/urandom' -> '/dev/urandom' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:false
[I][2021-03-09T15:09:24+0000] Mount: '/dev/null' -> '/dev/null' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:false
[I][2021-03-09T15:09:24+0000] Mount: '/dev/shm' flags: type:'tmpfs' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Mount: '/lib64' -> '/lib64' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Mount: '/lib' -> '/lib' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Mount: '/bin' -> '/bin' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Mount: '/etc/alternatives' -> '/etc/alternatives' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Mount: '/usr' -> '/usr' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Mount: '/sbin' -> '/sbin' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Mount: '/opt' -> '/opt' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Mount: '/proc' flags:MS_RDONLY type:'proc' options:'' dir:true
[I][2021-03-09T15:09:24+0000] Uid map: inside_uid:99999 outside_uid:99999 count:1 newuidmap:false
[I][2021-03-09T15:09:24+0000] Gid map: inside_gid:99999 outside_gid:99999 count:1 newgidmap:false
[I][2021-03-09T15:09:24+0000] Executing '/bin/bash' for '[STANDALONE MODE]'
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 8580  bytes 31079068 (31.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2325  bytes 160013 (160.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And some other network commands (e.g. running urlopen with an IP address from Python) work too.

Either I've misconfigured nsjail somehow, or clone_newnet: false doesn't have the documented behavior of disabling global networking inside the jail.

I have the same issue.

Hi,

Where is it documented that this is not the intended behavior? The readme states

 --disable_clone_newnet|-N 
	Don't use CLONE_NEWNET. Enable global networking inside the jail

which is correct - not using clone_newnet will disable network isolation.

Sorry, definitely my mistake
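
An added example, not part of the original thread or of nsjail's code: a small Python check that reads the "Jail parameters:" line nsjail logs at startup (as in the output above) and reports which namespaces the jail shares with its parent. The function names and the shortened sample log are constructed for illustration.

```python
import re

# Namespace flags nsjail prints on its "Jail parameters:" startup line.
NS_FLAGS = ("clone_newnet", "clone_newuser", "clone_newns", "clone_newpid",
            "clone_newipc", "clone_newuts", "clone_newcgroup")

# Constructed sample: the startup log from this issue, shortened.
SAMPLE_LOG = """\
[I][2021-03-09T15:09:24+0000] Mode: STANDALONE_ONCE
[I][2021-03-09T15:09:24+0000] Jail parameters: hostname:'hname', chroot:'', process:'/bin/bash', bind:[::]:0, time_limit:600, clone_newnet:false, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, keep_caps:false, max_cpus:1
[I][2021-03-09T15:09:24+0000] Executing '/bin/bash' for '[STANDALONE MODE]'
"""


def namespace_flags(log_text):
    """Return {flag: bool} for each clone_new* flag on the Jail parameters line."""
    for line in log_text.splitlines():
        if "Jail parameters:" not in line:
            continue
        found = dict(re.findall(r"\b(clone_new\w+):(true|false)\b", line))
        return {name: found[name] == "true" for name in NS_FLAGS if name in found}
    raise ValueError("no 'Jail parameters:' line in log")


def shared_namespaces(log_text):
    """Names of namespaces the jail shares with its parent (flag is false)."""
    return [name for name, isolated in namespace_flags(log_text).items()
            if not isolated]


def audit(log_text, required=NS_FLAGS):
    """Return the required namespaces that are shared or not reported at all."""
    flags = namespace_flags(log_text)
    return [name for name in required if not flags.get(name, False)]


if __name__ == "__main__":
    problems = audit(SAMPLE_LOG)
    if problems:
        # clone_newnet:false means the jail keeps the parent's interfaces,
        # which is why eth0 shows up in the ifconfig output above.
        print("not isolated:", ", ".join(problems))
    else:
        print("all required namespaces are unshared")
```

Run against a captured startup log before trusting a jail with untrusted code; an empty list from `audit` means every listed namespace was unshared.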