init: Set up a dummy network interface with TSI

Some applications check for network availability by looking for a
network device configured for Internet access.  When TSI is used, there
is no such device available by default, although Internet is accessible.
Then those applications behave like when the connection is not
available.

Let's solve this problem by setting up a dummy network interface.  The
dummy interface is automatically created when CONFIG_DUMMY is enabled in
kernel or the corresponding kernel module is loaded.  This means a
sufficiently recent libkrunfw version is needed (see
containers/libkrunfw#116).  The dummy interface
is initially down.

In order to make the applications happy, the interface must be brought
up and set up for Internet connections.  This is ensured by setting the
IP address to 10.0.0.1/0 (an arbitrary choice without any special
reason) in init.c if TSI is enabled.  TSI availability is determined by
checking the presence of `tsi_hijack' in the kernel command line.

The dummy interface simply swallows all packets.  But it is effectively
bypassed by TSI for practical purposes.  Things like ICMP don't work in
either case.

When the kernel support is not available, the device is not present and
init.c cannot set it up.  We skip the configuration silently in such a
case, to not spam users with errors if they use older libkrunfw or
custom kernels.

Fixes: #576

Signed-off-by: Milan Zamazal <mzamazal@redhat.com>

Author: mz-pdm

init/init.c

@@ -11,6 +11,7 @@
 #include <time.h>
 #include <unistd.h>
 
+#include <arpa/inet.h>
 #include <net/if.h>
 #include <sys/ioctl.h>
 #include <sys/mount.h>
@@ -1059,6 +1060,107 @@ int try_mount(const char *source, const char *target, const char *fstype,
     return mount_status;
 }
 
+bool tsi_enabled()
+{
+    const char *const option = "tsi_hijack";
+    size_t length = strlen(option);
+    bool enabled = false;
+    FILE *f;
+    unsigned int i = 0;
+
+    f = fopen("/proc/cmdline", "r");
+    if (f == NULL) {
+        perror("fopen(/proc/cmdline)");
+        return false;
+    }
+
+    while (1) {
+        int c = fgetc(f);
+        if (c == ' ' || c == EOF) {
+            if (i == length) {
+                enabled = true;
+                break;
+            }
+            if (c == EOF) {
+                break;
+            }
+            i = 0;
+        } else if (c == option[i]) {
+            i++;
+        } else {
+            do {
+                c = fgetc(f);
+            } while (c != EOF && c != ' ');
+            i = 0;
+        }
+    }
+
+    fclose(f);
+
+    return enabled;
+}
+
+int enable_dummy_interface()
+{
+    // See https://www.man7.org/linux/man-pages/man7/netdevice.7.html
+
+    const char *const name = "dummy0";
+    struct ifreq ifr;
+    int sockfd;
+    struct sockaddr_in *addr = (struct sockaddr_in *)&ifr.ifr_addr;
+    struct sockaddr_in *netmask = (struct sockaddr_in *)&ifr.ifr_netmask;
+
+    if (snprintf(ifr.ifr_name, IFNAMSIZ, "%s", name) >= IFNAMSIZ) {
+        perror("dummy interface name too long");
+        return -1;
+    }
+
+    sockfd = socket(PF_INET, SOCK_DGRAM, 0);
+    if (sockfd < 0) {
+        perror("dummy interface socket");
+        return -1;
+    }
+
+    ifr.ifr_flags = IFF_UP;
+    if (ioctl(sockfd, SIOCSIFFLAGS, &ifr) < 0) {
+        if (errno == ENODEV) {
+            // Most likely not enabled in the kernel, ignore quietly
+            close(sockfd);
+            return 0;
+        }
+        perror("dummy interface up");
+        close(sockfd);
+        return -1;
+    }
+
+    addr->sin_family = AF_INET;
+    if (inet_pton(AF_INET, "10.0.0.1", &addr->sin_addr) <= 0) {
+        perror("inet_pton address");
+        close(sockfd);
+        return -1;
+    }
+    if (ioctl(sockfd, SIOCSIFADDR, &ifr) < 0) {
+        perror("dummy interface address");
+        close(sockfd);
+        return -1;
+    }
+
+    netmask->sin_family = AF_INET;
+    if (inet_pton(AF_INET, "0.0.0.0", &netmask->sin_addr) <= 0) {
+        perror("inet_pton mask");
+        close(sockfd);
+        return -1;
+    }
+    if (ioctl(sockfd, SIOCSIFNETMASK, &ifr) < 0) {
+        perror("dummy interface mask");
+        close(sockfd);
+        return -1;
+    }
+
+    close(sockfd);
+    return 0;
+}
+
 int main(int argc, char **argv)
 {
     struct ifreq ifr;
@@ -1171,6 +1273,12 @@ int main(int argc, char **argv)
         close(sockfd);
     }
 
+    if (tsi_enabled()) {
+        if (enable_dummy_interface() < 0) {
+            printf("Warning: Couldn't enable dummy interface\n");
+        }
+    }
+
     config_argv = NULL;
     config_workdir = NULL;