#!/bin/sh # Copyright (c) 2012 Igor Bogomazov # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal # in the Software without restriction, including without limitation the rights # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell # copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # The above copyright notice and this permission notice shall be included in # all copies or substantial portions of the Software. # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # SOFTWARE. # revision 2012101100 set -e # remove DIR_ROOT and build from scratch DIR_REFRESH="${DIR_REFRESH:-}" # network end-point in main netspace IF_SKYPE_M="${IF_SKYPE_M:-skype-m}" # IP-address in main netspace IP_M="${IP_M:-172.31.255.254}" # network end-point in jailed netspace IF_SKYPE_S="${IF_SKYPE_S:-skype-s}" # IP-address in jail IP_S="${IP_S:-172.31.255.255}" # network namespace NS_SKYPE="${NS_SKYPE:-skype-ns}" # routing network interface IF="${IF:-eth0}" # always pingable IP-address to test network IP_AVAIL="${IP_AVAIL:-8.8.8.8}" # chroot location DIR_ROOT="${DIR_ROOT:-/opt/skype-root}" # bind directories from main filesystem DIR_MOUNT="${DIR_MOUNT:-/dev /sys /proc /tmp/.X11-unix}" # address length test -n "$MACH" || { uname -m | grep -q '[^0-9]64' && MACH=64 || MACH=32 } # skype URL URL_SKYPE="${URL_SKYPE:-http://www.skype.com/go/getskype-linux-deb-$MACH}" # skype user UID UID_SKYPE="${UID_SKYPE:-43981}" # skype username USER_SKYPE="${USER_SKYPE:-skype}" # protect PID-space mount_opts="$( cat /proc/self/mounts | \ awk '($2 ~ "^/proc/*$") {print $1 " " $2 " -o " $4}' )" mount -t proc $mount_opts,remount,hidepid=2 # isolating network space ip netns list | grep -q -x "$NS_SKYPE" || \ ip netns add "$NS_SKYPE" ip link show "$IF_SKYPE_M" >/dev/null 2>&1 || { ip link show "$IF_SKYPE_S" >/dev/null 2>&1 \ && ip link del "$IF_SKYPE_S" \ || true ip netns exec "$NS_SKYPE" ip link show "$IF_SKYPE_S" >/dev/null 2>&2 \ && ip netns exec "$NS_SKYPE" ip link del "$IF_SKYPE_S" \ || true ip link add name "$IF_SKYPE_M" type veth peer name "$IF_SKYPE_S" \ && ip link set "$IF_SKYPE_S" netns "$NS_SKYPE" } # private network configuration ip link set "$IF_SKYPE_M" up ip route get to "$IP_S" | grep -q '^'"$IP_S"' dev '"$IF_SKYPE_M" || { ip addr flush dev "$IF_SKYPE_M" \ && ip addr add "$IP_M"/31 dev "$IF_SKYPE_M" } ip netns exec "$NS_SKYPE" ip link set "$IF_SKYPE_S" up ip netns exec "$NS_SKYPE" ip route get to "$IP_M" \ | grep -Eq '^'"$IP_M"' dev '"$IF_SKYPE_S"'[[:space:]]+' || { ip netns exec "$NS_SKYPE" ip addr flush dev "$IF_SKYPE_S" \ && ip netns exec "$NS_SKYPE" ip addr add "$IP_S"/31 dev "$IF_SKYPE_S" \ && ip netns exec "$NS_SKYPE" ip route add default via "$IP_M" } # enabling forwarding iptables -t filter -S FORWARD | \ grep -q -E -- '-i[[:space:]]+'"$IF_SKYPE_M"'[[:space:]]+' || \ iptables -A FORWARD -i "$IF_SKYPE_M" -o "$IF" \ -m state \! --state INVALID,UNTRACKED \ -j ACCEPT \ -m comment --comment 'fwd Skype outgoing traffic' iptables -t filter -S FORWARD | \ grep -q -E -- '-o[[:space:]]+'"$IF_SKYPE_M"'[[:space:]]+' || \ iptables -A FORWARD -o "$IF_SKYPE_M" -i "$IF" \ -m state --state RELATED,ESTABLISHED \ -j ACCEPT \ -m comment --comment 'fwd Skype incoming traffic' sysctl -w net.ipv4.conf."$IF_SKYPE_M".rp_filter=1 sysctl -w net.ipv4.conf."$IF_SKYPE_M".forwarding=1 sysctl -w net.ipv4.conf."$IF".forwarding=1 # also NAT iptables -t nat -S POSTROUTING | \ grep -q -E -- '-o[[:space:]]+'"$IF"'[[:space:]]+.*-j[[:space:]]+MASQUERADE' || \ iptables -t nat -A POSTROUTING -o "$IF" \ -j MASQUERADE \ -m comment --comment 'NAT Skype traffic' # assert internet availability at this step test -z "$IP_AVAIL" || \ ip netns exec "$NS_SKYPE" ping -c1 "$IP_AVAIL" >/dev/null 2>/dev/null # if the given directory is a mountpoint? mounted() { cat /proc/self/mounts | \ cut -f2 -d' ' | \ grep -q -x "$1"'/*' && return 0 return 1 } # remove target directory if requested test -z "$DIR_REFRESH" || { for dir in $DIR_MOUNT ; do mounted "$DIR_ROOT""$dir" \ || continue \ && umount "$DIR_ROOT""$dir" || exit $? done rm --one-file-system -rf "$DIR_ROOT" } # filesystem isolating chroot= if test -z "$chroot" ; then mkdir "$DIR_ROOT" && chroot=1 || true ; fi if test -z "$chroot" ; then cat "$DIR_ROOT""/etc/debian_version" || chroot=1 ; fi test -z "$chroot" || { # FIXME W: Cannot check Release signature; keyring file not available /usr/share/keyrings/debian-archive-keyring.gpg debootstrap --variant=minbase --include=aptitude testing "$DIR_ROOT" || exit $? chroot "$DIR_ROOT" aptitude --without-recommends --assume-yes --allow-untrusted install xauth fontconfig alsa-base || exit $? chroot "$DIR_ROOT" aptitude clean cat /etc/localtime >"$DIR_ROOT"'/etc/localtime' test -f /etc/asound.conf \ && cat /etc/asound.conf >"$DIR_ROOT"'/etc/asound.conf' } # create skype user in the chroot chroot "$DIR_ROOT" getent passwd "$USER_SKYPE" || { chroot "$DIR_ROOT" useradd "$USER_SKYPE" --uid "$UID_SKYPE" --comment 'skype user' --no-user-group --gid nogroup --groups audio,video --home '/home/'"$USER_SKYPE" --create-home || exit $? chroot "$DIR_ROOT" sh -c "echo 'XAUTHORITY=\"\${HOME}\"/.Xauthority' >> '/home/$USER_SKYPE/.profile'" || exit $? } chroot "$DIR_ROOT" su -l "$USER_SKYPE" -c "rm -f \"\$XAUTHORITY\" ; xauth add $(xauth list "$(hostname)"/unix:0)" # add necessary mountpoints # /dev may be more restricted for dir in $DIR_MOUNT ; do mkdir -p "$DIR_ROOT""$dir" mounted "$DIR_ROOT""$dir" \ && continue \ || mount --bind "$dir" "$DIR_ROOT""$dir" done # install skype in chrooted env test -f "$DIR_ROOT"/tmp/skype-install.deb || { wget -O "$DIR_ROOT"/tmp/skype-install.deb "$URL_SKYPE" || exit $? chroot "$DIR_ROOT" dpkg -i --force-depends /tmp/skype-install.deb || exit $? chroot "$DIR_ROOT" aptitude --safe-resolver --without-recommends --assume-yes --allow-untrusted install || exit $? chroot "$DIR_ROOT" aptitude clean } # run skype # FIXME process 6425: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/var/lib/dbus/machine-id": No such file or directory exec ip netns exec "$NS_SKYPE" chroot "$DIR_ROOT" su -l "$USER_SKYPE" -c "exec skype"