#!/bin/sh

# Copyright (c) 2012 Igor Bogomazov <[email protected]>

# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:

# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

# revision 2012101100

set -e

# remove DIR_ROOT and build from scratch
DIR_REFRESH="${DIR_REFRESH:-}"

# network end-point in main netspace
IF_SKYPE_M="${IF_SKYPE_M:-skype-m}"
# IP-address in main netspace
IP_M="${IP_M:-172.31.255.254}"
# network end-point in jailed netspace
IF_SKYPE_S="${IF_SKYPE_S:-skype-s}"
# IP-address in jail
IP_S="${IP_S:-172.31.255.255}"
# network namespace
NS_SKYPE="${NS_SKYPE:-skype-ns}"
# routing network interface
IF="${IF:-eth0}"
# always pingable IP-address to test network
IP_AVAIL="${IP_AVAIL:-8.8.8.8}"
# chroot location
DIR_ROOT="${DIR_ROOT:-/opt/skype-root}"
# bind directories from main filesystem
DIR_MOUNT="${DIR_MOUNT:-/dev /sys /proc /tmp/.X11-unix}"
# address length
test -n "$MACH" || {
       uname -m | grep -q '[^0-9]64' && MACH=64 || MACH=32
}
# skype URL
URL_SKYPE="${URL_SKYPE:-http://www.skype.com/go/getskype-linux-deb-$MACH}"
# skype user UID
UID_SKYPE="${UID_SKYPE:-43981}"
# skype username
USER_SKYPE="${USER_SKYPE:-skype}"

# protect PID-space
mount_opts="$(
       cat /proc/self/mounts | \
       awk '($2 ~ "^/proc/*$") {print $1 " " $2 " -o " $4}'
)"
mount -t proc $mount_opts,remount,hidepid=2

# isolating network space
ip netns list | grep -q -x "$NS_SKYPE" || \
       ip netns add "$NS_SKYPE"
ip link show "$IF_SKYPE_M" >/dev/null 2>&1 || {
       ip link show "$IF_SKYPE_S" >/dev/null 2>&1 \
               && ip link del "$IF_SKYPE_S" \
               || true
       ip netns exec "$NS_SKYPE" ip link show "$IF_SKYPE_S" >/dev/null 2>&2 \
               && ip netns exec "$NS_SKYPE" ip link del "$IF_SKYPE_S" \
               || true
       ip link add name "$IF_SKYPE_M" type veth peer name "$IF_SKYPE_S" \
               && ip link set "$IF_SKYPE_S" netns "$NS_SKYPE"
}
# private network configuration
ip link set "$IF_SKYPE_M" up
ip route get to "$IP_S" | grep -q '^'"$IP_S"' dev '"$IF_SKYPE_M" || {
       ip addr flush dev "$IF_SKYPE_M" \
               && ip addr add "$IP_M"/31 dev "$IF_SKYPE_M"
}
ip netns exec "$NS_SKYPE" ip link set "$IF_SKYPE_S" up
ip netns exec "$NS_SKYPE" ip route get to "$IP_M" \
       | grep -Eq '^'"$IP_M"' dev '"$IF_SKYPE_S"'[[:space:]]+' || {
       ip netns exec "$NS_SKYPE" ip addr flush dev "$IF_SKYPE_S" \
               && ip netns exec "$NS_SKYPE" ip addr add "$IP_S"/31 dev "$IF_SKYPE_S" \
               && ip netns exec "$NS_SKYPE" ip route add default via "$IP_M"
}
# enabling forwarding
iptables -t filter -S FORWARD | \
       grep -q -E -- '-i[[:space:]]+'"$IF_SKYPE_M"'[[:space:]]+' || \
       iptables -A FORWARD -i "$IF_SKYPE_M" -o "$IF" \
               -m state \! --state INVALID,UNTRACKED \
               -j ACCEPT \
               -m comment --comment 'fwd Skype outgoing traffic'
iptables -t filter -S FORWARD | \
       grep -q -E -- '-o[[:space:]]+'"$IF_SKYPE_M"'[[:space:]]+' || \
       iptables -A FORWARD -o "$IF_SKYPE_M" -i "$IF" \
               -m state --state RELATED,ESTABLISHED \
               -j ACCEPT \
               -m comment --comment 'fwd Skype incoming traffic'
sysctl -w net.ipv4.conf."$IF_SKYPE_M".rp_filter=1
sysctl -w net.ipv4.conf."$IF_SKYPE_M".forwarding=1
sysctl -w net.ipv4.conf."$IF".forwarding=1
# also NAT
iptables -t nat -S POSTROUTING | \
       grep -q -E -- '-o[[:space:]]+'"$IF"'[[:space:]]+.*-j[[:space:]]+MASQUERADE' || \
       iptables -t nat -A POSTROUTING -o "$IF" \
               -j MASQUERADE \
               -m comment --comment 'NAT Skype traffic'

# assert internet availability at this step
test -z "$IP_AVAIL" || \
       ip netns exec "$NS_SKYPE" ping -c1 "$IP_AVAIL" >/dev/null 2>/dev/null

# if the given directory is a mountpoint?
mounted() {
       cat /proc/self/mounts | \
               cut -f2 -d' ' | \
               grep -q -x "$1"'/*' && return 0
       return 1
}

# remove target directory if requested
test -z "$DIR_REFRESH" || {
       for dir in $DIR_MOUNT ; do
               mounted "$DIR_ROOT""$dir" \
                       || continue \
                       && umount "$DIR_ROOT""$dir" || exit $?
       done
       rm --one-file-system -rf "$DIR_ROOT"
}

# filesystem isolating
chroot=
if test -z "$chroot" ; then mkdir "$DIR_ROOT" && chroot=1 || true ; fi
if test -z "$chroot" ; then
   cat "$DIR_ROOT""/etc/debian_version" || chroot=1 ;
fi
test -z "$chroot" || {
       # FIXME W: Cannot check Release signature; keyring file not available /usr/share/keyrings/debian-archive-keyring.gpg
       debootstrap --variant=minbase --include=aptitude testing "$DIR_ROOT" || exit $?
       chroot "$DIR_ROOT" aptitude --without-recommends --assume-yes --allow-untrusted install xauth fontconfig alsa-base || exit $?
       chroot "$DIR_ROOT" aptitude clean
       cat /etc/localtime >"$DIR_ROOT"'/etc/localtime'
       test -f /etc/asound.conf \
               && cat /etc/asound.conf >"$DIR_ROOT"'/etc/asound.conf'
}

# create skype user in the chroot
chroot "$DIR_ROOT" getent passwd "$USER_SKYPE" || {
       chroot "$DIR_ROOT" useradd "$USER_SKYPE" --uid "$UID_SKYPE" --comment 'skype user' --no-user-group --gid nogroup --groups audio,video --home '/home/'"$USER_SKYPE" --create-home || exit $?
       chroot "$DIR_ROOT" sh -c "echo 'XAUTHORITY=\"\${HOME}\"/.Xauthority' >> '/home/$USER_SKYPE/.profile'" || exit $?
}

chroot "$DIR_ROOT" su -l "$USER_SKYPE" -c "rm -f \"\$XAUTHORITY\" ; xauth add $(xauth list "$(hostname)"/unix:0)"

# add necessary mountpoints
# /dev may be more restricted
for dir in $DIR_MOUNT ; do
       mkdir -p "$DIR_ROOT""$dir"
       mounted "$DIR_ROOT""$dir" \
               && continue \
               || mount --bind "$dir" "$DIR_ROOT""$dir"
done

# install skype in chrooted env
test -f "$DIR_ROOT"/tmp/skype-install.deb || {
       wget -O "$DIR_ROOT"/tmp/skype-install.deb "$URL_SKYPE" || exit $?
       chroot "$DIR_ROOT" dpkg -i --force-depends /tmp/skype-install.deb || exit $?
       chroot "$DIR_ROOT" aptitude --safe-resolver --without-recommends --assume-yes --allow-untrusted install || exit $?
       chroot "$DIR_ROOT" aptitude clean
}

# run skype
# FIXME process 6425: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/var/lib/dbus/machine-id": No such file or directory
exec ip netns exec "$NS_SKYPE" chroot "$DIR_ROOT" su -l "$USER_SKYPE" -c "exec skype"

You are viewing proxied material from ygrex.ru. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.