author | Yuriy M. Kaminskiy <yumkam@gmail.com> | 2016-02-22 02:15:45 +0300 |
---|---|---|
committer | Yuriy M. Kaminskiy <yumkam@gmail.com> | 2016-02-23 18:13:23 +0300 |
commit | 4db1a65a0775ce3cc65febc41ac84f5cfc81a51c (patch) | |
tree | 5083d243e9f6959e64ea4c0a377ceb6bf385ae70 | |
parent | x11 work (diff) | |
Add compile-time option to restrict --net= to root only
./configure --enable-network=restricted allows only --net=none to
non-root users.
Other variants delegate too much power to non-root users and are dangerous
(they completely bypass the system-wide firewall and routing, they allow
introducing interfaces with arbitrarily chosen MAC and IP addresses on the LAN
[disregarding DHCP policy], etc).
Root already had power to twiddle with anything, so no sense to restrain
her, and --net=none looks safe enough (and still useful) for ordinary
users.
-rw-r--r-- | configure.ac | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 6 |
2 files changed, 9 insertions, 0 deletions
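--- a/configure.ac
+++ b/configure.ac
@@ -38,6 +38,9 @@ AC_ARG_ENABLE([network],
 AS_HELP_STRING([--disable-network], [disable network]))
 AS_IF([test "x$enable_network" != "xno"], [
 HAVE_NETWORK="-DHAVE_NETWORK"
+AS_IF([test "x$enable_network" = "xrestricted"], [
+HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
+])
 AC_SUBST(HAVE_NETWORK)
 ])
 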
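Review bot: The new `restricted` test sits inside the `!= "xno"` branch, so any misspelled value (for instance `--enable-network=restrictd`) silently produces a fully unrestricted build. For a hardening switch that is a fail-open default; consider rejecting unknown values, e.g. an `AS_CASE` on `$enable_network` whose default arm calls `AC_MSG_ERROR([unknown --enable-network value])`. The help text in the visible context still advertises only `--disable-network`, so the option should also be documented there, e.g. `AS_HELP_STRING([--enable-network=restricted], [allow only --net=none for non-root users])`. The `AC_ARG_ENABLE([network], …)` call begins above the hunk.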
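--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1090,6 +1090,12 @@ int main(int argc, char **argv) {
 cfg.interface3.configured = 0;
 continue;
 }
+#ifdef HAVE_NETWORK_RESTRICTED
+if (getuid() != 0) {
+fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
+exit(1);
+}
+#endif
 if (strcmp(argv[i] + 6, "lo") == 0) {
 fprintf(stderr, "Error: cannot attach to lo device\n");
 exit(1);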
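Review bot: The `HAVE_NETWORK_RESTRICTED` guard added after the `--net=none` branch protects only this one command-line path. Whether interfaces can be configured elsewhere is not visible in this hunk; if they can (for example through a profile-file directive or another option handled separately), that path needs the same `getuid() != 0` check, or the restricted build does not enforce what the commit message promises. The check would also benefit from a comment such as `/* real uid on purpose: under a setuid-root install geteuid() is 0 for every caller */`, so that nobody later "simplifies" it to `geteuid()`. `main()` starts above and continues below the hunk.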