author | The Fox in the Shell <KellerFuchs@hashbang.sh> | 2016-05-25 15:51:26 +0200 |
committer | The Fox in the Shell <KellerFuchs@hashbang.sh> | 2016-05-25 15:51:26 +0200 |
commit | 99d9a32bfabe97a6eeeccb024a68feed331d8f74 (patch) | |
tree | 44e9886a02f97fe5092b63e63b835cf420440e17 | |
parent | 0.9.40 testing (diff) | |
Make `restricted-network` prevent use of netfilter
-rw-r--r-- | src/firejail/main.c | 24 |
1 files changed, 24 insertions, 0 deletions
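diff --git a/src/firejail/main.c b/src/firejail/main.c
index a540d468b..a2342843b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1675,6 +1675,18 @@ int main(int argc, char **argv) {
 
 #ifdef HAVE_NETWORK
 else if (strcmp(argv[i], "--netfilter") == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+// compile time restricted networking
+if (getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
+#endif
+// run time restricted networking
+if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 }
@@ -1685,6 +1697,18 @@ int main(int argc, char **argv) {
 }
 
 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+// compile time restricted networking
+if (getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
+#endif
+// run time restricted networking
+if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 arg_netfilter_file = argv[i] + 12;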
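Review bot: The twelve-line root/restricted-network guard added at the `--netfilter` site is pasted verbatim again at the `--netfilter=` site in the second hunk, error string included, so the two copies will drift the next time the policy or the message changes; a small static helper called from both sites keeps them in lockstep, as in the excerpt below. Within the pasted block, once HAVE_NETWORK_RESTRICTED is defined the run-time `checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0` branch can never fire for a non-root caller, because the compile-time check just above it has already exited, so the helper can fold both into a single condition. Checking getuid() (the real uid) rather than geteuid() is the right identity test if, as seems likely, the binary runs setuid root, and a one-line comment saying so would stop a future reader from "correcting" it. main() begins and ends outside both hunks.
```c
// Refuse --netfilter / --netfilter= for non-root callers when networking is
// restricted, either at compile time (HAVE_NETWORK_RESTRICTED) or at run time
// via the CFG_RESTRICTED_NETWORK setting.
static void netfilter_check_restricted(void) {
	int restricted = 0;
#ifdef HAVE_NETWORK_RESTRICTED
	restricted = 1;
#endif
	if (checkcfg(CFG_RESTRICTED_NETWORK))
		restricted = 1;
	// getuid() is the real uid; under setuid, geteuid() would be 0 for everyone
	if (restricted && getuid() != 0) {
		fprintf(stderr, "Error: --netfilter is only allowed for root\n");
		exit(1);
	}
}

	// … in main(), unchanged option dispatch above …
	else if (strcmp(argv[i], "--netfilter") == 0) {
		netfilter_check_restricted();
		// … unchanged: checkcfg(CFG_NETWORK) / arg_netfilter handling …
	// … same one-line call replaces the duplicated block at "--netfilter=" …
```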