author | netblue30 <netblue30@yahoo.com> | 2018-07-11 06:42:59 -0400 |
committer | netblue30 <netblue30@yahoo.com> | 2018-07-11 06:42:59 -0400 |
commit | 261d08d394559a05d804a76e52183f6e26d871f5 (patch) | |
tree | 0f17c4d61ad92290863590ed4347c5e14729eb20 | |
parent | Add documentation for keep-dev-shm option (diff) | |
tunneling support - tap interface in --net option
-rw-r--r-- | README.md | 19 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 13 | ||||
-rw-r--r-- | src/man/firejail.txt | 14 |
5 files changed, 44 insertions, 5 deletions
@@ -118,6 +118,17 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
118 | $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox | 118 | $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox |
119 | $ firejail --net=wlan0 firefox | 119 | $ firejail --net=wlan0 firefox |
120 | 120 | ||
121 | --net=tap_interface | ||
122 | Enable a new network namespace and connect it to this ethernet | ||
123 | tap interface using the standard Linux macvlan driver. If the | ||
124 | tap interface is not configured, the sandbox will not try to | ||
125 | configure the interface inside the sandbox. Please use --ip, | ||
126 | --netmask and --defaultgw to specify the configuration. | ||
127 | |||
128 | Example: | ||
129 | $ firejail --net=tap0 --ip=10.10.20.80 --netmask=255.255.255.0 | ||
130 | --defaultgw=10.10.20.1 firefox | ||
131 | |||
121 | --netmask=address | 132 | --netmask=address |
122 | Use this option when you want to assign an IP address in a new | 133 | Use this option when you want to assign an IP address in a new |
123 | namespace and the parent interface specified by --net is not | 134 | namespace and the parent interface specified by --net is not |
@@ -131,7 +142,13 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
131 | $ firejail --ip=10.10.20.67 --netmask=255.255.255.0 | 142 | $ firejail --ip=10.10.20.67 --netmask=255.255.255.0 |
132 | --defaultgw=10.10.20.1 | 143 | --defaultgw=10.10.20.1 |
133 | 144 | ||
134 | --nou2f | 145 | --keep-dev-shm |
146 | /dev/shm directory is untouched (even with --private-dev) | ||
147 | |||
148 | Example: | ||
149 | $ firejail --keep-dev-shm --private-dev | ||
150 | |||
151 | --nou2f | ||
135 | Disable U2F devices. | 152 | Disable U2F devices. |
136 | 153 | ||
137 | Example: | 154 | Example: |
@@ -2,6 +2,7 @@ firejail (0.9.55) baseline; urgency=low | |||
2 | * work in progress | 2 | * work in progress |
3 | * modif: removed CFG_CHROOT_DESKTOP configuration option | 3 | * modif: removed CFG_CHROOT_DESKTOP configuration option |
4 | * support wireless devices in --net option | 4 | * support wireless devices in --net option |
5 | * support tap devices in --net option (tunneling support) | ||
5 | * allow IP address configuration if the parent interface specified | 6 | * allow IP address configuration if the parent interface specified |
6 | by --net is not configured (--netmask) | 7 | by --net is not configured (--netmask) |
7 | * disable U2F devices (--nou2f) | 8 | * disable U2F devices (--nou2f) |
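--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -264,7 +264,7 @@ static void check_network(Bridge *br) {
 	assert(br);
 	if (br->macvlan == 0) // for bridge devices check network range or arp-scan and assign address
 		net_configure_sandbox_ip(br);
-	else if (br->ipsandbox) { // for macvlan check network range
+	else if (br->ipsandbox && br->ip && br->mask) { // for macvlan check network range
 		char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
 		if (rv) {
 			fprintf(stderr, "%s", rv);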
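Review bot: The widened condition on line 267 silently skips the in_netrange() check whenever the parent interface has no address or mask, so a user-supplied --ip is now accepted without any range validation on that path, and the trailing comment no longer explains the exception. Extend it to state the intent, e.g. `// for macvlan check network range; an unconfigured parent (tap) gives nothing to check against, --ip/--netmask/--defaultgw are taken as given`. If the parent is unconfigured and --ip was passed without --netmask, this branch is also skipped, which presumably leaves the sandbox address without a mask unless that combination is rejected elsewhere (not visible in this hunk); an explicit guard such as `else if (br->ipsandbox && !br->mask) { fprintf(stderr, "Error: --netmask is required when the parent interface is not configured\n"); exit(1); }` would make the failure visible instead of silent. check_network() starts before and continues past this hunk.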
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 767cf89f4..e29cf4f4b 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -589,16 +589,23 @@ configured as default gateway is the bridge device IP address. Up to four \-\-ne | |||
589 | bridge devices can be defined. Mixing bridge and macvlan devices is allowed. | 589 | bridge devices can be defined. Mixing bridge and macvlan devices is allowed. |
590 | 590 | ||
591 | .TP | 591 | .TP |
592 | \fBnet ethernet_interface | 592 | \fBnet ethernet_interface|wireless_interface |
593 | Enable a new network namespace and connect it | 593 | Enable a new network namespace and connect it |
594 | to this ethernet interface using the standard Linux macvlan | 594 | to this ethernet interface using the standard Linux macvlan or ipvlan |
595 | driver. Unless specified with option \-\-ip and \-\-defaultgw, an | 595 | driver. Unless specified with option \-\-ip and \-\-defaultgw, an |
596 | IP address and a default gateway will be assigned automatically | 596 | IP address and a default gateway will be assigned automatically |
597 | to the sandbox. The IP address is verified using ARP before | 597 | to the sandbox. The IP address is verified using ARP before |
598 | assignment. The address configured as default gateway is the | 598 | assignment. The address configured as default gateway is the |
599 | default gateway of the host. Up to four \-\-net devices can | 599 | default gateway of the host. Up to four \-\-net devices can |
600 | be defined. Mixing bridge and macvlan devices is allowed. | 600 | be defined. Mixing bridge and macvlan devices is allowed. |
601 | Note: wlan devices are not supported for this option. | 601 | |
602 | .TP | ||
603 | \fBnet tap_interface | ||
604 | Enable a new network namespace and connect it | ||
605 | to this ethernet tap interface using the standard Linux macvlan | ||
606 | driver. If the tap interface is not configured, the sandbox | ||
607 | will not try to configure the interface inside the sandbox. | ||
608 | Please use ip, netmask and defaultgw to specify the configuration. | ||
602 | 609 | ||
603 | .TP | 610 | .TP |
604 | \fBnet none | 611 | \fBnet none |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 74a9a9da9..f29d9cddf 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -816,6 +816,20 @@ $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox | |||
816 | $ firejail \-\-net=wlan0 firefox | 816 | $ firejail \-\-net=wlan0 firefox |
817 | 817 | ||
818 | .TP | 818 | .TP |
819 | \fB\-\-net=tap_interface | ||
820 | Enable a new network namespace and connect it | ||
821 | to this ethernet tap interface using the standard Linux macvlan | ||
822 | driver. If the tap interface is not configured, the sandbox | ||
823 | will not try to configure the interface inside the sandbox. | ||
824 | Please use \-\-ip, \-\-netmask and \-\-defaultgw to specify the configuration. | ||
825 | .br | ||
826 | |||
827 | .br | ||
828 | Example: | ||
829 | .br | ||
830 | $ firejail \-\-net=tap0 \-\-ip=10.10.20.80 \-\-netmask=255.255.255.0 \-\-defaultgw=10.10.20.1 firefox | ||
831 | |||
832 | .TP | ||
819 | \fB\-\-net=none | 833 | \fB\-\-net=none |
820 | Enable a new, unconnected network namespace. The only interface | 834 | Enable a new, unconnected network namespace. The only interface |
821 | available in the new namespace is a new loopback interface (lo). | 835 | available in the new namespace is a new loopback interface (lo). |