authorLibravatar netblue30 <netblue30@yahoo.com>2018-09-09 13:04:32 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2018-09-09 13:04:32 -0400
commit419d876d9fef926e183c0b3bc0961a9abe9e7ba5 (patch)
tree6efbebbfc552bb8651c98923c42ad00493544066
parentremove blacklist /usr/lib/llvm* in dusable-devel.inc - problems with hardware... (diff)
support for firetunnel utility
-rw-r--r--README.md18
-rw-r--r--RELNOTES1
-rw-r--r--src/firejail/main.c26
-rw-r--r--src/firejail/usage.c2
-rw-r--r--src/man/firejail.txt20
5 files changed, 67 insertions, 0 deletions
diff --git a/README.md b/README.md
index 78764eb9c..0c145079b 100644
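--- a/README.md
+++ b/README.md
@@ -162,6 +162,24 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
  Example:
  $ firejail --private-cache
+
+ --tunnel[=devname]
+ Connect the sandbox to a network overlay/VPN tunnel created by
+ firetunnel utility. This options tries first the client side of
+ the tunnel. If this fails, it tries the server side. If multiā€
+ ple tunnels are active, please specify the tunnel device using
+ --tunnel=devname.
+
+ The available tunnel devices are listed in /etc/firetunnel
+ directory, one file for each device. The files are regular
+ firejail profile files containing the network configuration,
+ and are created and managed by firetunnel utility. By default
+ ftc is the client-side device and fts is the server-side
+ device. For more information please see man 1 firetunnel.
+
+ Example:
+ $ firejail --tunnel firefox
+
 `````
 
 ## New profiles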
diff --git a/RELNOTES b/RELNOTES
index cb7fee0d4..4f7c7a0ee 100644
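--- a/RELNOTES
+++ b/RELNOTES
@@ -10,6 +10,7 @@ firejail (0.9.56~rc1) baseline; urgency=low
  * support tap devices in --net option (tunneling support)
  * allow IP address configuration if the parent interface specified
  by --net is not configured (--netmask)
+ * support for firetunnel utility
  * disable U2F devices (--nou2f)
  * add --private-cache to support private ~/.cache
  * support full paths in private-lib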
diff --git a/src/firejail/main.c b/src/firejail/main.c
index fe9118580..da052320c 100644
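--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1447,6 +1447,32 @@ int main(int argc, char **argv) {
  exit_err_feature("overlayfs");
  }
 #endif
+ else if (strcmp(argv[i], "--tunnel") == 0) {
+ // try to connect to the default client side of the tunnel
+ // if this fails, try the default server side of the tunnel
+ if (access("/run/firetunnel/ftc", R_OK) == 0)
+ profile_read("/run/firetunnel/ftc");
+ else if (access("/run/firetunnel/fts", R_OK) == 0)
+ profile_read("/run/firetunnel/fts");
+ else {
+ fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n");
+ exit(1);
+ }
+ }
+ else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
+ char *fname;
+
+ if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1)
+ errExit("asprintf");
+ invalid_filename(fname, 0); // no globbing
+ if (access(fname, R_OK) == 0)
+ profile_read(fname);
+ else {
+ fprintf(stderr, "Error: tunnel not found\n");
+ exit(1);
+ }
+ }
+
  else if (strncmp(argv[i], "--profile=", 10) == 0) {
  // multiple profile files are allowed!
 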
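Review bot: In the `--tunnel=devname` branch the text after `=` goes straight into `/run/firetunnel/%s`, so a name containing `/` or `..` resolves outside that directory unless `invalid_filename()` rejects it, and that helper's checks are not visible in this hunk. I would validate the bare name before the `asprintf`, e.g. `if (argv[i][9] == '\0' || strchr(argv[i] + 9, '/')) { fprintf(stderr, "Error: invalid tunnel name\n"); exit(1); }`. The `access()` probe followed by `profile_read()` is a check-then-use pair on the same path, so `profile_read()` needs to fail safely by itself rather than rely on the probe. The README and man page text in this commit point to `/etc/firetunnel` while this code reads `/run/firetunnel`; one of them should be corrected. The surrounding `main()` option chain starts and ends outside the hunk.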
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c8866da3a..f54e6f744 100644
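--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -214,6 +214,8 @@ static char *usage_str =
  " --tracelog - add a syslog message for every access to files or\n"
  "\tdirectories blacklisted by the security profile.\n"
  " --tree - print a tree of all sandboxed processes.\n"
+ " --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
+ "\tfiretunnel utility.\n"
  " --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
  " --veth-name=name - use this name for the interface connected to the bridge.\n"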
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c09684596..4d24bdd7e 100644
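--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2130,6 +2130,26 @@ $ firejail \-\-tree
  11970:netblue:transmission-gtk
 
 .TP
+\fB\-\-tunnel[=devname]
+Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
+tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active,
+please specify the tunnel device using \-\-tunnel=devname.
+.br
+
+.br
+The available tunnel devices are listed in /etc/firetunnel directory, one file for each device.
+The files are regular firejail profile files containing the network configuration,
+and are created and managed by firetunnel utility.
+By default ftc is the client-side device and fts is the server-side device. For more information
+please see man 1 firetunnel.
+.br
+
+.br
+Example:
+.br
+$ firejail --tunnel firefox
+.br
+.TP
 \fB\-\-version
 Print program version and exit.
 .br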