diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-07-28 10:54:05 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-07-28 10:54:05 -0400 |
| commit | 340a6b2eeb010367180e530af976810c9d762580 (patch) | |
| tree | 7c264554e4ef98d7c7fdcc876f253e0af7eac392 | |
| parent | whitelist fix (diff) | |
| download | firejail-340a6b2eeb010367180e530af976810c9d762580.tar.gz firejail-340a6b2eeb010367180e530af976810c9d762580.tar.zst firejail-340a6b2eeb010367180e530af976810c9d762580.zip | |
added netfilter-default config option in /etc/firejail/firejail.config
| -rw-r--r-- | RELNOTES | 3 | ||||
| -rw-r--r-- | etc/firejail.config | 7 | ||||
| -rw-r--r-- | etc/nolocal.net | 3 | ||||
| -rw-r--r-- | src/firejail/checkcfg.c | 23 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/netfilter.c | 2 |
6 files changed, 37 insertions, 2 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | firejail (0.9.42~rc1) baseline; urgency=low | 1 | firejail (0.9.42~rc2) baseline; urgency=low |
| 2 | * deprecated --user option, please use "sudo -u username firejail" instead | 2 | * deprecated --user option, please use "sudo -u username firejail" instead |
| 3 | * --read-write option rework | 3 | * --read-write option rework |
| 4 | * allow symlinks in home directory for --whitelist option | 4 | * allow symlinks in home directory for --whitelist option |
| @@ -12,6 +12,7 @@ firejail (0.9.42~rc1) baseline; urgency=low | |||
| 12 | * seccomp filter updated | 12 | * seccomp filter updated |
| 13 | * compile time and run time support to disable whitelists | 13 | * compile time and run time support to disable whitelists |
| 14 | * compile time support to disable global configuration file | 14 | * compile time support to disable global configuration file |
| 15 | * added netfilter-default config option in /etc/firejail/firejail.config | ||
| 15 | * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice | 16 | * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice |
| 16 | * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less | 17 | * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less |
| 17 | * new profiles: Atom Beta, Atom, jitsi, eom | 18 | * new profiles: Atom Beta, Atom, jitsi, eom |
diff --git a/etc/firejail.config b/etc/firejail.config index 59bbd77a5..20c4d7a5f 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
| @@ -27,6 +27,13 @@ | |||
| 27 | # --netfilter only to root user. Regular users are only allowed --net=none. | 27 | # --netfilter only to root user. Regular users are only allowed --net=none. |
| 28 | # restricted-network no | 28 | # restricted-network no |
| 29 | 29 | ||
| 30 | # Change default netfilter configuration. When using --netfilter option without | ||
| 31 | # a file argument, the default filter is hardcoded (see man 1 firejail). This | ||
| 32 | # configuration entry allows the user to change the default by specifying | ||
| 33 | # a file containing the filter configuration. The filter file format is the | ||
| 34 | # format of iptables-save and iptable-restore commands. Example: | ||
| 35 | # netfilter-default /etc/iptables.iptables.rules | ||
| 36 | |||
| 30 | # Enable or disable seccomp support, default enabled. | 37 | # Enable or disable seccomp support, default enabled. |
| 31 | # seccomp yes | 38 | # seccomp yes |
| 32 | 39 | ||
diff --git a/etc/nolocal.net b/etc/nolocal.net index 9c0c6e125..9fa785450 100644 --- a/etc/nolocal.net +++ b/etc/nolocal.net | |||
| @@ -4,7 +4,8 @@ | |||
| 4 | :OUTPUT ACCEPT [0:0] | 4 | :OUTPUT ACCEPT [0:0] |
| 5 | 5 | ||
| 6 | ################################################################### | 6 | ################################################################### |
| 7 | # Client filter rejecting local network traffic, with the exception of DNS traffic | 7 | # Client filter rejecting local network traffic, with the exception of |
| 8 | # DNS traffic | ||
| 8 | # | 9 | # |
| 9 | # Usage: | 10 | # Usage: |
| 10 | # firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox | 11 | # firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 6636e7efe..6929988ae 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -26,6 +26,7 @@ static int initialized = 0; | |||
| 26 | static int cfg_val[CFG_MAX]; | 26 | static int cfg_val[CFG_MAX]; |
| 27 | char *xephyr_screen = "800x600"; | 27 | char *xephyr_screen = "800x600"; |
| 28 | char *xephyr_extra_params = ""; | 28 | char *xephyr_extra_params = ""; |
| 29 | char *netfilter_default = NULL; | ||
| 29 | 30 | ||
| 30 | int checkcfg(int val) { | 31 | int checkcfg(int val) { |
| 31 | EUID_ASSERT(); | 32 | EUID_ASSERT(); |
| @@ -159,6 +160,28 @@ int checkcfg(int val) { | |||
| 159 | else | 160 | else |
| 160 | goto errout; | 161 | goto errout; |
| 161 | } | 162 | } |
| 163 | // netfilter | ||
| 164 | else if (strncmp(ptr, "netfilter-default ", 18) == 0) { | ||
| 165 | char *fname = ptr + 18; | ||
| 166 | while (*fname == ' ' || *fname == '\t') | ||
| 167 | ptr++; | ||
| 168 | char *end = strchr(fname, ' '); | ||
| 169 | if (end) | ||
| 170 | *end = '\0'; | ||
| 171 | |||
| 172 | // is the file present? | ||
| 173 | struct stat s; | ||
| 174 | if (stat(fname, &s) == -1) { | ||
| 175 | fprintf(stderr, "Error: netfilter-default file %s not available\n", fname); | ||
| 176 | exit(1); | ||
| 177 | } | ||
| 178 | |||
| 179 | netfilter_default = strdup(fname); | ||
| 180 | if (!netfilter_default) | ||
| 181 | errExit("strdup"); | ||
| 182 | if (arg_debug) | ||
| 183 | printf("netfilter default file %s\n", fname); | ||
| 184 | } | ||
| 162 | 185 | ||
| 163 | // Xephyr screen size | 186 | // Xephyr screen size |
| 164 | else if (strncmp(ptr, "xephyr-screen ", 14) == 0) { | 187 | else if (strncmp(ptr, "xephyr-screen ", 14) == 0) { |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 29bb6c494..7a538327d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -582,6 +582,7 @@ void sandboxfs(int op, pid_t pid, const char *patqh); | |||
| 582 | #define CFG_MAX 11 // this should always be the last entry | 582 | #define CFG_MAX 11 // this should always be the last entry |
| 583 | extern char *xephyr_screen; | 583 | extern char *xephyr_screen; |
| 584 | extern char *xephyr_extra_params; | 584 | extern char *xephyr_extra_params; |
| 585 | extern char *netfilter_default; | ||
| 585 | int checkcfg(int val); | 586 | int checkcfg(int val); |
| 586 | 587 | ||
| 587 | // appimage.c | 588 | // appimage.c |
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 71abfb53d..b50d61039 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
| @@ -66,6 +66,8 @@ void netfilter(const char *fname) { | |||
| 66 | 66 | ||
| 67 | // custom filter | 67 | // custom filter |
| 68 | int allocated = 0; | 68 | int allocated = 0; |
| 69 | if (netfilter_default) | ||
| 70 | fname = netfilter_default; | ||
| 69 | if (fname) { | 71 | if (fname) { |
| 70 | // buffer the filter | 72 | // buffer the filter |
| 71 | struct stat s; | 73 | struct stat s; |