author | netblue30 <netblue30@yahoo.com> | 2016-02-24 11:08:08 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-02-24 11:08:08 -0500 |
commit | 56481386538977f006fd0579bb0acef9347a53cd (patch) | |
tree | b826823ed61d2ee2d4b48f816f3d214a32fb18d9 | |
parent | ./configure --enable-network=restricted (diff) | |
allow --interface only to root user for --enable-network=restricted
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | todo | 1 |
2 files changed, 10 insertions, 0 deletions
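--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -249,6 +249,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifndef HAVE_NETWORK
 printf("Networking support is disabled.\n");
 #endif
+#ifdef HAVE_NETWORK_RESTRICTED
+printf("Networking support is allowed only to root user.\n");
+#endif
 #ifndef HAVE_USERNS
 printf("User namespace support is disabled.\n");
 #endif
@@ -1044,6 +1047,12 @@ int main(int argc, char **argv) {
 //*************************************
 #ifdef HAVE_NETWORK
 else if (strncmp(argv[i], "--interface=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+if (getuid() != 0) {
+fprintf(stderr, "Error: --interface is allowed only to root user\n");
+exit(1);
+}
+#endif
 // checks
 if (arg_nonetwork) {
 fprintf(stderr, "Error: --network=none and --interface are incompatible\n");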
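Review bot: The new root gate at new lines 1050–1055 is enforced inside the `--interface=` command-line parser, so it only covers that spelling of the option; if the same setting can also be reached through a profile file or another code path that selects the interface (not visible in this hunk), that path would bypass the check, and placing the `getuid() != 0` test next to the code that actually configures the interface would close it regardless of how the option arrived. Checking `getuid()` (the real uid) is the right identity test for a setuid-root binary because it names the invoking user, but that is non-obvious enough to deserve a comment, e.g. `// real uid, not the setuid-root effective uid: who invoked firejail`. The `#ifdef HAVE_NETWORK_RESTRICTED` nested inside `#ifdef HAVE_NETWORK` also silently requires the restricted flag to be defined only together with HAVE_NETWORK; a `#if defined(HAVE_NETWORK_RESTRICTED) && !defined(HAVE_NETWORK)` / `#error` guard near the top of the file would make that build invariant explicit instead of letting a misconfigured build compile the gate away. main() continues outside the hunk.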
@@ -30,4 +30,5 @@ socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock | |||
30 | 30 | ||
31 | 6. --shutdown does not clear sandboxes started with --join | 31 | 6. --shutdown does not clear sandboxes started with --join |
32 | 32 | ||
33 | 7. profile for okular | ||
33 | 34 | ||