tunneling support - tap interface in --net option

author: netblue30 <netblue30@yahoo.com> 2018-07-11 06:42:59 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-07-11 06:42:59 -0400
commit: 261d08d394559a05d804a76e52183f6e26d871f5 (patch)
tree: 0f17c4d61ad92290863590ed4347c5e14729eb20
parent: Add documentation for keep-dev-shm option (diff)
download: firejail-261d08d394559a05d804a76e52183f6e26d871f5.tar.gz
firejail-261d08d394559a05d804a76e52183f6e26d871f5.tar.zst
firejail-261d08d394559a05d804a76e52183f6e26d871f5.zip
5 files changed, 44 insertions, 5 deletions
diff --git a/README.md b/README.md
index 616930e8a..b6e6fb89e 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,17 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
              $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
              $ firejail --net=wlan0 firefox
+      --net=tap_interface
+              Enable a new network namespace and connect it to this  ethernet
+              tap  interface  using the standard Linux macvlan driver. If the
+              tap interface is not configured, the sandbox will  not  try  to
+              configure  the  interface inside the sandbox.  Please use --ip,
+              --netmask and --defaultgw to specify the configuration.
+              Example:
+              $ firejail --net=tap0 --ip=10.10.20.80  --netmask=255.255.255.0
+              --defaultgw=10.10.20.1 firefox
       --netmask=address
              Use this option when you want to assign an IP address in a  new
              namespace  and  the  parent interface specified by --net is not
@@ -131,7 +142,13 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
              $     firejail     --ip=10.10.20.67     --netmask=255.255.255.0
              --defaultgw=10.10.20.1
-      --nou2f
+       --keep-dev-shm
+              /dev/shm directory is untouched (even with --private-dev)
+              Example:
+              $ firejail --keep-dev-shm --private-dev
+     --nou2f
              Disable U2F devices.
              Example:
diff --git a/RELNOTES b/RELNOTES
index e5c9b0fc1..7eb075e4c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,7 @@ firejail (0.9.55) baseline; urgency=low
  * work in progress
  * modif: removed CFG_CHROOT_DESKTOP configuration option
  * support wireless devices in --net option
+  * support tap devices in --net option (tunneling support)
  * allow IP address configuration if the parent interface specified
     by --net is not configured (--netmask)
  * disable U2F devices (--nou2f)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c57e5910a..ef8d8172f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -264,7 +264,7 @@ static void check_network(Bridge *br) {
        assert(br);
        if (br->macvlan == 0) // for bridge devices check network range or arp-scan and assign address
                net_configure_sandbox_ip(br);
-        else if (br->ipsandbox) { // for macvlan check network range
+        else if (br->ipsandbox && br->ip && br->mask) { // for macvlan check network range
                char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
                if (rv) {
                        fprintf(stderr, "%s", rv);
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 767cf89f4..e29cf4f4b 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -589,16 +589,23 @@ configured as default gateway is the bridge device IP address. Up to four \-\-ne
 bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
 .TP
-\fBnet ethernet_interface
+\fBnet ethernet_interface|wireless_interface
 Enable a new network namespace and connect it
-to this ethernet interface using the standard Linux macvlan
+to this ethernet interface using the standard Linux macvlan or ipvlan
 driver. Unless specified with option \-\-ip and \-\-defaultgw, an
 IP address and a default gateway will be assigned automatically
 to the sandbox. The IP address is verified using ARP before
 assignment. The address configured as default gateway is the
 default gateway of the host. Up to four \-\-net devices can
 be defined. Mixing bridge and macvlan devices is allowed.
-Note: wlan devices are not supported for this option.
+.TP
+\fBnet tap_interface
+Enable a new network namespace and connect it
+to this ethernet tap interface using the standard Linux macvlan
+driver.  If the tap interface is not configured, the sandbox
+will not try to configure the interface inside the sandbox.
+Please use ip, netmask and defaultgw to specify the configuration.
 .TP
 \fBnet none
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 74a9a9da9..f29d9cddf 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -816,6 +816,20 @@ $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
 $ firejail \-\-net=wlan0 firefox
 .TP
+\fB\-\-net=tap_interface
+Enable a new network namespace and connect it
+to this ethernet tap interface using the standard Linux macvlan
+driver. If the tap interface is not configured, the sandbox
+will not try to configure the interface inside the sandbox.
+Please use \-\-ip, \-\-netmask and \-\-defaultgw to specify the configuration.
+.br
+.br
+Example:
+.br
+$ firejail \-\-net=tap0 \-\-ip=10.10.20.80 \-\-netmask=255.255.255.0 \-\-defaultgw=10.10.20.1 firefox
+.TP
 \fB\-\-net=none
 Enable a new, unconnected network namespace. The only interface
 available in the new namespace is a new loopback interface (lo).
author	netblue30 <netblue30@yahoo.com>	2018-07-11 06:42:59 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-07-11 06:42:59 -0400
commit	261d08d394559a05d804a76e52183f6e26d871f5 (patch)
tree	0f17c4d61ad92290863590ed4347c5e14729eb20
parent	Add documentation for keep-dev-shm option (diff)
download	firejail-261d08d394559a05d804a76e52183f6e26d871f5.tar.gz firejail-261d08d394559a05d804a76e52183f6e26d871f5.tar.zst firejail-261d08d394559a05d804a76e52183f6e26d871f5.zip

diff --git a/README.md b/README.md index 616930e8a..b6e6fb89e 100644 --- a/README.md +++ b/README.md
@@ -118,6 +118,17 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
118	$ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox	118	$ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
119	$ firejail --net=wlan0 firefox	119	$ firejail --net=wlan0 firefox
120		120
		121	--net=tap_interface
		122	Enable a new network namespace and connect it to this ethernet
		123	tap interface using the standard Linux macvlan driver. If the
		124	tap interface is not configured, the sandbox will not try to
		125	configure the interface inside the sandbox. Please use --ip,
		126	--netmask and --defaultgw to specify the configuration.
		127
		128	Example:
		129	$ firejail --net=tap0 --ip=10.10.20.80 --netmask=255.255.255.0
		130	--defaultgw=10.10.20.1 firefox
		131
121	--netmask=address	132	--netmask=address
122	Use this option when you want to assign an IP address in a new	133	Use this option when you want to assign an IP address in a new
123	namespace and the parent interface specified by --net is not	134	namespace and the parent interface specified by --net is not
@@ -131,7 +142,13 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
131	$ firejail --ip=10.10.20.67 --netmask=255.255.255.0	142	$ firejail --ip=10.10.20.67 --netmask=255.255.255.0
132	--defaultgw=10.10.20.1	143	--defaultgw=10.10.20.1
133		144
134	--nou2f	145	--keep-dev-shm
		146	/dev/shm directory is untouched (even with --private-dev)
		147
		148	Example:
		149	$ firejail --keep-dev-shm --private-dev
		150
		151	--nou2f
135	Disable U2F devices.	152	Disable U2F devices.
136		153
137	Example:	154	Example:


diff --git a/RELNOTES b/RELNOTES index e5c9b0fc1..7eb075e4c 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -2,6 +2,7 @@ firejail (0.9.55) baseline; urgency=low
2	* work in progress	2	* work in progress
3	* modif: removed CFG_CHROOT_DESKTOP configuration option	3	* modif: removed CFG_CHROOT_DESKTOP configuration option
4	* support wireless devices in --net option	4	* support wireless devices in --net option
		5	* support tap devices in --net option (tunneling support)
5	* allow IP address configuration if the parent interface specified	6	* allow IP address configuration if the parent interface specified
6	by --net is not configured (--netmask)	7	by --net is not configured (--netmask)
7	* disable U2F devices (--nou2f)	8	* disable U2F devices (--nou2f)


diff --git a/src/firejail/main.c b/src/firejail/main.c index c57e5910a..ef8d8172f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -264,7 +264,7 @@ static void check_network(Bridge *br) {
264	assert(br);	264	assert(br);
265	if (br->macvlan == 0) // for bridge devices check network range or arp-scan and assign address	265	if (br->macvlan == 0) // for bridge devices check network range or arp-scan and assign address
266	net_configure_sandbox_ip(br);	266	net_configure_sandbox_ip(br);
267	else if (br->ipsandbox) { // for macvlan check network range	267	else if (br->ipsandbox && br->ip && br->mask) { // for macvlan check network range
268	char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);	268	char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
269	if (rv) {	269	if (rv) {
270	fprintf(stderr, "%s", rv);	270	fprintf(stderr, "%s", rv);


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 767cf89f4..e29cf4f4b 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -589,16 +589,23 @@ configured as default gateway is the bridge device IP address. Up to four \-\-ne
589	bridge devices can be defined. Mixing bridge and macvlan devices is allowed.	589	bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
590		590
591	.TP	591	.TP
592	\fBnet ethernet_interface	592	\fBnet ethernet_interface\|wireless_interface
593	Enable a new network namespace and connect it	593	Enable a new network namespace and connect it
594	to this ethernet interface using the standard Linux macvlan	594	to this ethernet interface using the standard Linux macvlan or ipvlan
595	driver. Unless specified with option \-\-ip and \-\-defaultgw, an	595	driver. Unless specified with option \-\-ip and \-\-defaultgw, an
596	IP address and a default gateway will be assigned automatically	596	IP address and a default gateway will be assigned automatically
597	to the sandbox. The IP address is verified using ARP before	597	to the sandbox. The IP address is verified using ARP before
598	assignment. The address configured as default gateway is the	598	assignment. The address configured as default gateway is the
599	default gateway of the host. Up to four \-\-net devices can	599	default gateway of the host. Up to four \-\-net devices can
600	be defined. Mixing bridge and macvlan devices is allowed.	600	be defined. Mixing bridge and macvlan devices is allowed.
601	Note: wlan devices are not supported for this option.	601
		602	.TP
		603	\fBnet tap_interface
		604	Enable a new network namespace and connect it
		605	to this ethernet tap interface using the standard Linux macvlan
		606	driver. If the tap interface is not configured, the sandbox
		607	will not try to configure the interface inside the sandbox.
		608	Please use ip, netmask and defaultgw to specify the configuration.
602		609
603	.TP	610	.TP
604	\fBnet none	611	\fBnet none


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 74a9a9da9..f29d9cddf 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -816,6 +816,20 @@ $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
816	$ firejail \-\-net=wlan0 firefox	816	$ firejail \-\-net=wlan0 firefox
817		817
818	.TP	818	.TP
		819	\fB\-\-net=tap_interface
		820	Enable a new network namespace and connect it
		821	to this ethernet tap interface using the standard Linux macvlan
		822	driver. If the tap interface is not configured, the sandbox
		823	will not try to configure the interface inside the sandbox.
		824	Please use \-\-ip, \-\-netmask and \-\-defaultgw to specify the configuration.
		825	.br
		826
		827	.br
		828	Example:
		829	.br
		830	$ firejail \-\-net=tap0 \-\-ip=10.10.20.80 \-\-netmask=255.255.255.0 \-\-defaultgw=10.10.20.1 firefox
		831
		832	.TP
819	\fB\-\-net=none	833	\fB\-\-net=none
820	Enable a new, unconnected network namespace. The only interface	834	Enable a new, unconnected network namespace. The only interface
821	available in the new namespace is a new loopback interface (lo).	835	available in the new namespace is a new loopback interface (lo).