diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-05-26 09:07:31 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-05-26 09:07:31 -0400 |
| commit | 6f56bfe78bbb6970660c06f48b0a39b34c47189f (patch) | |
| tree | bbbab8fcb2e0be4ebd6e91f918d8a57b2ee67f96 | |
| parent | fixes (diff) | |
| parent | Document the restricted-network change (diff) | |
| download | firejail-6f56bfe78bbb6970660c06f48b0a39b34c47189f.tar.gz firejail-6f56bfe78bbb6970660c06f48b0a39b34c47189f.tar.zst firejail-6f56bfe78bbb6970660c06f48b0a39b34c47189f.zip | |
Merge pull request #537 from KellerFuchs/restricted-netfilter
Make `restricted-network` prevent use of netfilter
| -rw-r--r-- | README.md | 6 | ||||
| -rw-r--r-- | etc/firejail.config | 4 | ||||
| -rw-r--r-- | src/firejail/main.c | 24 | ||||
| -rw-r--r-- | src/man/firejail-config.txt | 4 |
4 files changed, 31 insertions, 7 deletions
| @@ -197,9 +197,9 @@ The following features can be enabled or disabled: | |||
| 197 | restricted-network | 197 | restricted-network |
| 198 | Enable or disable restricted network support, default disabled. | 198 | Enable or disable restricted network support, default disabled. |
| 199 | If enabled, networking features should also be enabled (network | 199 | If enabled, networking features should also be enabled (network |
| 200 | yes). Restricted networking grants access to --interface and | 200 | yes). Restricted networking grants access to --interface, |
| 201 | --net=ethXXX only to root user. Regular users are only allowed | 201 | --net=ethXXX and --netfilter only to root user. Regular users |
| 202 | --net=none. | 202 | are only allowed --net=none. Default disabled |
| 203 | 203 | ||
| 204 | secomp Enable or disable seccomp support, default enabled. | 204 | secomp Enable or disable seccomp support, default enabled. |
| 205 | 205 | ||
diff --git a/etc/firejail.config b/etc/firejail.config index caaeb6792..55d2faa9f 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
| @@ -17,8 +17,8 @@ | |||
| 17 | 17 | ||
| 18 | # Enable or disable restricted network support, default disabled. If enabled, | 18 | # Enable or disable restricted network support, default disabled. If enabled, |
| 19 | # networking features should also be enabled (network yes). | 19 | # networking features should also be enabled (network yes). |
| 20 | # Restricted networking grants access to --interface and --net=ethXXX | 20 | # Restricted networking grants access to --interface, --net=ethXXX and |
| 21 | # only to root user. Regular users are only allowed --net=none. | 21 | # --netfilter only to root user. Regular users are only allowed --net=none. |
| 22 | # restricted-network no | 22 | # restricted-network no |
| 23 | 23 | ||
| 24 | # Enable or disable seccomp support, default enabled. | 24 | # Enable or disable seccomp support, default enabled. |
diff --git a/src/firejail/main.c b/src/firejail/main.c index cda9e788e..955bd36bf 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1684,6 +1684,18 @@ int main(int argc, char **argv) { | |||
| 1684 | 1684 | ||
| 1685 | #ifdef HAVE_NETWORK | 1685 | #ifdef HAVE_NETWORK |
| 1686 | else if (strcmp(argv[i], "--netfilter") == 0) { | 1686 | else if (strcmp(argv[i], "--netfilter") == 0) { |
| 1687 | #ifdef HAVE_NETWORK_RESTRICTED | ||
| 1688 | // compile time restricted networking | ||
| 1689 | if (getuid() != 0) { | ||
| 1690 | fprintf(stderr, "Error: --netfilter is only allowed for root\n"); | ||
| 1691 | exit(1); | ||
| 1692 | } | ||
| 1693 | #endif | ||
| 1694 | // run time restricted networking | ||
| 1695 | if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { | ||
| 1696 | fprintf(stderr, "Error: --netfilter is only allowed for root\n"); | ||
| 1697 | exit(1); | ||
| 1698 | } | ||
| 1687 | if (checkcfg(CFG_NETWORK)) { | 1699 | if (checkcfg(CFG_NETWORK)) { |
| 1688 | arg_netfilter = 1; | 1700 | arg_netfilter = 1; |
| 1689 | } | 1701 | } |
| @@ -1694,6 +1706,18 @@ int main(int argc, char **argv) { | |||
| 1694 | } | 1706 | } |
| 1695 | 1707 | ||
| 1696 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { | 1708 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { |
| 1709 | #ifdef HAVE_NETWORK_RESTRICTED | ||
| 1710 | // compile time restricted networking | ||
| 1711 | if (getuid() != 0) { | ||
| 1712 | fprintf(stderr, "Error: --netfilter is only allowed for root\n"); | ||
| 1713 | exit(1); | ||
| 1714 | } | ||
| 1715 | #endif | ||
| 1716 | // run time restricted networking | ||
| 1717 | if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { | ||
| 1718 | fprintf(stderr, "Error: --netfilter is only allowed for root\n"); | ||
| 1719 | exit(1); | ||
| 1720 | } | ||
| 1697 | if (checkcfg(CFG_NETWORK)) { | 1721 | if (checkcfg(CFG_NETWORK)) { |
| 1698 | arg_netfilter = 1; | 1722 | arg_netfilter = 1; |
| 1699 | arg_netfilter_file = argv[i] + 12; | 1723 | arg_netfilter_file = argv[i] + 12; |
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt index dcede2ec6..026765f1a 100644 --- a/src/man/firejail-config.txt +++ b/src/man/firejail-config.txt | |||
| @@ -33,8 +33,8 @@ Enable or disable networking features, default enabled. | |||
| 33 | \fBrestricted-network | 33 | \fBrestricted-network |
| 34 | Enable or disable restricted network support, default disabled. If enabled, | 34 | Enable or disable restricted network support, default disabled. If enabled, |
| 35 | networking features should also be enabled (network yes). | 35 | networking features should also be enabled (network yes). |
| 36 | Restricted networking grants access to --interface and --net=ethXXX | 36 | Restricted networking grants access to --interface, --net=ethXXX and |
| 37 | only to root user. Regular users are only allowed --net=none. | 37 | \-\-netfilter only to root user. Regular users are only allowed --net=none. |
| 38 | 38 | ||
| 39 | .TP | 39 | .TP |
| 40 | \fBsecomp | 40 | \fBsecomp |