diff options
| author |  Yuriy M. Kaminskiy <yumkam@gmail.com> | 2016-02-22 02:15:45 +0300 |
|---|---|---|
| committer | Yuriy M. Kaminskiy <yumkam@gmail.com> | 2016-02-23 18:13:23 +0300 |
| commit | 4db1a65a0775ce3cc65febc41ac84f5cfc81a51c (patch) | |
| tree | 5083d243e9f6959e64ea4c0a377ceb6bf385ae70 /configure.ac | |
| parent | x11 work (diff) | |
| download | firejail-4db1a65a0775ce3cc65febc41ac84f5cfc81a51c.tar.gz firejail-4db1a65a0775ce3cc65febc41ac84f5cfc81a51c.tar.zst firejail-4db1a65a0775ce3cc65febc41ac84f5cfc81a51c.zip | |
Add compile-time option to restrict --net= to root only
./configure --enable-network=restricted allows only --net=none to
non-root users.
Other variants delegate too much power to non-root users and dangerous (it
completely bypasses system-wide firewall and routing, it allows introducing
arbitrary-chosen MAC and IP interfaces on LAN [disregarding DHCP
policy], etc).
Root already had power to twiddle with anything, so no sense to restrain
her, and --net=none looks safe enough (and still useful) for ordinary
users.
Diffstat (limited to 'configure.ac')
| -rw-r--r-- | configure.ac | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac index f9d0a3f65..f39b0d780 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -38,6 +38,9 @@ AC_ARG_ENABLE([network], | |||
| 38 | AS_HELP_STRING([--disable-network], [disable network])) | 38 | AS_HELP_STRING([--disable-network], [disable network])) |
| 39 | AS_IF([test "x$enable_network" != "xno"], [ | 39 | AS_IF([test "x$enable_network" != "xno"], [ |
| 40 | HAVE_NETWORK="-DHAVE_NETWORK" | 40 | HAVE_NETWORK="-DHAVE_NETWORK" |
| 41 | AS_IF([test "x$enable_network" = "xrestricted"], [ | ||
| 42 | HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" | ||
| 43 | ]) | ||
| 41 | AC_SUBST(HAVE_NETWORK) | 44 | AC_SUBST(HAVE_NETWORK) |
| 42 | ]) | 45 | ]) |
| 43 | 46 | ||