author | 2017-11-18 08:39:02 -0500 | |
---|---|---|
committer | 2017-11-18 08:39:02 -0500 | |
commit | ead4ec3089b97eda1b438da248caf76f169345ad (patch) | |
tree | 31bc22bcba4e6530b5f0daba3f332702efa7a4b9 /src/firejail/netfilter.c | |
parent | Consistent home directory nomenclature (diff) | |
netfilter template support
Diffstat (limited to 'src/firejail/netfilter.c')
-rw-r--r-- | src/firejail/netfilter.c | 13 |
1 files changed, 10 insertions, 3 deletions
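--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -24,7 +24,6 @@
 #include <sys/wait.h>
 #include <fcntl.h>
 
-
 void check_netfilter_file(const char *fname) {
 	EUID_ASSERT();
 
@@ -44,7 +43,6 @@ void check_netfilter_file(const char *fname) {
 	free(tmp);
 }
 
-
 void netfilter(const char *fname) {
 	// find iptables command
 	struct stat s;
@@ -150,6 +148,16 @@ void netfilter_print(pid_t pid, int ipv6) {
 	}
 	free(comm);
 
+	// check privileges for non-root users
+	uid_t uid = getuid();
+	if (uid != 0) {
+		uid_t sandbox_uid = pid_get_uid(pid);
+		if (uid != sandbox_uid) {
+			fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
+			exit(1);
+		}
+	}
+
 	// check network namespace
 	char *name;
 	if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
@@ -196,4 +204,3 @@ void netfilter_print(pid_t pid, int ipv6) {
 
 	sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
 }
-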
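Review bot: The error text added at new line 156 says "join a sandbox", but `netfilter_print` only prints the sandbox's iptables rules, so the message misdescribes the action being refused; `fprintf(stderr, "Error: permission is denied to inspect the netfilter rules of a sandbox created by a different user.\n");` would match what the function actually does. The ownership check is also placed after the `comm` lookup that is freed at new line 149 has already consumed the caller-supplied `pid`; if that lookup is an unprivileged /proc read this is harmless, but the check is easier to audit as the first thing done with `pid`, before any other per-pid work. It is not visible in this hunk what `pid_get_uid` returns for a pid that no longer exists or is unreadable; if it can return 0 or the caller's own uid in that case, the comparison would pass for a stale pid, which is worth confirming against its implementation. The same uid/sandbox_uid comparison presumably exists in the join path; if so, a shared helper such as a `static void check_sandbox_owner(pid_t pid)` would keep the two checks from drifting apart. netfilter_print begins outside this hunk.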