netfilter template support

1 files changed, 10 insertions, 3 deletions

diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index e1d0edd01..dd4009a2e 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -24,7 +24,6 @@
 #include <sys/wait.h>
 #include <fcntl.h>
 
-
 void check_netfilter_file(const char *fname) {
         EUID_ASSERT();
 
@@ -44,7 +43,6 @@ void check_netfilter_file(const char *fname) {
         free(tmp);
 }
 
-
 void netfilter(const char *fname) {
         // find iptables command
         struct stat s;
@@ -150,6 +148,16 @@ void netfilter_print(pid_t pid, int ipv6) {
         }
         free(comm);
 
+        // check privileges for non-root users
+        uid_t uid = getuid();
+        if (uid != 0) {
+                uid_t sandbox_uid = pid_get_uid(pid);
+                if (uid != sandbox_uid) {
+                        fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n");
+                        exit(1);
+                }
+        }
+
         // check network namespace
         char *name;
         if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
@@ -196,4 +204,3 @@ void netfilter_print(pid_t pid, int ipv6) {
 
         sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
 }
-