support for firetunnel utility

3 files changed, 48 insertions, 0 deletions

diff --git a/src/firejail/main.c b/src/firejail/main.c
index fe9118580..da052320c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1447,6 +1447,32 @@ int main(int argc, char **argv) {
                                 exit_err_feature("overlayfs");
                 }
 #endif
+                else if (strcmp(argv[i], "--tunnel") == 0) {
+                        // try to connect to the default client side of the tunnel
+                        // if this fails, try the default server side of the tunnel
+                        if (access("/run/firetunnel/ftc", R_OK) == 0)
+                                profile_read("/run/firetunnel/ftc");
+                        else if (access("/run/firetunnel/fts", R_OK) == 0)
+                                profile_read("/run/firetunnel/fts");
+                        else {
+                                fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n");
+                                exit(1);
+                        }
+                }
+                else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
+                        char *fname;
+
+                        if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1)
+                                errExit("asprintf");
+                        invalid_filename(fname, 0); // no globbing
+                        if (access(fname, R_OK) == 0)
+                                profile_read(fname);
+                        else {
+                                fprintf(stderr, "Error: tunnel not found\n");
+                                exit(1);
+                        }
+                }
+
                 else if (strncmp(argv[i], "--profile=", 10) == 0) {
                         // multiple profile files are allowed!
 
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c8866da3a..f54e6f744 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -214,6 +214,8 @@ static char *usage_str =
         "    --tracelog - add a syslog message for every access to files or\n"
         "\tdirectories blacklisted by the security profile.\n"
         "    --tree - print a tree of all sandboxed processes.\n"
+        "    --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
+        "\tfiretunnel utility.\n"
         "    --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
         "    --veth-name=name - use this name for the interface connected to the bridge.\n"
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c09684596..4d24bdd7e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2130,6 +2130,26 @@ $ firejail \-\-tree
   11970:netblue:transmission-gtk
 
 .TP
+\fB\-\-tunnel[=devname]
+Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
+tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active,
+please specify the tunnel device using \-\-tunnel=devname.
+.br
+
+.br
+The available tunnel devices are listed in /etc/firetunnel directory, one file for each device.
+The files are regular firejail profile files containing the network configuration,
+and are created and managed by firetunnel utility.
+By default ftc is the client-side device and fts is the server-side device. For more information
+please see man 1 firetunnel.
+.br
+
+.br
+Example:
+.br
+$ firejail --tunnel firefox
+.br
+.TP
 \fB\-\-version
 Print program version and exit.
 .br