--disable-network --disable-userns compile time options

author: netblue30 <netblue30@yahoo.com> 2016-01-25 10:48:23 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-01-25 10:48:23 -0500
commit: 9edc43cc488a8ed701159ef07627097205708678 (patch)
tree: db9968caa02f67219eb7aaa1c4d1590516446457 /src
parent: 0.9.38 testing (diff)
download: firejail-9edc43cc488a8ed701159ef07627097205708678.tar.gz
firejail-9edc43cc488a8ed701159ef07627097205708678.tar.zst
firejail-9edc43cc488a8ed701159ef07627097205708678.zip
4 files changed, 45 insertions, 10 deletions
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 87cda9ab2..83a2b0592 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -12,13 +12,15 @@ HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
 HAVE_BIND=@HAVE_BIND@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 014ea8cae..2fda8f1ab 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -208,7 +208,7 @@ static void check_network(Bridge *br) {
        }
 }
+#ifdef HAVE_USERNS
 void check_user_namespace(void) {
        if (getuid() == 0) {
                fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");
@@ -228,6 +228,7 @@ void check_user_namespace(void) {
                arg_noroot = 0;
        }
 }
+#endif
 // exit commands
 static void run_cmd_and_exit(int i, int argc, char **argv) {
@@ -243,6 +244,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                printf("firejail version %s\n", VERSION);
                exit(0);
        }
+#ifdef HAVE_NETWORK     
        else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
                logargs(argc, argv);
                
@@ -303,7 +305,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        bandwidth_name(argv[i] + 12, cmd, dev, down, up);
                exit(0);
        }
+#endif
        //*************************************
        // independent commands - the program will exit!
        //*************************************
@@ -382,10 +384,12 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                top();
                exit(0);
        }
+#ifdef HAVE_NETWORK     
        else if (strcmp(argv[i], "--netstats") == 0) {
                netstats();
                exit(0);
        }
+#endif  
        else if (strncmp(argv[i], "--join=", 7) == 0) {
                logargs(argc, argv);
                
@@ -397,6 +401,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1);
                exit(0);
        }
+#ifdef HAVE_NETWORK     
        else if (strncmp(argv[i], "--join-network=", 15) == 0) {
                logargs(argc, argv);
                arg_join_network = 1;
@@ -413,6 +418,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                        join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1);
                exit(0);
        }
+#endif
        else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) {
                logargs(argc, argv);
                arg_join_filesystem = 1;
@@ -962,9 +968,11 @@ int main(int argc, char **argv) {
                }
                else if (strcmp(argv[i], "--nogroups") == 0)
                        arg_nogroups = 1;
+#ifdef HAVE_USERNS
                else if (strcmp(argv[i], "--noroot") == 0) {
                        check_user_namespace();
                }
+#endif
                else if (strncmp(argv[i], "--env=", 6) == 0)
                        env_store(argv[i] + 6);
                else if (strncmp(argv[i], "--nosound", 9) == 0) {
@@ -975,6 +983,7 @@ int main(int argc, char **argv) {
                //*************************************
                // network
                //*************************************
+#ifdef HAVE_NETWORK     
                else if (strncmp(argv[i], "--interface=", 12) == 0) {
                        // checks
                        if (arg_nonetwork) {
@@ -1164,6 +1173,7 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
+#endif          
                else if (strncmp(argv[i], "--dns=", 6) == 0) {
                        uint32_t dns;
                        if (atoip(argv[i] + 6, &dns)) {
@@ -1182,6 +1192,7 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
+#ifdef HAVE_NETWORK
                else if (strcmp(argv[i], "--netfilter") == 0)
                        arg_netfilter = 1;
                else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
@@ -1194,7 +1205,7 @@ int main(int argc, char **argv) {
                        arg_netfilter6_file = argv[i] + 13;
                        check_netfilter_file(arg_netfilter6_file);
                }
+#endif
                //*************************************
                // command
                //*************************************
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index f6b062d2b..2d7b07c6d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -110,7 +110,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        }
        // seccomp, caps, private, user namespace
        else if (strcmp(ptr, "noroot") == 0) {
+#if HAVE_USERNS
                check_user_namespace();
+#endif
                return 0;
        }
        else if (strcmp(ptr, "seccomp") == 0) {
@@ -146,31 +148,39 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        else if (strcmp(ptr, "netfilter") == 0) {
+#ifdef HAVE_NETWORK
                arg_netfilter = 1;
+#endif
                return 0;
        }
        else if (strncmp(ptr, "netfilter ", 10) == 0) {
+#ifdef HAVE_NETWORK
                arg_netfilter = 1;
                arg_netfilter_file = strdup(ptr + 10);
                if (!arg_netfilter_file)
                        errExit("strdup");
                check_netfilter_file(arg_netfilter_file);
+#endif
                return 0;
        }
        else if (strncmp(ptr, "netfilter6 ", 11) == 0) {
+#ifdef HAVE_NETWORK
                arg_netfilter6 = 1;
                arg_netfilter6_file = strdup(ptr + 11);
                if (!arg_netfilter6_file)
                        errExit("strdup");
                check_netfilter_file(arg_netfilter6_file);
+#endif
                return 0;
        }
        else if (strcmp(ptr, "net none") == 0) {
+#ifdef HAVE_NETWORK
                arg_nonetwork  = 1;
                cfg.bridge0.configured = 0;
                cfg.bridge1.configured = 0;
                cfg.bridge2.configured = 0;
                cfg.bridge3.configured = 0;
+#endif
                return 0;
        }
        
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d3ebefaae..6a033b922 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,10 +34,12 @@ void usage(void) {
        printf("\n");
        printf("Options:\n\n");
        printf("\t-- - signal the end of options and disables further option processing.\n\n");
+#ifdef HAVE_NETWORK     
        printf("\t--bandwidth=name - set  bandwidth  limits  for  the sandbox identified\n");
        printf("\t\tby name, see Traffic Shaping section for more details.\n\n");
        printf("\t--bandwidth=pid - set  bandwidth  limits  for  the sandbox identified\n");
        printf("\t\tby PID, see Traffic Shaping section for more details.\n\n");
+#endif
 #ifdef HAVE_BIND                
        printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");
        printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n");
@@ -81,8 +83,10 @@ void usage(void) {
+#ifdef HAVE_NETWORK     
        printf("\t--defaultgw=address - use this address as default gateway in the new\n");
        printf("\t\tnetwork namespace.\n\n");
+#endif
        printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n");
        printf("\t\tservers can be defined.\n\n");
        printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n");
@@ -99,15 +103,16 @@ void usage(void) {
        printf("\t--help, -? - this help screen.\n\n");
        printf("\t--hostname=name - set sandbox hostname.\n\n");
        printf("\t--ignore=command - ignore command in profile files.\n\n");
+#ifdef HAVE_NETWORK     
        printf("\t--interface=name - move interface in a new network namespace. Up to\n");
        printf("\t\tfour --interface options can be sepcified.\n\n");
-        
        printf("\t--ip=address - set interface IP address.\n\n");
        printf("\t--ip=none - no IP address and no default gateway address are configured\n");
        printf("\t\tin the new network namespace. Use this option in case you intend\n");
        printf("\t\tto start an external DHCP client in the sandbox.\n\n");
        printf("\t--ip6=address - set interface IPv6 address.\n\n");
        printf("\t--iprange=address,address - configure an IP address in this range\n\n");
+#endif
        printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n");
        printf("\t\tas a regular user. IPC namespace is enabled by default only if\n");
        printf("\t\tthe sandbox is started as root.\n\n");
@@ -117,14 +122,19 @@ void usage(void) {
        printf("\t\tidentified by name.\n\n");
        printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n");
        printf("\t\tidentified by PID.\n\n");
+#ifdef HAVE_NETWORK     
        printf("\t--join-network=name - join the network namespace of the sandbox\n");
        printf("\t\tidentified by name.\n\n");
        printf("\t--join-network=pid - join the network namespace of the sandbox\n");
        printf("\t\tidentified by PID.\n\n");
+#endif
        printf("\t--list - list all sandboxes.\n\n");
+#ifdef HAVE_NETWORK     
        printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
        printf("\t--mtu=number - set interface MTU.\n\n");
+#endif
        printf("\t--name=name - set sandbox name.\n\n");
+#ifdef HAVE_NETWORK     
        printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n");
        printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n");
        printf("\t\tIP address and a default gateway will be assigned automatically\n");
@@ -163,6 +173,7 @@ void usage(void) {
        printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
        printf("\t\tnetwork namespace.\n\n");
+#endif
        printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n");
        printf("\t\tor file.\n\n");
        printf("\t--nogroups - disable supplementary groups. Without this option,\n");
@@ -175,11 +186,11 @@ void usage(void) {
        printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
        printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
        printf("\t\troot.\n\n");
-                        
+#ifdef HAVE_USERNS                      
        printf("\t--noroot - install a user namespace with a single user - the current\n");
        printf("\t\tuser. root user does not exist in the new namespace. This option\n");
        printf("\t\tis not supported for --chroot and --overlay configurations.\n\n");
+#endif
        printf("\t--nosound - disable sound system\n\n");
                
        printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n");
@@ -239,11 +250,11 @@ void usage(void) {
        printf("\t\tcreated for the real user ID of the calling process.\n\n");
        printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n");
        printf("\t\tfor a process.\n\n");
+#ifdef HAVE_NETWORK     
        printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n");
        printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n");
        printf("\t\trunning on the current host.\n\n");
-        
+#endif  
 #ifdef HAVE_SECCOMP
        printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n");
        printf("\t\tlist. The default list is as follows: mount, umount2,\n");
@@ -294,6 +305,7 @@ void usage(void) {
        printf("\n");
+#ifdef HAVE_NETWORK     
        printf("Traffic Shaping\n\n");
        
        printf("Network bandwidth is an expensive resource shared among  all  sandboxes\n");
@@ -323,7 +335,7 @@ void usage(void) {
            printf("\t$ firejail --bandwidth=mybrowser clear eth0\n");
        printf("\n");
        printf("\n");
+#endif
        printf("Monitoring\n\n");
author	netblue30 <netblue30@yahoo.com>	2016-01-25 10:48:23 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-01-25 10:48:23 -0500
commit	9edc43cc488a8ed701159ef07627097205708678 (patch)
tree	db9968caa02f67219eb7aaa1c4d1590516446457 /src
parent	0.9.38 testing (diff)
download	firejail-9edc43cc488a8ed701159ef07627097205708678.tar.gz firejail-9edc43cc488a8ed701159ef07627097205708678.tar.zst firejail-9edc43cc488a8ed701159ef07627097205708678.zip

diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 87cda9ab2..83a2b0592 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in
@@ -12,13 +12,15 @@ HAVE_SECCOMP=@HAVE_SECCOMP@
12	HAVE_CHROOT=@HAVE_CHROOT@	12	HAVE_CHROOT=@HAVE_CHROOT@
13	HAVE_BIND=@HAVE_BIND@	13	HAVE_BIND=@HAVE_BIND@
14	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@	14	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
		15	HAVE_NETWORK=@HAVE_NETWORK@
		16	HAVE_USERNS=@HAVE_USERNS@
15		17
16		18
17	H_FILE_LIST = $(sort $(wildcard *.[h]))	19	H_FILE_LIST = $(sort $(wildcard *.[h]))
18	C_FILE_LIST = $(sort $(wildcard *.c))	20	C_FILE_LIST = $(sort $(wildcard *.c))
19	OBJS = $(C_FILE_LIST:.c=.o)	21	OBJS = $(C_FILE_LIST:.c=.o)
20	BINOBJS = $(foreach file, $(OBJS), $file)	22	BINOBJS = $(foreach file, $(OBJS), $file)
21	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security	23	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
22	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread	24	LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
23		25
24	%.o : %.c $(H_FILE_LIST)	26	%.o : %.c $(H_FILE_LIST)


diff --git a/src/firejail/main.c b/src/firejail/main.c index 014ea8cae..2fda8f1ab 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -208,7 +208,7 @@ static void check_network(Bridge *br) {
208	}	208	}
209	}	209	}
210		210
211		211	#ifdef HAVE_USERNS
212	void check_user_namespace(void) {	212	void check_user_namespace(void) {
213	if (getuid() == 0) {	213	if (getuid() == 0) {
214	fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");	214	fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");
@@ -228,6 +228,7 @@ void check_user_namespace(void) {
228	arg_noroot = 0;	228	arg_noroot = 0;
229	}	229	}
230	}	230	}
		231	#endif
231		232
232	// exit commands	233	// exit commands
233	static void run_cmd_and_exit(int i, int argc, char **argv) {	234	static void run_cmd_and_exit(int i, int argc, char **argv) {
@@ -243,6 +244,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
243	printf("firejail version %s\n", VERSION);	244	printf("firejail version %s\n", VERSION);
244	exit(0);	245	exit(0);
245	}	246	}
		247	#ifdef HAVE_NETWORK
246	else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {	248	else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
247	logargs(argc, argv);	249	logargs(argc, argv);
248		250
@@ -303,7 +305,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
303	bandwidth_name(argv[i] + 12, cmd, dev, down, up);	305	bandwidth_name(argv[i] + 12, cmd, dev, down, up);
304	exit(0);	306	exit(0);
305	}	307	}
306		308	#endif
307	//*************************************	309	//*************************************
308	// independent commands - the program will exit!	310	// independent commands - the program will exit!
309	//*************************************	311	//*************************************
@@ -382,10 +384,12 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
382	top();	384	top();
383	exit(0);	385	exit(0);
384	}	386	}
		387	#ifdef HAVE_NETWORK
385	else if (strcmp(argv[i], "--netstats") == 0) {	388	else if (strcmp(argv[i], "--netstats") == 0) {
386	netstats();	389	netstats();
387	exit(0);	390	exit(0);
388	}	391	}
		392	#endif
389	else if (strncmp(argv[i], "--join=", 7) == 0) {	393	else if (strncmp(argv[i], "--join=", 7) == 0) {
390	logargs(argc, argv);	394	logargs(argc, argv);
391		395
@@ -397,6 +401,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
397	join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1);	401	join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1);
398	exit(0);	402	exit(0);
399	}	403	}
		404	#ifdef HAVE_NETWORK
400	else if (strncmp(argv[i], "--join-network=", 15) == 0) {	405	else if (strncmp(argv[i], "--join-network=", 15) == 0) {
401	logargs(argc, argv);	406	logargs(argc, argv);
402	arg_join_network = 1;	407	arg_join_network = 1;
@@ -413,6 +418,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
413	join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1);	418	join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1);
414	exit(0);	419	exit(0);
415	}	420	}
		421	#endif
416	else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) {	422	else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) {
417	logargs(argc, argv);	423	logargs(argc, argv);
418	arg_join_filesystem = 1;	424	arg_join_filesystem = 1;
@@ -962,9 +968,11 @@ int main(int argc, char **argv) {
962	}	968	}
963	else if (strcmp(argv[i], "--nogroups") == 0)	969	else if (strcmp(argv[i], "--nogroups") == 0)
964	arg_nogroups = 1;	970	arg_nogroups = 1;
		971	#ifdef HAVE_USERNS
965	else if (strcmp(argv[i], "--noroot") == 0) {	972	else if (strcmp(argv[i], "--noroot") == 0) {
966	check_user_namespace();	973	check_user_namespace();
967	}	974	}
		975	#endif
968	else if (strncmp(argv[i], "--env=", 6) == 0)	976	else if (strncmp(argv[i], "--env=", 6) == 0)
969	env_store(argv[i] + 6);	977	env_store(argv[i] + 6);
970	else if (strncmp(argv[i], "--nosound", 9) == 0) {	978	else if (strncmp(argv[i], "--nosound", 9) == 0) {
@@ -975,6 +983,7 @@ int main(int argc, char **argv) {
975	//*************************************	983	//*************************************
976	// network	984	// network
977	//*************************************	985	//*************************************
		986	#ifdef HAVE_NETWORK
978	else if (strncmp(argv[i], "--interface=", 12) == 0) {	987	else if (strncmp(argv[i], "--interface=", 12) == 0) {
979	// checks	988	// checks
980	if (arg_nonetwork) {	989	if (arg_nonetwork) {
@@ -1164,6 +1173,7 @@ int main(int argc, char **argv) {
1164	return 1;	1173	return 1;
1165	}	1174	}
1166	}	1175	}
		1176	#endif
1167	else if (strncmp(argv[i], "--dns=", 6) == 0) {	1177	else if (strncmp(argv[i], "--dns=", 6) == 0) {
1168	uint32_t dns;	1178	uint32_t dns;
1169	if (atoip(argv[i] + 6, &dns)) {	1179	if (atoip(argv[i] + 6, &dns)) {
@@ -1182,6 +1192,7 @@ int main(int argc, char **argv) {
1182	return 1;	1192	return 1;
1183	}	1193	}
1184	}	1194	}
		1195	#ifdef HAVE_NETWORK
1185	else if (strcmp(argv[i], "--netfilter") == 0)	1196	else if (strcmp(argv[i], "--netfilter") == 0)
1186	arg_netfilter = 1;	1197	arg_netfilter = 1;
1187	else if (strncmp(argv[i], "--netfilter=", 12) == 0) {	1198	else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
@@ -1194,7 +1205,7 @@ int main(int argc, char **argv) {
1194	arg_netfilter6_file = argv[i] + 13;	1205	arg_netfilter6_file = argv[i] + 13;
1195	check_netfilter_file(arg_netfilter6_file);	1206	check_netfilter_file(arg_netfilter6_file);
1196	}	1207	}
1197		1208	#endif
1198	//*************************************	1209	//*************************************
1199	// command	1210	// command
1200	//*************************************	1211	//*************************************


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index f6b062d2b..2d7b07c6d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -110,7 +110,9 @@ int profile_check_line(char ptr, int lineno, const char fname) {
110	}	110	}
111	// seccomp, caps, private, user namespace	111	// seccomp, caps, private, user namespace
112	else if (strcmp(ptr, "noroot") == 0) {	112	else if (strcmp(ptr, "noroot") == 0) {
		113	#if HAVE_USERNS
113	check_user_namespace();	114	check_user_namespace();
		115	#endif
114	return 0;	116	return 0;
115	}	117	}
116	else if (strcmp(ptr, "seccomp") == 0) {	118	else if (strcmp(ptr, "seccomp") == 0) {
@@ -146,31 +148,39 @@ int profile_check_line(char ptr, int lineno, const char fname) {
146	return 0;	148	return 0;
147	}	149	}
148	else if (strcmp(ptr, "netfilter") == 0) {	150	else if (strcmp(ptr, "netfilter") == 0) {
		151	#ifdef HAVE_NETWORK
149	arg_netfilter = 1;	152	arg_netfilter = 1;
		153	#endif
150	return 0;	154	return 0;
151	}	155	}
152	else if (strncmp(ptr, "netfilter ", 10) == 0) {	156	else if (strncmp(ptr, "netfilter ", 10) == 0) {
		157	#ifdef HAVE_NETWORK
153	arg_netfilter = 1;	158	arg_netfilter = 1;
154	arg_netfilter_file = strdup(ptr + 10);	159	arg_netfilter_file = strdup(ptr + 10);
155	if (!arg_netfilter_file)	160	if (!arg_netfilter_file)
156	errExit("strdup");	161	errExit("strdup");
157	check_netfilter_file(arg_netfilter_file);	162	check_netfilter_file(arg_netfilter_file);
		163	#endif
158	return 0;	164	return 0;
159	}	165	}
160	else if (strncmp(ptr, "netfilter6 ", 11) == 0) {	166	else if (strncmp(ptr, "netfilter6 ", 11) == 0) {
		167	#ifdef HAVE_NETWORK
161	arg_netfilter6 = 1;	168	arg_netfilter6 = 1;
162	arg_netfilter6_file = strdup(ptr + 11);	169	arg_netfilter6_file = strdup(ptr + 11);
163	if (!arg_netfilter6_file)	170	if (!arg_netfilter6_file)
164	errExit("strdup");	171	errExit("strdup");
165	check_netfilter_file(arg_netfilter6_file);	172	check_netfilter_file(arg_netfilter6_file);
		173	#endif
166	return 0;	174	return 0;
167	}	175	}
168	else if (strcmp(ptr, "net none") == 0) {	176	else if (strcmp(ptr, "net none") == 0) {
		177	#ifdef HAVE_NETWORK
169	arg_nonetwork = 1;	178	arg_nonetwork = 1;
170	cfg.bridge0.configured = 0;	179	cfg.bridge0.configured = 0;
171	cfg.bridge1.configured = 0;	180	cfg.bridge1.configured = 0;
172	cfg.bridge2.configured = 0;	181	cfg.bridge2.configured = 0;
173	cfg.bridge3.configured = 0;	182	cfg.bridge3.configured = 0;
		183	#endif
174	return 0;	184	return 0;
175	}	185	}
176		186


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d3ebefaae..6a033b922 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -34,10 +34,12 @@ void usage(void) {
34	printf("\n");	34	printf("\n");
35	printf("Options:\n\n");	35	printf("Options:\n\n");
36	printf("\t-- - signal the end of options and disables further option processing.\n\n");	36	printf("\t-- - signal the end of options and disables further option processing.\n\n");
		37	#ifdef HAVE_NETWORK
37	printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n");	38	printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n");
38	printf("\t\tby name, see Traffic Shaping section for more details.\n\n");	39	printf("\t\tby name, see Traffic Shaping section for more details.\n\n");
39	printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n");	40	printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n");
40	printf("\t\tby PID, see Traffic Shaping section for more details.\n\n");	41	printf("\t\tby PID, see Traffic Shaping section for more details.\n\n");
		42	#endif
41	#ifdef HAVE_BIND	43	#ifdef HAVE_BIND
42	printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");	44	printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");
43	printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n");	45	printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n");
@@ -81,8 +83,10 @@ void usage(void) {
81		83
82		84
83		85
		86	#ifdef HAVE_NETWORK
84	printf("\t--defaultgw=address - use this address as default gateway in the new\n");	87	printf("\t--defaultgw=address - use this address as default gateway in the new\n");
85	printf("\t\tnetwork namespace.\n\n");	88	printf("\t\tnetwork namespace.\n\n");
		89	#endif
86	printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n");	90	printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n");
87	printf("\t\tservers can be defined.\n\n");	91	printf("\t\tservers can be defined.\n\n");
88	printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n");	92	printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n");
@@ -99,15 +103,16 @@ void usage(void) {
99	printf("\t--help, -? - this help screen.\n\n");	103	printf("\t--help, -? - this help screen.\n\n");
100	printf("\t--hostname=name - set sandbox hostname.\n\n");	104	printf("\t--hostname=name - set sandbox hostname.\n\n");
101	printf("\t--ignore=command - ignore command in profile files.\n\n");	105	printf("\t--ignore=command - ignore command in profile files.\n\n");
		106	#ifdef HAVE_NETWORK
102	printf("\t--interface=name - move interface in a new network namespace. Up to\n");	107	printf("\t--interface=name - move interface in a new network namespace. Up to\n");
103	printf("\t\tfour --interface options can be sepcified.\n\n");	108	printf("\t\tfour --interface options can be sepcified.\n\n");
104
105	printf("\t--ip=address - set interface IP address.\n\n");	109	printf("\t--ip=address - set interface IP address.\n\n");
106	printf("\t--ip=none - no IP address and no default gateway address are configured\n");	110	printf("\t--ip=none - no IP address and no default gateway address are configured\n");
107	printf("\t\tin the new network namespace. Use this option in case you intend\n");	111	printf("\t\tin the new network namespace. Use this option in case you intend\n");
108	printf("\t\tto start an external DHCP client in the sandbox.\n\n");	112	printf("\t\tto start an external DHCP client in the sandbox.\n\n");
109	printf("\t--ip6=address - set interface IPv6 address.\n\n");	113	printf("\t--ip6=address - set interface IPv6 address.\n\n");
110	printf("\t--iprange=address,address - configure an IP address in this range\n\n");	114	printf("\t--iprange=address,address - configure an IP address in this range\n\n");
		115	#endif
111	printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n");	116	printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n");
112	printf("\t\tas a regular user. IPC namespace is enabled by default only if\n");	117	printf("\t\tas a regular user. IPC namespace is enabled by default only if\n");
113	printf("\t\tthe sandbox is started as root.\n\n");	118	printf("\t\tthe sandbox is started as root.\n\n");
@@ -117,14 +122,19 @@ void usage(void) {
117	printf("\t\tidentified by name.\n\n");	122	printf("\t\tidentified by name.\n\n");
118	printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n");	123	printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n");
119	printf("\t\tidentified by PID.\n\n");	124	printf("\t\tidentified by PID.\n\n");
		125	#ifdef HAVE_NETWORK
120	printf("\t--join-network=name - join the network namespace of the sandbox\n");	126	printf("\t--join-network=name - join the network namespace of the sandbox\n");
121	printf("\t\tidentified by name.\n\n");	127	printf("\t\tidentified by name.\n\n");
122	printf("\t--join-network=pid - join the network namespace of the sandbox\n");	128	printf("\t--join-network=pid - join the network namespace of the sandbox\n");
123	printf("\t\tidentified by PID.\n\n");	129	printf("\t\tidentified by PID.\n\n");
		130	#endif
124	printf("\t--list - list all sandboxes.\n\n");	131	printf("\t--list - list all sandboxes.\n\n");
		132	#ifdef HAVE_NETWORK
125	printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");	133	printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
126	printf("\t--mtu=number - set interface MTU.\n\n");	134	printf("\t--mtu=number - set interface MTU.\n\n");
		135	#endif
127	printf("\t--name=name - set sandbox name.\n\n");	136	printf("\t--name=name - set sandbox name.\n\n");
		137	#ifdef HAVE_NETWORK
128	printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n");	138	printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n");
129	printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n");	139	printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n");
130	printf("\t\tIP address and a default gateway will be assigned automatically\n");	140	printf("\t\tIP address and a default gateway will be assigned automatically\n");
@@ -163,6 +173,7 @@ void usage(void) {
163		173
164	printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");	174	printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
165	printf("\t\tnetwork namespace.\n\n");	175	printf("\t\tnetwork namespace.\n\n");
		176	#endif
166	printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n");	177	printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n");
167	printf("\t\tor file.\n\n");	178	printf("\t\tor file.\n\n");
168	printf("\t--nogroups - disable supplementary groups. Without this option,\n");	179	printf("\t--nogroups - disable supplementary groups. Without this option,\n");
@@ -175,11 +186,11 @@ void usage(void) {
175	printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);	186	printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
176	printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);	187	printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
177	printf("\t\troot.\n\n");	188	printf("\t\troot.\n\n");
178		189	#ifdef HAVE_USERNS
179	printf("\t--noroot - install a user namespace with a single user - the current\n");	190	printf("\t--noroot - install a user namespace with a single user - the current\n");
180	printf("\t\tuser. root user does not exist in the new namespace. This option\n");	191	printf("\t\tuser. root user does not exist in the new namespace. This option\n");
181	printf("\t\tis not supported for --chroot and --overlay configurations.\n\n");	192	printf("\t\tis not supported for --chroot and --overlay configurations.\n\n");
182		193	#endif
183	printf("\t--nosound - disable sound system\n\n");	194	printf("\t--nosound - disable sound system\n\n");
184		195
185	printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n");	196	printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n");
@@ -239,11 +250,11 @@ void usage(void) {
239	printf("\t\tcreated for the real user ID of the calling process.\n\n");	250	printf("\t\tcreated for the real user ID of the calling process.\n\n");
240	printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n");	251	printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n");
241	printf("\t\tfor a process.\n\n");	252	printf("\t\tfor a process.\n\n");
242		253	#ifdef HAVE_NETWORK
243	printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n");	254	printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n");
244	printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n");	255	printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n");
245	printf("\t\trunning on the current host.\n\n");	256	printf("\t\trunning on the current host.\n\n");
246		257	#endif
247	#ifdef HAVE_SECCOMP	258	#ifdef HAVE_SECCOMP
248	printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n");	259	printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n");
249	printf("\t\tlist. The default list is as follows: mount, umount2,\n");	260	printf("\t\tlist. The default list is as follows: mount, umount2,\n");
@@ -294,6 +305,7 @@ void usage(void) {
294	printf("\n");	305	printf("\n");
295		306
296		307
		308	#ifdef HAVE_NETWORK
297	printf("Traffic Shaping\n\n");	309	printf("Traffic Shaping\n\n");
298		310
299	printf("Network bandwidth is an expensive resource shared among all sandboxes\n");	311	printf("Network bandwidth is an expensive resource shared among all sandboxes\n");
@@ -323,7 +335,7 @@ void usage(void) {
323	printf("\t$ firejail --bandwidth=mybrowser clear eth0\n");	335	printf("\t$ firejail --bandwidth=mybrowser clear eth0\n");
324	printf("\n");	336	printf("\n");
325	printf("\n");	337	printf("\n");
326		338	#endif
327		339
328		340
329	printf("Monitoring\n\n");	341	printf("Monitoring\n\n");