--nettrace only available when running the sandbox as root

2 files changed, 10 insertions, 2 deletions

diff --git a/src/firejail/main.c b/src/firejail/main.c
index f3b656e2e..e1f19dd14 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -409,6 +409,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifdef HAVE_NETWORK
         else if (strcmp(argv[i], "--nettrace") == 0) {
                 if (checkcfg(CFG_NETWORK)) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --nettrace is only available to root user\n");
+                                exit(1);
+                        }
                         netfilter_trace(0);
                 }
                 else
@@ -417,6 +421,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
         else if (strncmp(argv[i], "--nettrace=", 11) == 0) {
                 if (checkcfg(CFG_NETWORK)) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --nettrace is only available to root user\n");
+                                exit(1);
+                        }
                         pid_t pid = require_pid(argv[i] + 11);
                         netfilter_trace(pid);
                 }
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f78b75346..5f352c843 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1528,7 +1528,7 @@ PID  User    RX(KB/s) TX(KB/s) Command
 .TP
 \fB\-\-nettrace[=name|pid]
 Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes
-created with \-\-net are supported.
+created with \-\-net are supported. This option is only available when running the sandbox as root.
 .br
 
 .br
@@ -1536,7 +1536,7 @@ Without a name/pid, Firejail will monitor the main system network namespace.
 .br
 
 .br
- $ firejail --nettrace=browser
+ $ sudo firejail --nettrace=browser
 .br
 
 .br