author | netblue30 <netblue30@yahoo.com> | 2016-01-25 10:48:23 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-01-25 10:48:23 -0500 |
commit | 9edc43cc488a8ed701159ef07627097205708678 (patch) | |
tree | db9968caa02f67219eb7aaa1c4d1590516446457 /src | |
parent | 0.9.38 testing (diff) | |
--disable-network --disable-userns compile time options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/Makefile.in | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 17 | ||||
-rw-r--r-- | src/firejail/profile.c | 10 | ||||
-rw-r--r-- | src/firejail/usage.c | 24 |
4 files changed, 45 insertions, 10 deletions
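--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -12,13 +12,15 @@ HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
 HAVE_BIND=@HAVE_BIND@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
 
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
 %.o : %.c $(H_FILE_LIST)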
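Review bot: The two new flags only reach the preprocessor, while `C_FILE_LIST = $(sort $(wildcard *.c))` a few lines below still compiles and links every source file in the directory, so `--disable-network` and `--disable-userns` remove the command-line and profile surface but, as far as this Makefile shows, leave the underlying network and user-namespace code in the binary. If the goal is to shrink the binary's attack surface rather than only to hide options, the corresponding translation units would have to be excluded from `OBJS` when the flag expands to nothing; if hiding options is the whole intent, a comment next to `HAVE_NETWORK=@HAVE_NETWORK@` stating that would keep the next reader from assuming the stronger guarantee. The flag names follow the existing `HAVE_SECCOMP`/`HAVE_CHROOT` pattern, so presumably configure expands them to `-DHAVE_NETWORK`/`-DHAVE_USERNS` or to an empty string; confirm this, because the guards added elsewhere in this commit depend on it.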
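--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -208,7 +208,7 @@ static void check_network(Bridge *br) {
 	}
 }
 
-
+#ifdef HAVE_USERNS
 void check_user_namespace(void) {
 	if (getuid() == 0) {
 		fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");
@@ -228,6 +228,7 @@ void check_user_namespace(void) {
 		arg_noroot = 0;
 	}
 }
+#endif
 
 // exit commands
 static void run_cmd_and_exit(int i, int argc, char **argv) {
@@ -243,6 +244,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 		printf("firejail version %s\n", VERSION);
 		exit(0);
 	}
+#ifdef HAVE_NETWORK
 	else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
 		logargs(argc, argv);
 
@@ -303,7 +305,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 		bandwidth_name(argv[i] + 12, cmd, dev, down, up);
 		exit(0);
 	}
-
+#endif
 	//*************************************
 	// independent commands - the program will exit!
 	//*************************************
@@ -382,10 +384,12 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 		top();
 		exit(0);
 	}
+#ifdef HAVE_NETWORK
 	else if (strcmp(argv[i], "--netstats") == 0) {
 		netstats();
 		exit(0);
 	}
+#endif
 	else if (strncmp(argv[i], "--join=", 7) == 0) {
 		logargs(argc, argv);
 
@@ -397,6 +401,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 		join_name(argv[i] + 7, cfg.homedir, argc, argv, i + 1);
 		exit(0);
 	}
+#ifdef HAVE_NETWORK
 	else if (strncmp(argv[i], "--join-network=", 15) == 0) {
 		logargs(argc, argv);
 		arg_join_network = 1;
@@ -413,6 +418,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 		join_name(argv[i] + 15, cfg.homedir, argc, argv, i + 1);
 		exit(0);
 	}
+#endif
 	else if (strncmp(argv[i], "--join-filesystem=", 18) == 0) {
 		logargs(argc, argv);
 		arg_join_filesystem = 1;
@@ -962,9 +968,11 @@ int main(int argc, char **argv) {
 		}
 		else if (strcmp(argv[i], "--nogroups") == 0)
 			arg_nogroups = 1;
+#ifdef HAVE_USERNS
 		else if (strcmp(argv[i], "--noroot") == 0) {
 			check_user_namespace();
 		}
+#endif
 		else if (strncmp(argv[i], "--env=", 6) == 0)
 			env_store(argv[i] + 6);
 		else if (strncmp(argv[i], "--nosound", 9) == 0) {
@@ -975,6 +983,7 @@ int main(int argc, char **argv) {
 		//*************************************
 		// network
 		//*************************************
+#ifdef HAVE_NETWORK
 		else if (strncmp(argv[i], "--interface=", 12) == 0) {
 			// checks
 			if (arg_nonetwork) {
@@ -1164,6 +1173,7 @@ int main(int argc, char **argv) {
 				return 1;
 			}
 		}
+#endif
 		else if (strncmp(argv[i], "--dns=", 6) == 0) {
 			uint32_t dns;
 			if (atoip(argv[i] + 6, &dns)) {
@@ -1182,6 +1192,7 @@ int main(int argc, char **argv) {
 				return 1;
 			}
 		}
+#ifdef HAVE_NETWORK
 		else if (strcmp(argv[i], "--netfilter") == 0)
 			arg_netfilter = 1;
 		else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
@@ -1194,7 +1205,7 @@ int main(int argc, char **argv) {
 			arg_netfilter6_file = argv[i] + 13;
 			check_netfilter_file(arg_netfilter6_file);
 		}
-
+#endif
 		//*************************************
 		// command
 		//*************************************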
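Review bot: The `#ifdef HAVE_NETWORK` / `#endif` pairs are spliced into the middle of single if/else-if chains at eight places (new lines 247, 308, 387-392, 404-421, 986, 1176, 1195 and 1208), and the guard around the network options in `main` is opened and closed twice only because `--dns=` (and whatever else lies in 1177-1194, outside the hunks) sits between `--interface=` and `--netfilter`. When the feature is compiled out, each chain continues straight from the `}` before an `#ifdef` to the `else if` after its `#endif`; that is correct today, but any option added next to an `#endif` later silently decides which build it belongs to, and nothing on the line says what the `#endif` closes. Moving the `--dns=` block out from between the two islands would let the guards at 1176 and 1195 collapse into one, and a trailing comment on each closer, `#endif // HAVE_NETWORK`, would make the remaining islands auditable. Both `run_cmd_and_exit` and `main` start and end outside these hunks.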
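--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -110,7 +110,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 	}
 	// seccomp, caps, private, user namespace
 	else if (strcmp(ptr, "noroot") == 0) {
+#if HAVE_USERNS
 		check_user_namespace();
+#endif
 		return 0;
 	}
 	else if (strcmp(ptr, "seccomp") == 0) {
@@ -146,31 +148,39 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	else if (strcmp(ptr, "netfilter") == 0) {
+#ifdef HAVE_NETWORK
 		arg_netfilter = 1;
+#endif
 		return 0;
 	}
 	else if (strncmp(ptr, "netfilter ", 10) == 0) {
+#ifdef HAVE_NETWORK
 		arg_netfilter = 1;
 		arg_netfilter_file = strdup(ptr + 10);
 		if (!arg_netfilter_file)
 			errExit("strdup");
 		check_netfilter_file(arg_netfilter_file);
+#endif
 		return 0;
 	}
 	else if (strncmp(ptr, "netfilter6 ", 11) == 0) {
+#ifdef HAVE_NETWORK
 		arg_netfilter6 = 1;
 		arg_netfilter6_file = strdup(ptr + 11);
 		if (!arg_netfilter6_file)
 			errExit("strdup");
 		check_netfilter_file(arg_netfilter6_file);
+#endif
 		return 0;
 	}
 	else if (strcmp(ptr, "net none") == 0) {
+#ifdef HAVE_NETWORK
 		arg_nonetwork = 1;
 		cfg.bridge0.configured = 0;
 		cfg.bridge1.configured = 0;
 		cfg.bridge2.configured = 0;
 		cfg.bridge3.configured = 0;
+#endif
 		return 0;
 	}
 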
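Review bot: When a feature is compiled out, every guarded branch in the hunk at new lines 148-186 (and the `noroot` branch at 113) keeps its `return 0;`, so a profile line such as `net none`, `netfilter ...` or `noroot` is accepted silently and the sandbox starts without the isolation the profile author asked for; nothing tells the user that a security directive was dropped. Each guarded block should at least carry an `#else` branch that reports it before the `#endif`, e.g. `#else` / `fprintf(stderr, "Warning: line %d in %s ignored, network support was disabled at compile time\n", lineno, fname);` (the `lineno` and `fname` parameters are visible in the hunk header), or fall through to whatever `profile_check_line` does for unrecognised lines so the profile is rejected rather than weakened. The `noroot` branch also tests `#if HAVE_USERNS` while every other site in this commit uses `#ifdef`; the two only agree if configure expands the macro to a non-zero value, so `#ifdef HAVE_USERNS` is the consistent and safer spelling. `profile_check_line` starts and ends outside both hunks.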
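--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,10 +34,12 @@ void usage(void) {
 	printf("\n");
 	printf("Options:\n\n");
 	printf("\t-- - signal the end of options and disables further option processing.\n\n");
+#ifdef HAVE_NETWORK
 	printf("\t--bandwidth=name - set bandwidth limits for the sandbox identified\n");
 	printf("\t\tby name, see Traffic Shaping section for more details.\n\n");
 	printf("\t--bandwidth=pid - set bandwidth limits for the sandbox identified\n");
 	printf("\t\tby PID, see Traffic Shaping section for more details.\n\n");
+#endif
 #ifdef HAVE_BIND
 	printf("\t--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n\n");
 	printf("\t--bind=filename1,dirname2 - mount-bind filename1 on top of filename2.\n\n");
@@ -81,8 +83,10 @@ void usage(void) {
 
 
 
+#ifdef HAVE_NETWORK
 	printf("\t--defaultgw=address - use this address as default gateway in the new\n");
 	printf("\t\tnetwork namespace.\n\n");
+#endif
 	printf("\t--dns=address - set a DNS server for the sandbox. Up to three DNS\n");
 	printf("\t\tservers can be defined.\n\n");
 	printf("\t--dns.print=name - print DNS configuration for the sandbox identified\n");
@@ -99,15 +103,16 @@ void usage(void) {
 	printf("\t--help, -? - this help screen.\n\n");
 	printf("\t--hostname=name - set sandbox hostname.\n\n");
 	printf("\t--ignore=command - ignore command in profile files.\n\n");
+#ifdef HAVE_NETWORK
 	printf("\t--interface=name - move interface in a new network namespace. Up to\n");
 	printf("\t\tfour --interface options can be sepcified.\n\n");
-
 	printf("\t--ip=address - set interface IP address.\n\n");
 	printf("\t--ip=none - no IP address and no default gateway address are configured\n");
 	printf("\t\tin the new network namespace. Use this option in case you intend\n");
 	printf("\t\tto start an external DHCP client in the sandbox.\n\n");
 	printf("\t--ip6=address - set interface IPv6 address.\n\n");
 	printf("\t--iprange=address,address - configure an IP address in this range\n\n");
+#endif
 	printf("\t--ipc-namespace - enable a new IPC namespace if the sandbox was started\n");
 	printf("\t\tas a regular user. IPC namespace is enabled by default only if\n");
 	printf("\t\tthe sandbox is started as root.\n\n");
@@ -117,14 +122,19 @@ void usage(void) {
 	printf("\t\tidentified by name.\n\n");
 	printf("\t--join-filesystem=pid - join the mount namespace of the sandbox\n");
 	printf("\t\tidentified by PID.\n\n");
+#ifdef HAVE_NETWORK
 	printf("\t--join-network=name - join the network namespace of the sandbox\n");
 	printf("\t\tidentified by name.\n\n");
 	printf("\t--join-network=pid - join the network namespace of the sandbox\n");
 	printf("\t\tidentified by PID.\n\n");
+#endif
 	printf("\t--list - list all sandboxes.\n\n");
+#ifdef HAVE_NETWORK
 	printf("\t--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n\n");
 	printf("\t--mtu=number - set interface MTU.\n\n");
+#endif
 	printf("\t--name=name - set sandbox name.\n\n");
+#ifdef HAVE_NETWORK
 	printf("\t--net=bridgename - enable network namespaces and connect to this bridge\n");
 	printf("\t\tdevice. Unless specified with option --ip and --defaultgw, an\n");
 	printf("\t\tIP address and a default gateway will be assigned automatically\n");
@@ -163,6 +173,7 @@ void usage(void) {
 
 	printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
 	printf("\t\tnetwork namespace.\n\n");
+#endif
 	printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n");
 	printf("\t\tor file.\n\n");
 	printf("\t--nogroups - disable supplementary groups. Without this option,\n");
@@ -175,11 +186,11 @@ void usage(void) {
 	printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
 	printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
 	printf("\t\troot.\n\n");
-
+#ifdef HAVE_USERNS
 	printf("\t--noroot - install a user namespace with a single user - the current\n");
 	printf("\t\tuser. root user does not exist in the new namespace. This option\n");
 	printf("\t\tis not supported for --chroot and --overlay configurations.\n\n");
-
+#endif
 	printf("\t--nosound - disable sound system\n\n");
 
 	printf("\t--output=logfile - stdout logging and log rotation. Copy stdout to\n");
@@ -239,11 +250,11 @@ void usage(void) {
 	printf("\t\tcreated for the real user ID of the calling process.\n\n");
 	printf("\t--rlimit-sigpending=number - set the maximum number of pending signals\n");
 	printf("\t\tfor a process.\n\n");
-
+#ifdef HAVE_NETWORK
 	printf("\t--scan - ARP-scan all the networks from inside a network namespace.\n");
 	printf("\t\tThis makes it possible to detect macvlan kernel device drivers\n");
 	printf("\t\trunning on the current host.\n\n");
-
+#endif
 #ifdef HAVE_SECCOMP
 	printf("\t--seccomp - enable seccomp filter and blacklist the syscalls in the\n");
 	printf("\t\tlist. The default list is as follows: mount, umount2,\n");
@@ -294,6 +305,7 @@ void usage(void) {
 	printf("\n");
 
 
+#ifdef HAVE_NETWORK
 	printf("Traffic Shaping\n\n");
 
 	printf("Network bandwidth is an expensive resource shared among all sandboxes\n");
@@ -323,7 +335,7 @@ void usage(void) {
 	printf("\t$ firejail --bandwidth=mybrowser clear eth0\n");
 	printf("\n");
 	printf("\n");
-
+#endif
 
 
 	printf("Monitoring\n\n");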
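Review bot: The `#ifdef HAVE_NETWORK` opened before `--net=bridgename` at new line 137 is not closed until after `--netstats` at 176, and new lines 141-172 are outside every hunk on this page, so any non-network option whose help text sits in that stretch would vanish from `--help` on a `--disable-network` build while its parser in main.c stays active. Worth reading that range and, if it holds anything unrelated, splitting the guard the way the hunk at 122-140 already does around `--list` and `--name`. The `--dns=` and `--dns.print` entries are left outside the guard at 89, which matches the `--dns=` handling in main.c; a comment there such as `// --dns options stay available without HAVE_NETWORK (see main.c)` would record that this is intentional rather than an oversight. `usage()` starts and ends outside these hunks.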