Make `restricted-network` prevent use of netfilter

author: The Fox in the Shell <KellerFuchs@hashbang.sh> 2016-05-25 15:51:26 +0200
committer: The Fox in the Shell <KellerFuchs@hashbang.sh> 2016-05-25 15:51:26 +0200
commit: 99d9a32bfabe97a6eeeccb024a68feed331d8f74 (patch)
tree: 44e9886a02f97fe5092b63e63b835cf420440e17 /src
parent: 0.9.40 testing (diff)
download: firejail-99d9a32bfabe97a6eeeccb024a68feed331d8f74.tar.gz
firejail-99d9a32bfabe97a6eeeccb024a68feed331d8f74.tar.zst
firejail-99d9a32bfabe97a6eeeccb024a68feed331d8f74.zip
1 files changed, 24 insertions, 0 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a540d468b..a2342843b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1675,6 +1675,18 @@ int main(int argc, char **argv) {
 #ifdef HAVE_NETWORK
                else if (strcmp(argv[i], "--netfilter") == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
                        if (checkcfg(CFG_NETWORK)) {
                                arg_netfilter = 1;
                        }
@@ -1685,6 +1697,18 @@ int main(int argc, char **argv) {
                }
                else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
                        if (checkcfg(CFG_NETWORK)) {
                                arg_netfilter = 1;
                                arg_netfilter_file = argv[i] + 12;
author	The Fox in the Shell <KellerFuchs@hashbang.sh>	2016-05-25 15:51:26 +0200
committer	The Fox in the Shell <KellerFuchs@hashbang.sh>	2016-05-25 15:51:26 +0200
commit	99d9a32bfabe97a6eeeccb024a68feed331d8f74 (patch)
tree	44e9886a02f97fe5092b63e63b835cf420440e17 /src
parent	0.9.40 testing (diff)
download	firejail-99d9a32bfabe97a6eeeccb024a68feed331d8f74.tar.gz firejail-99d9a32bfabe97a6eeeccb024a68feed331d8f74.tar.zst firejail-99d9a32bfabe97a6eeeccb024a68feed331d8f74.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index a540d468b..a2342843b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1675,6 +1675,18 @@ int main(int argc, char **argv) {
1675		1675
1676	#ifdef HAVE_NETWORK	1676	#ifdef HAVE_NETWORK
1677	else if (strcmp(argv[i], "--netfilter") == 0) {	1677	else if (strcmp(argv[i], "--netfilter") == 0) {
		1678	#ifdef HAVE_NETWORK_RESTRICTED
		1679	// compile time restricted networking
		1680	if (getuid() != 0) {
		1681	fprintf(stderr, "Error: --netfilter is only allowed for root\n");
		1682	exit(1);
		1683	}
		1684	#endif
		1685	// run time restricted networking
		1686	if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
		1687	fprintf(stderr, "Error: --netfilter is only allowed for root\n");
		1688	exit(1);
		1689	}
1678	if (checkcfg(CFG_NETWORK)) {	1690	if (checkcfg(CFG_NETWORK)) {
1679	arg_netfilter = 1;	1691	arg_netfilter = 1;
1680	}	1692	}
@@ -1685,6 +1697,18 @@ int main(int argc, char **argv) {
1685	}	1697	}
1686		1698
1687	else if (strncmp(argv[i], "--netfilter=", 12) == 0) {	1699	else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
		1700	#ifdef HAVE_NETWORK_RESTRICTED
		1701	// compile time restricted networking
		1702	if (getuid() != 0) {
		1703	fprintf(stderr, "Error: --netfilter is only allowed for root\n");
		1704	exit(1);
		1705	}
		1706	#endif
		1707	// run time restricted networking
		1708	if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
		1709	fprintf(stderr, "Error: --netfilter is only allowed for root\n");
		1710	exit(1);
		1711	}
1688	if (checkcfg(CFG_NETWORK)) {	1712	if (checkcfg(CFG_NETWORK)) {
1689	arg_netfilter = 1;	1713	arg_netfilter = 1;
1690	arg_netfilter_file = argv[i] + 12;	1714	arg_netfilter_file = argv[i] + 12;