Merge pull request #415 from avoidr/add_net_to_profiles

profile.c: add --net <iface>

2 files changed, 50 insertions, 2 deletions

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ec1bd5ee3..22d6beb56 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -232,6 +232,34 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
+        else if (strncmp(ptr, "net ", 4) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        if (strcmp(ptr + 4, "lo") == 0) {
+                                fprintf(stderr, "Error: cannot attach to lo device\n");
+                                exit(1);
+                        }
+
+                        Bridge *br;
+                        if (cfg.bridge0.configured == 0)
+                                br = &cfg.bridge0;
+                        else if (cfg.bridge1.configured == 0)
+                                br = &cfg.bridge1;
+                        else if (cfg.bridge2.configured == 0)
+                                br = &cfg.bridge2;
+                        else if (cfg.bridge3.configured == 0)
+                                br = &cfg.bridge3;
+                        else {
+                                fprintf(stderr, "Error: maximum 4 network devices are allowed\n");
+                                exit(1);
+                        }
+                        net_configure_bridge(br, ptr + 4);
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
         
         if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b135ee615..ddfae5948 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -296,10 +296,30 @@ If a new network namespace is created, enabled default network filter.
 If a new network namespace is created, enabled the network filter in filename.
 
 .TP
+\fBnet bridge_interface
+Enable a new network namespace and connect it to this bridge interface.
+Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned
+automatically to the sandbox. The IP address is verified using ARP before assignment. The address
+configured as default gateway is the bridge device IP address. Up to four \-\-net
+bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
+
+.TP
+\fBnet ethernet_interface
+Enable a new network namespace and connect it
+to this ethernet interface using the standard Linux macvlan
+driver. Unless specified with option \-\-ip and \-\-defaultgw, an
+IP address and a default gateway will be assigned automatically
+to the sandbox. The IP address is verified using ARP before
+assignment. The address configured as default gateway is the
+default gateway of the host. Up to four \-\-net devices can
+be defined. Mixing bridge and macvlan devices is allowed.
+Note: wlan devices are not supported for this option.
+
+.TP
 \fBnet none
-Enable  a new, unconnected network namespace. The only interface
+Enable a new, unconnected network namespace. The only interface
 available in the new namespace is a new loopback interface (lo).
-Use  this  option  to deny network access to programs that don't
+Use this option to deny network access to programs that don't
 really need network access.
 
 .TP