network profile fix

author: netblue30 <netblue30@yahoo.com> 2016-04-08 11:51:19 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-08 11:51:19 -0400
commit: f65fceb93caae524fcbd3a2c161618e0cb3099a6 (patch)
tree: d2d7ec343f5a63973a61fb9d22695e2927a99726 /src
parent: network profile fix (diff)
download: firejail-f65fceb93caae524fcbd3a2c161618e0cb3099a6.tar.gz
firejail-f65fceb93caae524fcbd3a2c161618e0cb3099a6.tar.zst
firejail-f65fceb93caae524fcbd3a2c161618e0cb3099a6.zip
1 files changed, 13 insertions, 0 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 22d6beb56..a917152ff 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -235,6 +235,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        else if (strncmp(ptr, "net ", 4) == 0) {
 #ifdef HAVE_NETWORK
                if (checkcfg(CFG_NETWORK)) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
+                                exit(1);
+                        }
+                        
                        if (strcmp(ptr + 4, "lo") == 0) {
                                fprintf(stderr, "Error: cannot attach to lo device\n");
                                exit(1);
author	netblue30 <netblue30@yahoo.com>	2016-04-08 11:51:19 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-08 11:51:19 -0400
commit	f65fceb93caae524fcbd3a2c161618e0cb3099a6 (patch)
tree	d2d7ec343f5a63973a61fb9d22695e2927a99726 /src
parent	network profile fix (diff)
download	firejail-f65fceb93caae524fcbd3a2c161618e0cb3099a6.tar.gz firejail-f65fceb93caae524fcbd3a2c161618e0cb3099a6.tar.zst firejail-f65fceb93caae524fcbd3a2c161618e0cb3099a6.zip

diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 22d6beb56..a917152ff 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -235,6 +235,19 @@ int profile_check_line(char ptr, int lineno, const char fname) {
235	else if (strncmp(ptr, "net ", 4) == 0) {	235	else if (strncmp(ptr, "net ", 4) == 0) {
236	#ifdef HAVE_NETWORK	236	#ifdef HAVE_NETWORK
237	if (checkcfg(CFG_NETWORK)) {	237	if (checkcfg(CFG_NETWORK)) {
		238	#ifdef HAVE_NETWORK_RESTRICTED
		239	// compile time restricted networking
		240	if (getuid() != 0) {
		241	fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
		242	exit(1);
		243	}
		244	#endif
		245	// run time restricted networking
		246	if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
		247	fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
		248	exit(1);
		249	}
		250
238	if (strcmp(ptr + 4, "lo") == 0) {	251	if (strcmp(ptr + 4, "lo") == 0) {
239	fprintf(stderr, "Error: cannot attach to lo device\n");	252	fprintf(stderr, "Error: cannot attach to lo device\n");
240	exit(1);	253	exit(1);