author | startx2017 <vradu.startx@yandex.com> | 2018-07-26 09:58:50 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2018-07-26 09:58:50 -0400 |
commit | 45d5fe7c2aa0d6e08f19dc9eacd50314530958fd (patch) | |
tree | 43322a6274c97e4677d657aa33a1dfc1e46d3583 /src | |
parent | Document #1945 (diff) | |
removed compile time --enable-network=restricted, --net=none allowed even if networking was disabled at compile time or at run time, fixed issue #2061
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 11 | ||||
-rw-r--r-- | src/firejail/main.c | 61 | ||||
-rw-r--r-- | src/firejail/profile.c | 37 |
3 files changed, 28 insertions, 81 deletions
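--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -373,6 +373,13 @@ int checkcfg(int val) {
 initialized = 1;
 }
 
+
+// merge CFG_RESTRICTED_NETWORK into CFG_NETWORK
+if (val == CFG_NETWORK) {
+if (cfg_val[CFG_RESTRICTED_NETWORK] && getuid() != 0)
+return 0;
+}
+
 return cfg_val[val];
 
 errout:
@@ -443,10 +450,6 @@ void print_compiletime_support(void) {
 #endif
 );
 
-#ifdef HAVE_NETWORK_RESTRICTED
-printf("\t- networking features are available only to root user\n");
-#endif
-
 printf("\t- overlayfs support is %s\n",
 #ifdef HAVE_OVERLAYFS
 "enabled"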
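Review bot: Folding the restricted-network test into checkcfg(CFG_NETWORK) turns a hard refusal into a silent skip for non-root users: the branches removed in main.c (--interface, --net=, --netfilter) and profile.c (net) all called exit(1), whereas now checkcfg() returns 0 and each caller takes its "feature disabled" path, which the removed profile.c net-none code shows is warning_feature_disabled("networking"). The result is that a network restriction the user explicitly asked for is dropped with a warning that blames the configuration file, and the sandbox presumably goes on in the host network namespace; the else branches of the surviving callers are outside these hunks, so confirm none of them still needs to fail closed. The comment at new line 377 should state what the merge means for callers: `// restricted networking: report CFG_NETWORK as disabled to non-root users so callers take their "feature disabled" path instead of checking CFG_RESTRICTED_NETWORK themselves`. The new branch sits inside checkcfg(), whose start and end are outside the hunk.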
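--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1745,22 +1745,21 @@ int main(int argc, char **argv) {
 //*************************************
 // network
 //*************************************
+else if (strcmp(argv[i], "--net=none") == 0) {
+arg_nonetwork = 1;
+cfg.bridge0.configured = 0;
+cfg.bridge1.configured = 0;
+cfg.bridge2.configured = 0;
+cfg.bridge3.configured = 0;
+cfg.interface0.configured = 0;
+cfg.interface1.configured = 0;
+cfg.interface2.configured = 0;
+cfg.interface3.configured = 0;
+continue;
+}
 #ifdef HAVE_NETWORK
 else if (strncmp(argv[i], "--interface=", 12) == 0) {
 if (checkcfg(CFG_NETWORK)) {
-#ifdef HAVE_NETWORK_RESTRICTED
-// compile time restricted networking
-if (getuid() != 0) {
-fprintf(stderr, "Error: --interface is allowed only to root user\n");
-exit(1);
-}
-#endif
-// run time restricted networking
-if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-fprintf(stderr, "Error: --interface is allowed only to root user\n");
-exit(1);
-}
-
 // checks
 if (arg_nonetwork) {
 fprintf(stderr, "Error: --network=none and --interface are incompatible\n");
@@ -1818,18 +1817,6 @@ int main(int argc, char **argv) {
 continue;
 }
 
-#ifdef HAVE_NETWORK_RESTRICTED
-// compile time restricted networking
-if (getuid() != 0) {
-fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
-exit(1);
-}
-#endif
-// run time restricted networking
-if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
-exit(1);
-}
 if (strcmp(argv[i] + 6, "lo") == 0) {
 fprintf(stderr, "Error: cannot attach to lo device\n");
 exit(1);
@@ -2072,18 +2059,6 @@ int main(int argc, char **argv) {
 
 #ifdef HAVE_NETWORK
 else if (strcmp(argv[i], "--netfilter") == 0) {
-#ifdef HAVE_NETWORK_RESTRICTED
-// compile time restricted networking
-if (getuid() != 0) {
-fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-exit(1);
-}
-#endif
-// run time restricted networking
-if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-exit(1);
-}
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 }
@@ -2092,18 +2067,6 @@ int main(int argc, char **argv) {
 }
 
 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
-#ifdef HAVE_NETWORK_RESTRICTED
-// compile time restricted networking
-if (getuid() != 0) {
-fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-exit(1);
-}
-#endif
-// run time restricted networking
-if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-exit(1);
-}
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 arg_netfilter_file = argv[i] + 12;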
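Review bot: The diagnostic kept at new line 1765 says `--network=none`, but the option the block added at new lines 1748-1759 actually parses is `--net=none`, so the message steers the user to a flag that does not exist; suggest `fprintf(stderr, "Error: --net=none and --interface are incompatible\n");`. The nine `configured = 0` assignments added here are the same nine lines as the new net-none branch in profile.c; one shared helper called from both places would keep the two in step when a fifth bridge or interface is ever added. The new block is one arm of the long option chain in main(), whose body begins and ends outside the hunk.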
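--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -307,39 +307,20 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "net none") == 0) {
-#ifdef HAVE_NETWORK
-if (checkcfg(CFG_NETWORK)) {
-arg_nonetwork = 1;
-cfg.bridge0.configured = 0;
-cfg.bridge1.configured = 0;
-cfg.bridge2.configured = 0;
-cfg.bridge3.configured = 0;
-cfg.interface0.configured = 0;
-cfg.interface1.configured = 0;
-cfg.interface2.configured = 0;
-cfg.interface3.configured = 0;
-}
-else
-warning_feature_disabled("networking");
-#endif
+arg_nonetwork = 1;
+cfg.bridge0.configured = 0;
+cfg.bridge1.configured = 0;
+cfg.bridge2.configured = 0;
+cfg.bridge3.configured = 0;
+cfg.interface0.configured = 0;
+cfg.interface1.configured = 0;
+cfg.interface2.configured = 0;
+cfg.interface3.configured = 0;
 return 0;
 }
 else if (strncmp(ptr, "net ", 4) == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {
-#ifdef HAVE_NETWORK_RESTRICTED
-// compile time restricted networking
-if (getuid() != 0) {
-fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
-exit(1);
-}
-#endif
-// run time restricted networking
-if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
-exit(1);
-}
-
 if (strcmp(ptr + 4, "lo") == 0) {
 fprintf(stderr, "Error: cannot attach to lo device\n");
 exit(1);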
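Review bot: The now-unconditional net-none branch (new lines 310-318) only sets arg_nonetwork and clears the configured flags; whether that request is honoured in a build without networking depends on the code that consumes arg_nonetwork, which is not in this hunk — if that consumer is itself under #ifdef HAVE_NETWORK the profile line would be accepted but have no effect, which is worth confirming before relying on it. A one-line comment would record the intent so the next reader does not re-guard it: `// "net none" is accepted even when networking is disabled at compile or run time (#2061)`. The surrounding net branch and profile_check_line() itself continue outside the hunk.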