aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorLibravatar startx2017 <vradu.startx@yandex.com>2018-07-26 09:58:50 -0400
committerLibravatar startx2017 <vradu.startx@yandex.com>2018-07-26 09:58:50 -0400
commit45d5fe7c2aa0d6e08f19dc9eacd50314530958fd (patch)
tree43322a6274c97e4677d657aa33a1dfc1e46d3583 /src
parentDocument #1945 (diff)
downloadfirejail-45d5fe7c2aa0d6e08f19dc9eacd50314530958fd.tar.gz
firejail-45d5fe7c2aa0d6e08f19dc9eacd50314530958fd.tar.zst
firejail-45d5fe7c2aa0d6e08f19dc9eacd50314530958fd.zip
removed compile time --enable-network=restricted, --net=none allowed even if networking was disabled at compile time or at run time, fixed issue #2061
Diffstat (limited to 'src')
-rw-r--r--src/firejail/checkcfg.c11
-rw-r--r--src/firejail/main.c61
-rw-r--r--src/firejail/profile.c37
3 files changed, 28 insertions, 81 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 42ff31976..7483136f4 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -373,6 +373,13 @@ int checkcfg(int val) {
373 initialized = 1; 373 initialized = 1;
374 } 374 }
375 375
376
377 // merge CFG_RESTRICTED_NETWORK into CFG_NETWORK
378 if (val == CFG_NETWORK) {
379 if (cfg_val[CFG_RESTRICTED_NETWORK] && getuid() != 0)
380 return 0;
381 }
382
376 return cfg_val[val]; 383 return cfg_val[val];
377 384
378errout: 385errout:
@@ -443,10 +450,6 @@ void print_compiletime_support(void) {
443#endif 450#endif
444 ); 451 );
445 452
446#ifdef HAVE_NETWORK_RESTRICTED
447 printf("\t- networking features are available only to root user\n");
448#endif
449
450 printf("\t- overlayfs support is %s\n", 453 printf("\t- overlayfs support is %s\n",
451#ifdef HAVE_OVERLAYFS 454#ifdef HAVE_OVERLAYFS
452 "enabled" 455 "enabled"
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8e4fc6f38..3e092a3cc 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1745,22 +1745,21 @@ int main(int argc, char **argv) {
1745 //************************************* 1745 //*************************************
1746 // network 1746 // network
1747 //************************************* 1747 //*************************************
1748 else if (strcmp(argv[i], "--net=none") == 0) {
1749 arg_nonetwork = 1;
1750 cfg.bridge0.configured = 0;
1751 cfg.bridge1.configured = 0;
1752 cfg.bridge2.configured = 0;
1753 cfg.bridge3.configured = 0;
1754 cfg.interface0.configured = 0;
1755 cfg.interface1.configured = 0;
1756 cfg.interface2.configured = 0;
1757 cfg.interface3.configured = 0;
1758 continue;
1759 }
1748#ifdef HAVE_NETWORK 1760#ifdef HAVE_NETWORK
1749 else if (strncmp(argv[i], "--interface=", 12) == 0) { 1761 else if (strncmp(argv[i], "--interface=", 12) == 0) {
1750 if (checkcfg(CFG_NETWORK)) { 1762 if (checkcfg(CFG_NETWORK)) {
1751#ifdef HAVE_NETWORK_RESTRICTED
1752 // compile time restricted networking
1753 if (getuid() != 0) {
1754 fprintf(stderr, "Error: --interface is allowed only to root user\n");
1755 exit(1);
1756 }
1757#endif
1758 // run time restricted networking
1759 if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
1760 fprintf(stderr, "Error: --interface is allowed only to root user\n");
1761 exit(1);
1762 }
1763
1764 // checks 1763 // checks
1765 if (arg_nonetwork) { 1764 if (arg_nonetwork) {
1766 fprintf(stderr, "Error: --network=none and --interface are incompatible\n"); 1765 fprintf(stderr, "Error: --network=none and --interface are incompatible\n");
@@ -1818,18 +1817,6 @@ int main(int argc, char **argv) {
1818 continue; 1817 continue;
1819 } 1818 }
1820 1819
1821#ifdef HAVE_NETWORK_RESTRICTED
1822 // compile time restricted networking
1823 if (getuid() != 0) {
1824 fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
1825 exit(1);
1826 }
1827#endif
1828 // run time restricted networking
1829 if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
1830 fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
1831 exit(1);
1832 }
1833 if (strcmp(argv[i] + 6, "lo") == 0) { 1820 if (strcmp(argv[i] + 6, "lo") == 0) {
1834 fprintf(stderr, "Error: cannot attach to lo device\n"); 1821 fprintf(stderr, "Error: cannot attach to lo device\n");
1835 exit(1); 1822 exit(1);
@@ -2072,18 +2059,6 @@ int main(int argc, char **argv) {
2072 2059
2073#ifdef HAVE_NETWORK 2060#ifdef HAVE_NETWORK
2074 else if (strcmp(argv[i], "--netfilter") == 0) { 2061 else if (strcmp(argv[i], "--netfilter") == 0) {
2075#ifdef HAVE_NETWORK_RESTRICTED
2076 // compile time restricted networking
2077 if (getuid() != 0) {
2078 fprintf(stderr, "Error: --netfilter is only allowed for root\n");
2079 exit(1);
2080 }
2081#endif
2082 // run time restricted networking
2083 if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
2084 fprintf(stderr, "Error: --netfilter is only allowed for root\n");
2085 exit(1);
2086 }
2087 if (checkcfg(CFG_NETWORK)) { 2062 if (checkcfg(CFG_NETWORK)) {
2088 arg_netfilter = 1; 2063 arg_netfilter = 1;
2089 } 2064 }
@@ -2092,18 +2067,6 @@ int main(int argc, char **argv) {
2092 } 2067 }
2093 2068
2094 else if (strncmp(argv[i], "--netfilter=", 12) == 0) { 2069 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
2095#ifdef HAVE_NETWORK_RESTRICTED
2096 // compile time restricted networking
2097 if (getuid() != 0) {
2098 fprintf(stderr, "Error: --netfilter is only allowed for root\n");
2099 exit(1);
2100 }
2101#endif
2102 // run time restricted networking
2103 if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
2104 fprintf(stderr, "Error: --netfilter is only allowed for root\n");
2105 exit(1);
2106 }
2107 if (checkcfg(CFG_NETWORK)) { 2070 if (checkcfg(CFG_NETWORK)) {
2108 arg_netfilter = 1; 2071 arg_netfilter = 1;
2109 arg_netfilter_file = argv[i] + 12; 2072 arg_netfilter_file = argv[i] + 12;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 425f8f5c9..4b2fb3abd 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -307,39 +307,20 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
307 return 0; 307 return 0;
308 } 308 }
309 else if (strcmp(ptr, "net none") == 0) { 309 else if (strcmp(ptr, "net none") == 0) {
310#ifdef HAVE_NETWORK 310 arg_nonetwork = 1;
311 if (checkcfg(CFG_NETWORK)) { 311 cfg.bridge0.configured = 0;
312 arg_nonetwork = 1; 312 cfg.bridge1.configured = 0;
313 cfg.bridge0.configured = 0; 313 cfg.bridge2.configured = 0;
314 cfg.bridge1.configured = 0; 314 cfg.bridge3.configured = 0;
315 cfg.bridge2.configured = 0; 315 cfg.interface0.configured = 0;
316 cfg.bridge3.configured = 0; 316 cfg.interface1.configured = 0;
317 cfg.interface0.configured = 0; 317 cfg.interface2.configured = 0;
318 cfg.interface1.configured = 0; 318 cfg.interface3.configured = 0;
319 cfg.interface2.configured = 0;
320 cfg.interface3.configured = 0;
321 }
322 else
323 warning_feature_disabled("networking");
324#endif
325 return 0; 319 return 0;
326 } 320 }
327 else if (strncmp(ptr, "net ", 4) == 0) { 321 else if (strncmp(ptr, "net ", 4) == 0) {
328#ifdef HAVE_NETWORK 322#ifdef HAVE_NETWORK
329 if (checkcfg(CFG_NETWORK)) { 323 if (checkcfg(CFG_NETWORK)) {
330#ifdef HAVE_NETWORK_RESTRICTED
331 // compile time restricted networking
332 if (getuid() != 0) {
333 fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
334 exit(1);
335 }
336#endif
337 // run time restricted networking
338 if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
339 fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
340 exit(1);
341 }
342
343 if (strcmp(ptr + 4, "lo") == 0) { 324 if (strcmp(ptr + 4, "lo") == 0) {
344 fprintf(stderr, "Error: cannot attach to lo device\n"); 325 fprintf(stderr, "Error: cannot attach to lo device\n");
345 exit(1); 326 exit(1);
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-03 20:48:47 +0000