authorLibravatar Kristóf Marussy <kris7topher@gmail.com>2019-12-26 19:08:00 +0100
committerLibravatar Kristóf Marussy <kris7topher@gmail.com>2019-12-30 02:38:59 +0100
commita50e86844715442008ef75aff0d466e19e473f04 (patch)
tree4e3c953432c62c50839da6b1b5c9939d2dcd1873 /src
parentHarden file-roller (diff)
Add --ip=dhcp and --ip6=dhcp options
Currently, --ip=dhcp is equivalent to --ip=none, and --ip6=dhcp is parsed correctly but otherwise does nothing.
Diffstat (limited to 'src')
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/main.c27
-rw-r--r--src/firejail/profile.c30
3 files changed, 37 insertions, 22 deletions
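diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 03bcbda46..a5eeb4067 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -103,6 +103,8 @@ typedef struct bridge_t {
 
 // flags
 uint8_t arg_ip_none; // --ip=none
+uint8_t arg_ip_dhcp;
+uint8_t arg_ip6_dhcp;
 uint8_t macvlan; // set by --net=eth0 (or eth1, ...); reset by --net=br0 (or br1, ...)
 uint8_t configured;
 uint8_t scan; // set by --scan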
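Review bot: The two new flags in bridge_t, `arg_ip_dhcp` and `arg_ip6_dhcp`, carry no comment, while the neighbouring fields name the option that sets them. Suggest `uint8_t arg_ip_dhcp; // --ip=dhcp; arg_ip_none is set together with it` and `uint8_t arg_ip6_dhcp; // --ip6=dhcp`. Recording that the IPv4 flag is paired with `arg_ip_none`, as the main.c and profile.c sections of this commit do, tells a later reader that testing `arg_ip_none` alone does not distinguish "no address" from "address expected from DHCP". The struct definition starts and ends outside the hunk.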
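diff --git a/src/firejail/main.c b/src/firejail/main.c
index 179f8ddf9..0b9ebc482 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2144,7 +2144,10 @@ int main(int argc, char **argv) {
 // configure this IP address for the last bridge defined
 if (strcmp(argv[i] + 5, "none") == 0)
 br->arg_ip_none = 1;
-else {
+else if (strcmp(argv[i] + 5, "dhcp") == 0) {
+br->arg_ip_none = 1;
+br->arg_ip_dhcp = 1;
+} else {
 if (atoip(argv[i] + 5, &br->ipsandbox)) {
 fprintf(stderr, "Error: invalid IP address\n");
 exit(1);
@@ -2184,20 +2187,24 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: no network device configured\n");
 exit(1);
 }
-if (br->ip6sandbox) {
+if (br->arg_ip6_dhcp || br->ip6sandbox) {
 fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
 exit(1);
 }
 
 // configure this IP address for the last bridge defined
-if (check_ip46_address(argv[i] + 6) == 0) {
-fprintf(stderr, "Error: invalid IPv6 address\n");
-exit(1);
-}
-
-br->ip6sandbox = strdup(argv[i] + 6);
-if (br->ip6sandbox == NULL)
-errExit("strdup");
+if (strcmp(argv[i] + 6, "dhcp") == 0)
+br->arg_ip6_dhcp = 1;
+else {
+if (check_ip46_address(argv[i] + 6) == 0) {
+fprintf(stderr, "Error: invalid IPv6 address\n");
+exit(1);
+}
+
+br->ip6sandbox = strdup(argv[i] + 6);
+if (br->ip6sandbox == NULL)
+errExit("strdup");
+}
 }
 else
 exit_err_feature("networking");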
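Review bot: The new `--ip=dhcp` and `--ip6=dhcp` branches accept the option, but nothing visible in this commit reads `arg_ip_dhcp` or `arg_ip6_dhcp`, so the sandbox interface is left without an address and the user gets no diagnostic; the commit description confirms this. Until the consumer lands, a warning on both branches would keep a user from assuming the sandbox has the network configuration they asked for, e.g. `fprintf(stderr, "Warning: --ip=dhcp is not implemented yet, no address will be configured\n");`. The same applies to the `ip dhcp` and `ip6 dhcp` branches in profile.c. The IPv4 branch also reuses `arg_ip_none` for dhcp; whether the double-configuration guard ahead of it tests that flag cannot be seen here, since main() continues outside both hunks.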
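diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 9a724331b..959678501 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -672,7 +672,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 // configure this IP address for the last bridge defined
 if (strcmp(ptr + 3, "none") == 0)
 br->arg_ip_none = 1;
-else {
+else if (strcmp(ptr + 3, "dhcp") == 0) {
+br->arg_ip_none = 1;
+br->arg_ip_dhcp = 1;
+} else {
 if (atoip(ptr + 3, &br->ipsandbox)) {
 fprintf(stderr, "Error: invalid IP address\n");
 exit(1);
@@ -693,21 +696,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 fprintf(stderr, "Error: no network device configured\n");
 exit(1);
 }
-if (br->ip6sandbox) {
+if (br->arg_ip6_dhcp || br->ip6sandbox) {
 fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
 exit(1);
 }
 
 // configure this IP address for the last bridge defined
-if (check_ip46_address(ptr + 4) == 0) {
-fprintf(stderr, "Error: invalid IPv6 address\n");
-exit(1);
-}
-
-br->ip6sandbox = strdup(ptr + 4);
-if (br->ip6sandbox == NULL)
-errExit("strdup");
-
+if (strcmp(ptr + 4, "dhcp") == 0)
+br->arg_ip6_dhcp = 1;
+else {
+if (check_ip46_address(ptr + 4) == 0) {
+fprintf(stderr, "Error: invalid IPv6 address\n");
+exit(1);
+}
+
+br->ip6sandbox = strdup(ptr + 4);
+if (br->ip6sandbox == NULL)
+errExit("strdup");
+}
 }
 else
 warning_feature_disabled("networking");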