authorLibravatar netblue30 <netblue30@yahoo.com>2016-09-28 13:23:09 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-09-28 13:23:09 -0400
commitd50b3b3db2df3ac5e82bbf49eb8de132099488f0 (patch)
tree3c212f9391035d677a7fbb81c8272a3ff49224e9 /src
parentprofile cleanup (diff)
--veth-name option
Diffstat (limited to 'src')
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/main.c21
-rw-r--r--src/firejail/network.c6
-rw-r--r--src/firejail/network_main.c9
-rw-r--r--src/firejail/profile.c24
-rw-r--r--src/firejail/usage.c4
-rw-r--r--src/man/firejail-profile.txt5
-rw-r--r--src/man/firejail.txt12
8 files changed, 80 insertions, 3 deletions
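--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -131,6 +131,8 @@ typedef struct bridge_t {
 uint8_t mac[6]; // interface mac address
 int mtu; // interface mtu
 
+char *veth_name; // veth name for the device connected to the bridge
+
 // inside the sandbox
 char *devsandbox; // name of the device inside the sandbox
 uint32_t ipsandbox; // ip address inside the sandbox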
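Review bot: The comment on the new `veth_name` field does not record the contract the rest of this commit relies on: NULL means "generate the default name", and a non-NULL value is a user-supplied string (from the command line or a profile) allocated with strdup in main.c and profile.c. Since network_main.c aliases the field into a local that is otherwise heap-owned, the ownership should be stated where the field is declared, e.g. `char *veth_name; // user-chosen name for the veth end attached to the bridge; NULL = generated default; strdup'd by the option parsers`. The enclosing struct starts and ends outside the hunk.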
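--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1855,6 +1855,27 @@ int main(int argc, char **argv) {
 }
 }
 
+else if (strncmp(argv[i], "--veth-name=", 12) == 0) {
+if (checkcfg(CFG_NETWORK)) {
+Bridge *br = last_bridge_configured();
+if (br == NULL) {
+fprintf(stderr, "Error: no network device configured\n");
+exit(1);
+}
+br->veth_name = strdup(argv[i] + 12);
+if (br->veth_name == NULL)
+errExit("strdup");
+if (*br->veth_name == '\0') {
+fprintf(stderr, "Error: no veth-name configured\n");
+exit(1);
+}
+}
+else {
+fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+exit(1);
+}
+}
+
 else if (strcmp(argv[i], "--scan") == 0) {
 if (checkcfg(CFG_NETWORK)) {
 arg_scan = 1;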
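Review bot: The value after `--veth-name=` is only checked for being non-empty before it is stored in `br->veth_name` and later passed by network_main.c to `net_create_veth` as a kernel interface name; there is no length or character check, so an over-long name, or one containing '/', ':' or whitespace, travels from an unprivileged command line into a privileged netlink operation and is rejected only by the kernel, with a less clear error. Linux limits interface names to IFNAMSIZ bytes including the terminator, so after the empty check add `if (strlen(br->veth_name) >= IFNAMSIZ) { fprintf(stderr, "Error: veth name too long\n"); exit(1); }` (IFNAMSIZ comes from <net/if.h> if this file does not already include it) and reject the characters above the same way. The `veth-name ` handler added to profile.c has the same gap and should share the check. A repeated `--veth-name=` also overwrites the previous strdup'd pointer without freeing it, which is harmless here but worth a `free(br->veth_name);` before the assignment. `main` continues outside the hunk.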
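--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -204,6 +204,7 @@ void net_if_up(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
 
@@ -212,6 +213,7 @@ void net_if_up(const char *ifname) {
 // set the new flags
 if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
 
@@ -219,6 +221,7 @@ void net_if_up(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
 
@@ -230,6 +233,7 @@ void net_if_up(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
 if (ifr.ifr_flags & IFF_RUNNING)
@@ -260,6 +264,7 @@ void net_if_down(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot shut down interface %s\n", ifname);
 errExit("ioctl");
 }
 
@@ -268,6 +273,7 @@ void net_if_down(const char *ifname) {
 // set the new flags
 if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot shut down interface %s\n", ifname);
 errExit("ioctl");
 }
 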
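Review bot: The diagnostic added in each of the six hunks goes to stdout through `printf`, whereas every other message this commit adds (main.c, profile.c) uses `fprintf(stderr, ...)` and the `errExit` that follows reports on stderr too; on stdout the line is mixed with the sandboxed program's output and is lost when that output is redirected. Prefer `fprintf(stderr, "Error: cannot bring up interface %s\n", ifname);` in `net_if_up` and the "shut down" counterpart in `net_if_down`. Since the wording repeats verbatim four times in one function and twice in the other, a small static helper that prints the message and calls `errExit` would also remove the duplication; both functions start and end outside the hunks.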
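--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -120,8 +120,13 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
 
 // create a veth pair
 char *dev;
-if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0)
-errExit("asprintf");
+if (br->veth_name == NULL) {
+if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0)
+errExit("asprintf");
+}
+else
+dev = br->veth_name;
+
 net_create_veth(dev, ifname, child);
 
 // add interface to the bridge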
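Review bot: After this change `dev` is a heap string the function owns on the default path but an alias of `br->veth_name` on the new path, and the remainder of `net_configure_veth_pair` (which continues past the hunk) cannot tell which; if it frees `dev` once the pair exists, as the asprintf'd allocation suggests it may, the bridge is left holding a freed pointer. Giving both paths their own copy keeps cleanup uniform: `else if ((dev = strdup(br->veth_name)) == NULL)` / `errExit("strdup");`. Note also that a user-chosen name, unlike the pid-derived default, can collide with an interface that already exists on the host; the failure from `net_create_veth` should then name the interface rather than just the failing call.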
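--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -302,6 +302,29 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+else if (strncmp(ptr, "veth-name ", 10) == 0) {
+#ifdef HAVE_NETWORK
+if (checkcfg(CFG_NETWORK)) {
+Bridge *br = last_bridge_configured();
+if (br == NULL) {
+fprintf(stderr, "Error: no network device configured\n");
+exit(1);
+}
+
+br->veth_name = strdup(ptr + 10);
+if (br->veth_name == NULL)
+errExit("strdup");
+if (*br->veth_name == '\0') {
+fprintf(stderr, "Error: no veth-name configured\n");
+exit(1);
+}
+}
+else
+fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+return 0;
+}
+
 else if (strncmp(ptr, "iprange ", 8) == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {
@@ -348,7 +371,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 
 
-// from here
 else if (strncmp(ptr, "mac ", 4) == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {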
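--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -272,6 +272,10 @@ void usage(void) {
 printf("\tdirectoires blacklisted by the security profile.\n\n");
 printf(" --tree - print a tree of all sandboxed processes.\n\n");
 printf(" --version - print program version and exit.\n\n");
+#ifdef HAVE_NETWORK
+printf(" --veth-name=name - use this name for the interface connected to the bridge\n");
+printf("\tfor --net=bridgename commands, instead of the default one.\n\n");
+#endif
 #ifdef HAVE_WHITELIST
 printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
 #endif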
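Review bot: The help text does not say that `--veth-name` applies to the most recently configured `--net` device and therefore has to come after that `--net` argument on the command line, which is the ordering `last_bridge_configured()` in main.c enforces with its "no network device configured" error. Suggest extending the second line to `printf("\tfor --net=bridgename commands, instead of the default one. Must follow the --net option it applies to.\n\n");`. The same sentence is missing from both man page entries in this commit. `usage` starts and ends outside the hunk.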
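--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -474,6 +474,11 @@ available in the new namespace is a new loopback interface (lo).
 Use this option to deny network access to programs that don't
 really need network access.
 
+.TP
+\fBveth-name name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands,
+instead of the default one.
+
 .SH Other
 .TP
 \fBjoin-or-start sandboxname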
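--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1605,6 +1605,18 @@ Example:
 $ firejail \-\-version
 .br
 firejail version 0.9.27
+
+.TP
+\fB\-\-veth-name=name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands,
+instead of the default one.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=br0 --veth-name=if0
+
 .TP
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the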