-rw-r--r-- | README.md | 6 | ||||
-rw-r--r-- | etc/firejail.config | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 24 | ||||
-rw-r--r-- | src/man/firejail-config.txt | 4 |
4 files changed, 31 insertions, 7 deletions
@@ -197,9 +197,9 @@ The following features can be enabled or disabled: | |||
197 | restricted-network | 197 | restricted-network |
198 | Enable or disable restricted network support, default disabled. | 198 | Enable or disable restricted network support, default disabled. |
199 | If enabled, networking features should also be enabled (network | 199 | If enabled, networking features should also be enabled (network |
200 | yes). Restricted networking grants access to --interface and | 200 | yes). Restricted networking grants access to --interface, |
201 | --net=ethXXX only to root user. Regular users are only allowed | 201 | --net=ethXXX and --netfilter only to root user. Regular users |
202 | --net=none. | 202 | are only allowed --net=none. Default disabled |
203 | 203 | ||
204 | secomp Enable or disable seccomp support, default enabled. | 204 | secomp Enable or disable seccomp support, default enabled. |
205 | 205 | ||
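--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -17,8 +17,8 @@
 
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
-# Restricted networking grants access to --interface and --net=ethXXX
-# only to root user. Regular users are only allowed --net=none.
+# Restricted networking grants access to --interface, --net=ethXXX and
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
 
 # Enable or disable seccomp support, default enabled.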
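--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1684,6 +1684,18 @@ int main(int argc, char **argv) {
 
 #ifdef HAVE_NETWORK
 else if (strcmp(argv[i], "--netfilter") == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+// compile time restricted networking
+if (getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
+#endif
+// run time restricted networking
+if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 }
@@ -1694,6 +1706,18 @@ int main(int argc, char **argv) {
 }
 
 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+// compile time restricted networking
+if (getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
+#endif
+// run time restricted networking
+if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 arg_netfilter_file = argv[i] + 12;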
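Review bot: The twelve-line root gate (compile-time `HAVE_NETWORK_RESTRICTED` check plus run-time `checkcfg(CFG_RESTRICTED_NETWORK)` check) is pasted verbatim into both the `--netfilter` branch in the first hunk and the `--netfilter=` branch in the second, so the restricted-network policy for this option now lives in two places that can drift apart on the next edit. Factoring it into one `static` helper called from both branches keeps a single authoritative check and makes it easy to confirm that the `--interface` and `--net=` gates documented alongside it in firejail.config apply the same rule. Note also that the guard runs before the `checkcfg(CFG_NETWORK)` test, so with networking disabled in the config a non-root user is told `--netfilter` requires root rather than that networking is off; whether that matters depends on the `else` side of that test, which is outside the hunk. `main` begins and ends outside both hunks.
```c
// Reject --netfilter for non-root callers when restricted networking is
// compiled in (HAVE_NETWORK_RESTRICTED) or enabled in firejail.config.
static void check_netfilter_restricted(void) {
#ifdef HAVE_NETWORK_RESTRICTED
	// compile time restricted networking
	if (getuid() != 0) {
		fprintf(stderr, "Error: --netfilter is only allowed for root\n");
		exit(1);
	}
#endif
	// run time restricted networking
	if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
		fprintf(stderr, "Error: --netfilter is only allowed for root\n");
		exit(1);
	}
}

// … in main(), first hunk …
else if (strcmp(argv[i], "--netfilter") == 0) {
	check_netfilter_restricted();
	if (checkcfg(CFG_NETWORK)) {
	// … unchanged: arg_netfilter assignment …

// … in main(), second hunk …
else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
	check_netfilter_restricted();
	if (checkcfg(CFG_NETWORK)) {
	// … unchanged: arg_netfilter / arg_netfilter_file assignments …
```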
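--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -33,8 +33,8 @@ Enable or disable networking features, default enabled.
 \fBrestricted-network
 Enable or disable restricted network support, default disabled. If enabled,
 networking features should also be enabled (network yes).
-Restricted networking grants access to --interface and --net=ethXXX
-only to root user. Regular users are only allowed --net=none.
+Restricted networking grants access to --interface, --net=ethXXX and
+\-\-netfilter only to root user. Regular users are only allowed --net=none.
 
 .TP
 \fBsecomp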