-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | src/firejail/firejail.h | 13 | ||||
-rw-r--r-- | src/firejail/list.c | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 13 | ||||
-rw-r--r-- | src/firejail/profile.c | 46 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 31 |
6 files changed, 85 insertions, 25 deletions
@@ -5,7 +5,8 @@ firejail (0.9.40-rc1) baseline; urgency=low | |||
5 | * added --x11=xephyr option | 5 | * added --x11=xephyr option |
6 | * added --cpu.print option | 6 | * added --cpu.print option |
7 | * added filetransfer options --ls and --get | 7 | * added filetransfer options --ls and --get |
8 | * added mkdir, ipc-namespace, net iface and nosound profile commands | 8 | * added mkdir, ipc-namespace, and nosound profile commands |
9 | * added net iface, and iprange profile commands | ||
9 | * --version also prints compile options | 10 | * --version also prints compile options |
10 | * --output option also redirects stderr | 11 | * --output option also redirects stderr |
11 | * added compile-time option to restrict --net= to root only | 12 | * added compile-time option to restrict --net= to root only |
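--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -182,6 +182,19 @@ typedef struct config_t {
 } Config;
 extern Config cfg;
 
+static inline Bridge *last_bridge_configured(void) {
+if (cfg.bridge3.configured)
+return &cfg.bridge3;
+else if (cfg.bridge2.configured)
+return &cfg.bridge2;
+else if (cfg.bridge1.configured)
+return &cfg.bridge1;
+else if (cfg.bridge0.configured)
+return &cfg.bridge0;
+else
+return NULL;
+}
+
 static inline int any_bridge_configured(void) {
 if (cfg.bridge0.configured || cfg.bridge1.configured || cfg.bridge2.configured || cfg.bridge3.configured)
 return 1;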
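--- a/src/firejail/list.c
+++ b/src/firejail/list.c
@@ -21,7 +21,6 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 
-#if 0
 static void grsec_elevate_privileges(void) {
 struct stat s;
 if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
@@ -34,7 +33,6 @@ static void grsec_elevate_privileges(void) {
 errExit("setregid");
 }
 }
-#endif
 
 void top(void) {
 EUID_ASSERT();
@@ -49,7 +47,7 @@ void top(void) {
 
 void netstats(void) {
 EUID_ASSERT();
-// grsec_elevate_privileges();
+grsec_elevate_privileges();
 
 char *arg[4];
 arg[0] = "bash";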
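Review bot: The re-enabled grsec_elevate_privileges() call in netstats() carries no comment saying why the function was parked under `#if 0` or what changed to make calling it safe again, and it runs immediately before an argv starting with `"bash"` is assembled; whether the identity it raises via setregid() (visible in the second hunk) is dropped again before that command is executed is outside this hunk. A call-site comment such as `// grsecurity: <reason the raised identity is needed here>; dropped again in <where>` with the placeholders filled in would record the privilege boundary for the next reader. The body of grsec_elevate_privileges() is cut by the hunk boundary, so I cannot confirm which gid it sets or under what condition.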
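--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -132,19 +132,6 @@ static void my_handler(int s){
 myexit(1);
 }
 
-static inline Bridge *last_bridge_configured(void) {
-if (cfg.bridge3.configured)
-return &cfg.bridge3;
-else if (cfg.bridge2.configured)
-return &cfg.bridge2;
-else if (cfg.bridge1.configured)
-return &cfg.bridge1;
-else if (cfg.bridge0.configured)
-return &cfg.bridge0;
-else
-return NULL;
-}
-
 // return 1 if error, 0 if a valid pid was found
 static inline int read_pid(char *str, pid_t *pid) {
 char *endptr;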
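--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -274,6 +274,52 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+else if (strncmp(ptr, "iprange ", 8) == 0) {
+#ifdef HAVE_NETWORK
+if (checkcfg(CFG_NETWORK)) {
+Bridge *br = last_bridge_configured();
+if (br == NULL) {
+fprintf(stderr, "Error: no network device configured\n");
+exit(1);
+}
+if (br->iprange_start || br->iprange_end) {
+fprintf(stderr, "Error: cannot configure the IP range twice for the same interface\n");
+exit(1);
+}
+
+// parse option arguments
+char *firstip = ptr + 8;
+char *secondip = firstip;
+while (*secondip != '\0') {
+if (*secondip == ',')
+break;
+secondip++;
+}
+if (*secondip == '\0') {
+fprintf(stderr, "Error: invalid IP range\n");
+exit(1);
+}
+*secondip = '\0';
+secondip++;
+
+// check addresses
+if (atoip(firstip, &br->iprange_start) || atoip(secondip, &br->iprange_end) ||
+br->iprange_start >= br->iprange_end) {
+fprintf(stderr, "Error: invalid IP range\n");
+exit(1);
+}
+if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) {
+fprintf(stderr, "Error: IP range addresses not in network range\n");
+exit(1);
+}
+}
+else
+fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+return 0;
+}
+
+
 if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP
 if (checkcfg(CFG_SECCOMP))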
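Review bot: The subnet check on the new lines 311-314 confirms both ends of the range lie inside the network described by `br->ip`/`br->mask`, but it never excludes the interface address `br->ip` itself (nor the subnet's broadcast address), so a profile whose range covers the bridge's own address (constructed example: a bridge at 10.10.20.1 with `iprange 10.10.20.1,10.10.20.5`) passes validation; unless the code that later picks an address from iprange_start/iprange_end skips those values, which is not visible here, the sandbox can be handed the bridge's address. A guard after the in_netrange() checks, `if (br->ip >= br->iprange_start && br->ip <= br->iprange_end) { fprintf(stderr, "Error: IP range includes the interface address\n"); exit(1); }`, rejects this at parse time like the other errors in the branch. Two smaller points: the branch opens with `else if` while the neighbouring command on line 323 starts a fresh `if`, so it attaches to whichever `if` closes at line 275 — a plain `if` keeps the chain uniform since every branch returns; and the in_netrange() condition is only right if that helper returns non-zero when the address is outside the subnet, as the error message implies, which is worth a comment such as `// in_netrange() is non-zero when ip is OUTSIDE ifip/mask` so a future reader does not "fix" it. profile_check_line() begins and ends outside the hunk.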
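--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -287,6 +287,29 @@ Disable sound system.
 .SH Networking
 Networking features available in profile files.
 
+\fBdns address
+Set a DNS server for the sandbox. Up to three DNS servers can be defined.
+
+.TP
+\fBhostname name
+Set a hostname for the sandbox.
+
+.TP
+\fBiprange address,address
+Assign an IP address in the provided range to the last network
+interface defined by a net command. A default gateway is assigned by default.
+.br
+
+.br
+Example:
+.br
+
+.br
+net eth0
+.br
+iprange 192.168.1.150,192.168.1.160
+.br
+
 .TP
 \fBnetfilter
 If a new network namespace is created, enabled default network filter.
@@ -322,14 +345,6 @@ available in the new namespace is a new loopback interface (lo).
 Use this option to deny network access to programs that don't
 really need network access.
 
-.TP
-\fBdns address
-Set a DNS server for the sandbox. Up to three DNS servers can be defined.
-
-.TP
-\fBhostname name
-Set a hostname for the sandbox.
-
 .SH RELOCATING PROFILES
 For various reasons some users might want to keep the profile files in a different directory.
 Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles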