-rw-r--r-- | README.md | 18 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 26 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 20 |
5 files changed, 67 insertions, 0 deletions
@@ -162,6 +162,24 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
162 | 162 | ||
163 | Example: | 163 | Example: |
164 | $ firejail --private-cache | 164 | $ firejail --private-cache |
165 | |||
166 | --tunnel[=devname] | ||
167 | Connect the sandbox to a network overlay/VPN tunnel created by | ||
168 | firetunnel utility. This options tries first the client side of | ||
169 | the tunnel. If this fails, it tries the server side. If multiā | ||
170 | ple tunnels are active, please specify the tunnel device using | ||
171 | --tunnel=devname. | ||
172 | |||
173 | The available tunnel devices are listed in /etc/firetunnel | ||
174 | directory, one file for each device. The files are regular | ||
175 | firejail profile files containing the network configuration, | ||
176 | and are created and managed by firetunnel utility. By default | ||
177 | ftc is the client-side device and fts is the server-side | ||
178 | device. For more information please see man 1 firetunnel. | ||
179 | |||
180 | Example: | ||
181 | $ firejail --tunnel firefox | ||
182 | |||
165 | ````` | 183 | ````` |
166 | 184 | ||
167 | ## New profiles | 185 | ## New profiles |
@@ -10,6 +10,7 @@ firejail (0.9.56~rc1) baseline; urgency=low | |||
10 | * support tap devices in --net option (tunneling support) | 10 | * support tap devices in --net option (tunneling support) |
11 | * allow IP address configuration if the parent interface specified | 11 | * allow IP address configuration if the parent interface specified |
12 | by --net is not configured (--netmask) | 12 | by --net is not configured (--netmask) |
13 | * support for firetunnel utility | ||
13 | * disable U2F devices (--nou2f) | 14 | * disable U2F devices (--nou2f) |
14 | * add --private-cache to support private ~/.cache | 15 | * add --private-cache to support private ~/.cache |
15 | * support full paths in private-lib | 16 | * support full paths in private-lib |
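--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1447,6 +1447,32 @@ int main(int argc, char **argv) {
 exit_err_feature("overlayfs");
 }
 #endif
+else if (strcmp(argv[i], "--tunnel") == 0) {
+// try to connect to the default client side of the tunnel
+// if this fails, try the default server side of the tunnel
+if (access("/run/firetunnel/ftc", R_OK) == 0)
+profile_read("/run/firetunnel/ftc");
+else if (access("/run/firetunnel/fts", R_OK) == 0)
+profile_read("/run/firetunnel/fts");
+else {
+fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n");
+exit(1);
+}
+}
+else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
+char *fname;
+
+if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1)
+errExit("asprintf");
+invalid_filename(fname, 0); // no globbing
+if (access(fname, R_OK) == 0)
+profile_read(fname);
+else {
+fprintf(stderr, "Error: tunnel not found\n");
+exit(1);
+}
+}
+
 else if (strncmp(argv[i], "--profile=", 10) == 0) {
 // multiple profile files are allowed!
 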
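Review bot: The code and the documentation in this commit disagree on where tunnel devices live: both `--tunnel` branches read profiles from `/run/firetunnel/`, while the README and man page hunks tell users the devices are listed in the /etc/firetunnel directory, so one side should be corrected before release. In the `--tunnel=` branch an empty device name (`--tunnel=`) yields the path `/run/firetunnel/`, which `access(R_OK)` accepts because it is a readable directory and which is then handed to profile_read(); unless invalid_filename() already rejects empty names and embedded `/` (not visible here), I would validate the user-supplied segment before building the path: `const char *dev = argv[i] + 9; if (*dev == '\0' || strchr(dev, '/')) { fprintf(stderr, "Error: invalid tunnel device name\n"); exit(1); }`. Both failure branches print "not found" whether the file is missing or merely unreadable by the caller (`access()` also fails with EACCES), so including `strerror(errno)` in the messages would make permission problems diagnosable. `fname` is never freed after profile_read(), which is harmless only if the process exits soon afterwards. main() starts and ends outside the hunk.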
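--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -214,6 +214,8 @@ static char *usage_str =
 " --tracelog - add a syslog message for every access to files or\n"
 "\tdirectories blacklisted by the security profile.\n"
 " --tree - print a tree of all sandboxed processes.\n"
+" --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
+"\tfiretunnel utility.\n"
 " --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
 " --veth-name=name - use this name for the interface connected to the bridge.\n"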
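--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2130,6 +2130,26 @@ $ firejail \-\-tree
 11970:netblue:transmission-gtk
 
 .TP
+\fB\-\-tunnel[=devname]
+Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
+tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active,
+please specify the tunnel device using \-\-tunnel=devname.
+.br
+
+.br
+The available tunnel devices are listed in /etc/firetunnel directory, one file for each device.
+The files are regular firejail profile files containing the network configuration,
+and are created and managed by firetunnel utility.
+By default ftc is the client-side device and fts is the server-side device. For more information
+please see man 1 firetunnel.
+.br
+
+.br
+Example:
+.br
+$ firejail --tunnel firefox
+.br
+.TP
 \fB\-\-version
 Print program version and exit.
 .br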