7 files changed, 32 insertions, 118 deletions
diff --git a/RELNOTES b/RELNOTES
index b1cf333dd..6af251850 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,9 @@
 firejail (0.9.55) baseline; urgency=low
  * work in progress
  * modif: removed CFG_CHROOT_DESKTOP configuration option
+  * modif: removed compile time --enable-network=restricted
+  * modif: --net=none allowed even if networking was disabled at compile
+     time or at run time
  * support wireless devices in --net option
  * support tap devices in --net option (tunneling support)
  * allow IP address configuration if the parent interface specified
diff --git a/configure b/configure
index 2a7efcb6f..b57720fd1 100755
--- a/configure
+++ b/configure
@@ -1356,8 +1356,6 @@ Optional Features:
  --disable-globalcfg     if the global config file firejail.cfg is not
                          present, continue the program using defaults
  --disable-network       disable network
-  --enable-network=restricted
-                          restrict --net= to root only
  --disable-userns        disable user namespace
  --disable-x11           disable X11 sandboxing support
  --disable-file-transfer disable file transfer
@@ -3660,19 +3658,9 @@ if test "${enable_network+set}" = set; then :
  enableval=$enable_network;
 fi
-# Check whether --enable-network was given.
-if test "${enable_network+set}" = set; then :
-  enableval=$enable_network;
-fi
 if test "x$enable_network" != "xno"; then :
        HAVE_NETWORK="-DHAVE_NETWORK"
-        if test "x$enable_network" = "xrestricted"; then :
-               HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
-fi
 fi
diff --git a/configure.ac b/configure.ac
index c5243ed55..253749cd5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -102,13 +102,8 @@ AS_IF([test "x$enable_globalcfg" != "xno"], [
 HAVE_NETWORK=""
 AC_ARG_ENABLE([network],
    AS_HELP_STRING([--disable-network], [disable network]))
-AC_ARG_ENABLE([network],
-    AS_HELP_STRING([--enable-network=restricted], [ restrict --net= to root only]))
 AS_IF([test "x$enable_network" != "xno"], [
        HAVE_NETWORK="-DHAVE_NETWORK"
-        AS_IF([test "x$enable_network" = "xrestricted"], [
-               HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
-        ])
        AC_SUBST(HAVE_NETWORK)
 ])
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 42ff31976..7483136f4 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -373,6 +373,13 @@ int checkcfg(int val) {
                initialized = 1;
        }
+        // merge CFG_RESTRICTED_NETWORK into CFG_NETWORK
+        if (val == CFG_NETWORK) {
+                if (cfg_val[CFG_RESTRICTED_NETWORK] && getuid() != 0)
+                        return 0;
+        }
        return cfg_val[val];
 errout:
@@ -443,10 +450,6 @@ void print_compiletime_support(void) {
 #endif
                );
-#ifdef HAVE_NETWORK_RESTRICTED
-        printf("\t- networking features are available only to root user\n");
-#endif
        printf("\t- overlayfs support is %s\n",
 #ifdef HAVE_OVERLAYFS
                "enabled"
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8e4fc6f38..3e092a3cc 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1745,22 +1745,21 @@ int main(int argc, char **argv) {
                //*************************************
                // network
                //*************************************
+                else if (strcmp(argv[i], "--net=none") == 0) {
+                        arg_nonetwork  = 1;
+                        cfg.bridge0.configured = 0;
+                        cfg.bridge1.configured = 0;
+                        cfg.bridge2.configured = 0;
+                        cfg.bridge3.configured = 0;
+                        cfg.interface0.configured = 0;
+                        cfg.interface1.configured = 0;
+                        cfg.interface2.configured = 0;
+                        cfg.interface3.configured = 0;
+                        continue;
+                }
 #ifdef HAVE_NETWORK
                else if (strncmp(argv[i], "--interface=", 12) == 0) {
                        if (checkcfg(CFG_NETWORK)) {
-#ifdef HAVE_NETWORK_RESTRICTED
-                                // compile time restricted networking
-                                if (getuid() != 0) {
-                                        fprintf(stderr, "Error: --interface is allowed only to root user\n");
-                                        exit(1);
-                                }
-#endif
-                                // run time restricted networking
-                                if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-                                        fprintf(stderr, "Error: --interface is allowed only to root user\n");
-                                        exit(1);
-                                }
                                // checks
                                if (arg_nonetwork) {
                                        fprintf(stderr, "Error: --network=none and --interface are incompatible\n");
@@ -1818,18 +1817,6 @@ int main(int argc, char **argv) {
                                        continue;
                                }
-#ifdef HAVE_NETWORK_RESTRICTED
-                                // compile time restricted networking
-                                if (getuid() != 0) {
-                                        fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
-                                        exit(1);
-                                }
-#endif
-                                // run time restricted networking
-                                if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-                                        fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
-                                        exit(1);
-                                }
                                if (strcmp(argv[i] + 6, "lo") == 0) {
                                        fprintf(stderr, "Error: cannot attach to lo device\n");
                                        exit(1);
@@ -2072,18 +2059,6 @@ int main(int argc, char **argv) {
 #ifdef HAVE_NETWORK
                else if (strcmp(argv[i], "--netfilter") == 0) {
-#ifdef HAVE_NETWORK_RESTRICTED
-                        // compile time restricted networking
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-                                exit(1);
-                        }
-#endif
-                        // run time restricted networking
-                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-                                exit(1);
-                        }
                        if (checkcfg(CFG_NETWORK)) {
                                arg_netfilter = 1;
                        }
@@ -2092,18 +2067,6 @@ int main(int argc, char **argv) {
                }
                else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
-#ifdef HAVE_NETWORK_RESTRICTED
-                        // compile time restricted networking
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-                                exit(1);
-                        }
-#endif
-                        // run time restricted networking
-                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
-                                exit(1);
-                        }
                        if (checkcfg(CFG_NETWORK)) {
                                arg_netfilter = 1;
                                arg_netfilter_file = argv[i] + 12;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 425f8f5c9..4b2fb3abd 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -307,39 +307,20 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        else if (strcmp(ptr, "net none") == 0) {
-#ifdef HAVE_NETWORK
+                arg_nonetwork  = 1;
-                if (checkcfg(CFG_NETWORK)) {
+                cfg.bridge0.configured = 0;
-                        arg_nonetwork  = 1;
+                cfg.bridge1.configured = 0;
-                        cfg.bridge0.configured = 0;
+                cfg.bridge2.configured = 0;
-                        cfg.bridge1.configured = 0;
+                cfg.bridge3.configured = 0;
-                        cfg.bridge2.configured = 0;
+                cfg.interface0.configured = 0;
-                        cfg.bridge3.configured = 0;
+                cfg.interface1.configured = 0;
-                        cfg.interface0.configured = 0;
+                cfg.interface2.configured = 0;
-                        cfg.interface1.configured = 0;
+                cfg.interface3.configured = 0;
-                        cfg.interface2.configured = 0;
-                        cfg.interface3.configured = 0;
-                }
-                else
-                        warning_feature_disabled("networking");
-#endif
                return 0;
        }
        else if (strncmp(ptr, "net ", 4) == 0) {
 #ifdef HAVE_NETWORK
                if (checkcfg(CFG_NETWORK)) {
-#ifdef HAVE_NETWORK_RESTRICTED
-                        // compile time restricted networking
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
-                                exit(1);
-                        }
-#endif
-                        // run time restricted networking
-                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
-                                fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
-                                exit(1);
-                        }
                        if (strcmp(ptr + 4, "lo") == 0) {
                                fprintf(stderr, "Error: cannot attach to lo device\n");
                                exit(1);
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 9b7d19057..9d35bbcde 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -7,7 +7,7 @@ arr[4]="TEST 4: compile bind disabled"
 arr[5]="TEST 5: compile user namespace disabled"
 arr[6]="TEST 6: compile network disabled"
 arr[7]="TEST 7: compile X11 disabled"
-arr[8]="TEST 8: compile network restricted"
+arr[8]="deprecated: TEST 8: compile network restricted"
 arr[9]="TEST 9: compile file transfer disabled"
 arr[10]="TEST 10: compile disable whitelist"
 arr[11]="TEST 11: compile disable global config"
@@ -182,25 +182,6 @@ rm output-configure output-make
 #*****************************************************************
-# TEST 8
-#*****************************************************************
-# - enable network restricted
-#*****************************************************************
-print_title "${arr[8]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --enable-network=restricted  --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test8
-grep Error output-configure output-make >> ./report-test8
-cp output-configure oc8
-cp output-make om8
-rm output-configure output-make
-#*****************************************************************
 # TEST 9
 #*****************************************************************
 # - disable file transfer