6 files changed, 85 insertions, 25 deletions
diff --git a/RELNOTES b/RELNOTES
index 3b287ed0c..2760d3f2a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,7 +5,8 @@ firejail (0.9.40-rc1) baseline; urgency=low
  * added --x11=xephyr option
  * added --cpu.print option
  * added filetransfer options --ls and --get
-  * added mkdir, ipc-namespace, net iface and nosound profile commands
+  * added mkdir, ipc-namespace, and nosound profile commands
+  * added net iface, and iprange profile commands
  * --version also prints compile options
  * --output option also redirects stderr
  * added compile-time option to restrict --net= to root only
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index f43f31f02..92fd151c1 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -182,6 +182,19 @@ typedef struct config_t {
 } Config;
 extern Config cfg;
+static inline Bridge *last_bridge_configured(void) {
+        if (cfg.bridge3.configured)
+                return &cfg.bridge3;
+        else if (cfg.bridge2.configured)
+                return &cfg.bridge2;
+        else if (cfg.bridge1.configured)
+                return &cfg.bridge1;
+        else if (cfg.bridge0.configured)
+                return &cfg.bridge0;
+        else
+                return NULL;
+}
 static inline int any_bridge_configured(void) {
        if (cfg.bridge0.configured || cfg.bridge1.configured || cfg.bridge2.configured || cfg.bridge3.configured)
                return 1;
diff --git a/src/firejail/list.c b/src/firejail/list.c
index b7c0b5264..cd53264b6 100644
--- a/src/firejail/list.c
+++ b/src/firejail/list.c
@@ -21,7 +21,6 @@
 #include <sys/types.h>
 #include <sys/stat.h>
-#if 0
 static void grsec_elevate_privileges(void) {
        struct stat s;
        if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
@@ -34,7 +33,6 @@ static void grsec_elevate_privileges(void) {
                        errExit("setregid");
        }
 }
-#endif
 void top(void) {
        EUID_ASSERT();
@@ -49,7 +47,7 @@ void top(void) {
 void netstats(void) {
        EUID_ASSERT();
-//      grsec_elevate_privileges();     
+        grsec_elevate_privileges();     
        
        char *arg[4];
        arg[0] = "bash";
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e8b17bf45..b267a5ecb 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -132,19 +132,6 @@ static void my_handler(int s){
        myexit(1);
 }
-static inline Bridge *last_bridge_configured(void) {
-        if (cfg.bridge3.configured)
-                return &cfg.bridge3;
-        else if (cfg.bridge2.configured)
-                return &cfg.bridge2;
-        else if (cfg.bridge1.configured)
-                return &cfg.bridge1;
-        else if (cfg.bridge0.configured)
-                return &cfg.bridge0;
-        else
-                return NULL;
-}
 // return 1 if error, 0 if a valid pid was found
 static inline int read_pid(char *str, pid_t *pid) {
        char *endptr;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a917152ff..6ded0ca2f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -274,6 +274,52 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        
+        else if (strncmp(ptr, "iprange ", 8) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        Bridge *br = last_bridge_configured();
+                        if (br == NULL) {
+                                fprintf(stderr, "Error: no network device configured\n");
+                                exit(1);
+                        }
+                        if (br->iprange_start || br->iprange_end) {
+                                fprintf(stderr, "Error: cannot configure the IP range twice for the same interface\n");
+                                exit(1);
+                        }
+                        // parse option arguments
+                        char *firstip = ptr + 8;
+                        char *secondip = firstip;
+                        while (*secondip != '\0') {
+                                if (*secondip == ',')
+                                        break;
+                                secondip++;
+                        }
+                        if (*secondip == '\0') {
+                                fprintf(stderr, "Error: invalid IP range\n");
+                                exit(1);
+                        }
+                        *secondip = '\0';
+                        secondip++;
+                        
+                        // check addresses
+                        if (atoip(firstip, &br->iprange_start) || atoip(secondip, &br->iprange_end) ||
+                            br->iprange_start >= br->iprange_end) {
+                                fprintf(stderr, "Error: invalid IP range\n");
+                                exit(1);
+                        }
+                        if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) {
+                                fprintf(stderr, "Error: IP range addresses not in network range\n");
+                                exit(1);
+                        }
+                }
+                else
+                        fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+                return 0;
+        }
+        
        if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP
                if (checkcfg(CFG_SECCOMP))
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index ddfae5948..9045c1122 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -287,6 +287,29 @@ Disable sound system.
 .SH Networking
 Networking features available in profile files.
+\fBdns address
+Set a DNS server for the sandbox. Up to three DNS servers can be defined.
+.TP
+\fBhostname name
+Set a hostname for the sandbox.
+.TP
+\fBiprange address,address
+Assign  an  IP address in the provided range to the last network
+interface defined by  a  net command.  A  default  gateway  is assigned by default.
+.br
+.br
+Example:
+.br
+.br
+net eth0
+.br
+iprange 192.168.1.150,192.168.1.160
+.br
 .TP
 \fBnetfilter
 If a new network namespace is created, enabled default network filter.
@@ -322,14 +345,6 @@ available in the new namespace is a new loopback interface (lo).
 Use this option to deny network access to programs that don't
 really need network access.
-.TP
-\fBdns address
-Set a DNS server for the sandbox. Up to three DNS servers can be defined.
-.TP
-\fBhostname name
-Set a hostname for the sandbox.
 .SH RELOCATING PROFILES
 For various reasons some users might want to keep the profile files in a different directory.
 Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles

diff --git a/RELNOTES b/RELNOTES index 3b287ed0c..2760d3f2a 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -5,7 +5,8 @@ firejail (0.9.40-rc1) baseline; urgency=low
5	* added --x11=xephyr option	5	* added --x11=xephyr option
6	* added --cpu.print option	6	* added --cpu.print option
7	* added filetransfer options --ls and --get	7	* added filetransfer options --ls and --get
8	* added mkdir, ipc-namespace, net iface and nosound profile commands	8	* added mkdir, ipc-namespace, and nosound profile commands
		9	* added net iface, and iprange profile commands
9	* --version also prints compile options	10	* --version also prints compile options
10	* --output option also redirects stderr	11	* --output option also redirects stderr
11	* added compile-time option to restrict --net= to root only	12	* added compile-time option to restrict --net= to root only


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f43f31f02..92fd151c1 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -182,6 +182,19 @@ typedef struct config_t {
182	} Config;	182	} Config;
183	extern Config cfg;	183	extern Config cfg;
184		184
		185	static inline Bridge *last_bridge_configured(void) {
		186	if (cfg.bridge3.configured)
		187	return &cfg.bridge3;
		188	else if (cfg.bridge2.configured)
		189	return &cfg.bridge2;
		190	else if (cfg.bridge1.configured)
		191	return &cfg.bridge1;
		192	else if (cfg.bridge0.configured)
		193	return &cfg.bridge0;
		194	else
		195	return NULL;
		196	}
		197
185	static inline int any_bridge_configured(void) {	198	static inline int any_bridge_configured(void) {
186	if (cfg.bridge0.configured \|\| cfg.bridge1.configured \|\| cfg.bridge2.configured \|\| cfg.bridge3.configured)	199	if (cfg.bridge0.configured \|\| cfg.bridge1.configured \|\| cfg.bridge2.configured \|\| cfg.bridge3.configured)
187	return 1;	200	return 1;


diff --git a/src/firejail/list.c b/src/firejail/list.c index b7c0b5264..cd53264b6 100644 --- a/src/firejail/list.c +++ b/src/firejail/list.c
@@ -21,7 +21,6 @@
21	#include <sys/types.h>	21	#include <sys/types.h>
22	#include <sys/stat.h>	22	#include <sys/stat.h>
23		23
24	#if 0
25	static void grsec_elevate_privileges(void) {	24	static void grsec_elevate_privileges(void) {
26	struct stat s;	25	struct stat s;
27	if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {	26	if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
@@ -34,7 +33,6 @@ static void grsec_elevate_privileges(void) {
34	errExit("setregid");	33	errExit("setregid");
35	}	34	}
36	}	35	}
37	#endif
38		36
39	void top(void) {	37	void top(void) {
40	EUID_ASSERT();	38	EUID_ASSERT();
@@ -49,7 +47,7 @@ void top(void) {
49		47
50	void netstats(void) {	48	void netstats(void) {
51	EUID_ASSERT();	49	EUID_ASSERT();
52	// grsec_elevate_privileges();	50	grsec_elevate_privileges();
53		51
54	char *arg[4];	52	char *arg[4];
55	arg[0] = "bash";	53	arg[0] = "bash";


diff --git a/src/firejail/main.c b/src/firejail/main.c index e8b17bf45..b267a5ecb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -132,19 +132,6 @@ static void my_handler(int s){
132	myexit(1);	132	myexit(1);
133	}	133	}
134		134
135	static inline Bridge *last_bridge_configured(void) {
136	if (cfg.bridge3.configured)
137	return &cfg.bridge3;
138	else if (cfg.bridge2.configured)
139	return &cfg.bridge2;
140	else if (cfg.bridge1.configured)
141	return &cfg.bridge1;
142	else if (cfg.bridge0.configured)
143	return &cfg.bridge0;
144	else
145	return NULL;
146	}
147
148	// return 1 if error, 0 if a valid pid was found	135	// return 1 if error, 0 if a valid pid was found
149	static inline int read_pid(char str, pid_t pid) {	136	static inline int read_pid(char str, pid_t pid) {
150	char *endptr;	137	char *endptr;


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a917152ff..6ded0ca2f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -274,6 +274,52 @@ int profile_check_line(char ptr, int lineno, const char fname) {
274	return 0;	274	return 0;
275	}	275	}
276		276
		277	else if (strncmp(ptr, "iprange ", 8) == 0) {
		278	#ifdef HAVE_NETWORK
		279	if (checkcfg(CFG_NETWORK)) {
		280	Bridge *br = last_bridge_configured();
		281	if (br == NULL) {
		282	fprintf(stderr, "Error: no network device configured\n");
		283	exit(1);
		284	}
		285	if (br->iprange_start \|\| br->iprange_end) {
		286	fprintf(stderr, "Error: cannot configure the IP range twice for the same interface\n");
		287	exit(1);
		288	}
		289
		290	// parse option arguments
		291	char *firstip = ptr + 8;
		292	char *secondip = firstip;
		293	while (*secondip != '\0') {
		294	if (*secondip == ',')
		295	break;
		296	secondip++;
		297	}
		298	if (*secondip == '\0') {
		299	fprintf(stderr, "Error: invalid IP range\n");
		300	exit(1);
		301	}
		302	*secondip = '\0';
		303	secondip++;
		304
		305	// check addresses
		306	if (atoip(firstip, &br->iprange_start) \|\| atoip(secondip, &br->iprange_end) \|\|
		307	br->iprange_start >= br->iprange_end) {
		308	fprintf(stderr, "Error: invalid IP range\n");
		309	exit(1);
		310	}
		311	if (in_netrange(br->iprange_start, br->ip, br->mask) \|\| in_netrange(br->iprange_end, br->ip, br->mask)) {
		312	fprintf(stderr, "Error: IP range addresses not in network range\n");
		313	exit(1);
		314	}
		315	}
		316	else
		317	fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
		318	#endif
		319	return 0;
		320	}
		321
		322
277	if (strncmp(ptr, "protocol ", 9) == 0) {	323	if (strncmp(ptr, "protocol ", 9) == 0) {
278	#ifdef HAVE_SECCOMP	324	#ifdef HAVE_SECCOMP
279	if (checkcfg(CFG_SECCOMP))	325	if (checkcfg(CFG_SECCOMP))


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index ddfae5948..9045c1122 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -287,6 +287,29 @@ Disable sound system.
287	.SH Networking	287	.SH Networking
288	Networking features available in profile files.	288	Networking features available in profile files.
289		289
		290	\fBdns address
		291	Set a DNS server for the sandbox. Up to three DNS servers can be defined.
		292
		293	.TP
		294	\fBhostname name
		295	Set a hostname for the sandbox.
		296
		297	.TP
		298	\fBiprange address,address
		299	Assign an IP address in the provided range to the last network
		300	interface defined by a net command. A default gateway is assigned by default.
		301	.br
		302
		303	.br
		304	Example:
		305	.br
		306
		307	.br
		308	net eth0
		309	.br
		310	iprange 192.168.1.150,192.168.1.160
		311	.br
		312
290	.TP	313	.TP
291	\fBnetfilter	314	\fBnetfilter
292	If a new network namespace is created, enabled default network filter.	315	If a new network namespace is created, enabled default network filter.
@@ -322,14 +345,6 @@ available in the new namespace is a new loopback interface (lo).
322	Use this option to deny network access to programs that don't	345	Use this option to deny network access to programs that don't
323	really need network access.	346	really need network access.
324		347
325	.TP
326	\fBdns address
327	Set a DNS server for the sandbox. Up to three DNS servers can be defined.
328
329	.TP
330	\fBhostname name
331	Set a hostname for the sandbox.
332
333	.SH RELOCATING PROFILES	348	.SH RELOCATING PROFILES
334	For various reasons some users might want to keep the profile files in a different directory.	349	For various reasons some users might want to keep the profile files in a different directory.
335	Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles	350	Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles