-rw-r--r-- | configure.ac | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 6 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
3 files changed, 11 insertions, 0 deletions
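--- a/configure.ac
+++ b/configure.ac
@@ -38,6 +38,9 @@ AC_ARG_ENABLE([network],
 AS_HELP_STRING([--disable-network], [disable network]))
 AS_IF([test "x$enable_network" != "xno"], [
 HAVE_NETWORK="-DHAVE_NETWORK"
+AS_IF([test "x$enable_network" = "xrestricted"], [
+HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
+])
 AC_SUBST(HAVE_NETWORK)
 ])
 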
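Review bot: The `restricted` value tested on new line 41 is not mentioned in the help string on line 38, which still advertises only `--disable-network`, so `./configure --help` gives no hint that the hardened build mode exists. I would add a second help entry, for example `AS_HELP_STRING([--enable-network=restricted], [non-root users may only use --net=none])`, and a short comment above the inner AS_IF saying the same. Any value other than `no` or `restricted` silently yields the unrestricted build, so a misspelt value would not be noticed; a warning for unrecognised values would make that visible. The AC_ARG_ENABLE call starts outside the hunk.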
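--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1095,6 +1095,12 @@ int main(int argc, char **argv) {
 cfg.interface3.configured = 0;
 continue;
 }
+#ifdef HAVE_NETWORK_RESTRICTED
+if (getuid() != 0) {
+fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
+exit(1);
+}
+#endif
 if (strcmp(argv[i] + 6, "lo") == 0) {
 fprintf(stderr, "Error: cannot attach to lo device\n");
 exit(1);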
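Review bot: The guard added at new lines 1098-1103 sits only in the `--net=` branch, after the `none` case has already continued, so the policy its message states is enforced for this one option and nothing else in the hunk. Other options that attach or configure interfaces are handled elsewhere in main(), outside this hunk, and it cannot be told from here whether a non-root user can still reach them in a restricted build; each would need the same `#ifdef HAVE_NETWORK_RESTRICTED` check if the intent is to confine unprivileged users to `--net=none`. A one-line comment on the check would also help, e.g. `// compile-time restricted networking: getuid() is the invoking user's real uid`, which presumably matters because the program may run with a different effective uid. main() starts and ends outside the hunk.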
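--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -471,6 +471,8 @@ Example:
 .br
 $ firejail \-\-net=eth0 \-\-ip6=2001:0db8:0:f101::1/64 firefox
 
+Note: you don't need this option if you obtain your ip6 address from router via SLAAC (your ip6 address and default route will be configured by kernel automatically).
+
 .TP
 \fB\-\-iprange=address,address
 Assign an IP address in the provided range to the last network interface defined by a \-\-net option. A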