diff options
| -rw-r--r-- | RELNOTES | 1 | ||||
| -rw-r--r-- | src/firejail/main.c | 8 | ||||
| -rw-r--r-- | src/man/firejail.txt | 4 |
3 files changed, 11 insertions, 2 deletions
| @@ -1,6 +1,7 @@ | |||
| 1 | firejail (0.9.69) baseline; urgency=low | 1 | firejail (0.9.69) baseline; urgency=low |
| 2 | * work in progress | 2 | * work in progress |
| 3 | * modif: --noprofile enforces nonewprivs | 3 | * modif: --noprofile enforces nonewprivs |
| 4 | * modif: --nettrace only available to root user | ||
| 4 | * feature: enable shell tab completion (#4936) | 5 | * feature: enable shell tab completion (#4936) |
| 5 | * feature: disable user profiles at compile time (#4990) | 6 | * feature: disable user profiles at compile time (#4990) |
| 6 | * rework: whitelist restructuring (#4985) | 7 | * rework: whitelist restructuring (#4985) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index f3b656e2e..e1f19dd14 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -409,6 +409,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 409 | #ifdef HAVE_NETWORK | 409 | #ifdef HAVE_NETWORK |
| 410 | else if (strcmp(argv[i], "--nettrace") == 0) { | 410 | else if (strcmp(argv[i], "--nettrace") == 0) { |
| 411 | if (checkcfg(CFG_NETWORK)) { | 411 | if (checkcfg(CFG_NETWORK)) { |
| 412 | if (getuid() != 0) { | ||
| 413 | fprintf(stderr, "Error: --nettrace is only available to root user\n"); | ||
| 414 | exit(1); | ||
| 415 | } | ||
| 412 | netfilter_trace(0); | 416 | netfilter_trace(0); |
| 413 | } | 417 | } |
| 414 | else | 418 | else |
| @@ -417,6 +421,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 417 | } | 421 | } |
| 418 | else if (strncmp(argv[i], "--nettrace=", 11) == 0) { | 422 | else if (strncmp(argv[i], "--nettrace=", 11) == 0) { |
| 419 | if (checkcfg(CFG_NETWORK)) { | 423 | if (checkcfg(CFG_NETWORK)) { |
| 424 | if (getuid() != 0) { | ||
| 425 | fprintf(stderr, "Error: --nettrace is only available to root user\n"); | ||
| 426 | exit(1); | ||
| 427 | } | ||
| 420 | pid_t pid = require_pid(argv[i] + 11); | 428 | pid_t pid = require_pid(argv[i] + 11); |
| 421 | netfilter_trace(pid); | 429 | netfilter_trace(pid); |
| 422 | } | 430 | } |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f78b75346..5f352c843 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1528,7 +1528,7 @@ PID User RX(KB/s) TX(KB/s) Command | |||
| 1528 | .TP | 1528 | .TP |
| 1529 | \fB\-\-nettrace[=name|pid] | 1529 | \fB\-\-nettrace[=name|pid] |
| 1530 | Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes | 1530 | Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes |
| 1531 | created with \-\-net are supported. | 1531 | created with \-\-net are supported. This option is only available when running the sandbox as root. |
| 1532 | .br | 1532 | .br |
| 1533 | 1533 | ||
| 1534 | .br | 1534 | .br |
| @@ -1536,7 +1536,7 @@ Without a name/pid, Firejail will monitor the main system network namespace. | |||
| 1536 | .br | 1536 | .br |
| 1537 | 1537 | ||
| 1538 | .br | 1538 | .br |
| 1539 | $ firejail --nettrace=browser | 1539 | $ sudo firejail --nettrace=browser |
| 1540 | .br | 1540 | .br |
| 1541 | 1541 | ||
| 1542 | .br | 1542 | .br |