Diffstat (limited to 'src/firejail/main.c')
-rw-r--r--src/firejail/main.c24
1 files changed, 24 insertions, 0 deletions
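diff --git a/src/firejail/main.c b/src/firejail/main.c
index cda9e788e..955bd36bf 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1684,6 +1684,18 @@ int main(int argc, char **argv) {
 
 #ifdef HAVE_NETWORK
  else if (strcmp(argv[i], "--netfilter") == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+ // compile time restricted networking
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+ exit(1);
+ }
+#endif
+ // run time restricted networking
+ if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+ fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+ exit(1);
+ }
  if (checkcfg(CFG_NETWORK)) {
  arg_netfilter = 1;
  }
@@ -1694,6 +1706,18 @@ int main(int argc, char **argv) {
  }
 
  else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+ // compile time restricted networking
+ if (getuid() != 0) {
+ fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+ exit(1);
+ }
+#endif
+ // run time restricted networking
+ if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+ fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+ exit(1);
+ }
  if (checkcfg(CFG_NETWORK)) {
  arg_netfilter = 1;
  arg_netfilter_file = argv[i] + 12;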
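Review bot: The root-only gate is pasted in full into both the `--netfilter` and `--netfilter=` branches, and in a HAVE_NETWORK_RESTRICTED build the run-time test after `#endif` can never fire because the compile-time test has already exited for every non-root caller. Since this is an access-control check, I would move it into one static helper called from both branches, so the two copies cannot drift apart and other network options can reuse the same gate. The diffstat is limited to main.c, so it is not visible here whether a netfilter setting that arrives from a profile file passes through the same restriction; that path should be confirmed. Both branches sit inside main(), whose body starts and ends outside these hunks.

```c
// helper defined above main(); the name is a suggestion
static void require_root_if_restricted(const char *opt) {
#ifdef HAVE_NETWORK_RESTRICTED
	int restricted = 1;	// compile time restricted networking
#else
	int restricted = checkcfg(CFG_RESTRICTED_NETWORK);	// run time restricted networking
#endif
	if (restricted && getuid() != 0) {
		fprintf(stderr, "Error: %s is only allowed for root\n", opt);
		exit(1);
	}
}

// … unchanged: earlier option parsing in main() …
		else if (strcmp(argv[i], "--netfilter") == 0) {
			require_root_if_restricted("--netfilter");
// … unchanged: CFG_NETWORK handling for --netfilter …
		else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
			require_root_if_restricted("--netfilter");
// … unchanged: CFG_NETWORK handling for --netfilter= …
```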