diff options
Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 564 |
1 files changed, 340 insertions, 224 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 02a55ac70..b20854b30 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -290,63 +290,69 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
290 | #endif | 290 | #endif |
291 | #ifdef HAVE_NETWORK | 291 | #ifdef HAVE_NETWORK |
292 | else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { | 292 | else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { |
293 | logargs(argc, argv); | 293 | if (checkcfg(CFG_NETWORK)) { |
294 | 294 | logargs(argc, argv); | |
295 | // extract the command | 295 | |
296 | if ((i + 1) == argc) { | 296 | // extract the command |
297 | fprintf(stderr, "Error: command expected after --bandwidth option\n"); | 297 | if ((i + 1) == argc) { |
298 | exit(1); | 298 | fprintf(stderr, "Error: command expected after --bandwidth option\n"); |
299 | } | ||
300 | char *cmd = argv[i + 1]; | ||
301 | if (strcmp(cmd, "status") && strcmp(cmd, "clear") && strcmp(cmd, "set")) { | ||
302 | fprintf(stderr, "Error: invalid --bandwidth command.\nValid commands: set, clear, status.\n"); | ||
303 | exit(1); | ||
304 | } | ||
305 | |||
306 | // extract network name | ||
307 | char *dev = NULL; | ||
308 | int down = 0; | ||
309 | int up = 0; | ||
310 | if (strcmp(cmd, "set") == 0 || strcmp(cmd, "clear") == 0) { | ||
311 | // extract device name | ||
312 | if ((i + 2) == argc) { | ||
313 | fprintf(stderr, "Error: network name expected after --bandwidth %s option\n", cmd); | ||
314 | exit(1); | 299 | exit(1); |
315 | } | 300 | } |
316 | dev = argv[i + 2]; | 301 | char *cmd = argv[i + 1]; |
317 | 302 | if (strcmp(cmd, "status") && strcmp(cmd, "clear") && strcmp(cmd, "set")) { | |
318 | // check device name | 303 | fprintf(stderr, "Error: invalid --bandwidth command.\nValid commands: set, clear, status.\n"); |
319 | if (if_nametoindex(dev) == 0) { | ||
320 | fprintf(stderr, "Error: network device %s not found\n", dev); | ||
321 | exit(1); | 304 | exit(1); |
322 | } | 305 | } |
323 | 306 | ||
324 | // extract bandwidth | 307 | // extract network name |
325 | if (strcmp(cmd, "set") == 0) { | 308 | char *dev = NULL; |
326 | if ((i + 4) >= argc) { | 309 | int down = 0; |
327 | fprintf(stderr, "Error: invalid --bandwidth set command\n"); | 310 | int up = 0; |
311 | if (strcmp(cmd, "set") == 0 || strcmp(cmd, "clear") == 0) { | ||
312 | // extract device name | ||
313 | if ((i + 2) == argc) { | ||
314 | fprintf(stderr, "Error: network name expected after --bandwidth %s option\n", cmd); | ||
328 | exit(1); | 315 | exit(1); |
329 | } | 316 | } |
330 | 317 | dev = argv[i + 2]; | |
331 | down = atoi(argv[i + 3]); | 318 | |
332 | if (down < 0) { | 319 | // check device name |
333 | fprintf(stderr, "Error: invalid download speed\n"); | 320 | if (if_nametoindex(dev) == 0) { |
321 | fprintf(stderr, "Error: network device %s not found\n", dev); | ||
334 | exit(1); | 322 | exit(1); |
335 | } | 323 | } |
336 | up = atoi(argv[i + 4]); | 324 | |
337 | if (up < 0) { | 325 | // extract bandwidth |
338 | fprintf(stderr, "Error: invalid upload speed\n"); | 326 | if (strcmp(cmd, "set") == 0) { |
339 | exit(1); | 327 | if ((i + 4) >= argc) { |
328 | fprintf(stderr, "Error: invalid --bandwidth set command\n"); | ||
329 | exit(1); | ||
330 | } | ||
331 | |||
332 | down = atoi(argv[i + 3]); | ||
333 | if (down < 0) { | ||
334 | fprintf(stderr, "Error: invalid download speed\n"); | ||
335 | exit(1); | ||
336 | } | ||
337 | up = atoi(argv[i + 4]); | ||
338 | if (up < 0) { | ||
339 | fprintf(stderr, "Error: invalid upload speed\n"); | ||
340 | exit(1); | ||
341 | } | ||
340 | } | 342 | } |
341 | } | 343 | } |
342 | } | 344 | |
343 | 345 | // extract pid or sandbox name | |
344 | // extract pid or sandbox name | 346 | pid_t pid; |
345 | pid_t pid; | 347 | if (read_pid(argv[i] + 12, &pid) == 0) |
346 | if (read_pid(argv[i] + 12, &pid) == 0) | 348 | bandwidth_pid(pid, cmd, dev, down, up); |
347 | bandwidth_pid(pid, cmd, dev, down, up); | 349 | else |
348 | else | 350 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); |
349 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); | 351 | } |
352 | else { | ||
353 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
354 | exit(1); | ||
355 | } | ||
350 | exit(0); | 356 | exit(0); |
351 | } | 357 | } |
352 | #endif | 358 | #endif |
@@ -454,7 +460,13 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
454 | } | 460 | } |
455 | #ifdef HAVE_NETWORK | 461 | #ifdef HAVE_NETWORK |
456 | else if (strcmp(argv[i], "--netstats") == 0) { | 462 | else if (strcmp(argv[i], "--netstats") == 0) { |
457 | netstats(); | 463 | if (checkcfg(CFG_NETWORK)) { |
464 | netstats(); | ||
465 | } | ||
466 | else { | ||
467 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
468 | exit(1); | ||
469 | } | ||
458 | exit(0); | 470 | exit(0); |
459 | } | 471 | } |
460 | #endif | 472 | #endif |
@@ -531,19 +543,26 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
531 | } | 543 | } |
532 | #ifdef HAVE_NETWORK | 544 | #ifdef HAVE_NETWORK |
533 | else if (strncmp(argv[i], "--join-network=", 15) == 0) { | 545 | else if (strncmp(argv[i], "--join-network=", 15) == 0) { |
534 | logargs(argc, argv); | 546 | if (checkcfg(CFG_NETWORK)) { |
535 | arg_join_network = 1; | 547 | logargs(argc, argv); |
536 | if (getuid() != 0) { | 548 | arg_join_network = 1; |
537 | fprintf(stderr, "Error: --join-network is only available to root user\n"); | 549 | if (getuid() != 0) { |
550 | fprintf(stderr, "Error: --join-network is only available to root user\n"); | ||
551 | exit(1); | ||
552 | } | ||
553 | |||
554 | // join sandbox by pid or by name | ||
555 | pid_t pid; | ||
556 | if (read_pid(argv[i] + 15, &pid) == 0) | ||
557 | join(pid, argc, argv, i + 1); | ||
558 | else | ||
559 | join_name(argv[i] + 15, argc, argv, i + 1); | ||
560 | } | ||
561 | else { | ||
562 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
538 | exit(1); | 563 | exit(1); |
539 | } | 564 | } |
540 | 565 | ||
541 | // join sandbox by pid or by name | ||
542 | pid_t pid; | ||
543 | if (read_pid(argv[i] + 15, &pid) == 0) | ||
544 | join(pid, argc, argv, i + 1); | ||
545 | else | ||
546 | join_name(argv[i] + 15, argc, argv, i + 1); | ||
547 | exit(0); | 566 | exit(0); |
548 | } | 567 | } |
549 | #endif | 568 | #endif |
@@ -1277,204 +1296,278 @@ int main(int argc, char **argv) { | |||
1277 | //************************************* | 1296 | //************************************* |
1278 | #ifdef HAVE_NETWORK | 1297 | #ifdef HAVE_NETWORK |
1279 | else if (strncmp(argv[i], "--interface=", 12) == 0) { | 1298 | else if (strncmp(argv[i], "--interface=", 12) == 0) { |
1299 | if (checkcfg(CFG_NETWORK)) { | ||
1280 | #ifdef HAVE_NETWORK_RESTRICTED | 1300 | #ifdef HAVE_NETWORK_RESTRICTED |
1281 | if (getuid() != 0) { | 1301 | // compile time restricted networking |
1282 | fprintf(stderr, "Error: --interface is allowed only to root user\n"); | 1302 | if (getuid() != 0) { |
1283 | exit(1); | 1303 | fprintf(stderr, "Error: --interface is allowed only to root user\n"); |
1284 | } | 1304 | exit(1); |
1305 | } | ||
1285 | #endif | 1306 | #endif |
1286 | // checks | 1307 | // run time restricted networking |
1287 | if (arg_nonetwork) { | 1308 | if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { |
1288 | fprintf(stderr, "Error: --network=none and --interface are incompatible\n"); | 1309 | fprintf(stderr, "Error: --interface is allowed only to root user\n"); |
1289 | exit(1); | 1310 | exit(1); |
1290 | } | 1311 | } |
1291 | if (strcmp(argv[i] + 12, "lo") == 0) { | 1312 | |
1292 | fprintf(stderr, "Error: cannot use lo device in --interface command\n"); | 1313 | // checks |
1293 | exit(1); | 1314 | if (arg_nonetwork) { |
1294 | } | 1315 | fprintf(stderr, "Error: --network=none and --interface are incompatible\n"); |
1295 | int ifindex = if_nametoindex(argv[i] + 12); | 1316 | exit(1); |
1296 | if (ifindex <= 0) { | 1317 | } |
1297 | fprintf(stderr, "Error: cannot find interface %s\n", argv[i] + 12); | 1318 | if (strcmp(argv[i] + 12, "lo") == 0) { |
1298 | exit(1); | 1319 | fprintf(stderr, "Error: cannot use lo device in --interface command\n"); |
1320 | exit(1); | ||
1321 | } | ||
1322 | int ifindex = if_nametoindex(argv[i] + 12); | ||
1323 | if (ifindex <= 0) { | ||
1324 | fprintf(stderr, "Error: cannot find interface %s\n", argv[i] + 12); | ||
1325 | exit(1); | ||
1326 | } | ||
1327 | |||
1328 | Interface *intf; | ||
1329 | if (cfg.interface0.configured == 0) | ||
1330 | intf = &cfg.interface0; | ||
1331 | else if (cfg.interface1.configured == 0) | ||
1332 | intf = &cfg.interface1; | ||
1333 | else if (cfg.interface2.configured == 0) | ||
1334 | intf = &cfg.interface2; | ||
1335 | else if (cfg.interface3.configured == 0) | ||
1336 | intf = &cfg.interface3; | ||
1337 | else { | ||
1338 | fprintf(stderr, "Error: maximum 4 interfaces are allowed\n"); | ||
1339 | return 1; | ||
1340 | } | ||
1341 | |||
1342 | intf->dev = strdup(argv[i] + 12); | ||
1343 | if (!intf->dev) | ||
1344 | errExit("strdup"); | ||
1345 | |||
1346 | if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) { | ||
1347 | fprintf(stderr, "Warning: interface %s is not configured\n", intf->dev); | ||
1348 | } | ||
1349 | intf->configured = 1; | ||
1299 | } | 1350 | } |
1300 | |||
1301 | Interface *intf; | ||
1302 | if (cfg.interface0.configured == 0) | ||
1303 | intf = &cfg.interface0; | ||
1304 | else if (cfg.interface1.configured == 0) | ||
1305 | intf = &cfg.interface1; | ||
1306 | else if (cfg.interface2.configured == 0) | ||
1307 | intf = &cfg.interface2; | ||
1308 | else if (cfg.interface3.configured == 0) | ||
1309 | intf = &cfg.interface3; | ||
1310 | else { | 1351 | else { |
1311 | fprintf(stderr, "Error: maximum 4 interfaces are allowed\n"); | 1352 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1312 | return 1; | 1353 | exit(1); |
1313 | } | ||
1314 | |||
1315 | intf->dev = strdup(argv[i] + 12); | ||
1316 | if (!intf->dev) | ||
1317 | errExit("strdup"); | ||
1318 | |||
1319 | if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) { | ||
1320 | fprintf(stderr, "Warning: interface %s is not configured\n", intf->dev); | ||
1321 | } | 1354 | } |
1322 | intf->configured = 1; | ||
1323 | } | 1355 | } |
1356 | |||
1324 | else if (strncmp(argv[i], "--net=", 6) == 0) { | 1357 | else if (strncmp(argv[i], "--net=", 6) == 0) { |
1325 | if (strcmp(argv[i] + 6, "none") == 0) { | 1358 | if (checkcfg(CFG_NETWORK)) { |
1326 | arg_nonetwork = 1; | 1359 | if (strcmp(argv[i] + 6, "none") == 0) { |
1327 | cfg.bridge0.configured = 0; | 1360 | arg_nonetwork = 1; |
1328 | cfg.bridge1.configured = 0; | 1361 | cfg.bridge0.configured = 0; |
1329 | cfg.bridge2.configured = 0; | 1362 | cfg.bridge1.configured = 0; |
1330 | cfg.bridge3.configured = 0; | 1363 | cfg.bridge2.configured = 0; |
1331 | cfg.interface0.configured = 0; | 1364 | cfg.bridge3.configured = 0; |
1332 | cfg.interface1.configured = 0; | 1365 | cfg.interface0.configured = 0; |
1333 | cfg.interface2.configured = 0; | 1366 | cfg.interface1.configured = 0; |
1334 | cfg.interface3.configured = 0; | 1367 | cfg.interface2.configured = 0; |
1335 | continue; | 1368 | cfg.interface3.configured = 0; |
1336 | } | 1369 | continue; |
1370 | } | ||
1371 | |||
1337 | #ifdef HAVE_NETWORK_RESTRICTED | 1372 | #ifdef HAVE_NETWORK_RESTRICTED |
1338 | if (getuid() != 0) { | 1373 | // compile time restricted networking |
1339 | fprintf(stderr, "Error: only --net=none is allowed to non-root users\n"); | 1374 | if (getuid() != 0) { |
1340 | exit(1); | 1375 | fprintf(stderr, "Error: only --net=none is allowed to non-root users\n"); |
1341 | } | 1376 | exit(1); |
1377 | } | ||
1342 | #endif | 1378 | #endif |
1343 | if (strcmp(argv[i] + 6, "lo") == 0) { | 1379 | // run time restricted networking |
1344 | fprintf(stderr, "Error: cannot attach to lo device\n"); | 1380 | if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) { |
1345 | exit(1); | 1381 | fprintf(stderr, "Error: only --net=none is allowed to non-root users\n"); |
1382 | exit(1); | ||
1383 | } | ||
1384 | if (strcmp(argv[i] + 6, "lo") == 0) { | ||
1385 | fprintf(stderr, "Error: cannot attach to lo device\n"); | ||
1386 | exit(1); | ||
1387 | } | ||
1388 | |||
1389 | Bridge *br; | ||
1390 | if (cfg.bridge0.configured == 0) | ||
1391 | br = &cfg.bridge0; | ||
1392 | else if (cfg.bridge1.configured == 0) | ||
1393 | br = &cfg.bridge1; | ||
1394 | else if (cfg.bridge2.configured == 0) | ||
1395 | br = &cfg.bridge2; | ||
1396 | else if (cfg.bridge3.configured == 0) | ||
1397 | br = &cfg.bridge3; | ||
1398 | else { | ||
1399 | fprintf(stderr, "Error: maximum 4 network devices are allowed\n"); | ||
1400 | return 1; | ||
1401 | } | ||
1402 | net_configure_bridge(br, argv[i] + 6); | ||
1346 | } | 1403 | } |
1347 | |||
1348 | Bridge *br; | ||
1349 | if (cfg.bridge0.configured == 0) | ||
1350 | br = &cfg.bridge0; | ||
1351 | else if (cfg.bridge1.configured == 0) | ||
1352 | br = &cfg.bridge1; | ||
1353 | else if (cfg.bridge2.configured == 0) | ||
1354 | br = &cfg.bridge2; | ||
1355 | else if (cfg.bridge3.configured == 0) | ||
1356 | br = &cfg.bridge3; | ||
1357 | else { | 1404 | else { |
1358 | fprintf(stderr, "Error: maximum 4 network devices are allowed\n"); | 1405 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1359 | return 1; | 1406 | exit(1); |
1360 | } | 1407 | } |
1361 | net_configure_bridge(br, argv[i] + 6); | ||
1362 | } | 1408 | } |
1409 | |||
1363 | else if (strcmp(argv[i], "--scan") == 0) { | 1410 | else if (strcmp(argv[i], "--scan") == 0) { |
1364 | arg_scan = 1; | 1411 | if (checkcfg(CFG_NETWORK)) { |
1365 | } | 1412 | arg_scan = 1; |
1366 | else if (strncmp(argv[i], "--iprange=", 10) == 0) { | ||
1367 | Bridge *br = last_bridge_configured(); | ||
1368 | if (br == NULL) { | ||
1369 | fprintf(stderr, "Error: no network device configured\n"); | ||
1370 | return 1; | ||
1371 | } | 1413 | } |
1372 | if (br->iprange_start || br->iprange_end) { | 1414 | else { |
1373 | fprintf(stderr, "Error: cannot configure the IP range twice for the same interface\n"); | 1415 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1374 | return 1; | 1416 | exit(1); |
1375 | } | 1417 | } |
1376 | 1418 | } | |
1377 | // parse option arguments | 1419 | else if (strncmp(argv[i], "--iprange=", 10) == 0) { |
1378 | char *firstip = argv[i] + 10; | 1420 | if (checkcfg(CFG_NETWORK)) { |
1379 | char *secondip = firstip; | 1421 | Bridge *br = last_bridge_configured(); |
1380 | while (*secondip != '\0') { | 1422 | if (br == NULL) { |
1381 | if (*secondip == ',') | 1423 | fprintf(stderr, "Error: no network device configured\n"); |
1382 | break; | 1424 | return 1; |
1425 | } | ||
1426 | if (br->iprange_start || br->iprange_end) { | ||
1427 | fprintf(stderr, "Error: cannot configure the IP range twice for the same interface\n"); | ||
1428 | return 1; | ||
1429 | } | ||
1430 | |||
1431 | // parse option arguments | ||
1432 | char *firstip = argv[i] + 10; | ||
1433 | char *secondip = firstip; | ||
1434 | while (*secondip != '\0') { | ||
1435 | if (*secondip == ',') | ||
1436 | break; | ||
1437 | secondip++; | ||
1438 | } | ||
1439 | if (*secondip == '\0') { | ||
1440 | fprintf(stderr, "Error: invalid IP range\n"); | ||
1441 | return 1; | ||
1442 | } | ||
1443 | *secondip = '\0'; | ||
1383 | secondip++; | 1444 | secondip++; |
1445 | |||
1446 | // check addresses | ||
1447 | if (atoip(firstip, &br->iprange_start) || atoip(secondip, &br->iprange_end) || | ||
1448 | br->iprange_start >= br->iprange_end) { | ||
1449 | fprintf(stderr, "Error: invalid IP range\n"); | ||
1450 | return 1; | ||
1451 | } | ||
1452 | if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) { | ||
1453 | fprintf(stderr, "Error: IP range addresses not in network range\n"); | ||
1454 | return 1; | ||
1455 | } | ||
1384 | } | 1456 | } |
1385 | if (*secondip == '\0') { | 1457 | else { |
1386 | fprintf(stderr, "Error: invalid IP range\n"); | 1458 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1387 | return 1; | 1459 | exit(1); |
1388 | } | ||
1389 | *secondip = '\0'; | ||
1390 | secondip++; | ||
1391 | |||
1392 | // check addresses | ||
1393 | if (atoip(firstip, &br->iprange_start) || atoip(secondip, &br->iprange_end) || | ||
1394 | br->iprange_start >= br->iprange_end) { | ||
1395 | fprintf(stderr, "Error: invalid IP range\n"); | ||
1396 | return 1; | ||
1397 | } | ||
1398 | if (in_netrange(br->iprange_start, br->ip, br->mask) || in_netrange(br->iprange_end, br->ip, br->mask)) { | ||
1399 | fprintf(stderr, "Error: IP range addresses not in network range\n"); | ||
1400 | return 1; | ||
1401 | } | 1460 | } |
1402 | } | 1461 | } |
1462 | |||
1403 | else if (strncmp(argv[i], "--mac=", 6) == 0) { | 1463 | else if (strncmp(argv[i], "--mac=", 6) == 0) { |
1404 | Bridge *br = last_bridge_configured(); | 1464 | if (checkcfg(CFG_NETWORK)) { |
1405 | if (br == NULL) { | 1465 | Bridge *br = last_bridge_configured(); |
1406 | fprintf(stderr, "Error: no network device configured\n"); | 1466 | if (br == NULL) { |
1407 | return 1; | 1467 | fprintf(stderr, "Error: no network device configured\n"); |
1408 | } | 1468 | return 1; |
1409 | if (mac_not_zero(br->macsandbox)) { | 1469 | } |
1410 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); | 1470 | if (mac_not_zero(br->macsandbox)) { |
1411 | return 1; | 1471 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); |
1472 | return 1; | ||
1473 | } | ||
1474 | |||
1475 | // read the address | ||
1476 | if (atomac(argv[i] + 6, br->macsandbox)) { | ||
1477 | fprintf(stderr, "Error: invalid MAC address\n"); | ||
1478 | return 1; | ||
1479 | } | ||
1412 | } | 1480 | } |
1413 | 1481 | else { | |
1414 | // read the address | 1482 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1415 | if (atomac(argv[i] + 6, br->macsandbox)) { | 1483 | exit(1); |
1416 | fprintf(stderr, "Error: invalid MAC address\n"); | ||
1417 | return 1; | ||
1418 | } | 1484 | } |
1419 | } | 1485 | } |
1486 | |||
1420 | else if (strncmp(argv[i], "--mtu=", 6) == 0) { | 1487 | else if (strncmp(argv[i], "--mtu=", 6) == 0) { |
1421 | Bridge *br = last_bridge_configured(); | 1488 | if (checkcfg(CFG_NETWORK)) { |
1422 | if (br == NULL) { | 1489 | Bridge *br = last_bridge_configured(); |
1423 | fprintf(stderr, "Error: no network device configured\n"); | 1490 | if (br == NULL) { |
1424 | return 1; | 1491 | fprintf(stderr, "Error: no network device configured\n"); |
1492 | return 1; | ||
1493 | } | ||
1494 | |||
1495 | if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { | ||
1496 | fprintf(stderr, "Error: invalid mtu value\n"); | ||
1497 | return 1; | ||
1498 | } | ||
1425 | } | 1499 | } |
1426 | 1500 | else { | |
1427 | if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { | 1501 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1428 | fprintf(stderr, "Error: invalid mtu value\n"); | 1502 | exit(1); |
1429 | return 1; | ||
1430 | } | 1503 | } |
1431 | } | 1504 | } |
1432 | else if (strncmp(argv[i], "--ip=", 5) == 0) { | ||
1433 | Bridge *br = last_bridge_configured(); | ||
1434 | if (br == NULL) { | ||
1435 | fprintf(stderr, "Error: no network device configured\n"); | ||
1436 | return 1; | ||
1437 | } | ||
1438 | if (br->arg_ip_none || br->ipsandbox) { | ||
1439 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
1440 | return 1; | ||
1441 | } | ||
1442 | 1505 | ||
1443 | // configure this IP address for the last bridge defined | 1506 | else if (strncmp(argv[i], "--ip=", 5) == 0) { |
1444 | if (strcmp(argv[i] + 5, "none") == 0) | 1507 | if (checkcfg(CFG_NETWORK)) { |
1445 | br->arg_ip_none = 1; | 1508 | Bridge *br = last_bridge_configured(); |
1446 | else { | 1509 | if (br == NULL) { |
1447 | if (atoip(argv[i] + 5, &br->ipsandbox)) { | 1510 | fprintf(stderr, "Error: no network device configured\n"); |
1448 | fprintf(stderr, "Error: invalid IP address\n"); | ||
1449 | return 1; | 1511 | return 1; |
1450 | } | 1512 | } |
1513 | if (br->arg_ip_none || br->ipsandbox) { | ||
1514 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
1515 | return 1; | ||
1516 | } | ||
1517 | |||
1518 | // configure this IP address for the last bridge defined | ||
1519 | if (strcmp(argv[i] + 5, "none") == 0) | ||
1520 | br->arg_ip_none = 1; | ||
1521 | else { | ||
1522 | if (atoip(argv[i] + 5, &br->ipsandbox)) { | ||
1523 | fprintf(stderr, "Error: invalid IP address\n"); | ||
1524 | return 1; | ||
1525 | } | ||
1526 | } | ||
1451 | } | 1527 | } |
1452 | } | 1528 | else { |
1453 | else if (strncmp(argv[i], "--ip6=", 6) == 0) { | 1529 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
1454 | Bridge *br = last_bridge_configured(); | 1530 | exit(1); |
1455 | if (br == NULL) { | ||
1456 | fprintf(stderr, "Error: no network device configured\n"); | ||
1457 | return 1; | ||
1458 | } | ||
1459 | if (br->arg_ip_none || br->ip6sandbox) { | ||
1460 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
1461 | return 1; | ||
1462 | } | 1531 | } |
1532 | } | ||
1463 | 1533 | ||
1464 | // configure this IP address for the last bridge defined | 1534 | else if (strncmp(argv[i], "--ip6=", 6) == 0) { |
1465 | // todo: verify ipv6 syntax | 1535 | if (checkcfg(CFG_NETWORK)) { |
1466 | br->ip6sandbox = argv[i] + 6; | 1536 | Bridge *br = last_bridge_configured(); |
1537 | if (br == NULL) { | ||
1538 | fprintf(stderr, "Error: no network device configured\n"); | ||
1539 | return 1; | ||
1540 | } | ||
1541 | if (br->arg_ip_none || br->ip6sandbox) { | ||
1542 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
1543 | return 1; | ||
1544 | } | ||
1545 | |||
1546 | // configure this IP address for the last bridge defined | ||
1547 | // todo: verify ipv6 syntax | ||
1548 | br->ip6sandbox = argv[i] + 6; | ||
1467 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { | 1549 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { |
1468 | // fprintf(stderr, "Error: invalid IP address\n"); | 1550 | // fprintf(stderr, "Error: invalid IP address\n"); |
1469 | // return 1; | 1551 | // return 1; |
1470 | // } | 1552 | // } |
1553 | } | ||
1554 | else { | ||
1555 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
1556 | exit(1); | ||
1557 | } | ||
1471 | } | 1558 | } |
1472 | 1559 | ||
1473 | 1560 | ||
1474 | else if (strncmp(argv[i], "--defaultgw=", 12) == 0) { | 1561 | else if (strncmp(argv[i], "--defaultgw=", 12) == 0) { |
1475 | if (atoip(argv[i] + 12, &cfg.defaultgw)) { | 1562 | if (checkcfg(CFG_NETWORK)) { |
1476 | fprintf(stderr, "Error: invalid IP address\n"); | 1563 | if (atoip(argv[i] + 12, &cfg.defaultgw)) { |
1477 | return 1; | 1564 | fprintf(stderr, "Error: invalid IP address\n"); |
1565 | return 1; | ||
1566 | } | ||
1567 | } | ||
1568 | else { | ||
1569 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
1570 | exit(1); | ||
1478 | } | 1571 | } |
1479 | } | 1572 | } |
1480 | #endif | 1573 | #endif |
@@ -1496,18 +1589,40 @@ int main(int argc, char **argv) { | |||
1496 | return 1; | 1589 | return 1; |
1497 | } | 1590 | } |
1498 | } | 1591 | } |
1592 | |||
1499 | #ifdef HAVE_NETWORK | 1593 | #ifdef HAVE_NETWORK |
1500 | else if (strcmp(argv[i], "--netfilter") == 0) | 1594 | else if (strcmp(argv[i], "--netfilter") == 0) { |
1501 | arg_netfilter = 1; | 1595 | if (checkcfg(CFG_NETWORK)) { |
1596 | arg_netfilter = 1; | ||
1597 | } | ||
1598 | else { | ||
1599 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
1600 | exit(1); | ||
1601 | } | ||
1602 | } | ||
1603 | |||
1502 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { | 1604 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { |
1503 | arg_netfilter = 1; | 1605 | if (checkcfg(CFG_NETWORK)) { |
1504 | arg_netfilter_file = argv[i] + 12; | 1606 | arg_netfilter = 1; |
1505 | check_netfilter_file(arg_netfilter_file); | 1607 | arg_netfilter_file = argv[i] + 12; |
1608 | check_netfilter_file(arg_netfilter_file); | ||
1609 | } | ||
1610 | else { | ||
1611 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
1612 | exit(1); | ||
1613 | } | ||
1506 | } | 1614 | } |
1615 | |||
1507 | else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { | 1616 | else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { |
1508 | arg_netfilter6 = 1; | 1617 | if (checkcfg(CFG_NETWORK)) { |
1509 | arg_netfilter6_file = argv[i] + 13; | 1618 | arg_netfilter6 = 1; |
1510 | check_netfilter_file(arg_netfilter6_file); | 1619 | arg_netfilter6_file = argv[i] + 13; |
1620 | check_netfilter_file(arg_netfilter6_file); | ||
1621 | } | ||
1622 | else { | ||
1623 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | ||
1624 | exit(1); | ||
1625 | } | ||
1511 | } | 1626 | } |
1512 | #endif | 1627 | #endif |
1513 | //************************************* | 1628 | //************************************* |
@@ -1515,6 +1630,7 @@ int main(int argc, char **argv) { | |||
1515 | //************************************* | 1630 | //************************************* |
1516 | else if (strcmp(argv[i], "--csh") == 0) { | 1631 | else if (strcmp(argv[i], "--csh") == 0) { |
1517 | if (arg_shell_none) { | 1632 | if (arg_shell_none) { |
1633 | |||
1518 | fprintf(stderr, "Error: --shell=none was already specified.\n"); | 1634 | fprintf(stderr, "Error: --shell=none was already specified.\n"); |
1519 | return 1; | 1635 | return 1; |
1520 | } | 1636 | } |