Diffstat (limited to 'src/firejail/netfilter.c')
-rw-r--r-- | src/firejail/netfilter.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index ea1d45dd7..14b3b54a6 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -46,7 +46,7 @@ static char *client_filter = | |||
46 | void check_netfilter_file(const char *fname) { | 46 | void check_netfilter_file(const char *fname) { |
47 | EUID_ASSERT(); | 47 | EUID_ASSERT(); |
48 | invalid_filename(fname); | 48 | invalid_filename(fname); |
49 | 49 | ||
50 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) { | 50 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) { |
51 | fprintf(stderr, "Error: invalid network filter file %s\n", fname); | 51 | fprintf(stderr, "Error: invalid network filter file %s\n", fname); |
52 | exit(1); | 52 | exit(1); |
@@ -95,14 +95,14 @@ void netfilter(const char *fname) { | |||
95 | // push filter | 95 | // push filter |
96 | if (arg_debug) | 96 | if (arg_debug) |
97 | printf("Installing network filter:\n%s\n", filter); | 97 | printf("Installing network filter:\n%s\n", filter); |
98 | 98 | ||
99 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter | 99 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter |
100 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules | 100 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules |
101 | sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore); | 101 | sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore); |
102 | unlink(SBOX_STDIN_FILE); | 102 | unlink(SBOX_STDIN_FILE); |
103 | 103 | ||
104 | // debug | 104 | // debug |
105 | if (arg_debug) | 105 | if (arg_debug) |
106 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL"); | 106 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL"); |
107 | 107 | ||
108 | if (allocated) | 108 | if (allocated) |
@@ -113,7 +113,7 @@ void netfilter(const char *fname) { | |||
113 | void netfilter6(const char *fname) { | 113 | void netfilter6(const char *fname) { |
114 | if (fname == NULL) | 114 | if (fname == NULL) |
115 | return; | 115 | return; |
116 | 116 | ||
117 | // find iptables command | 117 | // find iptables command |
118 | char *ip6tables = NULL; | 118 | char *ip6tables = NULL; |
119 | char *ip6tables_restore = NULL; | 119 | char *ip6tables_restore = NULL; |
@@ -149,7 +149,7 @@ void netfilter6(const char *fname) { | |||
149 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules | 149 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules |
150 | sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); | 150 | sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); |
151 | unlink(SBOX_STDIN_FILE); | 151 | unlink(SBOX_STDIN_FILE); |
152 | 152 | ||
153 | // debug | 153 | // debug |
154 | if (arg_debug) | 154 | if (arg_debug) |
155 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL"); | 155 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL"); |