Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 21 | ||||
-rw-r--r-- | src/firejail/network.c | 6 | ||||
-rw-r--r-- | src/firejail/network_main.c | 9 | ||||
-rw-r--r-- | src/firejail/profile.c | 24 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 5 | ||||
-rw-r--r-- | src/man/firejail.txt | 12 |
8 files changed, 80 insertions, 3 deletions
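--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -131,6 +131,8 @@ typedef struct bridge_t {
 uint8_t mac[6]; // interface mac address
 int mtu; // interface mtu
 
+char *veth_name; // veth name for the device connected to the bridge
+
 // inside the sandbox
 char *devsandbox; // name of the device inside the sandbox
 uint32_t ipsandbox; // ip address inside the sandbox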
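Review bot: The comment on the new `veth_name` field does not record the two facts a reader of network_main.c needs: that NULL is the sentinel meaning "generate the default name" (net_configure_veth_pair tests the field for NULL), and that a non-NULL value is heap memory from strdup in the option and profile parsers, so whoever owns the Bridge is responsible for freeing it. Suggest `char *veth_name; // user-chosen name for the bridge-side veth; NULL = auto-generate; heap (strdup), owned by the Bridge`. The struct definition starts outside the hunk, so whether Bridge objects are zero-initialised (which the NULL test relies on) cannot be confirmed here.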
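--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1855,6 +1855,27 @@ int main(int argc, char **argv) {
 }
 }
 
+else if (strncmp(argv[i], "--veth-name=", 12) == 0) {
+if (checkcfg(CFG_NETWORK)) {
+Bridge *br = last_bridge_configured();
+if (br == NULL) {
+fprintf(stderr, "Error: no network device configured\n");
+exit(1);
+}
+br->veth_name = strdup(argv[i] + 12);
+if (br->veth_name == NULL)
+errExit("strdup");
+if (*br->veth_name == '\0') {
+fprintf(stderr, "Error: no veth-name configured\n");
+exit(1);
+}
+}
+else {
+fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
+exit(1);
+}
+}
+
 else if (strcmp(argv[i], "--scan") == 0) {
 if (checkcfg(CFG_NETWORK)) {
 arg_scan = 1;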
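Review bot: The value stored in `br->veth_name` at new line 1865 is only checked for being empty, yet network_main.c later hands it verbatim to net_create_veth as a kernel interface name, so an over-long name (Linux caps interface names at IFNAMSIZ-1 bytes) or one containing '/' or whitespace is rejected only much later with a generic ioctl/netlink failure instead of at the command line. After the empty-string check add `if (strlen(br->veth_name) >= IFNAMSIZ || strchr(br->veth_name, '/') != NULL) { fprintf(stderr, "Error: invalid veth-name\n"); exit(1); }` (IFNAMSIZ comes from <net/if.h>), and apply the same check to the `veth-name` line in profile.c, where `ptr + 10` will also keep any trailing whitespace unless the caller trims the line. Repeating the option overwrites the earlier strdup result without freeing it, and neither usage.c nor the man page says the option applies only to the most recently configured `--net` bridge, which this code relies on via last_bridge_configured(). The body of main() continues outside the hunk.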
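--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -204,6 +204,7 @@ void net_if_up(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
 
@@ -212,6 +213,7 @@ void net_if_up(const char *ifname) {
 // set the new flags
 if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
 
@@ -219,6 +221,7 @@ void net_if_up(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
 
@@ -230,6 +233,7 @@ void net_if_up(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot bring up interface %s\n", ifname);
 errExit("ioctl");
 }
 if (ifr.ifr_flags & IFF_RUNNING)
@@ -260,6 +264,7 @@ void net_if_down(const char *ifname) {
 // read the existing flags
 if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot shut down interface %s\n", ifname);
 errExit("ioctl");
 }
 
@@ -268,6 +273,7 @@ void net_if_down(const char *ifname) {
 // set the new flags
 if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
 close(sock);
+printf("Error: cannot shut down interface %s\n", ifname);
 errExit("ioctl");
 }
 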
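Review bot: The diagnostic added at new line 207 is written to stdout with `printf`, while every other error message in this commit goes to stderr with `fprintf(stderr, ...)`; on a path that ends in errExit the line should be `fprintf(stderr, "Error: cannot bring up interface %s\n", ifname);` so it is not buffered away or mixed into redirected program output. The same applies to the other five hunks in this section (new lines 216, 224, 236, 267 and 276, the last two with the "shut down" wording). Both the new printf and the pre-existing close() sit between the failing ioctl and errExit and can overwrite errno, so the reported reason may be wrong; saving errno immediately after the ioctl and restoring it before errExit would keep the message accurate. net_if_up and net_if_down both start and end outside these hunks.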
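--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -120,8 +120,13 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
 
 // create a veth pair
 char *dev;
-if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0)
-errExit("asprintf");
+if (br->veth_name == NULL) {
+if (asprintf(&dev, "veth%u%s", getpid(), ifname) < 0)
+errExit("asprintf");
+}
+else
+dev = br->veth_name;
+
 net_create_veth(dev, ifname, child);
 
 // add interface to the bridge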
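Review bot: In the new else branch `dev = br->veth_name;` makes `dev` an alias of memory owned by the Bridge, whereas the asprintf branch yields a fresh allocation, so the two branches now have different ownership; if the rest of net_configure_veth_pair frees `dev` (the function continues past the hunk, so this cannot be confirmed here) the user's option string is freed out from under `br`, and if it does not, the asprintf result is leaked as before. Giving both branches the same ownership, `else if ((dev = strdup(br->veth_name)) == NULL) errExit("strdup");`, makes a later free safe either way. A comment above the test, such as `// veth_name == NULL: generate the default "veth<pid><ifname>" name`, would record why the field is consulted here.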
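--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -302,6 +302,29 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+else if (strncmp(ptr, "veth-name ", 10) == 0) {
+#ifdef HAVE_NETWORK
+if (checkcfg(CFG_NETWORK)) {
+Bridge *br = last_bridge_configured();
+if (br == NULL) {
+fprintf(stderr, "Error: no network device configured\n");
+exit(1);
+}
+
+br->veth_name = strdup(ptr + 10);
+if (br->veth_name == NULL)
+errExit("strdup");
+if (*br->veth_name == '\0') {
+fprintf(stderr, "Error: no veth-name configured\n");
+exit(1);
+}
+}
+else
+fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+return 0;
+}
+
 else if (strncmp(ptr, "iprange ", 8) == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {
@@ -348,7 +371,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 
 
-// from here
 else if (strncmp(ptr, "mac ", 4) == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {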
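--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -272,6 +272,10 @@ void usage(void) {
 printf("\tdirectoires blacklisted by the security profile.\n\n");
 printf(" --tree - print a tree of all sandboxed processes.\n\n");
 printf(" --version - print program version and exit.\n\n");
+#ifdef HAVE_NETWORK
+printf(" --veth-name=name - use this name for the interface connected to the bridge\n");
+printf("\tfor --net=bridgename commands, instead of the default one.\n\n");
+#endif
 #ifdef HAVE_WHITELIST
 printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
 #endif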
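--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -474,6 +474,11 @@ available in the new namespace is a new loopback interface (lo).
 Use this option to deny network access to programs that don't
 really need network access.
 
+.TP
+\fBveth-name name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands,
+instead of the default one.
+
 .SH Other
 .TP
 \fBjoin-or-start sandboxname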
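--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1605,6 +1605,18 @@ Example:
 $ firejail \-\-version
 .br
 firejail version 0.9.27
+
+.TP
+\fB\-\-veth-name=name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands,
+instead of the default one.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-net=br0 --veth-name=if0
+
 .TP
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the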