Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/netfilter.c | 10 |
1 files changed, 8 insertions, 2 deletions
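diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index ed411313a..9e759ec70 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -95,7 +95,10 @@ void netfilter(const char *fname) {
 	// push filter
 	if (arg_debug)
 		printf("Installing network filter:\n%s\n", filter);
-	sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
+
+	// first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
+	// we run this command with caps and seccomp disabled in order to allow the loading of these modules
+	sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
 	unlink(SBOX_STDIN_FILE);
 
 	// debug
@@ -141,7 +144,10 @@ void netfilter6(const char *fname) {
 	// push filter
 	if (arg_debug)
 		printf("Installing network filter:\n%s\n", filter);
-	sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
+
+	// first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
+	// we run this command with caps and seccomp disabled in order to allow the loading of these modules
+	sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
 	unlink(SBOX_STDIN_FILE);
 
 	// debug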
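Review bot: Dropping SBOX_CAPS_NETWORK and SBOX_SECCOMP from the new sbox_run() call in both hunks runs iptables-restore with the helper's full root capability set and no syscall filter for every invocation, not just the first one that needs module autoloading, and the input it parses comes from the filter file named by fname, which is presumably caller- or user-supplied. A narrower fix would keep the reduced flags on the real restore and only relax them for a one-off module-probe run (a fixed, trivial ruleset), or at least record in the comment that this is a deliberate privilege widening and why the probe approach was not taken. The commented-out flags left inside the expression are dead code; if the reduced set is intended, write `sbox_run(SBOX_ROOT | SBOX_STDIN_FROM_FILE, 1, iptables_restore);` (and the ip6tables_restore counterpart in the second hunk) and carry the rationale in the comment above it. The comment in the netfilter6 hunk says "iptables" where ip6tables and its modules are meant. Both netfilter() and netfilter6() begin and end outside these hunks.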