Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 24 | ||||
-rw-r--r-- | src/man/firejail-config.txt | 4 |
2 files changed, 26 insertions, 2 deletions
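--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1684,6 +1684,18 @@ int main(int argc, char **argv) {
 
 #ifdef HAVE_NETWORK
 else if (strcmp(argv[i], "--netfilter") == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+// compile time restricted networking
+if (getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
+#endif
+// run time restricted networking
+if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 }
@@ -1694,6 +1706,18 @@ int main(int argc, char **argv) {
 }
 
 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+// compile time restricted networking
+if (getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
+#endif
+// run time restricted networking
+if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+exit(1);
+}
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 arg_netfilter_file = argv[i] + 12;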
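Review bot: The twelve-line root check added to the `--netfilter` branch is pasted verbatim into the `--netfilter=` branch in the second hunk, and within each branch the compile-time and run-time paths are two separate `if` blocks that print the same message and take the same action. A privilege gate duplicated by hand is the kind of thing that drifts when a third netfilter spelling is added or the message is changed, so I would fold it into one static helper called from both branches, as sketched below; the helper would live before `main` rather than inside this hunk. The behaviour is unchanged: when HAVE_NETWORK_RESTRICTED is defined the check is unconditional, otherwise it depends on `checkcfg(CFG_RESTRICTED_NETWORK)`, and non-root callers get the same error and `exit(1)`. `main` starts and ends outside both hunks.
```c
// Refuse --netfilter / --netfilter= for non-root users when restricted
// networking is enabled, either at compile time (HAVE_NETWORK_RESTRICTED)
// or at run time (restricted-network in the config file).
static void check_netfilter_restricted(void) {
#ifdef HAVE_NETWORK_RESTRICTED
	int restricted = 1;
#else
	int restricted = checkcfg(CFG_RESTRICTED_NETWORK);
#endif
	if (restricted && getuid() != 0) {
		fprintf(stderr, "Error: --netfilter is only allowed for root\n");
		exit(1);
	}
}
// … unchanged: earlier option parsing in main …
		else if (strcmp(argv[i], "--netfilter") == 0) {
			check_netfilter_restricted();
			// … unchanged: CFG_NETWORK handling …
		else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
			check_netfilter_restricted();
```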
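--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -33,8 +33,8 @@ Enable or disable networking features, default enabled.
 \fBrestricted-network
 Enable or disable restricted network support, default disabled. If enabled,
 networking features should also be enabled (network yes).
-Restricted networking grants access to --interface and --net=ethXXX
-only to root user. Regular users are only allowed --net=none.
+Restricted networking grants access to --interface, --net=ethXXX and
+\-\-netfilter only to root user. Regular users are only allowed --net=none.
 
 .TP
 \fBsecomp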