Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/profile.c | 28 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 24 |
2 files changed, 50 insertions, 2 deletions
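--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -232,6 +232,34 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
 return 0;
 }
+else if (strncmp(ptr, "net ", 4) == 0) {
+#ifdef HAVE_NETWORK
+if (checkcfg(CFG_NETWORK)) {
+if (strcmp(ptr + 4, "lo") == 0) {
+fprintf(stderr, "Error: cannot attach to lo device\n");
+exit(1);
+}
+
+Bridge *br;
+if (cfg.bridge0.configured == 0)
+br = &cfg.bridge0;
+else if (cfg.bridge1.configured == 0)
+br = &cfg.bridge1;
+else if (cfg.bridge2.configured == 0)
+br = &cfg.bridge2;
+else if (cfg.bridge3.configured == 0)
+br = &cfg.bridge3;
+else {
+fprintf(stderr, "Error: maximum 4 network devices are allowed\n");
+exit(1);
+}
+net_configure_bridge(br, ptr + 4);
+}
+else
+fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+return 0;
+}
 
 if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP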
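Review bot: The only name validation before `net_configure_bridge(br, ptr + 4)` is the exact-match check against `lo`, so a `net none` profile line would reach the bridge code as an interface named `none` unless that directive is matched earlier in `profile_check_line`, whose start lies outside the hunk; worth confirming, since the man-page hunk in this commit documents `net none` next to the new bridge and macvlan forms. When `HAVE_NETWORK` is not defined the directive is accepted silently (`return 0` with no message), whereas the `checkcfg(CFG_NETWORK)` path at least prints a warning; a profile author relying on `net` for namespace isolation gets no signal in the first case, so an `#else` branch with `fprintf(stderr, "Warning: networking features are not available in this build\n");` would make the two cases behave alike. The bridge0..bridge3 slot selection looks like it mirrors the command-line `--net` handling elsewhere in the tree; if so, a shared helper such as `Bridge *net_first_free_bridge(void)` would keep the "maximum 4 network devices" limit and its error message in one place.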
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index b135ee615..ddfae5948 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -296,10 +296,30 @@ If a new network namespace is created, enabled default network filter. | |||
296 | If a new network namespace is created, enabled the network filter in filename. | 296 | If a new network namespace is created, enabled the network filter in filename. |
297 | 297 | ||
298 | .TP | 298 | .TP |
299 | \fBnet bridge_interface | ||
300 | Enable a new network namespace and connect it to this bridge interface. | ||
301 | Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned | ||
302 | automatically to the sandbox. The IP address is verified using ARP before assignment. The address | ||
303 | configured as default gateway is the bridge device IP address. Up to four \-\-net | ||
304 | bridge devices can be defined. Mixing bridge and macvlan devices is allowed. | ||
305 | |||
306 | .TP | ||
307 | \fBnet ethernet_interface | ||
308 | Enable a new network namespace and connect it | ||
309 | to this ethernet interface using the standard Linux macvlan | ||
310 | driver. Unless specified with option \-\-ip and \-\-defaultgw, an | ||
311 | IP address and a default gateway will be assigned automatically | ||
312 | to the sandbox. The IP address is verified using ARP before | ||
313 | assignment. The address configured as default gateway is the | ||
314 | default gateway of the host. Up to four \-\-net devices can | ||
315 | be defined. Mixing bridge and macvlan devices is allowed. | ||
316 | Note: wlan devices are not supported for this option. | ||
317 | |||
318 | .TP | ||
299 | \fBnet none | 319 | \fBnet none |
300 | Enable a new, unconnected network namespace. The only interface | 320 | Enable a new, unconnected network namespace. The only interface |
301 | available in the new namespace is a new loopback interface (lo). | 321 | available in the new namespace is a new loopback interface (lo). |
302 | Use this option to deny network access to programs that don't | 322 | Use this option to deny network access to programs that don't |
303 | really need network access. | 323 | really need network access. |
304 | 324 | ||
305 | .TP | 325 | .TP |