18 files changed, 61 insertions, 18 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d85b470e6..c791913ea 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -357,6 +357,7 @@ extern int arg_deterministic_exit_code;	// always exit with first child's exit s
 extern int arg_deterministic_shutdown;  // shut down the sandbox if first child dies
 extern int arg_keep_fd_all;     // inherit all file descriptors to sandbox
 extern int arg_netlock; // netlocker
+extern int arg_restrict_namespaces;
 
 typedef enum {
         DBUS_POLICY_ALLOW,      // Allow unrestricted access to the bus
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index cddf3c903..29f805e1a 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -152,7 +152,7 @@ void fs_mount_hosts_file(void) {
         // check /etc/hosts file
         struct stat s;
         if (stat("/etc/hosts", &s) == -1)
-                goto errexit;
+                return;
         // owned by root
         if (s.st_uid != 0)
                 goto errexit;
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 732ca93c2..45b199db4 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -165,6 +165,7 @@ int arg_tab = 0;
 int login_shell = 0;
 int just_run_the_shell = 0;
 int arg_netlock = 0;
+int arg_restrict_namespaces = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1508,8 +1509,10 @@ int main(int argc, char **argv, char **envp) {
                                 exit_err_feature("seccomp");
                 }
                 else if (strcmp(argv[i], "--restrict-namespaces") == 0) {
-                        if (checkcfg(CFG_SECCOMP))
+                        if (checkcfg(CFG_SECCOMP)) {
+                                arg_restrict_namespaces = 1;
                                 profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+                        }
                         else
                                 exit_err_feature("seccomp");
                 }
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 6055ec95b..e0c11a005 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -96,12 +96,16 @@ void preproc_mount_mnt_dir(void) {
                 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
                         errExit("set_perms");
                 if (cfg.restrict_namespaces) {
+                        copy_file(PATH_SECCOMP_NAMESPACES, RUN_SECCOMP_NS, getuid(), getgid(), 0644); // root needed
+                        copy_file(PATH_SECCOMP_NAMESPACES_32, RUN_SECCOMP_NS_32, getuid(), getgid(), 0644); // root needed
+#if 0
                         create_empty_file_as_root(RUN_SECCOMP_NS, 0644);
                         if (set_perms(RUN_SECCOMP_NS, getuid(), getgid(), 0644))
                                 errExit("set_perms");
                         create_empty_file_as_root(RUN_SECCOMP_NS_32, 0644);
                         if (set_perms(RUN_SECCOMP_NS_32, getuid(), getgid(), 0644))
                                 errExit("set_perms");
+#endif
                 }
                 create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
                 if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index ae881664b..07449f646 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1088,8 +1088,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // restrict-namespaces
         if (strcmp(ptr, "restrict-namespaces") == 0) {
-                if (checkcfg(CFG_SECCOMP))
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_restrict_namespaces = 1;
                         profile_list_augment(&cfg.restrict_namespaces, "cgroup,ipc,net,mnt,pid,time,user,uts");
+                }
                 else
                         warning_feature_disabled("seccomp");
                 return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 19ac8d9ec..538f5be67 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -987,12 +987,8 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // hosts and hostname
         //****************************
-//      if (cfg.hostname)
         fs_hostname();
 
-//      if (cfg.hosts_file)
-//              fs_mount_hosts_file();
-
         //****************************
         // /etc overrides from the network namespace
         //****************************
@@ -1215,7 +1211,19 @@ int sandbox(void* sandbox_arg) {
                 seccomp_load(RUN_SECCOMP_MDWX_32);
         }
 
-        if (cfg.restrict_namespaces) {
+        if (arg_restrict_namespaces) {
+                if (arg_seccomp_error_action != EPERM) {
+                        seccomp_filter_namespaces(true, cfg.restrict_namespaces);
+                        seccomp_filter_namespaces(false, cfg.restrict_namespaces);
+                }
+
+                if (arg_debug)
+                        printf("Install namespaces filter\n");
+                seccomp_load(RUN_SECCOMP_NS);   // install filter
+                seccomp_load(RUN_SECCOMP_NS_32);
+
+        }
+        else if (cfg.restrict_namespaces) {
                 seccomp_filter_namespaces(true, cfg.restrict_namespaces);
                 seccomp_filter_namespaces(false, cfg.restrict_namespaces);
 
diff --git a/src/fnettrace/Makefile b/src/fnettrace/Makefile
index 9748a3b47..68a4cbdc0 100644
--- a/src/fnettrace/Makefile
+++ b/src/fnettrace/Makefile
@@ -11,6 +11,3 @@ include $(ROOT)/src/prog.mk
 all: $(TARGET) static-ip-map
 static-ip-map: static-ip-map.txt fnettrace
         ./fnettrace --squash-map=static-ip-map.txt > static-ip-map
-
-
-
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt
index 92c55d148..2742e71c5 100644
--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -359,6 +359,7 @@
 172.105.128.0/23 Linode
 
 # Akamai
+2.16.0.0/13 Akamai
 23.0.0.0/12 Akamai
 23.32.0.0/11 Akamai
 23.64.0.0/14 Akamai
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 7fc0f21f3..d36851a4e 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -79,6 +79,8 @@
 #define PATH_SECCOMP_DEBUG_32           LIBDIR "/firejail/seccomp.debug32"              // 32bit arch debug filter built during make
 #define PATH_SECCOMP_MDWX               LIBDIR "/firejail/seccomp.mdwx"                 // filter for memory-deny-write-execute built during make
 #define PATH_SECCOMP_MDWX_32            LIBDIR "/firejail/seccomp.mdwx.32"
+#define PATH_SECCOMP_NAMESPACES LIBDIR "/firejail/seccomp.namespaces"   // filter for restrict-namespaces
+#define PATH_SECCOMP_NAMESPACES_32      LIBDIR "/firejail/seccomp.namespaces.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY    LIBDIR "/firejail/seccomp.block_secondary"      // secondary arch blocking filter built during make
 
 #define RUN_DEV_DIR                     RUN_MNT_DIR "/dev"
diff --git a/src/man/Makefile b/src/man/Makefile
index 197f76192..526ed7fcb 100644
--- a/src/man/Makefile
+++ b/src/man/Makefile
@@ -2,14 +2,25 @@
 ROOT = ../..
 -include $(ROOT)/config.mk
 
+MOD_DIR := $(ROOT)/src/man
+MANPAGES_IN := $(sort $(wildcard $(MOD_DIR)/*.in))
+MANPAGES_GZ := $(MANPAGES_IN:.in=.gz)
+TARGET = $(MANPAGES_GZ)
+
 .PHONY: all
-all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man
+all: $(TARGET)
 
-%.man: %.txt $(ROOT)/config.mk
-        gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@
+# foo.1: foo.1.in
+$(MOD_DIR)/%: $(MOD_DIR)/%.in $(ROOT)/config.mk
+        @printf 'Generating %s from %s\n' $@ $<
+        @gawk -f $(MOD_DIR)/preproc.awk -- $(MANFLAGS) <$< | \
+          $(MOD_DIR)/mkman.sh $(VERSION) >$@
 
-.PHONY: clean
-clean:; rm -fr *.man
+# foo.1.gz: foo.1
+$(MOD_DIR)/%.gz: $(MOD_DIR)/%
+        @printf 'Generating %s from %s\n' $@ $<
+        @rm -f $@
+        @gzip -n9 $<
 
-.PHONY: distclean
-distclean: clean
+.PHONY: clean
+clean:; rm -f *.1 *.5 *.gz
diff --git a/src/man/firecfg.txt b/src/man/firecfg.1.in
index 42add6a41..42add6a41 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.1.in
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.5.in
index f03fc3c37..f03fc3c37 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.5.in
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.5.in
index fa294d888..fa294d888 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.5.in
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.5.in
index 7aa151680..7aa151680 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.5.in
diff --git a/src/man/firejail.txt b/src/man/firejail.1.in
index 19fc94ebd..19fc94ebd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.1.in
diff --git a/src/man/firemon.txt b/src/man/firemon.1.in
index fb0cf1175..fb0cf1175 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.1.in
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.1.in
index e889ea91b..e889ea91b 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.1.in
diff --git a/src/man/mkman.sh b/src/man/mkman.sh
new file mode 100755
index 000000000..0302e0778
--- /dev/null
+++ b/src/man/mkman.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set -e
+
+MONTH="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b)"
+YEAR="$(LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y)"
+
+sed \
+  -e "s/VERSION/$1/g" \
+  -e "s/MONTH/$MONTH/g" \
+  -e "s/YEAR/$YEAR/g"