Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 24 | ||||
-rw-r--r-- | src/firejail/profile.c | 121 |
2 files changed, 132 insertions, 13 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index b51ba2e65..15720b4c6 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1542,17 +1542,17 @@ int main(int argc, char **argv) { | |||
1542 | Bridge *br = last_bridge_configured(); | 1542 | Bridge *br = last_bridge_configured(); |
1543 | if (br == NULL) { | 1543 | if (br == NULL) { |
1544 | fprintf(stderr, "Error: no network device configured\n"); | 1544 | fprintf(stderr, "Error: no network device configured\n"); |
1545 | return 1; | 1545 | exit(1); |
1546 | } | 1546 | } |
1547 | if (mac_not_zero(br->macsandbox)) { | 1547 | if (mac_not_zero(br->macsandbox)) { |
1548 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); | 1548 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); |
1549 | return 1; | 1549 | exit(1); |
1550 | } | 1550 | } |
1551 | 1551 | ||
1552 | // read the address | 1552 | // read the address |
1553 | if (atomac(argv[i] + 6, br->macsandbox)) { | 1553 | if (atomac(argv[i] + 6, br->macsandbox)) { |
1554 | fprintf(stderr, "Error: invalid MAC address\n"); | 1554 | fprintf(stderr, "Error: invalid MAC address\n"); |
1555 | return 1; | 1555 | exit(1); |
1556 | } | 1556 | } |
1557 | } | 1557 | } |
1558 | else { | 1558 | else { |
@@ -1566,12 +1566,12 @@ int main(int argc, char **argv) { | |||
1566 | Bridge *br = last_bridge_configured(); | 1566 | Bridge *br = last_bridge_configured(); |
1567 | if (br == NULL) { | 1567 | if (br == NULL) { |
1568 | fprintf(stderr, "Error: no network device configured\n"); | 1568 | fprintf(stderr, "Error: no network device configured\n"); |
1569 | return 1; | 1569 | exit(1); |
1570 | } | 1570 | } |
1571 | 1571 | ||
1572 | if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { | 1572 | if (sscanf(argv[i] + 6, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { |
1573 | fprintf(stderr, "Error: invalid mtu value\n"); | 1573 | fprintf(stderr, "Error: invalid mtu value\n"); |
1574 | return 1; | 1574 | exit(1); |
1575 | } | 1575 | } |
1576 | } | 1576 | } |
1577 | else { | 1577 | else { |
@@ -1585,11 +1585,11 @@ int main(int argc, char **argv) { | |||
1585 | Bridge *br = last_bridge_configured(); | 1585 | Bridge *br = last_bridge_configured(); |
1586 | if (br == NULL) { | 1586 | if (br == NULL) { |
1587 | fprintf(stderr, "Error: no network device configured\n"); | 1587 | fprintf(stderr, "Error: no network device configured\n"); |
1588 | return 1; | 1588 | exit(1); |
1589 | } | 1589 | } |
1590 | if (br->arg_ip_none || br->ipsandbox) { | 1590 | if (br->arg_ip_none || br->ipsandbox) { |
1591 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | 1591 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); |
1592 | return 1; | 1592 | exit(1); |
1593 | } | 1593 | } |
1594 | 1594 | ||
1595 | // configure this IP address for the last bridge defined | 1595 | // configure this IP address for the last bridge defined |
@@ -1598,7 +1598,7 @@ int main(int argc, char **argv) { | |||
1598 | else { | 1598 | else { |
1599 | if (atoip(argv[i] + 5, &br->ipsandbox)) { | 1599 | if (atoip(argv[i] + 5, &br->ipsandbox)) { |
1600 | fprintf(stderr, "Error: invalid IP address\n"); | 1600 | fprintf(stderr, "Error: invalid IP address\n"); |
1601 | return 1; | 1601 | exit(1); |
1602 | } | 1602 | } |
1603 | } | 1603 | } |
1604 | } | 1604 | } |
@@ -1613,11 +1613,11 @@ int main(int argc, char **argv) { | |||
1613 | Bridge *br = last_bridge_configured(); | 1613 | Bridge *br = last_bridge_configured(); |
1614 | if (br == NULL) { | 1614 | if (br == NULL) { |
1615 | fprintf(stderr, "Error: no network device configured\n"); | 1615 | fprintf(stderr, "Error: no network device configured\n"); |
1616 | return 1; | 1616 | exit(1); |
1617 | } | 1617 | } |
1618 | if (br->arg_ip_none || br->ip6sandbox) { | 1618 | if (br->arg_ip_none || br->ip6sandbox) { |
1619 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | 1619 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); |
1620 | return 1; | 1620 | exit(1); |
1621 | } | 1621 | } |
1622 | 1622 | ||
1623 | // configure this IP address for the last bridge defined | 1623 | // configure this IP address for the last bridge defined |
@@ -1625,7 +1625,7 @@ int main(int argc, char **argv) { | |||
1625 | br->ip6sandbox = argv[i] + 6; | 1625 | br->ip6sandbox = argv[i] + 6; |
1626 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { | 1626 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { |
1627 | // fprintf(stderr, "Error: invalid IP address\n"); | 1627 | // fprintf(stderr, "Error: invalid IP address\n"); |
1628 | // return 1; | 1628 | // exit(1); |
1629 | // } | 1629 | // } |
1630 | } | 1630 | } |
1631 | else { | 1631 | else { |
@@ -1639,7 +1639,7 @@ int main(int argc, char **argv) { | |||
1639 | if (checkcfg(CFG_NETWORK)) { | 1639 | if (checkcfg(CFG_NETWORK)) { |
1640 | if (atoip(argv[i] + 12, &cfg.defaultgw)) { | 1640 | if (atoip(argv[i] + 12, &cfg.defaultgw)) { |
1641 | fprintf(stderr, "Error: invalid IP address\n"); | 1641 | fprintf(stderr, "Error: invalid IP address\n"); |
1642 | return 1; | 1642 | exit(1); |
1643 | } | 1643 | } |
1644 | } | 1644 | } |
1645 | else { | 1645 | else { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 6ded0ca2f..7ff7c7926 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -319,7 +319,126 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
319 | return 0; | 319 | return 0; |
320 | } | 320 | } |
321 | 321 | ||
322 | 322 | ||
323 | // from here | ||
324 | else if (strncmp(ptr, "mac ", 4) == 0) { | ||
325 | #ifdef HAVE_NETWORK | ||
326 | if (checkcfg(CFG_NETWORK)) { | ||
327 | Bridge *br = last_bridge_configured(); | ||
328 | if (br == NULL) { | ||
329 | fprintf(stderr, "Error: no network device configured\n"); | ||
330 | exit(1); | ||
331 | } | ||
332 | |||
333 | if (mac_not_zero(br->macsandbox)) { | ||
334 | fprintf(stderr, "Error: cannot configure the MAC address twice for the same interface\n"); | ||
335 | exit(1); | ||
336 | } | ||
337 | |||
338 | // read the address | ||
339 | if (atomac(ptr + 4, br->macsandbox)) { | ||
340 | fprintf(stderr, "Error: invalid MAC address\n"); | ||
341 | exit(1); | ||
342 | } | ||
343 | } | ||
344 | else | ||
345 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
346 | #endif | ||
347 | return 0; | ||
348 | } | ||
349 | |||
350 | else if (strncmp(ptr, "mtu ", 4) == 0) { | ||
351 | #ifdef HAVE_NETWORK | ||
352 | if (checkcfg(CFG_NETWORK)) { | ||
353 | Bridge *br = last_bridge_configured(); | ||
354 | if (br == NULL) { | ||
355 | fprintf(stderr, "Error: no network device configured\n"); | ||
356 | exit(1); | ||
357 | } | ||
358 | |||
359 | if (sscanf(ptr + 4, "%d", &br->mtu) != 1 || br->mtu < 576 || br->mtu > 9198) { | ||
360 | fprintf(stderr, "Error: invalid mtu value\n"); | ||
361 | exit(1); | ||
362 | } | ||
363 | } | ||
364 | else | ||
365 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
366 | #endif | ||
367 | return 0; | ||
368 | } | ||
369 | |||
370 | else if (strncmp(ptr, "ip ", 3) == 0) { | ||
371 | #ifdef HAVE_NETWORK | ||
372 | if (checkcfg(CFG_NETWORK)) { | ||
373 | Bridge *br = last_bridge_configured(); | ||
374 | if (br == NULL) { | ||
375 | fprintf(stderr, "Error: no network device configured\n"); | ||
376 | exit(1); | ||
377 | } | ||
378 | if (br->arg_ip_none || br->ipsandbox) { | ||
379 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
380 | exit(1); | ||
381 | } | ||
382 | |||
383 | // configure this IP address for the last bridge defined | ||
384 | if (strcmp(ptr + 3, "none") == 0) | ||
385 | br->arg_ip_none = 1; | ||
386 | else { | ||
387 | if (atoip(ptr + 3, &br->ipsandbox)) { | ||
388 | fprintf(stderr, "Error: invalid IP address\n"); | ||
389 | exit(1); | ||
390 | } | ||
391 | } | ||
392 | } | ||
393 | else | ||
394 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
395 | #endif | ||
396 | return 0; | ||
397 | } | ||
398 | |||
399 | else if (strncmp(ptr, "ip6 ", 4) == 0) { | ||
400 | #ifdef HAVE_NETWORK | ||
401 | if (checkcfg(CFG_NETWORK)) { | ||
402 | Bridge *br = last_bridge_configured(); | ||
403 | if (br == NULL) { | ||
404 | fprintf(stderr, "Error: no network device configured\n"); | ||
405 | exit(1); | ||
406 | } | ||
407 | if (br->arg_ip_none || br->ip6sandbox) { | ||
408 | fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n"); | ||
409 | exit(1); | ||
410 | } | ||
411 | |||
412 | // configure this IP address for the last bridge defined | ||
413 | // todo: verify ipv6 syntax | ||
414 | br->ip6sandbox = ptr + 4; | ||
415 | // if (atoip(argv[i] + 5, &br->ipsandbox)) { | ||
416 | // fprintf(stderr, "Error: invalid IP address\n"); | ||
417 | // exit(1); | ||
418 | // } | ||
419 | |||
420 | } | ||
421 | else | ||
422 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
423 | #endif | ||
424 | return 0; | ||
425 | } | ||
426 | |||
427 | else if (strncmp(ptr, "defaultgw ", 10) == 0) { | ||
428 | #ifdef HAVE_NETWORK | ||
429 | if (checkcfg(CFG_NETWORK)) { | ||
430 | Bridge *br = last_bridge_configured(); | ||
431 | if (atoip(ptr + 10, &cfg.defaultgw)) { | ||
432 | fprintf(stderr, "Error: invalid IP address\n"); | ||
433 | exit(1); | ||
434 | } | ||
435 | } | ||
436 | else | ||
437 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | ||
438 | #endif | ||
439 | return 0; | ||
440 | } | ||
441 | |||
323 | if (strncmp(ptr, "protocol ", 9) == 0) { | 442 | if (strncmp(ptr, "protocol ", 9) == 0) { |
324 | #ifdef HAVE_SECCOMP | 443 | #ifdef HAVE_SECCOMP |
325 | if (checkcfg(CFG_SECCOMP)) | 444 | if (checkcfg(CFG_SECCOMP)) |
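Review bot: The new `ip6` branch stores `br->ip6sandbox = ptr + 4;`, a pointer into the profile line currently being parsed, while the `ip` branch beside it copies the parsed value into the bridge; if the caller reuses or frees its line buffer after profile_check_line returns (not visible here, please confirm), that pointer dangles by the time the address is applied, so duplicate it with `br->ip6sandbox = strdup(ptr + 4);` followed by a NULL check, and resolve the `todo: verify ipv6 syntax` instead of carrying the commented-out validation over from the command-line parser. The `defaultgw` branch declares `Bridge *br = last_bridge_configured();` and never uses it (the main.c counterpart has no such line); either drop it or use it for the same `br == NULL` check the sibling branches make. The `mtu` branch's `sscanf(ptr + 4, "%d", &br->mtu)` accepts trailing junk such as `mtu 1500xyz`; `strtol` with an end-pointer check would reject it. The leftover `// from here` marker should be removed. profile_check_line begins before and continues after this hunk.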