diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 8 | ||||
-rw-r--r-- | src/firejail/fs_hostname.c | 10 | ||||
-rw-r--r-- | src/firejail/main.c | 20 | ||||
-rw-r--r-- | src/firejail/network.c | 15 | ||||
-rw-r--r-- | src/firejail/profile.c | 21 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 14 |
6 files changed, 59 insertions, 29 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a76d2795d..e96a5d63e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -240,9 +240,10 @@ typedef struct config_t { | |||
240 | Interface interface1; | 240 | Interface interface1; |
241 | Interface interface2; | 241 | Interface interface2; |
242 | Interface interface3; | 242 | Interface interface3; |
243 | uint32_t dns1; // up to 3 IP addresses for dns servers | 243 | char *dns1; // up to 3 IP (v4/v6) addresses for dns servers |
244 | uint32_t dns2; | 244 | char *dns2; |
245 | uint32_t dns3; | 245 | char *dns3; |
246 | char *dns4; | ||
246 | 247 | ||
247 | // seccomp | 248 | // seccomp |
248 | char *seccomp_list;// optional seccomp list on top of default filter | 249 | char *seccomp_list;// optional seccomp list on top of default filter |
@@ -409,6 +410,7 @@ void net_dns_print(pid_t pid); | |||
409 | void network_main(pid_t child); | 410 | void network_main(pid_t child); |
410 | 411 | ||
411 | // network.c | 412 | // network.c |
413 | int check_ip46_address(const char *addr); | ||
412 | void net_if_up(const char *ifname); | 414 | void net_if_up(const char *ifname); |
413 | void net_if_down(const char *ifname); | 415 | void net_if_down(const char *ifname); |
414 | void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu); | 416 | void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu); |
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 137686572..fd823b812 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c | |||
@@ -89,7 +89,7 @@ errexit: | |||
89 | } | 89 | } |
90 | 90 | ||
91 | void fs_resolvconf(void) { | 91 | void fs_resolvconf(void) { |
92 | if (cfg.dns1 == 0) | 92 | if (cfg.dns1 == NULL) |
93 | return; | 93 | return; |
94 | 94 | ||
95 | if (arg_debug) | 95 | if (arg_debug) |
@@ -164,11 +164,13 @@ void fs_resolvconf(void) { | |||
164 | } | 164 | } |
165 | 165 | ||
166 | if (cfg.dns1) | 166 | if (cfg.dns1) |
167 | fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); | 167 | fprintf(fp, "nameserver %s\n", cfg.dns1); |
168 | if (cfg.dns2) | 168 | if (cfg.dns2) |
169 | fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns2)); | 169 | fprintf(fp, "nameserver %s\n", cfg.dns2); |
170 | if (cfg.dns3) | 170 | if (cfg.dns3) |
171 | fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns3)); | 171 | fprintf(fp, "nameserver %s\n", cfg.dns3); |
172 | if (cfg.dns4) | ||
173 | fprintf(fp, "nameserver %s\n", cfg.dns4); | ||
172 | 174 | ||
173 | // mode and owner | 175 | // mode and owner |
174 | SET_PERMS_STREAM(fp, 0, 0, 0644); | 176 | SET_PERMS_STREAM(fp, 0, 0, 0644); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index bc6eb8219..b2b4fe525 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -2064,20 +2064,24 @@ int main(int argc, char **argv) { | |||
2064 | } | 2064 | } |
2065 | #endif | 2065 | #endif |
2066 | else if (strncmp(argv[i], "--dns=", 6) == 0) { | 2066 | else if (strncmp(argv[i], "--dns=", 6) == 0) { |
2067 | uint32_t dns; | 2067 | if (check_ip46_address(argv[i] + 6) == 0) { |
2068 | if (atoip(argv[i] + 6, &dns)) { | 2068 | fprintf(stderr, "Error: invalid DNS server IPv4 or IPv6 address\n"); |
2069 | fprintf(stderr, "Error: invalid DNS server IP address\n"); | 2069 | exit(1); |
2070 | return 1; | ||
2071 | } | 2070 | } |
2071 | char *dns = strdup(argv[i] + 6); | ||
2072 | if (!dns) | ||
2073 | errExit("strdup"); | ||
2072 | 2074 | ||
2073 | if (cfg.dns1 == 0) | 2075 | if (cfg.dns1 == NULL) |
2074 | cfg.dns1 = dns; | 2076 | cfg.dns1 = dns; |
2075 | else if (cfg.dns2 == 0) | 2077 | else if (cfg.dns2 == NULL) |
2076 | cfg.dns2 = dns; | 2078 | cfg.dns2 = dns; |
2077 | else if (cfg.dns3 == 0) | 2079 | else if (cfg.dns3 == NULL) |
2078 | cfg.dns3 = dns; | 2080 | cfg.dns3 = dns; |
2081 | else if (cfg.dns4 == NULL) | ||
2082 | cfg.dns4 = dns; | ||
2079 | else { | 2083 | else { |
2080 | fprintf(stderr, "Error: up to 3 DNS servers can be specified\n"); | 2084 | fprintf(stderr, "Error: up to 4 DNS servers can be specified\n"); |
2081 | return 1; | 2085 | return 1; |
2082 | } | 2086 | } |
2083 | } | 2087 | } |
diff --git a/src/firejail/network.c b/src/firejail/network.c index 80f150ea0..5ebaf873c 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -28,6 +28,21 @@ | |||
28 | #include <net/route.h> | 28 | #include <net/route.h> |
29 | #include <linux/if_bridge.h> | 29 | #include <linux/if_bridge.h> |
30 | 30 | ||
31 | // return 1 if addr is a IPv4 or IPv6 address | ||
32 | int check_ip46_address(const char *addr) { | ||
33 | // check ipv4 address | ||
34 | uint32_t tmp; | ||
35 | if (atoip(addr, &tmp) == 0) | ||
36 | return 1; | ||
37 | |||
38 | // check ipv6 address | ||
39 | struct in6_addr result; | ||
40 | if (inet_pton(AF_INET6, addr, &result) == 1) | ||
41 | return 1; | ||
42 | |||
43 | // failed | ||
44 | return 0; | ||
45 | } | ||
31 | 46 | ||
32 | int net_get_mtu(const char *ifname) { | 47 | int net_get_mtu(const char *ifname) { |
33 | int mtu = 0; | 48 | int mtu = 0; |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 1a944beff..c14f2b1f3 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -668,20 +668,25 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
668 | 668 | ||
669 | // dns | 669 | // dns |
670 | if (strncmp(ptr, "dns ", 4) == 0) { | 670 | if (strncmp(ptr, "dns ", 4) == 0) { |
671 | uint32_t dns; | 671 | |
672 | if (atoip(ptr + 4, &dns)) { | 672 | if (check_ip46_address(ptr + 4) == 0) { |
673 | fprintf(stderr, "Error: invalid DNS server IP address\n"); | 673 | fprintf(stderr, "Error: invalid DNS server IPv4 or IPv6 address\n"); |
674 | return 1; | 674 | exit(1); |
675 | } | 675 | } |
676 | char *dns = strdup(ptr + 4); | ||
677 | if (!dns) | ||
678 | errExit("strdup"); | ||
676 | 679 | ||
677 | if (cfg.dns1 == 0) | 680 | if (cfg.dns1 == NULL) |
678 | cfg.dns1 = dns; | 681 | cfg.dns1 = dns; |
679 | else if (cfg.dns2 == 0) | 682 | else if (cfg.dns2 == NULL) |
680 | cfg.dns2 = dns; | 683 | cfg.dns2 = dns; |
681 | else if (cfg.dns3 == 0) | 684 | else if (cfg.dns3 == NULL) |
682 | cfg.dns3 = dns; | 685 | cfg.dns3 = dns; |
686 | else if (cfg.dns4 == NULL) | ||
687 | cfg.dns4 = dns; | ||
683 | else { | 688 | else { |
684 | fprintf(stderr, "Error: up to 3 DNS servers can be specified\n"); | 689 | fprintf(stderr, "Error: up to 4 DNS servers can be specified\n"); |
685 | return 1; | 690 | return 1; |
686 | } | 691 | } |
687 | return 0; | 692 | return 0; |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 010bb06e0..ed0a253b3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -652,12 +652,14 @@ int sandbox(void* sandbox_arg) { | |||
652 | else | 652 | else |
653 | fmessage("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw)); | 653 | fmessage("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw)); |
654 | } | 654 | } |
655 | if (cfg.dns1 != 0) | 655 | if (cfg.dns1 != NULL) |
656 | fmessage("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); | 656 | fmessage("DNS server %s\n", cfg.dns1); |
657 | if (cfg.dns2 != 0) | 657 | if (cfg.dns2 != NULL) |
658 | fmessage("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2)); | 658 | fmessage("DNS server %s\n", cfg.dns2); |
659 | if (cfg.dns3 != 0) | 659 | if (cfg.dns3 != NULL) |
660 | fmessage("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3)); | 660 | fmessage("DNS server %s\n", cfg.dns3); |
661 | if (cfg.dns4 != NULL) | ||
662 | fmessage("DNS server %s\n", cfg.dns4); | ||
661 | fmessage("\n"); | 663 | fmessage("\n"); |
662 | } | 664 | } |
663 | } | 665 | } |