6 files changed, 96 insertions, 43 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index a76d2795d..e96a5d63e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -240,9 +240,10 @@ typedef struct config_t {
        Interface interface1;
        Interface interface2;
        Interface interface3;
-        uint32_t dns1;  // up to 3 IP addresses for dns servers
+        char *dns1;     // up to 3 IP (v4/v6) addresses for dns servers
-        uint32_t dns2;
+        char *dns2;
-        uint32_t dns3;
+        char *dns3;
+        char *dns4;
        // seccomp
        char *seccomp_list;//  optional seccomp list on top of default filter
@@ -409,6 +410,7 @@ void net_dns_print(pid_t pid);
 void network_main(pid_t child);
 // network.c
+int check_ip46_address(const char *addr);
 void net_if_up(const char *ifname);
 void net_if_down(const char *ifname);
 void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 137686572..fd823b812 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -89,7 +89,7 @@ errexit:
 }
 void fs_resolvconf(void) {
-        if (cfg.dns1 == 0)
+        if (cfg.dns1 == NULL)
                return;
        if (arg_debug)
@@ -164,11 +164,13 @@ void fs_resolvconf(void) {
        }
        if (cfg.dns1)
-                fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));
+                fprintf(fp, "nameserver %s\n", cfg.dns1);
        if (cfg.dns2)
-                fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));
+                fprintf(fp, "nameserver %s\n", cfg.dns2);
        if (cfg.dns3)
-                fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));
+                fprintf(fp, "nameserver %s\n", cfg.dns3);
+        if (cfg.dns4)
+                fprintf(fp, "nameserver %s\n", cfg.dns4);
        // mode and owner
        SET_PERMS_STREAM(fp, 0, 0, 0644);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index bc6eb8219..9cd89d42c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2034,18 +2034,20 @@ int main(int argc, char **argv) {
                                        fprintf(stderr, "Error: no network device configured\n");
                                        exit(1);
                                }
-                                if (br->arg_ip_none || br->ip6sandbox) {
+                                if (br->ip6sandbox) {
                                        fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
                                        exit(1);
                                }
                                // configure this IP address for the last bridge defined
-                                // todo: verify ipv6 syntax
+                                if (check_ip46_address(argv[i] + 6) == 0) {
-                                br->ip6sandbox = argv[i] + 6;
+                                        fprintf(stderr, "Error: invalid IPv6 address\n");
-//                              if (atoip(argv[i] + 5, &br->ipsandbox)) {
+                                        exit(1);
-//                                      fprintf(stderr, "Error: invalid IP address\n");
+                                }
-//                                      exit(1);
-//                              }
+                                br->ip6sandbox = strdup(argv[i] + 6);
+                                if (br->ip6sandbox == NULL)
+                                        errExit("strdup");
                        }
                        else
                                exit_err_feature("networking");
@@ -2064,20 +2066,24 @@ int main(int argc, char **argv) {
                }
 #endif
                else if (strncmp(argv[i], "--dns=", 6) == 0) {
-                        uint32_t dns;
+                        if (check_ip46_address(argv[i] + 6) == 0) {
-                        if (atoip(argv[i] + 6, &dns)) {
+                                fprintf(stderr, "Error: invalid DNS server IPv4 or IPv6 address\n");
-                                fprintf(stderr, "Error: invalid DNS server IP address\n");
+                                exit(1);
-                                return 1;
                        }
+                        char *dns = strdup(argv[i] + 6);
+                        if (!dns)
+                                errExit("strdup");
-                        if (cfg.dns1 == 0)
+                        if (cfg.dns1 == NULL)
                                cfg.dns1 = dns;
-                        else if (cfg.dns2 == 0)
+                        else if (cfg.dns2 == NULL)
                                cfg.dns2 = dns;
-                        else if (cfg.dns3 == 0)
+                        else if (cfg.dns3 == NULL)
                                cfg.dns3 = dns;
+                        else if (cfg.dns4 == NULL)
+                                cfg.dns4 = dns;
                        else {
-                                fprintf(stderr, "Error: up to 3 DNS servers can be specified\n");
+                                fprintf(stderr, "Error: up to 4 DNS servers can be specified\n");
                                return 1;
                        }
                }
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 80f150ea0..7b84854d3 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -28,6 +28,40 @@
 #include <net/route.h>
 #include <linux/if_bridge.h>
+// return 1 if addr is a IPv4 or IPv6 address
+int check_ip46_address(const char *addr) {
+        // check ipv4 address
+        uint32_t tmp;
+        if (atoip(addr, &tmp) == 0)
+                return 1;
+        // check ipv6 address
+        struct in6_addr result;
+        char *tmpstr = strdup(addr);
+        if (!tmpstr)
+                errExit("strdup");
+        char *ptr = strchr(tmpstr, '/');
+        if (ptr) {
+                *ptr = '\0';
+                ptr++;
+                int mask = atoi(ptr);
+                // check the network mask
+                if (mask < 0 || mask > 128) {
+                        free(tmpstr);
+                        return 0;
+                }
+        }
+        if (inet_pton(AF_INET6, tmpstr, &result) == 1) {
+                free(tmpstr);
+                return 1;
+        }
+        free(tmpstr);
+        // failed
+        return 0;
+}
 int net_get_mtu(const char *ifname) {
        int mtu = 0;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 1a944beff..d0c43d13e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -502,18 +502,20 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                                fprintf(stderr, "Error: no network device configured\n");
                                exit(1);
                        }
-                        if (br->arg_ip_none || br->ip6sandbox) {
+                        if (br->ip6sandbox) {
                                fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
                                exit(1);
                        }
                        // configure this IP address for the last bridge defined
-                        // todo: verify ipv6 syntax
+                        if (check_ip46_address(ptr + 4) == 0) {
-                        br->ip6sandbox = ptr + 4;
+                                fprintf(stderr, "Error: invalid IPv6 address\n");
-//                      if (atoip(argv[i] + 5, &br->ipsandbox)) {
+                                exit(1);
-//                              fprintf(stderr, "Error: invalid IP address\n");
+                        }
-//                              exit(1);
-//                      }
+                        br->ip6sandbox = strdup(ptr + 4);
+                        if (br->ip6sandbox == NULL)
+                                errExit("strdup");
                }
                else
@@ -668,20 +670,25 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
        // dns
        if (strncmp(ptr, "dns ", 4) == 0) {
-                uint32_t dns;
-                if (atoip(ptr + 4, &dns)) {
+                if (check_ip46_address(ptr + 4) == 0) {
-                        fprintf(stderr, "Error: invalid DNS server IP address\n");
+                        fprintf(stderr, "Error: invalid DNS server IPv4 or IPv6 address\n");
-                        return 1;
+                        exit(1);
                }
+                char *dns = strdup(ptr + 4);
+                if (!dns)
+                        errExit("strdup");
-                if (cfg.dns1 == 0)
+                if (cfg.dns1 == NULL)
                        cfg.dns1 = dns;
-                else if (cfg.dns2 == 0)
+                else if (cfg.dns2 == NULL)
                        cfg.dns2 = dns;
-                else if (cfg.dns3 == 0)
+                else if (cfg.dns3 == NULL)
                        cfg.dns3 = dns;
+                else if (cfg.dns4 == NULL)
+                        cfg.dns4 = dns;
                else {
-                        fprintf(stderr, "Error: up to 3 DNS servers can be specified\n");
+                        fprintf(stderr, "Error: up to 4 DNS servers can be specified\n");
                        return 1;
                }
                return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 010bb06e0..ed0a253b3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -652,12 +652,14 @@ int sandbox(void* sandbox_arg) {
                                else
                                        fmessage("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw));
                        }
-                        if (cfg.dns1 != 0)
+                        if (cfg.dns1 != NULL)
-                                fmessage("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));
+                                fmessage("DNS server %s\n", cfg.dns1);
-                        if (cfg.dns2 != 0)
+                        if (cfg.dns2 != NULL)
-                                fmessage("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));
+                                fmessage("DNS server %s\n", cfg.dns2);
-                        if (cfg.dns3 != 0)
+                        if (cfg.dns3 != NULL)
-                                fmessage("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));
+                                fmessage("DNS server %s\n", cfg.dns3);
+                        if (cfg.dns4 != NULL)
+                                fmessage("DNS server %s\n", cfg.dns4);
                        fmessage("\n");
                }
        }

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a76d2795d..e96a5d63e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -240,9 +240,10 @@ typedef struct config_t {
240	Interface interface1;	240	Interface interface1;
241	Interface interface2;	241	Interface interface2;
242	Interface interface3;	242	Interface interface3;
243	uint32_t dns1; // up to 3 IP addresses for dns servers	243	char *dns1; // up to 3 IP (v4/v6) addresses for dns servers
244	uint32_t dns2;	244	char *dns2;
245	uint32_t dns3;	245	char *dns3;
		246	char *dns4;
246		247
247	// seccomp	248	// seccomp
248	char *seccomp_list;// optional seccomp list on top of default filter	249	char *seccomp_list;// optional seccomp list on top of default filter
@@ -409,6 +410,7 @@ void net_dns_print(pid_t pid);
409	void network_main(pid_t child);	410	void network_main(pid_t child);
410		411
411	// network.c	412	// network.c
		413	int check_ip46_address(const char *addr);
412	void net_if_up(const char *ifname);	414	void net_if_up(const char *ifname);
413	void net_if_down(const char *ifname);	415	void net_if_down(const char *ifname);
414	void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);	416	void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu);


diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 137686572..fd823b812 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c
@@ -89,7 +89,7 @@ errexit:
89	}	89	}
90		90
91	void fs_resolvconf(void) {	91	void fs_resolvconf(void) {
92	if (cfg.dns1 == 0)	92	if (cfg.dns1 == NULL)
93	return;	93	return;
94		94
95	if (arg_debug)	95	if (arg_debug)
@@ -164,11 +164,13 @@ void fs_resolvconf(void) {
164	}	164	}
165		165
166	if (cfg.dns1)	166	if (cfg.dns1)
167	fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));	167	fprintf(fp, "nameserver %s\n", cfg.dns1);
168	if (cfg.dns2)	168	if (cfg.dns2)
169	fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));	169	fprintf(fp, "nameserver %s\n", cfg.dns2);
170	if (cfg.dns3)	170	if (cfg.dns3)
171	fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));	171	fprintf(fp, "nameserver %s\n", cfg.dns3);
		172	if (cfg.dns4)
		173	fprintf(fp, "nameserver %s\n", cfg.dns4);
172		174
173	// mode and owner	175	// mode and owner
174	SET_PERMS_STREAM(fp, 0, 0, 0644);	176	SET_PERMS_STREAM(fp, 0, 0, 0644);


diff --git a/src/firejail/main.c b/src/firejail/main.c index bc6eb8219..9cd89d42c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -2034,18 +2034,20 @@ int main(int argc, char **argv) {
2034	fprintf(stderr, "Error: no network device configured\n");	2034	fprintf(stderr, "Error: no network device configured\n");
2035	exit(1);	2035	exit(1);
2036	}	2036	}
2037	if (br->arg_ip_none \|\| br->ip6sandbox) {	2037	if (br->ip6sandbox) {
2038	fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");	2038	fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
2039	exit(1);	2039	exit(1);
2040	}	2040	}
2041		2041
2042	// configure this IP address for the last bridge defined	2042	// configure this IP address for the last bridge defined
2043	// todo: verify ipv6 syntax	2043	if (check_ip46_address(argv[i] + 6) == 0) {
2044	br->ip6sandbox = argv[i] + 6;	2044	fprintf(stderr, "Error: invalid IPv6 address\n");
2045	// if (atoip(argv[i] + 5, &br->ipsandbox)) {	2045	exit(1);
2046	// fprintf(stderr, "Error: invalid IP address\n");	2046	}
2047	// exit(1);	2047
2048	// }	2048	br->ip6sandbox = strdup(argv[i] + 6);
		2049	if (br->ip6sandbox == NULL)
		2050	errExit("strdup");
2049	}	2051	}
2050	else	2052	else
2051	exit_err_feature("networking");	2053	exit_err_feature("networking");
@@ -2064,20 +2066,24 @@ int main(int argc, char **argv) {
2064	}	2066	}
2065	#endif	2067	#endif
2066	else if (strncmp(argv[i], "--dns=", 6) == 0) {	2068	else if (strncmp(argv[i], "--dns=", 6) == 0) {
2067	uint32_t dns;	2069	if (check_ip46_address(argv[i] + 6) == 0) {
2068	if (atoip(argv[i] + 6, &dns)) {	2070	fprintf(stderr, "Error: invalid DNS server IPv4 or IPv6 address\n");
2069	fprintf(stderr, "Error: invalid DNS server IP address\n");	2071	exit(1);
2070	return 1;
2071	}	2072	}
		2073	char *dns = strdup(argv[i] + 6);
		2074	if (!dns)
		2075	errExit("strdup");
2072		2076
2073	if (cfg.dns1 == 0)	2077	if (cfg.dns1 == NULL)
2074	cfg.dns1 = dns;	2078	cfg.dns1 = dns;
2075	else if (cfg.dns2 == 0)	2079	else if (cfg.dns2 == NULL)
2076	cfg.dns2 = dns;	2080	cfg.dns2 = dns;
2077	else if (cfg.dns3 == 0)	2081	else if (cfg.dns3 == NULL)
2078	cfg.dns3 = dns;	2082	cfg.dns3 = dns;
		2083	else if (cfg.dns4 == NULL)
		2084	cfg.dns4 = dns;
2079	else {	2085	else {
2080	fprintf(stderr, "Error: up to 3 DNS servers can be specified\n");	2086	fprintf(stderr, "Error: up to 4 DNS servers can be specified\n");
2081	return 1;	2087	return 1;
2082	}	2088	}
2083	}	2089	}


diff --git a/src/firejail/network.c b/src/firejail/network.c index 80f150ea0..7b84854d3 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c
@@ -28,6 +28,40 @@
28	#include <net/route.h>	28	#include <net/route.h>
29	#include <linux/if_bridge.h>	29	#include <linux/if_bridge.h>
30		30
		31	// return 1 if addr is a IPv4 or IPv6 address
		32	int check_ip46_address(const char *addr) {
		33	// check ipv4 address
		34	uint32_t tmp;
		35	if (atoip(addr, &tmp) == 0)
		36	return 1;
		37
		38	// check ipv6 address
		39	struct in6_addr result;
		40
		41	char *tmpstr = strdup(addr);
		42	if (!tmpstr)
		43	errExit("strdup");
		44	char *ptr = strchr(tmpstr, '/');
		45	if (ptr) {
		46	*ptr = '\0';
		47	ptr++;
		48	int mask = atoi(ptr);
		49	// check the network mask
		50	if (mask < 0 \|\| mask > 128) {
		51	free(tmpstr);
		52	return 0;
		53	}
		54	}
		55	if (inet_pton(AF_INET6, tmpstr, &result) == 1) {
		56	free(tmpstr);
		57	return 1;
		58	}
		59
		60	free(tmpstr);
		61
		62	// failed
		63	return 0;
		64	}
31		65
32	int net_get_mtu(const char *ifname) {	66	int net_get_mtu(const char *ifname) {
33	int mtu = 0;	67	int mtu = 0;


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 1a944beff..d0c43d13e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -502,18 +502,20 @@ int profile_check_line(char ptr, int lineno, const char fname) {
502	fprintf(stderr, "Error: no network device configured\n");	502	fprintf(stderr, "Error: no network device configured\n");
503	exit(1);	503	exit(1);
504	}	504	}
505	if (br->arg_ip_none \|\| br->ip6sandbox) {	505	if (br->ip6sandbox) {
506	fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");	506	fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
507	exit(1);	507	exit(1);
508	}	508	}
509		509
510	// configure this IP address for the last bridge defined	510	// configure this IP address for the last bridge defined
511	// todo: verify ipv6 syntax	511	if (check_ip46_address(ptr + 4) == 0) {
512	br->ip6sandbox = ptr + 4;	512	fprintf(stderr, "Error: invalid IPv6 address\n");
513	// if (atoip(argv[i] + 5, &br->ipsandbox)) {	513	exit(1);
514	// fprintf(stderr, "Error: invalid IP address\n");	514	}
515	// exit(1);	515
516	// }	516	br->ip6sandbox = strdup(ptr + 4);
		517	if (br->ip6sandbox == NULL)
		518	errExit("strdup");
517		519
518	}	520	}
519	else	521	else
@@ -668,20 +670,25 @@ int profile_check_line(char ptr, int lineno, const char fname) {
668		670
669	// dns	671	// dns
670	if (strncmp(ptr, "dns ", 4) == 0) {	672	if (strncmp(ptr, "dns ", 4) == 0) {
671	uint32_t dns;	673
672	if (atoip(ptr + 4, &dns)) {	674	if (check_ip46_address(ptr + 4) == 0) {
673	fprintf(stderr, "Error: invalid DNS server IP address\n");	675	fprintf(stderr, "Error: invalid DNS server IPv4 or IPv6 address\n");
674	return 1;	676	exit(1);
675	}	677	}
		678	char *dns = strdup(ptr + 4);
		679	if (!dns)
		680	errExit("strdup");
676		681
677	if (cfg.dns1 == 0)	682	if (cfg.dns1 == NULL)
678	cfg.dns1 = dns;	683	cfg.dns1 = dns;
679	else if (cfg.dns2 == 0)	684	else if (cfg.dns2 == NULL)
680	cfg.dns2 = dns;	685	cfg.dns2 = dns;
681	else if (cfg.dns3 == 0)	686	else if (cfg.dns3 == NULL)
682	cfg.dns3 = dns;	687	cfg.dns3 = dns;
		688	else if (cfg.dns4 == NULL)
		689	cfg.dns4 = dns;
683	else {	690	else {
684	fprintf(stderr, "Error: up to 3 DNS servers can be specified\n");	691	fprintf(stderr, "Error: up to 4 DNS servers can be specified\n");
685	return 1;	692	return 1;
686	}	693	}
687	return 0;	694	return 0;


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 010bb06e0..ed0a253b3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -652,12 +652,14 @@ int sandbox(void* sandbox_arg) {
652	else	652	else
653	fmessage("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw));	653	fmessage("Default gateway %d.%d.%d.%d\n", PRINT_IP(cfg.defaultgw));
654	}	654	}
655	if (cfg.dns1 != 0)	655	if (cfg.dns1 != NULL)
656	fmessage("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));	656	fmessage("DNS server %s\n", cfg.dns1);
657	if (cfg.dns2 != 0)	657	if (cfg.dns2 != NULL)
658	fmessage("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns2));	658	fmessage("DNS server %s\n", cfg.dns2);
659	if (cfg.dns3 != 0)	659	if (cfg.dns3 != NULL)
660	fmessage("DNS server %d.%d.%d.%d\n", PRINT_IP(cfg.dns3));	660	fmessage("DNS server %s\n", cfg.dns3);
		661	if (cfg.dns4 != NULL)
		662	fmessage("DNS server %s\n", cfg.dns4);
661	fmessage("\n");	663	fmessage("\n");
662	}	664	}
663	}	665	}